On 4/24/06, dave matthews <[EMAIL PROTECTED]> wrote:
>
> hi all,
>
> RootkitRevealer flagged this file as a problem:
>
> c:\Documents and Settings\myUserName\Application Data\Macromedia\Flash
> Player\macromedia.com\support\flashplayer\sys\#name.com.
>
> Was able to delete all other files in this folder, this one resists
> deletion and renaming. Tried deleting it using safe mode too... no luck.
>
> Please notice the 'period' at the end of the file name, seems unique and
> no other files in the folder have one at the end of "com".
>
> Googled the real company name and they seem to be a reputable Flash
> component seller, so I changed it to "#name.com." for this post.
How does RootkitRevealer work? I think it scans your entire hard drive, once using standard Windows calls, and once using low-level disk access. It then compares the two scans, to look for files that are different between the two, which shows that a rootkit is possibly trying to hide something.

However, this could produce false positives (i.e., flag files that are innocent), if the file changes in between the two scans. For example, say you have a chat program, which logs to disk all incoming messages. If someone sends you a message after the first scan, but before the second, then RootkitRevealer will detect a difference in the two scans, and flag your chat file as having something wrong with it.

However, the inability to delete/rename it seems odd. Try downloading Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html) and searching to see what process is accessing that file. That might give some further clues.

-David R

_______________________________________________
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
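The cross-view comparison described in the reply, as an added example that is not part of the thread or of RootkitRevealer itself: two constructed dicts stand in for the Win32-API scan and the raw-disk scan, a targeted re-scan drops the timing false positive (the chat-log case), and a separate check reports names that Win32 path normalization alters. That last rule is standard Win32 behaviour (trailing dots and spaces are stripped from each path component), which is why an entry such as "#name.com." cannot be reached by ordinary delete or rename commands; the sample data are constructed.

```python
from __future__ import annotations

def cross_view_diff(api_view: dict[str, int], raw_view: dict[str, int]) -> dict[str, str]:
    """Compare the Win32-API view with the raw-disk view of the same tree.
    Both views map relative path -> size. Returns {path: reason}."""
    findings: dict[str, str] = {}
    for path in api_view.keys() | raw_view.keys():
        if path not in api_view:
            findings[path] = "present on disk, missing from Win32 API view"
        elif path not in raw_view:
            findings[path] = "present in Win32 API view, missing on disk"
        elif api_view[path] != raw_view[path]:
            findings[path] = "size differs between views"
    return findings

def confirm(findings: dict[str, str], api_again: dict[str, int],
            raw_again: dict[str, int]) -> dict[str, str]:
    """Re-scan only the flagged paths. A discrepancy caused by a write that
    landed between the two original scans (a chat log, for instance) is gone
    on the second look; a file that is really hidden is still hidden."""
    return {p: why for p, why in findings.items() if api_again.get(p) != raw_again.get(p)}

def win32_unaddressable(paths) -> list[str]:
    """Names that Win32 path normalization would change. Win32 strips trailing
    dots and spaces from each component, so "name.com." is opened as "name.com"
    and ordinary delete/rename commands never reach the real entry."""
    return sorted(p for p in paths
                  if any(part != part.rstrip(". ") for part in p.split("/")))

# Constructed sample data: first pair of scans, then a targeted re-scan.
API_1 = {"chat.log": 100, "driver.sys": 8, "sys/#name.com.": 5}
RAW_1 = {"chat.log": 140, "driver.sys": 8, "hidden.dat": 3, "sys/#name.com.": 5}
API_2 = {"chat.log": 140, "driver.sys": 8, "sys/#name.com.": 5}
RAW_2 = {"chat.log": 140, "driver.sys": 8, "hidden.dat": 3, "sys/#name.com.": 5}

if __name__ == "__main__":
    first = cross_view_diff(API_1, RAW_1)
    print("first pass:", first)                    # chat.log and hidden.dat
    print("confirmed:", confirm(first, API_2, RAW_2))   # only hidden.dat remains
    print("unaddressable names:", win32_unaddressable(RAW_1))
```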