Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Rootkit Revealer Says Error In Cmd.exe

  • Please log in to reply
1 reply to this topic

#1 jerryc


  • Members
  • 91 posts
  • Local time:05:46 PM

Posted 22 October 2007 - 09:18 PM

XP Pro, fully updated, Trend Micro, Spywareblaster, Adaware, A2, all show no current problems. did get a keylogger a few months ago, which was so severe it shut off Trend. All seems pretty well with that now, but sometimes I think there still may be some issue there as occasionally the keys seem slow, or double strike. I just ran Rootkit Revealer and got the title message, that "there's an error in cmd.exe which prevents RR from accurately analyzing the system."

These below are the first 5 lines that were captured before it quit. The first two are from April, the rest are today. There were many more lines, all of which were Temp Int Files which I have since deleted, but I have not yet rescanned.

HKLM\SECURITY\Policy\Secrets\SAC* 4/24/2007 3:41 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 4/24/2007 3:41 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\TotalScanned 10/22/2007 3:37 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\LastScannedFileName 10/22/2007 3:37 PM 49 bytes Windows API length not consistent with raw hive data.
C:\Documents and Settings\Administrator\Cookies\administrator@customer[2].txt 10/22/2007 3:57 PM 104 bytes Hidden from Windows API.

Any thoughts?

BC AdBot (Login to Remove)



#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 50,731 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:46 PM

Posted 22 October 2007 - 10:07 PM

The Cmd.exe error has been known to be caused by either the PATH or PATHEXT environment variables not being correct. See the discussion in "An error occured in CMD.EXE".

Starting with v1.71 RKR began to scan the HKLM\Security\Policy hive which contains SAC* and SAI* hidden keys with embedded nulls. This is normal and not a cause for alarm. See "RKR 1.71 and HKLM\Security\Policy\Secrets".
Also see "Info on common log entries".

If your unsure how to use RKR or read its logs, use AVG Anti-Rootkit or Panda AntiRootkit.zip instead.

Edited by quietman7, 22 October 2007 - 10:10 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users