RootkitRevealer-1.4-1.6--Win-NT4sp6a
Posted by nt4-ever on December 8th, 2005


http://www.sysinternals.com/Utilitie...tRevealer.html

RootkitRevealer.exe 1.20 runs ok and reports:
C:\$BadClus:$Bad 2002/12/03 21:51 4.00 GB Hidden from Windows API.
D:\$BadClus:$Bad 2002/12/03 22:12 14.65 GB Hidden from Windows API.

(4GB is size of C: and 14GB is D: on WDC 20GB disk;
and Chkdsk.exe /f /r reports all AOK;
NTFS was partitioned/formatted from working NT4-sp6a;
Streams.exe v1.3 reports NO alternate NTFS data streams)

but RKR versions 1.4 to ~1.56 would scan the disk and then
hang up Not allowing switch to anything else;
even Taskmgr.exe could not kill it;
requiring Control-Alt-Delete to reboot
(no active virus sw; just use f-prot dos in manual mode)

Got newest 1.60; to be safe: ran Erunt.exe to backup
registry, exited everything but Explorer.exe and the
mouse control program LwbWheel.exe
Set Taskmgr.exe to high update speed

from cmd.exe prompt
(! at least it did that)

but screen was 90% grey; had to min/restore Taskmgr.exe
and Explorer.exe to get it back
(rootkitrevealer.exe runs under funny name and trying
to set its priority to Low with Taskmgr.exe - was "Access Violation")

The rr.txt file listed all ~20,000 files on C:/D:
as "Hidden from Windows API"

then did:
and rr2.txt file had same as rr.txt with additional
metafiles listing ...

1) since it did Not list anything from registry
assume No rootkit here ??
2) wish it did not trash screen But at least this
version exited ..
3) assume listing Every file as "Hidden from Windows API"
is just an anomaly since they are visible from Explorer.exe ??
((saw posts re DIRCMD env var; so deleted it and reran
1.60; same results as above; btw there is No /4 switch
for the NT4-sp6a DIR command..))

TIA :rod-sacramento


Posted by Calvin on December 9th, 2005


Hi Rod,

The weird reports with things like the BadClusterMap metadata showing up were
known bugs of RootKitRevealer of the 1.0 to 1.4 era. Mark finally fixed these properly
sometime around V1.5.

I've not personally experienced the lockup problems you report - but when it
runs it does take the CPU to 100% utilization - so everything will act a little
'weird' (screens not redrawing in an orderly fashion, sluggish responses) whilst
it is running.

The 'funny name' is part of the strategy I was telling you about in my last
post. RKR invents a 'random' name to run itself under each time, so Rootkits
that attempt to target it cannot identify and disable it.

As I also said, unfortunately, the 'random name' strategy leads to ever greater
clutter in your registry, as the names under which it runs get added to the
'Services' area, but never get removed - so the list of 'dead' keys just gets
longer and longer and longer :-(

Calvin.

Posted by nt4-ever on December 9th, 2005


Calvin wrote:
So True Calvin; see:
http://tinyurl.com/9wwhj ie
http://www.sysinternals.com/Forum/fo...?TID=2842&PN=1
where i beat this issue to death and make Mountain
out of mole-hill ...

Appears it is issue with alternate data streams ADS
-sysinternals streams.exe 1.3-2001 reports ok
whilst the newest 1.53 thinks
"The specified volume does not support streams."
so RKR is reporting all my 20000 c: d: files as
"Hidden from Windows API" so it creates
a 3MB report file and "runs out of resources" causing
the lock-ups .. (thought resource problem was
thing of past ie win-3.11-95-me and Not NT4 ??)

i have at least six entries from RKR of form:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GGKRQ

whats wrong with creating remove.reg file:
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GGKRQ]
which when merged with regedit.exe will remove that key ??

Lastly; wonder why RKR OK with your NT4 and
mine goes to lunch .. ?? In 2002 i parted/formatted
this drive with my Old Fuji disk NT4-SP5 FAT-16 system before
installing NT4 .. wonder if there was an issue with
NTFS that was Not resolved until SP6a ??

:rod-sacramento


Posted by Calvin on December 10th, 2005


nt4-ever wrote:

You could be on to something here - have you spoken to Mark about the problems
you are experiencing directly ? I find Mark is quite approachable and helpful -
especially when somebody has a genuine problem with one of his utilities. As you
can appreciate, he probably runs out of patience fairly quickly if people ask
silly obvious questions that can be answered by a bit of simple reading. (and I
don't blame him either !)

Nothing wrong with removing these entries from the registry - manually or using
a .reg file. But as I pointed out, every time RKR runs you'll get a new entry
here - with a DIFFERENT name - so it won't be GGKRQ next time :-(


Shouldn't be file system related - but who really knows - I've recently learnt
(by bitter experience) that just because Chkdsk says a volume is OK, doesn't
mean it really is. My de-fragmenter would choke on one of my volumes (and report
that the NTFS file structures were invalid), Chkdsk said it was fine - yet if I
removed all the files, reformatted clean, put all the files back and repeated
the defragmentation it then worked properly.

Calvin.

Posted by nt4-ever on December 11th, 2005


Calvin wrote:
has anyone different results with 1.53 on nt4-ntfs ?
http://www.sysinternals.com/utilities/streams.html
http://www.sysinternals.com/Files/Streams.zip

i have been posting in their forum:
http://www.sysinternals.com/Forum/fo...s.asp?TID=2842

from the forum:
"Assuming a normal exit, it should do a cleanup of the service entry
and the temp file."

it removes the temp file here; so likely they do not realize that on nt4
it is not removing the reg entries..

rootkits go main-stream:
Sony, What Were You Thinking? Mark Minasi
http://www.windowsitpro.com/Windows/...681/48681.html

:rod


Posted by Calvin on December 11th, 2005


nt4-ever wrote:

Hmmm - last time I used RKR same thing here - no cleanup of the registry at all
- he may have improved it since - I'll experiment when I have some free time.

Even if it removes the CurrentControlSet\Services key I bet you it STILL won't
remove the entries in CurrentControlSet\Enum\Root\LEGACY_xxxxx OR
CurrentControlSet\Enum\HTREE\ROOT\0 This is my major complaint about this
utility. I understand why Mark has approached the problem the way he has, but I
think it may be that this problem is unsolvable and the clutter in the registry
will get ever worse unless you manually intervene to cleanup.

Calvin.
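One way to automate the cleanup Rod and Calvin discuss above (an added example, not code from the thread, from Sysinternals or from RootkitRevealer): export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet to a REGEDIT4 text file with regedit /e, find every Enum\Root\LEGACY_<name> key that has no matching Services\<name> key, and write a remove.reg with one [-key] line per orphan, which is exactly the syntax Rod proposes. Checking for the Services key is the safety step: a legacy driver that is still installed (LEGACY_BEEP next to Services\Beep in the constructed sample) is left alone, and because RKR picks a different random name each run the script keys on the missing service rather than on a fixed name. The sample export, the names HJXWV and XQPLM, and the function names are constructed for this example; GGKRQ is the name from Rod's post. Only key deletions are emitted, so whatever RKR leaves under Enum\HTREE\ROOT\0 is not touched.

```python
"""Generate a regedit-compatible remove.reg for orphaned LEGACY_* entries under
HKLM\SYSTEM\CurrentControlSet\Enum\Root, the clutter RootkitRevealer's
random-named driver service leaves behind on NT4.

Input is a REGEDIT4 text export, e.g. from an NT4 cmd prompt:
    regedit /e ccs.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
An entry is "orphaned" when Enum\Root\LEGACY_<NAME> exists but Services\<NAME>
does not: the driver service is gone, its enumeration record is not.
"""
import re

CCS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
LEGACY_PREFIX = CCS + r"\Enum\Root\LEGACY_"
SERVICES_PREFIX = CCS + r"\Services" + "\\"

# REGEDIT4 key header: "[path]" creates/updates a key, "[-path]" deletes it.
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")


def parse_reg_keys(text):
    """Map lower-cased key path -> path as written, for every key header in the export.
    Registry key names are case-insensitive, so comparisons use the lower-cased form."""
    keys = {}
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m and not m.group("delete"):
            keys[m.group("path").lower()] = m.group("path")
    return keys


def find_orphaned_legacy_entries(keys):
    """Names (as written, without the LEGACY_ prefix) whose Services\<name> key is absent."""
    orphans = []
    for lower, path in sorted(keys.items()):
        if not lower.startswith(LEGACY_PREFIX.lower()):
            continue
        name = path[len(LEGACY_PREFIX):]
        if "\\" in name:  # instance subkey such as ...\0000; deleting the parent covers it
            continue
        if (SERVICES_PREFIX + name).lower() not in keys:
            orphans.append(name)
    return orphans


def build_remove_reg(orphans, also_services=()):
    """REGEDIT4 text that deletes each orphaned LEGACY_ key and its subkeys.
    Names in also_services get their Services key deleted as well: use that only
    for names you have confirmed are RootkitRevealer leftovers, not a real driver."""
    explicit = {n.lower() for n in also_services}
    lines = ["REGEDIT4", ""]
    for name in orphans:
        if name.lower() in explicit:
            continue
        lines.append("[-" + LEGACY_PREFIX + name + "]")
        lines.append("")
    for name in also_services:
        lines.append("[-" + SERVICES_PREFIX + name + "]")
        lines.append("[-" + LEGACY_PREFIX + name + "]")
        lines.append("")
    return "\r\n".join(lines)


# Constructed sample export: one live legacy driver (Beep, has a Services key)
# and two orphaned random-named entries in the style RKR leaves behind.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BEEP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BEEP\0000]
"Service"="Beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GGKRQ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GGKRQ\0000]
"Service"="GGKRQ"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HJXWV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HJXWV\0000]
"Service"="HJXWV"
"""

if __name__ == "__main__":
    keys = parse_reg_keys(SAMPLE_EXPORT)
    orphans = find_orphaned_legacy_entries(keys)
    print(build_remove_reg(orphans))
```

Back up the registry first (ERUNT, as Rod did), review the generated file before merging it with regedit.exe, and if, as Calvin observed, the Services\<name> key for an RKR run also survived, list that name in also_services once you have confirmed it is not a real driver; the orphan check alone will not flag it because its service key still exists.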

