
RootkitRevealer shows 12,000 files "Hidden from Windows API", but they are legit files!?

Posted on 2006-07-01
Last Modified: 2013-12-04
Hello. I've used RootkitRevealer many times, and I'm pretty good at interpreting its results.

However, I have one computer which has very *strange* results.

RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files. I didn't look through all 12,000, but I did browse them. I did not search the *entire* results to look for malware files, that would take hours.

I cleared the IE cache beforehand, shut off the screensaver, closed all apps (except processes always running in background), and didn't touch the computer during the scan.

I ran it 3 times, results were similar.

Has anyone seen this? What could be causing this?

Thanks...
-Jon
Question by:JONATHANHELD
4 Comments
LVL 97

Accepted Solution

by:
war1 earned 300 total points
ID: 17024777
Greetings, JONATHANHELD !

The 12,000 files include System Restore files, which are hidden from the Windows API.  If you do not want the results of System Restore cluttering your Rootkit Revealer results, you can turn System Restore OFF and then ON again.

Best wishes!
LVL 32

Assisted Solution

by:r-k
r-k earned 100 total points
ID: 17025101
Can you post a sample of what you found?
The most interesting part is usually the first 50 lines or so.

Was there anything in the Registry that was hidden?

Just to rule out bugs, use the latest version of RootkitRevealer.
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 17026251
>>RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files.<<

That normally happens when the user scans his PC with Rootkit Revealer and at the same time does not leave the PC idle; the log will be polluted with legit entries. When Rootkit Revealer is scanning and the PC is not idle, e.g. the user is browsing online or opening/closing programs, all these activities are recorded as "hidden from API" because of how Rootkit Revealer works.
A log from Rootkit Revealer shows everything that was happening during the time it took to create the log. Not all entries are bad.

When Rootkit Revealer starts, it asks Windows what is there and records it, then compares that with what is on the disk. All activity that was going on while Rootkit Revealer was scanning will be recorded as hidden from the Windows API. Of course, that does not mean it is hidden.
It is always recommended to leave the PC idle when scanning with Rootkit Revealer.
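The cross-view comparison described in the two answers above, as an added illustration (not code from RootkitRevealer or from any poster): the "API view" and the "raw on-disk view" are two snapshots taken at different moments, so files written between them show up as discrepancies, while rescanning and keeping only what persists filters that noise out; entries under the System Restore store are then set aside as expected. The snapshot model, the sample paths and the assumption that System Restore lives under `System Volume Information` are all constructed for this example.

```python
from typing import Dict, Iterable, Set

def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Set[str]:
    """Paths the low-level (on-disk) view reports that the Windows API view did not."""
    return set(raw_view) - set(api_view)

def persistent_discrepancies(runs: Iterable[Set[str]]) -> Set[str]:
    """Intersect several runs: a file created or deleted during one scan drops out."""
    runs = [set(r) for r in runs]
    return set.intersection(*runs) if runs else set()

def is_system_restore(path: str) -> bool:
    # Assumption: System Restore keeps its store under System Volume Information.
    return "\\system volume information\\" in path.lower()

def triage(discrepancies: Iterable[str]) -> Dict[str, Set[str]]:
    """Split discrepancies into expected System Restore entries and ones to inspect."""
    out: Dict[str, Set[str]] = {"system_restore": set(), "inspect": set()}
    for p in discrepancies:
        out["system_restore" if is_system_restore(p) else "inspect"].add(p)
    return out

# Constructed sample data (not real scan output): a stable tree, the restore store,
# one path the API never lists, and per-run files a browser wrote during the scan.
BASE = {r"C:\Windows\explorer.exe", r"C:\Windows\System32\kernel32.dll"}
RESTORE = {r"C:\System Volume Information\_restore{CONSTRUCTED-GUID}\RP1\A0000001.dll"}
HIDDEN = {r"C:\Windows\System32\drivers\hypothetical-hidden.sys"}  # placeholder path
ACTIVITY = [{r"C:\Temp\Cache\ad_1.gif"}, {r"C:\Temp\Cache\page_2.htm"}]

def scan(activity: Set[str]) -> Set[str]:
    """One simulated scan: the API pass runs first; the raw pass sees files written since."""
    api_view = BASE
    raw_view = BASE | activity | RESTORE | HIDDEN
    return cross_view_diff(api_view, raw_view)

def simulate() -> Dict[str, Set[str]]:
    """Run the scan once per activity burst, keep what persists, then triage it."""
    runs = [scan(a) for a in ACTIVITY]
    return triage(persistent_discrepancies(runs))

if __name__ == "__main__":
    for i, a in enumerate(ACTIVITY, 1):
        print(f"run {i}: {sorted(scan(a))}")
    print("after intersection and triage:", simulate())
```

Each single run reports the cache file written during it alongside the persistent entries, which is the pollution the answers describe; only the intersection is worth reading closely.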

Author Comment

by:JONATHANHELD
ID: 17031038
Thanks to all for your input.

I found the problem - the Hard Drive is starting to crash.
It's having one of those "slow" crashes - 20 bad sectors, next day 100 bad sectors, next day 800 bad sectors, etc. I've seen this before.

So I'm guessing this is the reason why RKR showed inaccurate data.

Cheers...
-Jon