Rootkit in System.EnterpriseServices?

  • Thread starter Thread starter max_weinland
  • Start date Start date
M

max_weinland

Hello,

I have run RootkitRevealer from www.sysinternals.com.
Can someone please explain this results.
Is there a rootkit hidden in System.EnterpriseServices?

Thank you,
Max Weinland

C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 04.11.2005
22:09 258 bytes Visible in Windows API, but not in MFT or directory
index.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll 04.11.2005
22:09 114 bytes Visible in Windows API, but not in MFT or directory
index.
 
Hello,

I have run RootkitRevealer from www.sysinternals.com.
Can someone please explain this results.
Is there a rootkit hidden in System.EnterpriseServices?

Thank you,
Max Weinland

C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f
11d50a3a\System.EnterpriseServices.dll 04.11.2005 22:09 258 bytes
Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f
11d50a3a\System.EnterpriseServices.Wrapper.dll 04.11.2005 22:09 114
bytes Visible in Windows API, but not in MFT or directory index.
Click to expand...

A rootkit is a piece of software which overwrites hooks in a table in
kernel memory so that a special crafted driver is ran instead of the
normal driver/service pointed by the hook. THis way access to files,
folder data etc. can be intercepted and ignored in for example dir
listings.

In any case, a rootkit will try to hide files from the Windows API. If
you then use low-level measures to read the NTFS data and compare it
against the data reported from the Windows API (which is used by
explorer, cmd.exe..) you can find files which are made hidden at some
point, but always are these files showing up in the low level searches
and not in the windows api listing.

In your case, it's the other way around, so not the work of a rootkit.
It's also that the file shown / found in the windows api listing isn't
the rootkit or the file containing the rootkit.

I'd suggest to you to run chkdsk c: /F

This will likely require you to reboot first and run the diskcheck
prior to XP boot.

Frans


--
 
Back
Top