Revealer found two items

Message Topic Search Topic Options Post Reply Create New Topic Printable Version

   I tried RootkitRevealer 
This is the result

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10/2/2005 7:22 AM 80 bytes Data mismatch between Windows API and raw hive data. 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate  \Reporting\EventCache\7971f918-a847-4430-9279-4a52d1efe18d&a mp;a mp;n bsp;9/22/2005 8:44 PM 0 bytes Hidden from Windows API. 
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb  10/2/2005 7:22 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.

Any clues as to what I should do now.

Edited by haroldo

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version
haroldo Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 03 October 2005 Location: United States Online Status: Offline Posts: 3	Quote Reply Topic: Revealer found two items Posted: 03 October 2005 at 7:03am
	I tried RootkitRevealer This is the result HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10/2/2005 7:22 AM 80 bytes Data mismatch between Windows API and raw hive data. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate \Reporting\EventCache\7971f918-a847-4430-9279-4a52d1efe18d&a mp;a mp;n bsp;9/22/2005 8:44 PM 0 bytes Hidden from Windows API. C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 10/2/2005 7:22 AM 64.00 KB Visible in Windows API, but not in MFT or directory index. Any clues as to what I should do now. Edited by haroldo
	Calendar of Updates Stay on top of your security updates!

namrehto Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 23 June 2005 Location: Scotland Online Status: Offline Posts: 3861	Quote Reply Posted: 06 October 2005 at 3:51pm
	\RNG\Seed is normal. It's a value related to encryption that's sometimes updated during the scan. The other two look like Windows Automatic Update did something in the background mid-scan. Just try running RKR again.

haroldo Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 03 October 2005 Location: United States Online Status: Offline Posts: 3	Quote Reply Posted: 07 October 2005 at 1:30pm
	Thanks! So I guess I should run this when the machine is not being used, right
	Calendar of Updates Stay on top of your security updates!

namrehto Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 23 June 2005 Location: Scotland Online Status: Offline Posts: 3861	Quote Reply Posted: 07 October 2005 at 1:51pm
	Yes, you should not be using your machine when running RKR, in order to avoid false positives. The \RNG\Seed report could occur off and on, though. It appears to be harmless. As for the Windows Update items, you were probably just unlucky with the timing as/if/when the WU process did one of its regular background checks for updates.