Gmer found this?

Discussion in 'malware problems & news' started by Atomas31, Feb 1, 2008.

Thread Status:
Not open for further replies.
  1. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi,

    Gmer found an MBR rootkit on my system (see screenshot). Is this a false positive? Should I be worried?

    Thanks,
    Atomas31
     


  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Perhaps it's an FP. Since FD-ISR places code on the PBR, this could be triggering the detection.
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I don't know if there is a difference in how FDISR behaves in Vista, but I just did a scan with Gmer and I did not get that false positive. I also did a scan in XP, but that was a couple of months ago, and Gmer did not report any detected rootkits.
    If I saw that in my Gmer log I would be worried. Especially if I'd had some HIPS installed, I'd be worried why they didn't report any activity on the MBR.
     
  4. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    I second that. I have FDISR on XP Pro SP2, running the same version of Gmer, and I have never received that alert. You may want to consider running other rootkit tools, and/or a couple of online virus scans.


    Mike
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Try Prevx CSI.
     
  6. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Since it is in the MBR, maybe it is Rollback Rx that's generating this alert?

    I might try the Kaspersky online scan just to be sure...

    Thanks,
     
  7. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Just tried Prevx CSI and it found nothing suspicious...

    Unhackme and Counterspy also found nothing...

    My Nod32, comodo Boclean and Prosecurity never reported anything either...

    When I have a little more time, I will try Kaspersky online and see but so far it looks like a False positive...
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    NOD, UnhackMe, BOClean and CS are not supposed to detect MBR rootkits. Not saying that you have one.
     
  9. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    How did you scan with Gmer anyway? I can never get that program to work properly. Probably something I need to set?
    Is your computer acting strangely? Because as I understand it, that rootkit will force a reboot every 60 minutes.
     
  10. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi Atomas,

    As a RBx user, using the same version of Gmer, my scan result shows no alert at all on Windows XP SP2

    Regards,

    MaB
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    This is how the MBR RK (Sinowal.C) showed up in GMER when I last had it.

    [attached screenshot: gmeryu4.jpg]

    Being honest, I'm not quite sure what is on your setup, but that said, there are no stealth threads on the system PID (4) showing o_O

    Apparently Dr Web CureIt can detect and remove this beastie if it is installed, so maybe it's worth giving it a run to see if that finds any suspicious data.

    http://freedrweb.com/

    HTH :)
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This looks indeed authentic.

    The problem with the latest Gmer is that anyone who wants to can simply create a false alarm by suspending gmer.sys in memory. Since Stealth MBR, gmer compares from kernel and user mode; just suspend one of them and you receive a false alarm.
     
  13. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Well, I thought that those software were supposed to detect MBR rootkits o_O

    @Stijnson

    I did nothing special; every time I start it, it makes a quick scan, and if I want it to scan my system I click on "scan".

    And no, my system doesn't act strangely whatsoever, and it is certainly not shutting down by itself...

    @MaB69
    Thanks for checking it!

    @Fcukdat

    I ran Dr Web CureIt and it found nothing related to an MBR rootkit...

    Thanks to everybody else. I am in contact with GMER support and they are checking GMER's findings... I will come back to you to indicate whether or not it is a false positive :)

    Best regards,
    Atomas31
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Not the right tool to hunt hidden things, and be aware of FPs en masse. AOL is still considered a backdoor. (lool)

    Do you know how fresh the whole discovery is? They use old methods to defeat AVs; if they combine these old, rare methods, most AVs and ARs fail to detect them.

    Actually there are only a few tools that can detect ADS-based malware: you can count them on 5 fingers, and the same is valid for MBR Stealth. So don't be surprised that most don't detect anything.
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  16. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    You are right about the fact that Dr Web CureIt gives a lot of false positives. I received a bunch of them, but there was nothing about an MBR rootkit...

    From Fcukdat's post, Dr Web CureIt should be one of the few able to detect this, but it didn't detect anything.

    I also scanned my system with Prevx CSI and it also found nothing...

    From the first contacts with GMER support, it looks like it might very strongly be a false positive... I'll post back when GMER support gives me a definitive answer :)
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    If it is not a false positive then it could be the Phantom. I guess it could even corrupt PrevX in memory with <unknown>.

    But highly likely an FP, because as you can see on fcuk's screens, the system threads (8 times) are missing on your screens.
     
  18. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Sorry, but I don't understand what you mean in these phrases o_O
     
  19. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I received the part that is missing on your screens to fully prove the existence of Stealth.MBR:

    I show it to you: http://i25.tinypic.com/2dh5n2t.png

    This is likely a false alarm too, because Kaspersky seems to use stealth code in its antivirus.

    If we merged our two screens together we would have nearly the result of fcuk's screen.
     
  20. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Still not sure what you are trying to show me, but I have checked with Rootkit Unhooker and under the tab "stealth code" there is nothing there... Also, what part is missing on my screen? o_O

    What scanner or tool do you suggest to confirm or rule out the presence of an MBR rootkit?
     
  21. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    They always are!
    Only Kerio FW was installed at the time, or else it would be only MBR data returned on my GMER screenie ;)

    Atomas31,

    What SJ (we) mean is that apart from the MBR(0) flags there also should be some stealth thread flags with this badboy. Here is the screenshot used in GMER's illustration/writeup of the MBR RK. This is the data that should be returned if it is present.

    [attached screenshot: rk.jpg]

    Also RKU will detect stealth objects if it is loaded. See screenshots in the following post ;)
    http://forum.sysinternals.com/forum_posts.asp?TID=13179&PID=60636#60636

    HTH :)
     
  22. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Thank you Fcukdat for those screens!

    Also, since my screens don't contain anything from your screen except the first line, does that mean that the chance of me really having an MBR rootkit is almost equal to 0?
     
  23. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hmm, IMO there is a higher chance of it being a F/P since 2/3 of the MBR RK killer club are not detecting anything, and the fact that you only have a partial detection by GMER present also.

    That said, I would still encourage you to work alongside GMER and get a definite determination before trusting your computer again :thumb:
     
  24. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    @Atomas chances are not at 0.
    Be extremely aware if you see IO stuff. They communicate with IO to filter the things you are not supposed to see. It could also be a disk.sys hook, and then they have full control, but to really check that you should first uninstall all security apps to prevent all kinds of false alarms. But I am not sure if gmer is able to detect the ddefy method; normally it should, because the technique has already been known for 2 years, but the latest unknown Rustock claims to use a similar kind, probably one step further than stealth MBR, and now imagine a combination of all this wicked stuff.
     
    Last edited: Feb 4, 2008
  25. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Well, after I sent all the logs and info that GMER support asked me for, it appears that it is a false positive and there is nothing bad on my system...

    I can also say that it appears to be Rollback Rx which is provoking this false positive. Today, I had to uninstall Rollback Rx to install the latest version, and after I completely removed Rollback, I tried GMER again and it found nothing. I installed the new build of Rollback Rx and now GMER still finds rootkit-like behaviour, but this time it is in sector 23.

    I can only hope that GMER support will rectify this false positive soon...

    Best regards,
    Atomas31
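As an added example (not code from the thread, from GMER or from Rollback Rx), here is a small Python audit in the spirit of the thread's outcome: take a known-good baseline of sector 0 once a boot-time tool such as Rollback Rx has been installed, then re-check later so that a rewritten bootstrap area can be told apart from a changed partition table or a missing boot signature. The two MBR images are constructed in the block; on a live Windows system the 512 bytes would instead be read from `\\.\PhysicalDrive0` as administrator.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # 446 bytes of bootstrap code, then 4 x 16-byte partition entries
BOOT_SIG_OFFSET = 510     # bytes 0x55 0xAA mark a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a sector-0 image into a bootstrap-code hash, partition entries and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # partition type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", sector, BOOT_SIG_OFFSET)[0]  # little-endian 0xAA55
    return {"code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions, "valid_signature": signature == 0xAA55}


def audit_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return human-readable findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code changed since baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed test image: given bootstrap bytes, one bootable NTFS entry, valid signature."""
    code = code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 1_000_000)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed images standing in for "sector 0 at baseline time" and
# "sector 0 after a boot manager such as Rollback Rx rewrote the bootstrap code".
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90CLEAN-BOOTSTRAP")
MODIFIED_MBR = build_sample_mbr(b"\xEB\x3C\x90BOOT-MANAGER-CODE")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["code_sha256"]
```

`audit_mbr(MODIFIED_MBR, BASELINE_SHA256)` reports only the bootstrap change, which is the kind of difference a rootkit scanner flags on a system where a boot-time tool legitimately owns sector 0.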
     