RootAlyzer log file - Please help!

rootbot
2008-09-25, 09:51
I recently downloaded the latest version of RootAlyzer and did a deep scan. Even though my quick scan came up with no hidden stuff for all 6 categories, I found 3 items in the deep scan. Here's my log. Please help with interpreting the results. Thanks!

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File: "Unknown ADS", "C:\WINDOWS\Cursors\arrow_n.cur:NEDTA.DAT:$DATA"

File: "Unknown ADS", "C:\Documents and Settings\playerguy\My Documents\Security\AntiRootkit\PAVARK.exe:License:$DATA"

Directory:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA"

So that's my log above. Thanks for any help or comments that you can offer!

PepiMK
2008-09-25, 16:29
The first is registration information from Ahead Nero, the CD/DVD burning suite that uses this "rootkit" method to hide it.

The second seems to be the license of PAVARK? You can use FileAlyzer to view PAVARK.exe, Stream tab; I'm pretty sure it'll contain just text.

The last one RootAlyzer should already tell you about as being some Office stuff; that's not dangerous either :)
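To check the three findings the way PepiMK suggests (look at what the streams actually contain rather than trusting the name), here is an added triage script; it is not from the thread, RootAlyzer or FileAlyzer, and assumes Windows PowerShell 3.0 to 5.1 on the affected machine, with the file and directory paths copied from the posted log.

```powershell
# Added triage script (not from the thread): inspect the three RootAlyzer findings.
# Assumes Windows PowerShell 3.0-5.1 ('-Encoding Byte' was removed in PowerShell 6+).
$findings = @(
    'C:\WINDOWS\Cursors\arrow_n.cur',
    'C:\Documents and Settings\playerguy\My Documents\Security\AntiRootkit\PAVARK.exe'
)

foreach ($file in $findings) {
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "Missing: $file"; continue }
    # Enumerate every NTFS stream on the file; ':$DATA' is the normal unnamed
    # stream, anything else is an alternate data stream (ADS).
    Get-Item -LiteralPath $file -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_.Stream
            # Read the ADS as raw bytes so text (license/registration data) can be
            # told apart from an executable: PE images start with the 'MZ' signature.
            [byte[]]$bytes = Get-Content -LiteralPath $file -Stream $stream -Encoding Byte -ReadCount 0
            $isPE = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
            $printable = @($bytes | Where-Object {
                ($_ -ge 0x20 -and $_ -le 0x7E) -or ($_ -in 9, 10, 13) }).Count
            $ratio = if ($bytes.Length) { $printable / $bytes.Length } else { 0 }
            $preview = ''
            if ($bytes.Length) {
                $preview = -join ($bytes[0..[math]::Min(63, $bytes.Length - 1)] |
                    ForEach-Object { if ($_ -ge 0x20 -and $_ -le 0x7E) { [char]$_ } else { '.' } })
            }
            [pscustomobject]@{
                File        = $file
                Stream      = $stream
                Bytes       = $bytes.Length
                LooksLikePE = $isPE        # $true deserves a closer look; text streams are usually benign
                TextRatio   = [math]::Round($ratio, 2)   # close to 1.0 means plain text
                Preview     = $preview
            }
        }
}

# Third finding: a directory whose ACL has no Administrators entry. List who does have access
# so the entries can be compared with a known-good Office install.
$dir = 'C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA'
if (Test-Path -LiteralPath $dir) {
    (Get-Acl -LiteralPath $dir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

A high TextRatio with a readable Preview matches PepiMK's description of the Nero and PAVARK streams; a LooksLikePE of $true on a cursor file would be the case worth submitting for analysis.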

rootbot
2008-09-29, 12:40
Thanks for the reply. I had no idea what the first entry was, or that it was linked to Nero. Should I get rid of Nero? I did pay for a license but it's about to expire anyway, so I probably won't be renewing with them after this. As for PAVARK, it is a file from Panda AntiRootkit, so I am puzzled as to why it would show up as infected. You are right about the last one. It did appear to be from Office, but I posted because I figured malware could appear more legit by pretending to be from Office. Is that usually the directory the unknown ADS shows up in? How can you tell a legitimate Office directory from a rootkit one?