prevx says clean but gmer shows rootkit modification

well prevx and dr web av 5 realtime give this pc a clean bill of health but gmer scan has a scary tale to tell....so can i trust prevx or am i missing something ?
screen shot:

[StevieO]

Hi, not really scary, but if you're not used to ARK's then they sure can be !

Looks like legit entries to me.

sr.sys = Sytem Restore which appears to be disabled ?

svchost = i imagine are normal windows files

You could always upload them to VT & Jotti to check

[PrevxHelp]

I agree with SteveO - this looks like a false positive from GMER because the files are in the correct paths and under the correct service names. It might be worth installing and trying another antirootkit program to see if it finds anything as well.

Also note that some system protection programs (not Prevx, however) prevent antirootkit programs from functioning properly so you may want to double check with them disabled/uninstalled.

Let me know what you find

Quote:

Let me know what you find

well panda antirootkit and rootkit revealer did not reveal any rootkit but there was one more entry in red by gmer that is not seen in the screen shot it was.

Quote:

Disk\Device\Harddisk\DRO sector 00:rootkit-like behavior;

but now i bid adieu to gmer for good its a bit too much for my tender heart

[PrevxHelp]

Could you let us know what other security software you're using? (Mostly just so we prevent any FPs in the future which could be similar to GMER's )

Quote:

Originally Posted by PrevxHelp

Could you let us know what other security software you're using? (Mostly just so we prevent any FPs in the future which could be similar to GMER's )

oh well this was an old laptop xp sp3 which i dusted out to use so it won't feel neglected it has dr web av v5 /rollback but then i put my fav green eye alias prevx to check its wellbeing all seemed well but windows update icon in the tool bar with 0% update got the hercule poirot in me to investigate the net result .... to to
i think i need to look for something else than rollback rx for my pcs it seems to cause a lot more fp warnings any suggestions?

[aigle]

Quote:

Originally Posted by PrevxHelp

I agree with SteveO - this looks like a false positive from GMER because the files are in the correct paths and under the correct service names. It might be worth installing and trying another antirootkit program to see if it finds anything as well.

Also note that some system protection programs (not Prevx, however) prevent antirootkit programs from functioning properly so you may want to double check with them disabled/uninstalled.

Let me know what you find

Are you sure there are false positives?
@thathagat
can you scan with MBAM, SAS, HitmanPro and esp pls try RootRepeal.

Quote:

Originally Posted by aigle

@thathagat
can you scan with MBAM, SAS, HitmanPro and esp pls try RootRepeal.

here..........hope the mods don't Repeal this post
SAS:quick scan clean
Mbam:quick scan clean
Hitman pro:clean
RootRepeal:Among other hidden files about prevx/dr web this too

Quote:

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!
Hidden Services
-------------------
Service Name: PSched
Image PathSystem32\DRIVERS\psched.sys

Gmer:Oh once again

Quote:

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; <-- ROOTKIT !!!
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] CryptSvc <-- ROOTKIT !!!
Service C:\WINDOWS\System32\DRIVERS\psched.sys (*** hidden *** ) [MANUAL] PSched <-- ROOTKIT !!!
Service C:\WINDOWS\System32\svchost.exe (*** hidden *** ) [MANUAL] seclogon <-- ROOTKIT !!!
Service C:\WINDOWS\system32\DRIVERS\sr.sys (*** hidden *** ) [DISABLED] sr <-- ROOTKIT !!!
Service C:\WINDOWS\System32\svchost.exe (*** hidden *** ) [AUTO] srservice <-- ROOTKIT !!!

[StevieO]

Often when using ARK's they highlight normal files etc that can behave in an RK fashion. Nothing to worry about generally, but i agree it's very alarming at first until you get more used to it. The danger is, deleting legit files that show up. Always try and cross reference with other Apps, and using a search www before even thinking of doing anything.

I still feel they are FP's, but if you send them to Prevx they'll soon tell you. Try to copy them to a new folder etc, via one of your ARK's.

PSCHED.SYS = Safe to use

The filename PSCHED.SYS is used by objects that are classified as safe. It has not yet been seen to be associated with malicious software.

http://www.prevx.com/filenames/33884...SCHED.SYS.html


cryptsvc = Microsoft

seclogon = Secondary Logon Microsoft

[PrevxHelp]

I agree that these are most likely FPs - thathagat: can you try removing the other security software you have installed to see if they are FPs caused by other product's protection? We had an FP a while back with our rootkit detection because of Comodo's disk protection making us think that files were rootkits which may be similar to what is happening here.

[aigle]

Thanks. I just wonder why gmer is doing this. I will still like to post it over sysinternals.

Quote:

Originally Posted by PrevxHelp

thathagat: can you try removing the other security software you have installed to see if they are FPs caused by other product's protection?

well instead of un-installing softwares i went to base installation snapshot which has no av/as/am nothing and ran gmer+rootrepeal
gmer-now shows only one entry no hidden services etc

Quote:

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; <-- ROOTKIT !!!

rootrepeal: shows no hidden sevices only this file

Quote:

Path: Volume C:\
Status: MBR Rootkit Detected!

gmer screen shot:

[PrevxHelp]

Quote:

Originally Posted by thathagat

well instead of un-installing softwares i went to base installation snapshot

What program are you using for taking installation snapshots? Many of them hide the MBR which would explain the warning you're receiving.

[EraserHW]

Quote:

Originally Posted by PrevxHelp

What program are you using for taking installation snapshots? Many of them hide the MBR which would explain the warning you're receiving.

From the screenshot looks like he's using Returnil, which would explain the false positive

[kasperking]

Quote:

Originally Posted by PrevxHelp

What program are you using for taking installation snapshots? Many of them hide the MBR which would explain the warning you're receiving.

its rollback rx the tray icon is oh so unmistakeably horrendous... at least for me

[PrevxHelp]

Quote:

Originally Posted by kasperking

its rollback rx the tray icon is oh so unmistakeably horrendous... at least for me

Rollback Rx would most likely be the culprit for the rootkit warning as it does hide the MBR.

A word of caution: don't use the fix MBR utilities on your system as you may lose your snapshots if they think they're cleaning the rootkit which is actually your rollback software