Is this a rootkit clue?

Discussion in 'malware problems & news' started by bobreny, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. bobreny

    bobreny Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    2
    one of my security programs intercepted this attempted reg change?
    It looks like a HIDDEN files ie the "~"
    Could this be a root kit using hidden modified files?

    Bobby


    reg key change: value hacker eliminator
    rEG KEY: hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\run
    Value"Hacker Eliminator
    Data:D:\Program Files\securityD\HackerEliminator.exe
    Has been changed to D:\PROGRA~1\SECURI~1\HACKER~1.EXE

    Undo Changes
     
    bobreny, Jun 22, 2004
    #1
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    "D:\Program Files\securityD\HackerEliminator.exe" and "D:\PROGRA~1\SECURI~1\HACKER~1.EXE" mean the same thing. The first is in "long file name" notation while the second is in "MS-DOS-readable 8.3 short file name" notation. I have seen this behavior in some programs I use. The program installer may initially write to the registry in long notation, while the program itself later changes the entry to short notation.

    Rootkits do use wild card characters to hide processes, services, files, and registry keys. But that is not the case here.

    Nick
     
    nick s, Jun 22, 2004
    #2
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...