
Revealer found two items

haroldo (Newbie)
Joined: 03 October 2005
Location: United States
Posted: 03 October 2005 at 7:03am

I tried RootkitRevealer.

This is the result:

  • HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10/2/2005 7:22 AM 80 bytes Data mismatch between Windows API and raw hive data.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\7971f918-a847-4430-9279-4a52d1efe18d 9/22/2005 8:44 PM 0 bytes Hidden from Windows API.
  • C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 10/2/2005 7:22 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.

Any clues as to what I should do now?


Edited by haroldo
namrehto (Senior Member)
Joined: 23 June 2005
Location: Scotland
Posted: 06 October 2005 at 3:51pm
\RNG\Seed is normal. It's a value related to encryption that's sometimes updated during the scan.

The other two look like Windows Automatic Update did something in the background mid-scan. Just try running RKR again.
haroldo (Newbie)
Joined: 03 October 2005
Location: United States
Posted: 07 October 2005 at 1:30pm

Thanks!

So I guess I should run this when the machine is not being used, right?

namrehto (Senior Member)
Joined: 23 June 2005
Location: Scotland
Posted: 07 October 2005 at 1:51pm
Yes, you should not be using your machine when running RKR, in order to avoid false positives. The \RNG\Seed report could occur off and on, though. It appears to be harmless. As for the Windows Update items, you were probably just unlucky with the timing as/if/when the WU process did one of its regular background checks for updates.
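The triage namrehto describes (treat \RNG\Seed as normal, treat Windows Update activity as transient, re-run RKR on an idle machine and see what persists) can be scripted. The following is an added example and not part of the thread or of Sysinternals' tools; the line format is inferred from the three results quoted above, and the second scan is constructed for illustration.

```python
r"""Triage helper for RootkitRevealer (RKR) text output.

Added example, not RKR's own code. Parses result lines of the form
<path> <date> <time> <AM/PM> <size> <discrepancy description>, applies the
thread's rules (RNG\Seed is normal; WindowsUpdate / SoftwareDistribution
entries are background activity), and compares two runs so that anything
surviving a re-scan on an idle machine stands out.
"""
import re

# path, timestamp, size, then RKR's discrepancy description
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+)$"
)

def parse_rkr(text):
    """Return one dict per well-formed RKR result line (bullets are stripped)."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lstrip("\u2022 ").strip())
        if m:
            results.append(m.groupdict())
    return results

def triage(entry):
    """Classify one discrepancy as 'benign', 'transient' or 'investigate'."""
    p = entry["path"].lower()
    if p.endswith("\\cryptography\\rng\\seed"):
        return "benign"        # the OS reseeds this value, even mid-scan
    if "\\windowsupdate\\" in p or "\\softwaredistribution\\" in p:
        return "transient"     # Windows Update working in the background
    return "investigate"       # not explained by the thread's rules

def persistent_paths(scan_a, scan_b):
    """Paths reported in both scans; background noise should drop out on re-run."""
    paths_b = {e["path"].lower() for e in parse_rkr(scan_b)}
    return sorted(e["path"] for e in parse_rkr(scan_a) if e["path"].lower() in paths_b)

# The three results quoted in the first post (HTML entity debris removed)
FIRST_RUN = """\
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed 10/2/2005 7:22 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Reporting\\EventCache\\7971f918-a847-4430-9279-4a52d1efe18d 9/22/2005 8:44 PM 0 bytes Hidden from Windows API.
C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs\\tmp.edb 10/2/2005 7:22 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
"""
# Constructed second run on an idle machine: only the reseeded RNG value remains
SECOND_RUN = """\
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed 10/3/2005 9:10 AM 80 bytes Data mismatch between Windows API and raw hive data.
"""
```

Anything that `triage` returns as "investigate" and that `persistent_paths` reports across two idle-machine runs is the subset worth a closer look; the rest is the noise the thread describes.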