"Todd Towles" <[EMAIL PROTECTED]> writes: > But if it is a rootkit, does it not hide from normal AV scanning?
The Rxbot/Spybot variant that I've seen recently had a couple of startup hooks in the registry - "blah service" and value was "xaxe.exe" or "bling.exe". It made no real effort to hide, and could be removed by deleting startup keys, rebooting and then deleting the file in system32 - no serious attempt at hiding. cheers, Jamie -- James Riden / [EMAIL PROTECTED] / Systems Security Engineer Information Technology Services, Massey University, NZ. GPG public key available at: http://www.massey.ac.nz/~jriden/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
