GMER - Rootkit Detected (apparently)


Baldrick
February 10th, 2008, 05:48 PM
Hi there

Am trying out GMER (latest version) and it has come back screaming that my PC is infected with a rootkit, as follows:

\Device\Harddisk0\DRO Sector00:MBR Rootkit detected

Needless to say that this is alarming but I have no way of (i) checking if this is true and (ii) of knowing what to do next.

Can anyone advise? Is there another product that I can use to check/validate this finding?

Also, I am wondering if GMER has a memory leak, as after scanning for a while I found it impossible to do anything on my PC... had to roll back to an earlier position.

Again, can anyone advise if this is a known issue?

:D

fcukdat
February 10th, 2008, 05:50 PM
Read all of this topic, the relevant info is in there :thumb:

http://www.wilderssecurity.com/showthread.php?t=199157

HTH.

Baldrick
February 10th, 2008, 06:09 PM
Hi fcukdat

Thanks for that. Very informative. I will take a detailed look.

BTW - am looking for a standalone anti-rootkit program and there are a lot about, but GMER & Rootkit Unhooker seem to have the best reputation. Do you have any advice or view on which of these two is better in terms of user friendliness (given that from what I have read both appear to have the same detection & cleaning power)?

;D

Atomas31
February 10th, 2008, 07:11 PM
-{ Quote: "Hi fcukdat

Thanks for that. Very informative. I will take a detailed look.

BTW - am looking for a standalone anti-rootkit program and there are a lot about, but GMER & Rootkit Unhooker seem to have the best reputation. Do you have any advice or view on which of these two is better in terms of user friendliness (given that from what I have read both appear to have the same detection & cleaning power)?

;D" }-

Hi Baldrick,

You don't happen to have Rollback Rx by any chance? On my system, and in the thread that fcukdat pointed you to, it appears that Rollback RX is the culprit...

Best regards,
Atomas31

SystemJunkie
February 10th, 2008, 07:38 PM
-{ Quote: "Also, I am wondering if GMER has a memory leak as after scanning for a while I found it impossible to do anything on my PC...had to rollback to an earlier position." }-
What CPU do you own and how much memory?

GMER can leak if you scan during an SP2 or SP3 installation; then Out of Memory is possible.. GMER reaches sizes of 900 MB in memory!!

fcukdat
February 11th, 2008, 01:23 PM
-{ Quote: "Hi fcukdat

BTW - am looking for a standalone anti-rootkit program and there are a lot about, but GMER & Rootkit Unhooker seem to have the best reputation. Do you have any advice or view on which of these two is better in terms of user friendliness (given that from what I have read both appear to have the same detection & cleaning power)?

;D" }-

GMER's latest version supersedes the RKU final release in functionality and variety of RKs covered. RKU was dethroned a while back, but that said, I still find the RKU GUI a lot easier on the eye when interpreting data returned.

As with any forensic tool, I think both are user friendly to folks that know their stuff, or equally not very helpful to someone who needs their tool to do their decision making for them....

lucas1985
February 11th, 2008, 01:36 PM
-{ Quote: "i still find the RKU GUI a lot more easiar on the eye when interpreting data returned." }-
Agreed. RkU UI is easy to manage.

Baldrick
February 11th, 2008, 02:37 PM
I believe that the successor to RkU is in the offing, as the RkU team now works for Microsoft and is apparently working on something new. Hopefully it will be along the lines of the SysInternals takeover... still providing a good product for free?

Atomas31

Nearly but not quite. I use GoBack and therefore I suspect that this is the same false positive as with Rollback RX, as they both (obviously) modified the MBR to allow them to operate ahead of the OS. To whom did you report the Rollback RX issue as a likely false positive? If you can advise, I will do the same re. GoBack.

Thanks

Baldrick

Atomas31
February 11th, 2008, 03:09 PM
Hi Baldrick,

GMER support has indicated to me that the driver Goback2k.sys from GoBack could give the sort of false positive I got... So if you have GoBack, there is a big chance that what GMER is finding is a false positive!

Their email is info@gmer.net

Best regards,
Atomas31

SystemJunkie
February 11th, 2008, 10:58 PM
-{ Quote: "GMER latest version supercedes RKU final release in functionability and variety of RK's covered" }-
GMER was always a leap ahead, but the GUI of RkU is very comfortable, as we all know.

gud4u
February 11th, 2008, 11:22 PM
Some common classes of programs, such as PartitionManager and some backup/recovery programs, modify the MBR on installation.

Activating the Acronis Startup Recovery Manager modifies the MBR.

Consider what you've installed that might have modded your MBR, and if it's really harmful.

Over-writing your MBR with a known-good MBR isn't likely to harm system operation, but the program that modified the MBR may have to be re-installed or a feature re-enabled.

Hope this helps!
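The thread's recurring question is how to check for yourself whether sector 0 has been changed, and by which region. The following script is an added example (not from this thread, and not GMER's, GoBack's or Rollback RX's code): it parses a 512-byte MBR using the standard layout (440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries, the 0x55AA boot signature) and compares a current copy against a baseline saved while the machine was known good. The sample sectors, the disk signature value 0x12345678, the partition values and the marker byte strings are all constructed here for illustration.

```python
"""Inspect a 512-byte MBR sector and compare it with a known-good baseline copy."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440                 # bytes 0..439: boot code
DISK_SIG_OFFSET = 440               # bytes 440..443: Windows disk signature
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries, bytes 446..509
PARTITION_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510..511


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device or a dd image.
    Windows: r'\\.\PhysicalDrive0' (needs an elevated prompt); Linux: '/dev/sda' (needs root)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Decode the fixed MBR layout into a dictionary; the boot-code hash is what you baseline."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            PARTITION_ENTRY_FMT, sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which regions differ. Changed boot code with an intact partition table is the
    footprint left both by tools that hook the boot path (GoBack, Rollback RX, recovery
    managers) and by an MBR rootkit; this comparison alone cannot tell them apart."""
    return {
        "boot_code_changed": baseline[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN],
        "disk_signature_changed": baseline[440:444] != current[440:444],
        "partition_table_changed": baseline[446:510] != current[446:510],
        "boot_signature_ok": current[510:512] == BOOT_SIGNATURE,
    }


def build_sample_mbr(boot_code_marker: bytes) -> bytes:
    """Constructed sample sector (not a real disk dump): placeholder boot code, a made-up
    disk signature and one bootable type-0x07 partition starting at LBA 63."""
    boot_code = boot_code_marker.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678)
    reserved = b"\x00\x00"
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2_000_000)
    empty = b"\x00" * 16
    sector = boot_code + disk_sig + reserved + entry + empty * 3 + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    # Baseline taken while the machine was known good; "current" has the same partition
    # table but different boot code, the pattern a boot-time tool or a bootkit leaves.
    baseline = build_sample_mbr(b"BASELINE-BOOTCODE")
    current = build_sample_mbr(b"BOOT-MANAGER-HOOK")
    print(parse_mbr(current))
    print(diff_mbr(baseline, current))
```

In practice you would call `read_mbr` on the physical drive (or on a dd image taken from it) before installing anything that touches the boot path, keep that 512-byte copy and its hash, and re-run `diff_mbr` whenever a scanner raises an MBR alert. A changed boot code region tells you only that something rewrote it; identifying which product did so (as the thread does by asking GMER support about Goback2k.sys) is still a separate step.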

Baldrick
February 12th, 2008, 07:14 PM
Thanks to all for the replies and advice. I have emailed GMER Support re. this, based on Rollback RX causing the same, and asked them if they can do anything so that GMER ignores such false positives. Will have to wait to see what they come back with. If it is of use I will post back here. ;D