Tibilicus
Corporal
Joined: Sep 10, 2006 Posts: 60 Location: USA
Posted: Sun Oct 22, 2006 12:03 pm Post subject: The importance of disabling certain items when scanning?
Hi,
Today I did my fortnightly rootkit scan with RootkitRevealer. To my shock, however, it found two items. I couldn't believe this, so I scanned again. Same thing, but then I noticed I had a messaging client open in the tray. After closing it down the scan came back clean. It got me thinking, so this time I opened 2 messenger clients. The scan now came back with around 6 hidden objects. Then once again, with none of them open, no objects were found. This got me wondering why you rootkit guys always ask to disable background processes? Why does RootkitRevealer report them as rootkits, as surely all files should be hidden? Here's an example of the sort of thing it found when the messaging client was running.
C:\System Volume Information\_restore{4E1FA31E-4F4E-412B-AE3A-25056B1B89B8}\RP123\A0019482.RDB 22/10/2006 12:34 1.32 MB Hidden from Windows API.
Anyway, I'm just looking to be educated on why having programs running causes such effects.
Thanks
Tib
AbuIbrahim
Security Expert Special Response Team
 Joined: Jan 18, 2006 Posts: 1924
Tibilicus
Corporal

 Joined: Sep 10, 2006 Posts: 60 Location: USA
Posted: Sun Oct 22, 2006 11:34 pm Post subject:
AbuIbrahim, not only after finally diagnosing a FP that was a pain in the ass, redirects Tib again.
He is God.
:p
Anyway, thanks for that. Here's the sort of stuff my scans were producing. I would say the fact I didn't disable any real-time scanning and was connected to the internet affected the scan:
C:\System Volume Information\_restore{4E1FA31E-4F4E-412B-AE3A-25056B1B89B8}\RP126\A0020274.RDB 22/10/2006 22:51 1.32 MB Hidden from Windows API.
C:\System Volume Information\_restore{4E1FA31E-4F4E-412B-AE3A-25056B1B89B8}\RP126\A0020275.RDB 22/10/2006 22:55 1.32 MB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 22/10/2006 22:51 64.00 KB Visible in Windows API, but not in MFT or directory index.
Anyway, thanks for the help. BTW this was a general question. I don't think I have a rootkit unless anyone spots something odd about these entries.
Tib
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5394
Posted: Mon Oct 23, 2006 3:17 am Post subject:
Those entries are just System Restore and Windows Update doing their thing in the background. You're good!
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
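An added example, not from anyone in the thread: a small Python triage helper for pasted RootkitRevealer output that parses each line into path, timestamp, size and discrepancy text, and marks entries under the two locations negster22 identifies (System Restore points and the Windows Update datastore) as transient, so attention goes to anything else. RootkitRevealer documents that files changing between its Windows API pass and its raw filesystem pass show up as exactly these discrepancies, which is why background activity inflates the count; the `PLACEHOLDER.sys` line in the sample is constructed and does not come from the thread.

```python
import re
from dataclasses import dataclass
# One RootkitRevealer result line, in the layout quoted in the thread:
#   <path> <dd/mm/yyyy> <hh:mm> <size> <unit> <discrepancy description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s+(?P<unit>B|KB|MB|GB)\s+(?P<discrepancy>.+)$"
)
UNIT_KB = {"B": 1 / 1024, "KB": 1.0, "MB": 1024.0, "GB": 1024.0 ** 2}
# The two discrepancy types quoted in the thread.
KNOWN_DISCREPANCIES = ("Hidden from Windows API.",
                       "Visible in Windows API, but not in MFT or directory index.")
# Locations Windows itself writes to during a scan, taken from the thread's entries.
TRANSIENT_PREFIXES = (
    r"c:\system volume information\_restore",
    r"c:\windows\softwaredistribution\datastore",
)

@dataclass
class Finding:
    path: str
    size_kb: float
    discrepancy: str
    verdict: str  # "transient" or "investigate"

def parse_line(line: str) -> "Finding | None":
    """Parse one result line; return None for text that is not a finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # A known discrepancy type under a directory the OS churns mid-scan is the
    # race the thread describes, not hiding; anything else gets a human look.
    transient = (m["discrepancy"] in KNOWN_DISCREPANCIES
                 and m["path"].lower().startswith(TRANSIENT_PREFIXES))
    return Finding(m["path"], float(m["size"]) * UNIT_KB[m["unit"]],
                   m["discrepancy"], "transient" if transient else "investigate")

def triage(report: str) -> "list[Finding]":
    """Parse a pasted report, skipping blank or unparseable lines."""
    return [f for f in map(parse_line, report.splitlines()) if f]

# Constructed sample: two lines quoted in the thread plus one placeholder entry
# outside the transient locations (PLACEHOLDER.sys is not a real finding).
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{4E1FA31E-4F4E-412B-AE3A-25056B1B89B8}\RP126\A0020274.RDB 22/10/2006 22:51 1.32 MB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 22/10/2006 22:51 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\drivers\PLACEHOLDER.sys 22/10/2006 22:52 12.00 KB Hidden from Windows API.
"""
```

Running `triage(SAMPLE_REPORT)` returns two transient findings and one to investigate; a clean re-scan with background programs closed is the check that confirms the transient verdicts.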