Gmer....newish rootkit detector ?

Discussion in 'other anti-trojan software' started by Longboard, Jun 16, 2006.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Re: ?newish rootkit detector

    System volume Information DIR
     


  2. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Re: ?newish rootkit detector

    @controler
    Your log is clean. GMER doesn't see any rootkit. Here you have my samples.
    You can try other tools like RKR, I guess RKR will find nothing.

    It's normal behaviour.

    To browse "System volume Information" you can use "File" button on Processes Tab.

    http://www.theeldergeek.com/system_volume_information_folder1.htm

    Regards
     
    Last edited: Jun 24, 2006
  3. controler

    controler Guest

    Re: ?newish rootkit detector

    That is funny, I was at the same web page @ eldergeek about 5 min before you were :D
    I have always been able to access that folder before but have not tried in ages on this computer. I can not even log on to the admin account in safe mode anymore.
    Yes I have tried RKR before along with every other security software that I have seen. I am guessing it is time to install Windows Vista on this computer or switch back to my HD with Linux on it. I have installed so many programs on this thing it needs reformatting again. Tonight I removed the newest A2 since it was freezing everything.

    Thank you for your new program.

    controler
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Re: ?newish rootkit detector

    But how does this tool compare to IceSword, which one is better?

    And you know what I don't understand from tools like GMER and DarkSpy: why don't they show the number of services/drivers, hooks etc. installed? This way you could quickly compare the amount found in other tools. Now I have to count them myself. Just a small idea, it would be real handy. :blink:
     
  5. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Re: ?newish rootkit detector

    IceSword and DarkSpy have very good engines and they are very good at finding hidden processes/modules/files.

    GMER shows hooks, because some "malware" drivers don't hide themselves, they just make hooks.
    Sometimes there is no simple answer: you have the rootkit.
    If you don't know what is in your log - please send it to someone who knows.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Re: ?newish rootkit detector

    Thanks for the reply GMER, lately my system has been acting a bit strange so I decided to check out DarkSpy and GMER, but they have not found anything. Maybe a stupid question, but should I try in safe mode as well? About my other comment, I think you misunderstood, what I meant was that it would be nice if GMER would show for example: "There are 135 drivers installed". Currently you can already see the amount of processes running, why not do the same for Services/drivers etc.?
     
    Last edited: Jun 30, 2006
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Re: ?newish rootkit detector

    What do you mean by this? Currently there is nothing in my log. And btw, on the screenshots I see if GMER finds anything strange, it will show up in red right?

    So far I've tried tools like IceSword, DarkSpy, GMER, and more widely known tools such as RootkitRevealer and BlackLight, but none of them have found anything strange. However, since installing Ewido AS, Neoava Guard and SocketLock, IceSword won't work anymore, strange.
     
  8. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Re: ?newish rootkit detector

    Watch the movie pe386 -> http://www.gmer.net/files.php
    I think you have no rootkit.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Re: ?newish rootkit detector

    Well let's hope so, but since I'm paranoid I'm not so sure. I certainly would be surprised if I had a rootkit on my system though, it would be the ultimate proof that you can't be too paranoid nowadays. o_O
     
  10. controler

    controler Guest

    Re: ?newish rootkit detector

    To add to Rasheed's comment about drivers. I would like to see the program mark which are Microsoft's files and which are not, but then malware can be a "Microsoft" file I guess.

    An option to show non-signed drivers is good though, and I would like to see only signed drivers work on the Windows OS in the future. Signed drivers would not be malware, would they?

    controler
     
  11. controler

    controler Guest

    Re: ?newish rootkit detector

    When I go into settings and choose system protection and tracing and tick processes, drivers, User applications, processes & drivers, my system locks up on bootup. I then need to boot safe mode and untick everything. What do I tick to get the minidump file? My minidump folder is empty.
    Is there another ongoing forum for gmer?

    thank you

    controler
     
  12. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Re: ?newish rootkit detector

    Hi,

    Gmer is an exhaustive and interesting free rootkit detector and prevention tool, especially in comparison to basic and paid detectors such as HiddenFinder or ProcessMaster.

    But it is currently not very useful:

    -when a rootkit presence is detected, the scan integrates external drives, and if there's no floppy disk drive, the scan is blocked: for a forensic analysis, the job/scan is done from external drives (or remotely from a clean machine) to C/hard drive.
    So the scan of C by default is really sufficient.

    -there's no fingerprint mode for the prevention features (log processes, drivers etc.): the system "freezes" after the boot.

    Moreover, it does not detect objects hidden via DKOM (Fu), and some other Service Control Manager subversion methods, as was shown by BadRKDemo.
    BadRKDemo is not a rootkit (not yet!), but a demonstration tool released by the DarkSpy team which is not detected by most anti-rootkit tools.
    Gmer does not detect it via the tabs (rootkit, services etc.), and I've not tried the prevention features which may detect the loaded driver.
    The news item "Why you should use rootkit prevention software" at http://www.antirootkit.com/ includes a link to my quick study.

    More free detectors always means more choices.

    Regards
     
  13. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Re: ?newish rootkit detector

    Try: http://www.castlecops.com/

    Yes. The current version doesn't detect it.

    @kareldjag
    Thanks for your tests.

    http://www.gmer.net/badrkdemo.wmv

    I hope the next version will be released soon.

    Regards
     
    Last edited: Jul 2, 2006
  14. controler

    controler Guest

    kareldjag

    is antirootkit.com tied to rootkit.com? I see some of the same posters at both.

    What do you think about Joanna's Blue Pill? Is it for AMD-based systems only,
    because she is saying it is AMD hardware based?

    controler
     
  15. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    http://theinvisiblethings.blogspot.com/
    Regards
     
  16. controler

    controler Guest

    gmer, yes I read all that as I always do before I posted, but I was wondering what you think about it.
    I believe it is only aimed at AMD CPUs.
     
  17. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    The question is: will some BIG companies do something?

     
  18. controler

    controler Guest

    Yes, Joanna has already told me she is selling her wares to AVs.

    controler
     
  19. controler

    controler Guest

    Ok, I thought it was only AMD 64 and that is good because I have always used Intel, it just works so much better.

    Has nothing to do with Norton, or MS.

    controler
     
  20. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN

    There are some fundamental differences between AMD and Intel architecture-wise, not to mention the myriad legal issues that have finally come back to haunt the aspiring monopolist.

    AMD has a much more robust and better developed 64-bit desktop solution and a far more optimized memory pipe. Intel's slant towards a longer instruction pipe and off-die memory controller has hampered their performance in high-intensity memory applications and applications requiring wide data paths (hence why many Hollywood studios have ditched them for AMD), making AMD superior in many (not all) functions. Have you ever used a Prescott processor? They're room-heaters.

    Conroe may change this, as they have gone to a shorter data pipeline and a much more energy-efficient, and therefore cooler, processor design. I don't see myself buying one until the lawsuit is resolved and they begin more competitive, less abusive, business practices.

    AMD came to market first with desktop 64-bit processors, so it only makes sense that the author didn't spend their time focusing on a late-comer when other pressing matters came to be.
     
  21. SPB

    SPB Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    1
    I can tell you right offhand
    SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys ZwCreateProcess <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys

    belongs to ProcessViewer By Igor Nys


    http://www.teamcti.com/pview/prcview.htm


    controler

    We are having a problem with the prcmondrv1041.sys driver. I log into Windows no problem. With fast user switching enabled, my wife then logs in and during login we get a blue screen crash. Analysis of the Minidump shows STOP error 10000050, {ffffffe8, 1, 804e1928, 0} -- Could not read faulting driver name -- Probably caused by prcmondrv1041.sys

    The driver indicates it was written by Igor Nys, but so does Norton Process Monitor (part of Norton Systemworks). To stop these blue screen crashes, I deleted the driver and the registry entries. No more blue screen crashes. The only effect on Norton Process Monitor that I noticed so far is that the CPU percentages no longer add up to 100. The keys referring to the driver in ControlSet001 and ControlSet002 that I deleted had entries

    display name: prcmondrv
    image path: \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys

    Is it certain this driver is not legitimate? It seems to be. Any reason the driver name could not be read?
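SPB's post shows the SSDT lines GMER prints for a hooking driver, and earlier in the thread Rasheed187 asked for per-section counts while controler wanted hooks tied back to the file that owns them. The following is an added example (not GMER's code and not from any poster) that parses a constructed log in that style, counts entries per section, and groups SSDT hooks by the driver that installed them, so all hooks from one driver can be reviewed together and matched against a known tool such as the prcview driver. Only the two prcmondrv1041.sys lines come from the thread; the other lines, the placeholder driver name and the "<Section> <path>" layout of non-SSDT lines are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed GMER-style log. The two prcmondrv1041.sys lines are the ones
# SPB quoted; every other line is made up for this example, and the layout of
# non-SSDT lines ("<Section> <path>") is an assumption, not GMER's real format.
SAMPLE_LOG = r"""
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys
SSDT \??\C:\WINDOWS\system32\drivers\example_hook_placeholder.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\example_hook_placeholder.sys ZwCreateFile
Process C:\WINDOWS\explorer.exe
Process C:\WINDOWS\system32\svchost.exe
Driver \??\C:\WINDOWS\system32\drivers\example_hook_placeholder.sys
"""

# section name, then a path, then an optional hooked function name
LINE_RE = re.compile(r"^(?P<kind>\w+)\s+(?P<path>\S+)(?:\s+(?P<func>\S+))?$")


def parse_gmer_log(text):
    """Return one dict per non-empty line: kind, path, func (None if absent)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def count_by_kind(entries):
    """Per-section totals, the 'There are N drivers installed' style summary."""
    return Counter(e["kind"] for e in entries)


def ssdt_hooks_by_driver(entries):
    """Group hooked Zw* functions by the driver file that installed the hook."""
    hooks = defaultdict(set)
    for e in entries:
        if e["kind"] != "SSDT":
            continue
        driver = e["path"].rsplit("\\", 1)[-1].lower()  # file name only
        bucket = hooks[driver]  # create the key even if no function is named
        if e["func"]:
            bucket.add(e["func"])
    return {d: sorted(f) for d, f in hooks.items()}


if __name__ == "__main__":
    parsed = parse_gmer_log(SAMPLE_LOG)
    print(dict(count_by_kind(parsed)))
    for drv, funcs in ssdt_hooks_by_driver(parsed).items():
        print(drv, "->", ", ".join(funcs) or "(no function named)")
```

A driver that shows up with several hooks is the one to identify first; the thread's point is that the same file name can belong to a legitimate tool (here ProcessViewer) and still warrant a check.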
     
  22. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi there

    Just decompressed the .ZIP and then tried to run Gmer (latest version on website) and got the following dialog:

    [attached image: Gmer - Driver Issue 1.png]

    Clicking OK on the first resulted in a 2nd dialog being presented, after which the program terminated.

    Anybody seen this before? o_O Anyone have any ideas as to how to resolve? :blink:

    Thanks in advance :D

    PS. Am running Windows XP Home SP2 with KIS 6 & ProcessGuard enabled.
     
  23. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Hi

    Are you running GMER from an administrator account or a user with administrator privileges?

    Try to start the driver manually: net start gmer
     
  24. dog

    dog Guest

    Just to add ... Did you allow the driver with PG? and/or KIS?
     
  25. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi there

    Yes I did, but the first time it did not work. Seems to be working now though.

    Thanks for the response.:D
     