I have run RootkitRevealer from www.sysinternals.com.
Can someone please explain this results.
Is there a rootkit hidden in System.EnterpriseServices?
Thank you,
Max Weinland
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 04.11.2005
22:09 258 bytes Visible in Windows API, but not in MFT or directory
index.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll 04.11.2005
22:09 114 bytes Visible in Windows API, but not in MFT or directory
index.
A rootkit is a piece of software which overwrites hooks in a table in
kernel memory so that a special crafted driver is ran instead of the
normal driver/service pointed by the hook. THis way access to files,
folder data etc. can be intercepted and ignored in for example dir
listings.
In any case, a rootkit will try to hide files from the Windows API. If
you then use low-level measures to read the NTFS data and compare it
against the data reported from the Windows API (which is used by
explorer, cmd.exe..) you can find files which are made hidden at some
point, but always are these files showing up in the low level searches
and not in the windows api listing.
In your case, it's the other way around, so not the work of a rootkit.
It's also that the file shown / found in the windows api listing isn't
the rootkit or the file containing the rootkit.
I'd suggest to you to run chkdsk c: /F
This will likely require you to reboot first and run the diskcheck
prior to XP boot.
Frans
--
------------------------------------------------------------------------
Get LLBLGen Pro, productive O/R mapping for .NET: http://www.llblgen.com
My .NET blog: http://weblogs.asp.net/fbouma
Microsoft MVP (C#)
------------------------------------------------------------------------