GMER Rootkit detector

Discussion in 'other anti-malware software' started by blacknight, Mar 14, 2016.

  1. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,579
    Location:
    Europe
    For those who liked this old rootkit detector, which is not so easy to read, here is the new version: http://www.gmer.net/. Some old version crashed my system when I used XP SP3 32-bit. Tried on Seven 64-bit and it seems to work.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,853
    Location:
    Outer space
    Nice to see it is still being developed now that the dev is working for Avast. Which makes it funnier that the only vendor with a detection for it on VT is Avast :argh:
    @blacknight
    Your link is broken.
     
  3. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,561
    Location:
    Mexico
    Yeah it's broken. But here you go:
    http://www.gmer.net/

    Strange, I got this line in the Rootkit/Malware tab:
    C:\Windows\system32\csrss.exe [640:664] fffff960008802d0
     
    Last edited: Mar 14, 2016
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,554
    Location:
    U.S.A.
    Just ran it on my Win 7 x64 build and log said I was clean as a whistle.

    You might want to check these out:

    http://superuser.com/questions/872983/csrss-exe-anomalies-is-this-a-rootkit
    http://securityxploded.com/hidden-process-detection.php - scroll down to this section: HPD with CSRSS Process Handle Enumeration

    BTW - GMER installs a hidden service... plus drops a driver in %AppData%\temp

     
    Last edited: Mar 14, 2016
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,225
    Location:
    The Netherlands
    I haven't used it in months; the spartan GUI annoyed me, and it behaved a bit weird.

    It should have looked like Tuluka: http://www.downloadcrew.com/article/22466-tuluka

    It's probably nothing malicious, but I would still investigate it.
     
  6. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,561
    Location:
    Mexico
    I did it and my symptoms are the same as what this guy found:
    http://superuser.com/questions/872983/csrss-exe-anomalies-is-this-a-rootkit
    (thanks to @itman for the link)
    Still don't know whether my pc is infected or not. Too complex for me though.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,225
    Location:
    The Netherlands
    I'm not sure but I think I had this same reading on my old Win XP PC. Perhaps it's caused by one of your security tools?
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,298
    Was just looking at the GMER website today and see it supports Windows 10 now. Wonder if they got the MS-signed driver?
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,298
    I just ran it in shadow mode and at first it showed a bunch of red entries and asked if I wanted to run a full scan. It said they were system modifications.
    I ran the full scan and boom, GMER crashed.
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,298
    I decided to run it again. The first screenshot with red-marked entries is before the full scan. The second one, run after selecting full scan, shows it crashed somewhere in the sys32 AppGuard DLLs. I had AppGuard set to off, so not sure about this one.
     
  11. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,289
    The executable is not digitally signed, but I'm not sure if the driver is signed.
    It drops a driver to the temporary directory. To find out if it is digitally signed, you can go to the temporary directory and look in the file properties of the dropped driver.
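The file-properties check above can be scripted. This is an added example, not GMER's code or anything posted in the thread: it lists .sys files recently written under the temp directories the thread mentions (plus any files you name explicitly, such as the GMER executable) and reports their Authenticode status, signer and SHA-256. The roots, the .sys extension and the 60-minute window are assumptions; adjust them if your scan shows the driver landing elsewhere.

```powershell
# Added example, not GMER's code or from the thread: report the Authenticode
# signature status of driver files recently written to the temp directories the
# thread mentions, plus any explicit files (e.g. the GMER executable itself).
# Assumptions: the dropped driver keeps a .sys extension and lands under one of
# $Roots; adjust both if your scan shows a different location.
param(
    [string[]]$Roots = @($env:TEMP, (Join-Path $env:APPDATA 'temp')),
    [string[]]$ExtraFiles = @(),
    [int]$MinutesBack = 60
)

$cutoff = (Get-Date).AddMinutes(-$MinutesBack)

# Recently written .sys files under the candidate roots.
$candidates = @(foreach ($root in $Roots) {
    if ($root -and (Test-Path -LiteralPath $root)) {
        Get-ChildItem -LiteralPath $root -Filter '*.sys' -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff }
    }
})

# Explicit files the caller wants checked regardless of age.
$candidates += @(foreach ($p in $ExtraFiles) {
    if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p }
})

if (-not $candidates) {
    Write-Host "No .sys files written in the last $MinutesBack minutes under: $($Roots -join ', ')"
    return
}

foreach ($f in $candidates) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path    = $f.FullName
        Written = $f.LastWriteTime
        SizeKB  = [math]::Round($f.Length / 1KB, 1)
        # Valid, NotSigned, HashMismatch, NotTrusted or UnknownError
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        SHA256  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}
```

Get-AuthenticodeSignature reports the user-mode Authenticode result only; a Valid status does not by itself mean the kernel's code-integrity policy would accept the driver for loading. The SHA-256 is there so the file can be looked up or compared against a known-good copy rather than judged by name.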