RootkitRevealer shows 12,000 files "Hidden from Windows API", but they are legit files!?

Hello. I've used RootkitRevealer many times, and I'm pretty good at interpreting its results.

However, I have one computer which has very *strange* results.

RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files. I didn't look through all 12,000, but I did browse them. I did not search the *entire* results to look for malware files, that would take hours.

I cleared the IE cache beforehand, shut off the screensaver, closed all apps (except processes always running in background), and didn't touch the computer during the scan.

I ran it 3 times, results were similar.

has anyone seen this? What's could be causing this?

Thanks...
-Jon
JONATHANHELDAsked:
Who is Participating?
 
war1Commented:
Greetings, JONATHANHELD !

The 12,000 files include System Restore, which are hidden of Windows API.  If you do not want the results of System Restore cluttering your Rootkit Revealer results, you can turn OFF and then ON System Restore.

Best wishes!
0
 
r-kCommented:
Can you post a sample of what you found?
The most interesting part is usually the first 50 lines or so.

Was there anything in the Registry that was hidden?

Just to rule out bugs, use the latest version of RootkitRevealer.
0
 
rpggamergirlCommented:
>>RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files.<<

That normally happens when the user scans his pc with Rootkit Revealer and at the same time not leaving the pc idle, the log will be polluted with legit entries. When Rootkit Revealer is scanning and pc is not idle e.g. the user is browsing online, opening/closing programs, all these activities are recorded as "hidden from API" because of how Rootkit Revealer works.
A log from Rootkit Revealer shows everything that is happening during the time it took to create the log. Not all entries are bad.

When Rootkit Revealer starts, it asks windows what is there and records it, then compare it with what is on the disk. All activities that was going on while rootkit revealer was scanning will be recorded as hidden from windows API. Of course it does not mean it is hidden.
It is always recommended to leave the pc idle when scanning with Rootkit Revealer.
0
 
JONATHANHELDAuthor Commented:
Thanks to all for your input.

I found the problem - the Hard Drive is starting to crash.
It's having one of those "slow" crashes - 20 bad sectors, next day 100 bad secors, next day 800 bad sectors, etc. I've seen this before.

So I'm guessing this is the reason why RKR showed inaccurate data.

Cheers...
-Jon
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.