Sysinternals Homepage

Forum Home

Forum Home > Sysinternals Utilities > RootkitRevealer Logs

New Posts

RSS Feed: RKR log help

FAQ

FAQ

Register

Login

RKR log help

Post Reply

Author

Reverse Sort Order

Share Topic

Printable Version

Printable Version

Post this Topic to Delicious

Post this Topic to Digg

Post this Topic to Facebook

Post this Topic to Furl

Post this Topic to Google

Post this Topic to MySpace

Post this Topic to Newsvine

Post this Topic to reddit

Post this Topic to StumbleUpon

Translate

Post this Topic to Twitter

Post this Topic to Windows Live

Post this Topic to Yahoo Bookmarks

Yahoo Bookmarks

Topic Search

Topic Options

Topic Options

Create New Topic

molotov

View Drop Down

Members Profile

Send Private Message

Find Members Posts

Visit Members Homepage

Add to Buddy List

Moderator Group

Moderator Group

Joined: 04 October 2006
Online Status: Offline
Posts: 17492

Post Options

Post Options

Quote molotov

Quote

Post Reply

Reply

Direct Link To This Post

Topic: RKR log help
Posted: 04 November 2009 at 11:36am

In that event, as you indicated, the best/easiest option may be to use something like a BartPE disc or a bootable Linux disc, to try to remove the folder.

Daily affirmation:
net helpmsg 4006

Back to Top

Luizf

View Drop Down

Members Profile

Send Private Message

Find Members Posts

Add to Buddy List

Newbie

Newbie

Joined: 29 September 2009
Online Status: Offline
Posts: 4

Post Options

Post Options

Quote Luizf

Quote

Post Reply

Reply

Direct Link To This Post

Posted: 28 October 2009 at 9:34pm

Hello Molotov,

Yes, I am still dealing with this problem. I tried to do as you said, using autocomplete, but I got a message stating the system could not find the specified file.

Thanks for you help.

Regards,

Luiz

Back to Top

molotov

View Drop Down

Members Profile

Send Private Message

Find Members Posts

Visit Members Homepage

Add to Buddy List

Moderator Group

Moderator Group

Joined: 04 October 2006
Online Status: Offline
Posts: 17492

Post Options

Post Options

Quote molotov

Quote

Post Reply

Reply

Direct Link To This Post

Posted: 28 October 2009 at 10:04am

If you're still dealing with this... Can you use autocomplete in the CMD prompt to rename or remove the folder? Have you tried renaming the folder from the CMD prompt?

Daily affirmation:
net helpmsg 4006

Back to Top

Luizf

View Drop Down

Members Profile

Send Private Message

Find Members Posts

Add to Buddy List

Newbie

Newbie

Joined: 29 September 2009
Online Status: Offline
Posts: 4

Post Options

Post Options

Quote Luizf

Quote

Post Reply

Reply

Direct Link To This Post

Posted: 04 October 2009 at 3:01pm

Hello Sven,

Thank you again for your help.

I did what you said, but despite chkdsk pointed and fixed some inconsistencies, the problem still remains: I can not delete the folders.

Now I am loking for a bootable CD, and try to delete from the comand prompt.

Regards,

Luiz

Edited by Luizf - 04 October 2009 at 3:02pm

Back to Top

SvenBomwollen View Drop Down

View Drop Down

Members Profile

Send Private Message

Find Members Posts

Add to Buddy List

Senior Member

Senior Member

Joined: 29 August 2008
Location: Germany
Online Status: Offline
Posts: 1400

Post Options

Post Options

Quote SvenBomwollen

Quote SvenBomwollen

Quote

Post Reply

Reply

Direct Link To This Post

Posted: 04 October 2009 at 12:33am

Hello, Luiz.

Perhaps your file system is damaged? You might schedule a chkdsk run on drive C: for the next reboot.

