Is this a rootkit clue?

Discussion in 'malware problems & news' started by bobreny, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. bobreny (Registered Member; Joined: Jun 22, 2004; Posts: 2)

    One of my security programs intercepted this attempted reg change.
    It looks like a HIDDEN file, i.e. the "~".
    Could this be a rootkit using hidden modified files?

    Bobby


    reg key change: value hacker eliminator
    rEG KEY: hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\run
    Value"Hacker Eliminator
    Data:D:\Program Files\securityD\HackerEliminator.exe
    Has been changed to D:\PROGRA~1\SECURI~1\HACKER~1.EXE

    Undo Changes
     
  2. nick s (Registered Member; Joined: Nov 20, 2002; Posts: 1,430)

    "D:\Program Files\securityD\HackerEliminator.exe" and "D:\PROGRA~1\SECURI~1\HACKER~1.EXE" mean the same thing. The first is in "long file name" notation while the second is in "MS-DOS-readable 8.3 short file name" notation. I have seen this behavior in some programs I use. The program installer may initially write to the registry in long notation, while the program itself later changes the entry to short notation.

    Rootkits do use wild card characters to hide processes, services, files, and registry keys. But that is not the case here.

    Nick
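
An alert like the one in this thread can be triaged by checking whether the new value is only the 8.3 form of the old one. The following Python sketch is an added example, not part of the original thread; it is a name-only heuristic with hypothetical function names, and on the affected host the authoritative check is to expand the short path with the Win32 `GetLongPathNameW` call and compare.

```python
import re

ILLEGAL_IN_8DOT3 = set('+,;=[]')  # replaced by '_' when Windows builds an alias

def basis(text, limit):
    """Upper-case, drop spaces and dots, map illegal characters to '_', truncate."""
    kept = ('_' if c in ILLEGAL_IN_8DOT3 else c for c in text.upper() if c not in ' .')
    return ''.join(kept)[:limit]

def component_matches(long_name, short_name):
    """True if short_name could be the 8.3 alias of long_name (name-only heuristic)."""
    if long_name.upper() == short_name.upper():
        return True
    m = re.fullmatch(r'([^~.]{1,6})~(\d+)(?:\.([^.]{0,3}))?', short_name.upper())
    if not m or len(m.group(1)) + 1 + len(m.group(2)) > 8:
        return False
    prefix, short_ext = m.group(1), m.group(3) or ''
    base, dot, ext = long_name.rpartition('.')
    if not dot:                      # no extension, e.g. "Program Files"
        base, ext = long_name, ''
    if basis(ext, 3) != short_ext:
        return False
    full = basis(base, 8)
    if full.startswith(prefix):      # usual form: leading characters + ~N
        return True
    # After several collisions Windows uses 2 characters + 4 hex hash digits + ~N;
    # the hash cannot be checked from the name alone, so accept the shape only.
    return prefix[:2] == full[:2] and re.fullmatch(r'[0-9A-F]{4}', prefix[2:]) is not None

def plausibly_same_file(old_path, new_path):
    """Compare two Windows paths component by component, allowing 8.3 aliases."""
    old_parts = old_path.strip('"').split('\\')
    new_parts = new_path.strip('"').split('\\')
    return len(old_parts) == len(new_parts) and all(
        component_matches(o, n) for o, n in zip(old_parts, new_parts))

# The two values from the alert in the first post.
OLD = r'D:\Program Files\securityD\HackerEliminator.exe'
NEW = r'D:\PROGRA~1\SECURI~1\HACKER~1.EXE'
# Constructed counter-example: a short path that points at a different executable.
OTHER = r'D:\PROGRA~1\SECURI~1\UPDATE~1.EXE'

if __name__ == '__main__':
    print(plausibly_same_file(OLD, NEW))    # True
    print(plausibly_same_file(OLD, OTHER))  # False
```

A `False` result means the change is not explained by short-name rewriting and deserves a closer look; a `True` result only says the names are consistent, since several long names can share one alias prefix.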
     