Solved

RootkitRevealer shows 12,000 files "Hidden from Windows API", but they are legit files!?

Posted on 2006-07-01
4
252 Views
Last Modified: 2013-12-04
Hello. I've used RootkitRevealer many times, and I'm pretty good at interpreting its results.

However, I have one computer which has very *strange* results.

RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files. I didn't look through all 12,000, but I did browse them. I did not search the *entire* results to look for malware files, that would take hours.

I cleared the IE cache beforehand, shut off the screensaver, closed all apps (except processes always running in background), and didn't touch the computer during the scan.

I ran it 3 times, results were similar.

has anyone seen this? What's could be causing this?

Thanks...
-Jon
0
Comment
Question by:JONATHANHELD
4 Comments
 
LVL 97

Accepted Solution

by:
war1 earned 300 total points
ID: 17024777
Greetings, JONATHANHELD !

The 12,000 files include System Restore, which are hidden of Windows API.  If you do not want the results of System Restore cluttering your Rootkit Revealer results, you can turn OFF and then ON System Restore.

Best wishes!
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 100 total points
ID: 17025101
Can you post a sample of what you found?
The most interesting part is usually the first 50 lines or so.

Was there anything in the Registry that was hidden?

Just to rule out bugs, use the latest version of RootkitRevealer.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 17026251
>>RootkitRevealer shows 12,000 files "Hidden from Windows API".  12,000!!!

I browsed to some of these files, and they certainly were not hidden, I could see and open them just fine.  They are also legit files, just standard files.<<

That normally happens when the user scans his pc with Rootkit Revealer and at the same time not leaving the pc idle, the log will be polluted with legit entries. When Rootkit Revealer is scanning and pc is not idle e.g. the user is browsing online, opening/closing programs, all these activities are recorded as "hidden from API" because of how Rootkit Revealer works.
A log from Rootkit Revealer shows everything that is happening during the time it took to create the log. Not all entries are bad.

When Rootkit Revealer starts, it asks windows what is there and records it, then compare it with what is on the disk. All activities that was going on while rootkit revealer was scanning will be recorded as hidden from windows API. Of course it does not mean it is hidden.
It is always recommended to leave the pc idle when scanning with Rootkit Revealer.
0
 

Author Comment

by:JONATHANHELD
ID: 17031038
Thanks to all for your input.

I found the problem - the Hard Drive is starting to crash.
It's having one of those "slow" crashes - 20 bad sectors, next day 100 bad secors, next day 800 bad sectors, etc. I've seen this before.

So I'm guessing this is the reason why RKR showed inaccurate data.

Cheers...
-Jon
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Suggested Solutions

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now