Help with output rootkitrevealer v1.7

  1. #1
    Computernerd22 (AO's MMA Fanatic!)
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    769

    Help with output rootkitrevealer v1.7

    Hello fellow members of AO. I recently scanned my system with RootKitRevealer v1.7 and it found *37 discrepancies*.

    33 are located in
    c:\documents and settings\all users\documents\my music\alicia keys\destiny's child\thumbs.db:encryptable <--(they all end in this)
    and my personal document folder. Some of them say "304 bytes hidden from Windows API" or "13 bytes data mismatch between Windows API and raw hive data".

    I will try to include a screen shot for "explaining". Most of the corruption seems to be in my 2006 hurricane folder or my pictures. My GF and I use LimeWire; I think it's the reason for this output.

    How can I determine if this is really malicious code on the system or false positives?
    Curious, what does this mean? Some of them say "304 bytes hidden from Windows API". I have a pretty good idea, but wtf?
    Anything to be worried about?

    Screenshot: http://img153.imageshack.us/img153/9766/rootkitth3.th.jpg
    Last edited by Computernerd22; June 25th, 2007 at 03:04 AM.

  2. #2
    JPnyc (Senior Member)
    Join Date
    Jan 2005
    Posts
    2,734
    When you run a program like this it is absolutely crucial that you don't do anything with the computer while it's running. What the program does is take a "snapshot" of what the Windows API thinks is on your hard disk, and then it goes about reading the raw data and compares the two.
    If you have any programs open that are making changes or downloading anything or really doing anything at all, the program's snapshot of the Windows API will not reflect these changes in the raw data. That's where most discrepancies/false positives come from.

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    That just means that the file has an alternate NTFS stream. It has a flag that the file can be encrypted.

    More about NTFS: http://www.wikistc.org/wiki/Alternate_data_streams
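    A way to check entries like "thumbs.db:encryptable" yourself, as an added example that is not part of the thread: list every alternate data stream under a folder with PowerShell (assumes Windows PowerShell 3.0 or later; the folder path is a placeholder).

```powershell
# Added example (not from the thread): list NTFS alternate data streams under a
# folder so entries like "thumbs.db:encryptable" from RootkitRevealer can be
# checked by hand. Requires Windows PowerShell 3.0 or later.
function Get-AltStreams {
    param([Parameter(Mandatory)][string]$Root)

    # Stream names Windows itself attaches: "encryptable" is the one named in
    # the thread, "Zone.Identifier" marks files downloaded from the internet.
    $expected = @('encryptable', 'Zone.Identifier')

    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream; ':$DATA' is the file's normal content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File     = $file.FullName
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        Expected = ($expected -contains $_.Stream)
                    }
                }
        }
}

# Placeholder path: point this at the folder RootkitRevealer flagged.
Get-AltStreams -Root "$env:USERPROFILE\Documents" |
    Sort-Object Expected, File |
    Format-Table -AutoSize
```

    Rows with Expected = False, or an expected stream name carrying an unexpected number of bytes, are the ones worth reading with Get-Content -LiteralPath <file> -Stream <name>.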

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    You can safely remove the Thumbs.db files. They'll be re-created by Windows (thumbnails in folder views).
    Oliver's Law:
    Experience is something you don't get until just after you need it.
