Rootkit?

Caporegime, joined 12 Mar 2004, 29,962 posts, England
RootkitRevealer and Sophos Anti-Rootkit pick up these entries on a Windows XP Pro SP3 machine. Are they anything malicious or a false positive?

[attachment: sophos-ar.JPG]

[attachment: rkr.JPG]
 
Can't read the second one...

Run Malwarebytes, NOD32, Spybot S&D etc.

Turn System Restore off first.
 
System Restore is off. I have run antivirus scans and Spybot but nothing came up. What do you mean you can't read the 2nd one, the second picture?
 
I'm sorry I can't help with the thread, but I've seen on a couple of occasions people saying to turn System Restore off. What are the advantages of doing that?

Thanks
 
I believe it's to stop the virus rewriting itself.

Pointless having System Restore on if you have to turn it off when you get a virus.
 
System Restore can be useful if you cause problems when installing a dodgy driver or something. So for some people it might be beneficial to switch it back on once you've cleaned up your system.

If you get a virus you have to turn it off to wipe the restore points, because the virus could still be there (switch System Restore off, then restart the system to remove any stored restore points).
 
^^ Driver rollback is independent of System Restore; you can just enter Safe Mode and remove a dodgy driver with System Restore off.
 
Not sure about the first image, but the second one seems safe enough.

RKR 1.71 now scans the HKLM\Security hive, and as a consequence it finds keys with trailing nulls such as

HKLM\Security\Policy\Secrets\SAC*
HKLM\Security\Policy\Secrets\SAI*

These are Windows keys; they just didn't show up in earlier versions of RKR.
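To make the "trailing null" point concrete, here is an added example (my own code, not from the thread or from RootkitRevealer) that shows why such keys end up in a RootkitRevealer-style discrepancy report and how a defender can triage them. Win32 registry functions treat a key name as a NUL-terminated C string, while the kernel stores it as a counted string; a name ending in a NUL is therefore visible to a raw/native scan but cannot be opened by name through the Win32 API. The hive snapshot, the example paths outside HKLM\Security and the allow-list are constructed for this example; the allow-list only reflects the SAC*/SAI* keys the post above identifies as normal Windows keys, and the reason string is modelled on RootkitRevealer's wording rather than copied from it.

```python
from dataclasses import dataclass

# Constructed low-level view: counted key names as a native/raw hive scan would
# report them. "SAC\x00" and "SAI\x00" model the keys discussed in the thread;
# the HKLM\SOFTWARE\Example branch is made up to show a non-allow-listed hit.
RAW_HIVE = {
    r"HKLM\Security\Policy\Secrets": ["SAC\x00", "SAI\x00", "DPAPI_SYSTEM", "NL$KM"],
    r"HKLM\SOFTWARE\Example": ["Normal", "Hidden\x00", "Ok"],
}

# Trailing-NUL keys the thread identifies as normal Windows keys (SAC*/SAI*
# under HKLM\Security\Policy\Secrets). Anything else with a NUL gets flagged.
KNOWN_BENIGN_PREFIXES = (
    r"HKLM\Security\Policy\Secrets\SAC",
    r"HKLM\Security\Policy\Secrets\SAI",
)


@dataclass(frozen=True)
class Discrepancy:
    path: str           # full path, NUL rendered as <NUL> for display
    win32_name: str     # the name a C-string consumer would see
    reason: str
    likely_benign: bool


def win32_view(names):
    """Emulate the Win32 view: a key name is a NUL-terminated string, so a name
    that contains NUL cannot be opened by name; only NUL-free names are
    addressable at all."""
    return {n for n in names if "\x00" not in n}


def is_known_benign(parent, raw_name, benign_prefixes):
    """Only keys with *trailing* NULs (nothing after the NUL) whose path matches
    a documented Windows key count as benign; a NUL in the middle of a name
    does not match the SAC*/SAI* pattern."""
    stripped = raw_name.rstrip("\x00")
    if "\x00" in stripped:
        return False
    return (parent + "\\" + stripped).startswith(benign_prefixes)


def find_discrepancies(hive=RAW_HIVE, benign_prefixes=KNOWN_BENIGN_PREFIXES):
    """Compare the counted-string (native) view with the C-string (Win32) view
    and report every key the Win32 API cannot address, RootkitRevealer-style."""
    hits = []
    for parent, names in hive.items():
        addressable = win32_view(names)
        for raw in names:
            if raw in addressable:
                continue
            hits.append(Discrepancy(
                path=(parent + "\\" + raw).replace("\x00", "<NUL>"),
                win32_name=raw.split("\x00", 1)[0],
                reason="Key name contains embedded nulls",
                likely_benign=is_known_benign(parent, raw, benign_prefixes),
            ))
    return hits


def needs_review(hits):
    """Everything not on the allow-list is what the analyst should look at."""
    return [h for h in hits if not h.likely_benign]


if __name__ == "__main__":
    for h in find_discrepancies():
        tag = "known Windows key" if h.likely_benign else "REVIEW"
        print(f"{tag:18} {h.path}  (Win32 sees: {h.win32_name!r})")
```

Run as-is it lists three hits: the two SAC/SAI entries tagged as known Windows keys and the constructed `Hidden<NUL>` key tagged for review. The allow-list is deliberately narrow (trailing NUL only, under the documented path), so a key that merely imitates the SAC/SAI naming elsewhere in the registry still surfaces for review.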
 
^^ Driver rollback is independent of System Restore; you can just enter Safe Mode and remove a dodgy driver with System Restore off.

Yes, choosing a driver was possibly a bad example, but the point I was making is still valid. System Restore can prove useful to some people but is an unnecessary drain to others.
 