Solved

RootkitRevealer shows 12,000 files "Hidden from Windows API", but they are legit files!?

Posted on 2006-07-01
4
256 Views
Last Modified: 2013-12-04
Hello. I've used RootkitRevealer many times, and I'm pretty good at interpreting its results.

However, I have one computer which has very *strange* results.

RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files. I didn't look through all 12,000, but I did browse them. I did not search the *entire* results to look for malware files, that would take hours.

I cleared the IE cache beforehand, shut off the screensaver, closed all apps (except processes always running in background), and didn't touch the computer during the scan.

I ran it 3 times, results were similar.

Has anyone seen this? What could be causing this?

Thanks...
-Jon
Question by:JONATHANHELD
4 Comments
LVL 97

Accepted Solution

by:
war1 earned 300 total points
ID: 17024777
Greetings, JONATHANHELD !

The 12,000 files include System Restore files, which are hidden from the Windows API.  If you do not want the results of System Restore cluttering your Rootkit Revealer results, you can turn OFF and then ON System Restore.

Best wishes!
LVL 32

Assisted Solution

by:r-k
r-k earned 100 total points
ID: 17025101
Can you post a sample of what you found?
The most interesting part is usually the first 50 lines or so.

Was there anything in the Registry that was hidden?

Just to rule out bugs, use the latest version of RootkitRevealer.
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 17026251
>>RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files.<<

That normally happens when the user scans his PC with Rootkit Revealer while not leaving the PC idle; the log will be polluted with legit entries. When Rootkit Revealer is scanning and the PC is not idle, e.g. the user is browsing online or opening/closing programs, all these activities are recorded as "hidden from API" because of how Rootkit Revealer works.
A log from Rootkit Revealer shows everything that is happening during the time it took to create the log. Not all entries are bad.

When Rootkit Revealer starts, it asks Windows what is there and records it, then compares it with what is on the disk. All activities that were going on while Rootkit Revealer was scanning will be recorded as hidden from the Windows API. Of course it does not mean it is hidden.
It is always recommended to leave the PC idle when scanning with Rootkit Revealer.
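As an added illustration of the two points above (war1's System Restore noise and rpggamergirl's activity-during-scan effect), not code from this thread or from Sysinternals: a small Python triage pass over a constructed RootkitRevealer-style log. The four-field tab-separated layout, the timestamp format, and all sample paths and times are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample in the tab-separated shape assumed for RootkitRevealer
# output (path, timestamp, size, discrepancy text). Every path, time and
# size here is made up for this example.
SAMPLE_LOG = (
    "C:\\System Volume Information\\_restore{0000-EXAMPLE}\\RP12\\A0001.dll"
    "\t7/1/2006 9:58 AM\t96.00 KB\tHidden from Windows API.\n"
    "C:\\Documents and Settings\\jon\\Local Settings\\Temp\\~DF1.tmp"
    "\t7/1/2006 10:07 AM\t16.00 KB\tHidden from Windows API.\n"
    "C:\\WINDOWS\\system32\\drivers\\example.sys"
    "\t6/12/2006 3:14 PM\t24.00 KB\tHidden from Windows API.\n"
)

# System Restore keeps its snapshots under this folder, which the Windows
# API hides from normal enumeration (the point made by war1 above).
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.I)

def parse_stamp(stamp):
    """Parse a timestamp like '7/1/2006 9:58 AM' (assumed RKR format)."""
    return datetime.strptime(stamp, "%m/%d/%Y %I:%M %p")

def parse_log(text):
    """Turn log lines into dicts; lines without exactly four fields are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue
        path, stamp, size, status = fields
        entries.append({"path": path, "time": parse_stamp(stamp),
                        "size": size, "status": status})
    return entries

def triage(entries, scan_start, scan_end):
    """Bucket entries: System Restore noise, files touched while the scan ran
    (rpggamergirl's point: a moving target shows up as a discrepancy), and
    the remainder that still needs a human look."""
    buckets = {"system_restore": [], "changed_during_scan": [], "review": []}
    for e in entries:
        if RESTORE_RE.search(e["path"]):
            buckets["system_restore"].append(e["path"])
        elif scan_start <= e["time"] <= scan_end:
            buckets["changed_during_scan"].append(e["path"])
        else:
            buckets["review"].append(e["path"])
    return buckets
```

The "changed_during_scan" bucket is only a hint for re-running the scan on an idle machine; anything left in "review" (here the driver file with a timestamp well before the scan window) is what deserves a manual look.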
Author Comment

by:JONATHANHELD
ID: 17031038
Thanks to all for your input.

I found the problem - the Hard Drive is starting to crash.
It's having one of those "slow" crashes - 20 bad sectors, next day 100 bad sectors, next day 800 bad sectors, etc. I've seen this before.

So I'm guessing this is the reason why RKR showed inaccurate data.

Cheers...
-Jon