Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Usage

rootkit revealer won't write report

jwixson (Newbie, joined 09 May 2008, United States)
Posted: 12 August 2010 at 6:59am
Rootkit Revealer runs fine on my XP Pro SP3 and shows lots of discrepancies, but when I tell it to save the log, it hangs!  And this is true whether I run my downloaded version (the latest posted) or whether I run it online.
It does not create a file, and I have to kill RR - it won't even close!  (I have to do a screen save to keep a record.)
Any guess what's wrong?
bootsect (Senior Member, joined 24 December 2009)
Posted: 12 August 2010 at 8:15am

Don't waste your time with this outdated proof-of-concept detector.
jwixson (Newbie, joined 09 May 2008, United States)
Posted: 12 August 2010 at 4:53pm
Probably good advice, but what is better?
I am concerned because the RR report shows fifty discrepancies!  E.g.
- key name contains embedded nulls
- hidden from API
- visible in directory, but not in API or MFT
- et cetera.
First off, this sort of thing is at least of concern - to know what is going on in each case.
Secondly, my computer - with a fast, dual processor - crawls.  Often a keystroke takes a minute or two to respond.
And, though Process Explorer (and Task Manager) claim "100% idle," my hard drive light is solidly on - for many minutes at a time.  Something is going on!
I welcome any suggestions for software which can detect malware (I have run MalwareBytes, which found nothing).
But, much as I use black-box software and solutions when there is nothing better, I would really like to look into Windows (XP Pro SP3 in this case) and see what is going on inside!
So, do you know what's better to find why I have these discrepancies?  Or to see what is laming my XP?
Thx, jw
SvenBomwollen (Senior Member, joined 29 August 2008, Germany)
Posted: 15 August 2010 at 2:42pm

Hello, jwixson.

Coming back to your initial problem report, you might try whether this piece of advice will make RKR save your report:

Before confirming the report file suggested by RKR, please, select a different folder. Select a folder where your own account has got read and write privileges.

Kind regards,
SvenBomwollen

jwixson (Newbie, joined 09 May 2008, United States)
Posted: 16 August 2010 at 1:51am
Sven,

thank you for the reply.
I tried your suggestion, but it does not work.  What happens is: when I try to save, RKR asks for a destination.  No matter which path I give it, RKR opens a file there, but hangs up while trying to write to it.  The result is that I have an empty file and have to kill RKR.  On the other hand, I tried RKR on another computer, and it works correctly.
There is something about this computer: either a protection scheme (Norton, in my case, though I disabled it) or else a rootkit itself is preventing the writing and closing of the file.

But RKR does not handle the situation well - it merely hangs!  No chance to continue, select another file or location, or whatever - it dies.
And this makes me wonder: is RKR still maintained?  I gather that it does not work for Windows 7.
How can I find out?

And is there comparable software (anywhere) for System7?

thx,
Jwixson
nullptr (Senior Member, joined 06 April 2008, Australia)
Posted: 16 August 2010 at 4:30am
RKR will not work for Windows 7.

Assuming that you're running 32-bit (x86) Windows, you can try Rootkit Unhooker, Vba32 AntiRootkit or Root Repeal. Links to them are available here.
jwixson (Newbie, joined 09 May 2008, United States)
Posted: 16 August 2010 at 6:28am
nullptr,
I'll give them a try, thanks.

Otherwise: I wonder if the Sysinternals tools are still maintained.
Is there anywhere to report problems - aside from posting them here?  Does Sysinternals have a reporting facility?
jwixson
SvenBomwollen (Senior Member, joined 29 August 2008, Germany)
Posted: 16 August 2010 at 11:24am

Hello, jwixson.

Quote: "is RKR still maintained?"
Considering the fact that the current version was released in November 2006, I suspect that the answer may be: no.

Quote: "Otherwise: I wonder if the Sysinternals tools are still maintained."
Having a look at this site should give a good idea on which Sysinternals utilities are being maintained: Sysinternals Site Discussion

Quote: "Is there anywhere to report problems - aside from posting them here?  Does Sysinternals have a reporting facility?"
Twice: no. But the programme authors do visit the forums and read problem/bug reports.

Kind regards,
SvenBomwollen

Edited by SvenBomwollen - 16 August 2010 at 11:27am
jwixson (Newbie, joined 09 May 2008, United States)
Posted: 16 August 2010 at 7:00pm
Sven,
too bad.  SysInternals was a good thing - as long as Mark supported it.
 
Thanks,
Jwixson
jwixson (Newbie, joined 09 May 2008, United States)
Posted: 18 October 2010 at 2:22am
mituan,

I believe you, but would like some more information on that matter, if you can supply it.

Beyond that: where is Mark Russinovich when we need him?
What could be more important than keeping rootkits out of our systems?
(Are you listening, Mark?)

thanks for the reply,
Jim