Another RKR won’t run

   RKR will want to load a driver AND install a temporary service (with a random name), so your real-time protection would need to permit that. Suggestion: suspend Process Guard while you run RKR.

Author	Message Share Topic Printable Version Delicious Digg Facebook Furl Google MySpace Newsvine reddit StumbleUpon Translate Twitter Windows Live Yahoo Bookmarks Topic Search Topic Options Post Reply Create New Topic
namrehto Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 23 June 2005 Location: Scotland Online Status: Offline Posts: 3861	Post Options Post Reply Quote namrehto Report Post Quote Reply Topic: Another RKR won’t run Posted: 01 May 2006 at 7:11am
	RKR will want to load a driver AND install a temporary service (with a random name), so your real-time protection would need to permit that. Suggestion: suspend Process Guard while you run RKR.
	Gil

trpeterson2005 Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 01 May 2006 Online Status: Offline Posts: 3	Post Options Post Reply Quote trpeterson2005 Report Post Quote Reply Posted: 01 May 2006 at 4:45am
	Hi Gorentz. I'm having a similar problem running RKR. When I click on it I get files showing up in Process Guard that are trying to install a helper/driver then then the message: Error loading helper/driver and RKR won't run even if I allow the loading. I just reinstalled the OS because something overcame my system and RKR wouldn't run beforehand either. I coud sure use some help on this as I haven't found that problem in the forum yet. Tony

BobDobbs Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 23 April 2006 Online Status: Offline Posts: 1	Post Options Post Reply Quote BobDobbs Report Post Quote Reply Posted: 23 April 2006 at 8:14pm
	Just downloaded and tried to run. Double click and nothing happens.. I think maybe I didnt actually double click, so do so again. Nothing. Check processes and 2 copies of Rootkitrevealer are running, both a bit over 2k in memory.. but nothing on screen. I logged in as Admin to run it, have tried renaming it to random .exe but its still the same. Well except I then had multiple copies of aaallalala2.exe running. Anyone else seen this? off to try searching the forums some more edit Sweet jumping jehosophat, found the answer (to my problem) 2 minutes after posting and it was so obvious I wanted to smack myself. A simple reboot fixed it, RKR now comes up fine for me. I'll be over there in the corner now. Edited by BobDobbs - 23 April 2006 at 8:22pm

gorentz Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 14 April 2006 Location: United States Online Status: Offline Posts: 2	Post Options Post Reply Quote gorentz Report Post Quote Reply Posted: 18 April 2006 at 10:37am
	I already tried that. Also, keep in mind that BlackLight is stopped the same way. And that the first time I try to run RKR on a Windows 2003 computer, the behavior is slightly different than on subsequent times. This leads me to suspect it's being blocked not on the basis of its name, but on the basis of something it's trying to do.

namrehto Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 23 June 2005 Location: Scotland Online Status: Offline Posts: 3861	Post Options Post Reply Quote namrehto Report Post Quote Reply Posted: 18 April 2006 at 3:20am
	As you say, RKR's real work is done by a randomly-named service. But that has to be installed and started by RootkitRevealer.exe in the first place. If you have something lurking which happens to be targetting the initial RootkitRevealer.exe process by name, try manually renaming RootkitRevealer.exe to something random.
	Gil

gorentz Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 14 April 2006 Location: United States Online Status: Offline Posts: 2	Post Options Post Reply Quote gorentz Report Post Quote Reply Posted: 18 April 2006 at 1:49am
	How can I find out what's keeping both RKR and BlackLight running on some of my computers. On one server RKR found a rootkit. On some others (Windows 2000, 2003, and NT) RKR wouldn't run. Nor would BlackLight beta. (Well, that one doesn't run on NT, anyway.) On the Windows 2003 ones I would double-click on RKR and get the message "...publisher could not be verified. Are you sure..." but the program would never run. It didn't appear in the process list or in the list of services. Yes, I'm aware that it runs under a weird random name. And on subsequent tries, I wouldn't even get the "publisher could not be verified" message. These computers do have the temporary folders that RKR needs. On other servers RKR and BlackLight ran just fine and didn't find any problems. I suspected something malicious that was keeping RKR and Blacklight from running, so on the servers on which RKR wouldn't run, I restored them using disk image backups I had taken a few weeks ago. (On some of them it was quite a bit of work. It made for a long weekend.) RKR runs fine on them now. I also had a desktop computer in the same situation. RKR runs fine on an older restored image. I have one other desktop that I haven't restored yet. When I try running RKR remotely via psexec, it quits with an error code of 128. On the desktop computers, there is also something that keeps Adobe Acrobat Standard from running, too. In fact, that issue is what first called our attention to a possible problem. Maybe something that targets things like RKR and Blacklight, but also stops Acrobat? Any suggestions as to how to find out what's doing this? I've saved disk images of all the likely infected systems so I can go back and investigate some more. But I'm not sure just how to investigate this.