As before, the
As you know, the
As a driver developer and antivirus researcher and developer I have certain methods to try and find out things. I tend to use out-of-the-box software for a first diagnosis. Since the user gave me temporary access to his machine via UltraVNC after a long chat session, I got the chance to look at it by myself. Mostly the user got to control his machine by himself, and we kept talking via chat. The first suggestion was to have certain tools downloaded from Sysinternals (now Microsoft Technet). Among them was the well-known Rootkit Revealer, Process Explorer and AutoRuns. Amazingly the Rootkit Revealer spotted the culprit quickly. Several files and folders were hidden from normal enumeration with Windows functions and suggested (by name and size) to be backups. Also the number of these files and their size matched the
The culprit - revealed through the folders named “RRestore” - was a program called “Rapid Restore” delivered with many IBM/Lenovo notebooks, as it seems. This program, for whatever reason, hides its backups from the user by means reminiscent of kernel mode rootkits and allows restoration of backups through some tool also delivered in the software bundle of the notebooks. So this is yet another software causing
I personally prefer backup software which I control, not the benevolent vendor of the machine I have bought.
// Oliver
0 Responses to “<Unknown> keeping us busy”