Is this a rootkit clue?

Discussion in 'malware problems & news' started by bobreny, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. bobreny

    bobreny Registered Member

    Jun 22, 2004
    One of my security programs intercepted this attempted reg change.
    It looks like a HIDDEN file, i.e. the "~".
    Could this be a rootkit using hidden modified files?


    reg key change: value hacker eliminator
    rEG KEY: hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\run
    Value"Hacker Eliminator
    Data:D:\Program Files\securityD\HackerEliminator.exe
    Has been changed to D:\PROGRA~1\SECURI~1\HACKER~1.EXE

    Undo Changes
  2. nick s

    nick s Registered Member

    Nov 20, 2002
    "D:\Program Files\securityD\HackerEliminator.exe" and "D:\PROGRA~1\SECURI~1\HACKER~1.EXE" mean the same thing. The first is in "long file name" notation while the second is in "MS-DOS-readable 8.3 short file name" notation. I have seen this behavior in some programs I use. The program installer may initially write to the registry in long notation, while the program itself later changes the entry to short notation.

    Rootkits do use wild card characters to hide processes, services, files, and registry keys. But that is not the case here.
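
The long-name versus 8.3 short-name equivalence described in the reply above can be checked offline when triaging an alert like this one. This is an added example, not part of the original posts: the function names are hypothetical, and the alias rules in it are a heuristic approximation of how Windows generates short names, not the OS routine itself.

```python
import re
from pathlib import PureWindowsPath

# Heuristic model of Windows 8.3 alias generation (an approximation, not the OS routine).
_ILLEGAL_83 = set("+,;=[]")          # replaced with "_" in short names
_SHORT = re.compile(r"^([^~.]{1,6})~([1-9][0-9]*)(?:\.([^.]{0,3}))?$")


def _basis(long_name):
    """Uppercase, drop spaces and extra dots, keep at most 3 extension characters."""
    name = long_name.upper().replace(" ", "").lstrip(".")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    fix = lambda s: "".join("_" if c in _ILLEGAL_83 else c for c in s)
    return fix(stem.replace(".", "")), fix(ext)[:3]


def component_matches(long_name, short_name):
    """True if short_name could be the 8.3 alias of long_name (or is the same name)."""
    if long_name.upper() == short_name.upper():
        return True
    m = _SHORT.match(short_name.upper())
    if not m:
        return False
    prefix, tail, short_ext = m.group(1), m.group(2), m.group(3) or ""
    stem, ext = _basis(long_name)
    if short_ext != ext:
        return False
    # Usual form: leading characters of the stem, shortened so prefix + "~N" fits in 8.
    if stem.startswith(prefix) and len(prefix) == min(len(stem), 7 - len(tail)):
        return True
    # After several collisions Windows switches to 2 characters + 4 hex hash digits.
    return prefix[:2] == stem[:2] and re.fullmatch(r"[0-9A-F]{4}", prefix[2:]) is not None


def plausible_short_alias(long_path, short_path):
    """Compare two registry path values component by component."""
    a, b = PureWindowsPath(long_path), PureWindowsPath(short_path)
    if a.anchor.upper() != b.anchor.upper() or len(a.parts) != len(b.parts):
        return False
    return all(component_matches(x, y) for x, y in zip(a.parts[1:], b.parts[1:]))


# The two values from the alert quoted in the thread.
OLD = r"D:\Program Files\securityD\HackerEliminator.exe"
NEW = r"D:\PROGRA~1\SECURI~1\HACKER~1.EXE"
# Constructed counter-example: same folders, different executable.
OTHER = r"D:\PROGRA~1\SECURI~1\HELPER~1.EXE"

if __name__ == "__main__":
    print(plausible_short_alias(OLD, NEW), plausible_short_alias(OLD, OTHER))
```

A True result only says the rewrite is consistent with short-name aliasing; on the affected machine, resolving the short path with the Win32 GetLongPathName API gives the definitive answer.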