Launch Start => Run: cmd.exe. Type

fsutil set dirty C:

Exit the cmd.exe window and reboot Windows. Before Windows starts up normally it will run a chkdsk on drive C:. This should reveal (and hopefully fix) any file system inconsistencies.
Windows will wrte the results to the Applications eventlog, too, source=Winlogon on Pre-Vista systems, source=Wininit on Vista.

Kind regards,
SvenBomwollen

Back to Top

Luizf

View Drop Down

Members Profile

Send Private Message

Find Members Posts

Add to Buddy List

Newbie

Newbie

Joined: 29 September 2009
Online Status: Offline
Posts: 4

Post Options

Post Options

Quote Luizf

Quote

Post Reply

Reply

Direct Link To This Post

Posted: 03 October 2009 at 10:28pm

Hi Sven,

I have already tried to remove the folder, but Windows returns an error stating "can not delete the file. cannot read the file or source disk."

I have also tried to delete the parents folder, but i got the same error.

Also, doing it in safe mode didnt work either.

Thanks for the reply.

Regards,

Luiz

Edited by Luizf - 04 October 2009 at 12:20am

Back to Top

SvenBomwollen View Drop Down

View Drop Down

Members Profile

Send Private Message

Find Members Posts

Add to Buddy List

Senior Member

Senior Member

Joined: 29 August 2008
Location: Germany
Online Status: Offline
Posts: 1400

Post Options

Post Options

Quote SvenBomwollen

Quote SvenBomwollen

Quote

Post Reply

Reply

Direct Link To This Post

Posted: 03 October 2009 at 12:54am

Hello, Luizf.

Simply try to remove the folder
+ "C:\Documents and Settings\luiz\Dados de aplicativos\Macromedia\Flash Player\#SharedObjects" and
+ "C:\Documents and Settings\luiz\Dados de aplicativos\Macromedia\Flash Player\macromedia.com"
Next run RKR again. The two suspicious looking lines should be gone.

Note:
Deleting any subfolders of "C:\Documents and Settings\luiz\Dados de aplicativos\Macromedia\Flash Player" will do no harm. Flash will recreate whatever it needs at runtime.
Note also that the %APPDATA% folder (C:\Documents and Settings\luiz\Dados de aplicativos) is hidden. So you must tell Windows Explorer to display hidden and system folders before you can see the folder.

Kind reagrds,
SvenBomwollen

Back to Top

Luizf

View Drop Down

Members Profile

Send Private Message

Find Members Posts

Add to Buddy List

Newbie

Newbie

Joined: 29 September 2009
Online Status: Offline
Posts: 4

Post Options

Post Options

Quote Luizf

Quote

Post Reply

Reply

Direct Link To This Post

Posted: 29 September 2009 at 5:43pm

Running RKR I got the following log

HKLM\SECURITY\Policy\Secrets\SAC*    9/9/2004 00:28    0 bytes    Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*    9/9/2004 00:28    0 bytes    Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQLServer\Parameters    5/6/2009 15:51    0 bytes    Security mismatch.
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.SQLEXPRESS\Security    5/6/2009 15:51    0 bytes    Security mismatch.
C:\Documents and Settings\luiz\Dados de aplicativos\Macromedia\Flash Player\#SharedObjects\82ZA6P3B\four-thirds.org.\localData.sol    14/5/2009 21:25    48 bytes    Hidden from Windows API.
C:\Documents and Settings\luiz\Dados de aplicativos\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#four-thirds.org.\settings.sol    14/5/2009 21:25    86 bytes    Hidden from Windows API.

I guess the first four entries are not a problem. Am I right?

But the last two entries, the ones showed "Hidden from Windwos API" is puzzling me. I tried to remove the file, but when I tried to access the folder Windows stated that it points to a not available place on my disk. Could this be a disk directory problem ou could it be a real rootkit.

Thanks for any help and suggestion.

Edited by Luizf - 04 October 2009 at 12:21am

Back to Top

Post Reply

Forum Jump

Forum Permissions View Drop Down

View Drop Down

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot delete your posts in this forum
You cannot edit your posts in this forum
You cannot create polls in this forum
You cannot vote in polls in this forum