For those who liked this old rootkit detector, which is not so easy to read, here is the new version: http://www.gmer.net/. An old version crashed my system when I used XP SP3 32-bit. Tried it on Seven 64-bit and it seems to work.
Nice to see it is still being developed now that the dev is working for Avast. Which makes it even funnier that the only vendor having a detection for it on VT is Avast. @blacknight Your link is broken.
Yeah, it's broken. But here you go: http://www.gmer.net/ Strange, I got this line in the Rootkit/Malware tab: C:\Windows\system32\csrss.exe [640:664] fffff960008802d0
Just ran it on my Win 7 x64 build and the log said I was clean as a whistle. You might want to check these out: http://superuser.com/questions/872983/csrss-exe-anomalies-is-this-a-rootkit http://securityxploded.com/hidden-process-detection.php - scroll down to this section: HPD with CSRSS Process Handle Enumeration. BTW, GMER installs a hidden service, plus it drops a driver in %AppData%\temp.
I haven't used it in months; the spartan GUI annoyed me, and it behaved a bit weirdly. It should have looked like Tuluka: http://www.downloadcrew.com/article/22466-tuluka It's probably nothing malicious, but I would still investigate it.
I did it and my symptoms are the same as what this guy found: http://superuser.com/questions/872983/csrss-exe-anomalies-is-this-a-rootkit (thanks to @itman for the link). Still don't know whether my PC is infected or not. Too complex for me, though.
I'm not sure but I think I had this same reading on my old Win XP PC. Perhaps it's caused by one of your security tools?
I was just looking at the Gmer website today and see it supports Windows 10 now. Wonder if they got the MS-signed driver?
I just ran it in shadow mode and at first it showed a bunch of red entries and asked if I wanted to run a full scan. It said they were system modifications. I ran the full scan and boom, Gmer crashed.
I decided to run it again. The first screenshot, with the red-marked entries, is from before the full scan. The second one, taken after selecting the full scan, shows it crashed somewhere in the sys32 AppGuard DLLs. I had AppGuard set to off, so not sure about this one.
The executable is not digitally signed, but I'm not sure if the driver is signed. It drops a driver to the temporary directory. To find out if it is digitally signed, you can go to the temporary directory and look in the file properties of the dropped driver.
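As an added example (not code from the thread or from GMER), the same check can be done from PowerShell instead of the file-properties dialog: it enumerates .sys files under the temp directories named above, reports their Authenticode signature status and signer, ties each file to any kernel driver service that loads it, and computes a SHA256 for a VT lookup. The directory list and the assumption that the dropped driver is a .sys file are assumptions based on the posts, not documented GMER behaviour.

```powershell
# Added example, not from the thread. Assumes the dropped driver is a .sys file
# under %TEMP% or %AppData%\temp, as earlier posts describe.
$dirs = @($env:TEMP, (Join-Path $env:APPDATA 'temp')) | Where-Object { Test-Path $_ }

# Build a lookup of kernel driver services -> normalised image path, so a dropped
# file can be matched to the service that loads it (the "hidden service" mentioned above).
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may be \??\C:\...\x.sys or \SystemRoot\...; strip/expand the prefixes
        $p = $_.PathName -replace '^\\\?\?\\', ''
        $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        [pscustomobject]@{ Service = $_.Name; Path = $p; State = $_.State }
    }

$results = foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Filter *.sys -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Status is Valid, NotSigned, HashMismatch, UnknownError, ...; Valid alone does
        # not prove the file is benign, it only proves who signed it and that it is intact.
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $svc  = $drivers | Where-Object { $_.Path -ieq $file.FullName }
        [pscustomobject]@{
            File         = $file.FullName
            Modified     = $file.LastWriteTime
            SigStatus    = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Service      = if ($svc) { ($svc.Service -join ',') } else { '(no driver service)' }
            ServiceState = if ($svc) { ($svc.State -join ',') } else { '' }
            SHA256       = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
        }
    }
}

# Unsigned or tampered drivers that a running service points at are the ones to investigate first.
$results | Sort-Object SigStatus, Modified -Descending | Format-List
```

Run from an elevated prompt so Win32_SystemDriver and the temp directories of the current user are fully readable; the SHA256 column is what you paste into VirusTotal rather than uploading the file.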