-
June 25th, 2007, 02:55 AM
#1
Help with output rootkitrevealer v1.7
Hello fellow members of AO. I recently scanned my system with RootkitRevealer v1.7 and it found *37 discrepancies*.
33 are located in
c:\documents and settings\all users\documents\my music\alicia keys\destiny's child\thumbs.db:encryptable <--(they all end in this)
and my personal document folder. Some of them say "304 bytes hidden from Windows API" and/or "13 bytes data mismatch between Windows API and raw hive data".
I will try to include a screenshot for "explaining"; most of the corruption seems to be in my 2006 hurricane folder or my pictures. My GF and I use LimeWire; I think it's the reason for this output.
How can I determine if this is really malicious code on the system or false positives?
Curious, what does this mean? Some of them say "304 bytes hidden from Windows API". I have a pretty good idea, but wtf?
Anything to be worried about?
[img=http://img153.imageshack.us/img153/9766/rootkitth3.th.jpg]
Last edited by Computernerd22; June 25th, 2007 at 03:04 AM.
-
June 25th, 2007, 03:51 AM
#2
When you run a program like this it is absolutely crucial that you don't do anything with the computer while it's running. What the program does is take a "snapshot" of what the Windows API thinks is on your hard disk, and then it goes about reading the raw data and compares the two.
If you have any programs open that are making changes or downloading anything or really doing anything at all, the program's snapshot of the Windows API will not reflect these changes in the raw data. That's where most discrepancies/false positives come from.
-
June 25th, 2007, 02:53 PM
#3
That just means that the file has an alternate NTFS stream. It has a flag that the file can be encrypted.
More about NTFS alternate data streams: http://www.wikistc.org/wiki/Alternate_data_streams
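As an added illustration (not code from the thread), the following PowerShell script lists the named alternate data streams on every Thumbs.db under a folder, so an entry such as `thumbs.db:encryptable` can be checked directly against the file instead of trusting the scanner's report alone. The root path is an assumed placeholder; it requires PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example, not from the original post: enumerate alternate data
# streams (ADS) on Thumbs.db files so RootkitRevealer entries ending in
# ":encryptable" can be inspected. $Root is an assumed path; point it at
# the folder the scanner flagged.
param([string]$Root = 'C:\Documents and Settings\All Users\Documents')

Get-ChildItem -Path $Root -Recurse -Force -Filter 'Thumbs.db' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns every stream on the file, including the unnamed
        # main stream ':$DATA'; keep only the named (alternate) streams and
        # report their size in bytes, which is the figure the scanner quotes.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    } |
    Format-Table -AutoSize
```

A named stream on a Thumbs.db that has a legitimate origin (the encryptable flag described above) will show up here with a small, consistent size; a stream you cannot account for is worth looking at with `Get-Content -Stream <name>` before deleting the file.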
-
June 25th, 2007, 03:05 PM
#4
You can safely remove the Thumbs.db files. They'll be re-created by Windows (thumbnails in folder views).
Oliver's Law:
Experience is something you don't get until just after you need it.