Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

RootkitRevealer shows 12,000 files "Hidden from Windows API", but they are legit files!?

Posted on 2006-07-01
4
Medium Priority
?
259 Views
Last Modified: 2013-12-04
Hello. I've used RootkitRevealer many times, and I'm pretty good at interpreting its results.

However, I have one computer which has very *strange* results.

RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files. I didn't look through all 12,000, but I did browse them. I did not search the *entire* results to look for malware files, that would take hours.

I cleared the IE cache beforehand, shut off the screensaver, closed all apps (except processes always running in background), and didn't touch the computer during the scan.

I ran it 3 times, results were similar.

has anyone seen this? What's could be causing this?

Thanks...
-Jon
0
Comment
Question by:JONATHANHELD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 97

Accepted Solution

by:
war1 earned 900 total points
ID: 17024777
Greetings, JONATHANHELD !

The 12,000 files include System Restore, which are hidden of Windows API.  If you do not want the results of System Restore cluttering your Rootkit Revealer results, you can turn OFF and then ON System Restore.

Best wishes!
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 300 total points
ID: 17025101
Can you post a sample of what you found?
The most interesting part is usually the first 50 lines or so.

Was there anything in the Registry that was hidden?

Just to rule out bugs, use the latest version of RootkitRevealer.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 300 total points
ID: 17026251
>>RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files.<<

That normally happens when the user scans his pc with Rootkit Revealer and at the same time not leaving the pc idle, the log will be polluted with legit entries. When Rootkit Revealer is scanning and pc is not idle e.g. the user is browsing online, opening/closing programs, all these activities are recorded as "hidden from API" because of how Rootkit Revealer works.
A log from Rootkit Revealer shows everything that is happening during the time it took to create the log. Not all entries are bad.

When Rootkit Revealer starts, it asks windows what is there and records it, then compare it with what is on the disk. All activities that was going on while rootkit revealer was scanning will be recorded as hidden from windows API. Of course it does not mean it is hidden.
It is always recommended to leave the pc idle when scanning with Rootkit Revealer.
0
 

Author Comment

by:JONATHANHELD
ID: 17031038
Thanks to all for your input.

I found the problem - the Hard Drive is starting to crash.
It's having one of those "slow" crashes - 20 bad sectors, next day 100 bad secors, next day 800 bad sectors, etc. I've seen this before.

So I'm guessing this is the reason why RKR showed inaccurate data.

Cheers...
-Jon
0

Featured Post

Protect Your Retail Business and Reputation

Wi-Fi access doesn't just impact your business & customer experience, it can also affect your security.  Join us for an informative webinar to learn more about the top threats and trends impacting retail today, and the key solutions to protecting retail networks and reputations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question