prevx says clean but gmer shows rootkit modification

Discussion in 'Prevx Releases' started by thathagat, Jul 29, 2009.

Thread Status:
Not open for further replies.
  1. thathagat

    thathagat Guest

    Well, Prevx and Dr.Web AV 5 realtime give this PC a clean bill of health, but a GMER scan has a scary tale to tell... so can I trust Prevx, or am I missing something?
    Screenshot:
     

    Attached Files:

  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi, not really scary, but if you're not used to ARKs then they sure can be!

    Looks like legit entries to me.

    sr.sys = System Restore, which appears to be disabled?

    svchost = I imagine these are normal Windows files.

    You could always upload them to VT & Jotti to check.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree with StevieO - this looks like a false positive from GMER because the files are in the correct paths and under the correct service names. It might be worth installing and trying another antirootkit program to see if it finds anything as well.

    Also note that some system protection programs (not Prevx, however) prevent antirootkit programs from functioning properly so you may want to double check with them disabled/uninstalled.

    Let me know what you find :)
     
  4. thathagat

    thathagat Guest

    Well, Panda Anti-Rootkit and RootkitRevealer did not reveal any rootkit, but there was one more entry in red by GMER that is not seen in the screenshot. It was.
    But now I bid adieu to GMER for good; it's a bit too much for my tender heart ;)
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you let us know what other security software you're using? (Mostly just so we prevent any FPs in the future which could be similar to GMER's :D)
     
  6. thathagat

    thathagat Guest

    Oh well, this was an old laptop (XP SP3) which I dusted off to use so it won't feel neglected. It has Dr.Web AV v5 / Rollback, but then I put my fav green eye ;) alias Prevx on it to check its wellbeing. All seemed well, but the Windows Update icon in the toolbar with 0% update got the Hercule Poirot in me to investigate. The net result... o_O :doubt: o_O
    I think I need to look for something other than Rollback Rx for my PCs; it seems to cause a lot more FP warnings. Any suggestions?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Are you sure these are false positives?
    @thathagat
    Can you scan with MBAM, SAS, HitmanPro, and especially please try RootRepeal.
     
  8. thathagat

    thathagat Guest

    Here... hope the mods don't Repeal this post.
    SAS: quick scan clean
    MBAM: quick scan clean
    HitmanPro: clean
    RootRepeal: among other hidden files about Prevx/Dr.Web, this too
    GMER: oh, once again :doubt:
     
  9. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Often when using ARKs they highlight normal files etc. that can behave in an RK fashion. Nothing to worry about generally, but I agree it's very alarming at first until you get more used to it. The danger is deleting legit files that show up. Always try to cross-reference with other apps, and do a web search before even thinking of doing anything.

    I still feel they are FPs, but if you send them to Prevx they'll soon tell you. Try to copy them to a new folder etc. via one of your ARKs.

    PSCHED.SYS = Safe to use

    The filename PSCHED.SYS is used by objects that are classified as safe. It has not yet been seen to be associated with malicious software.

    http://www.prevx.com/filenames/3388485042604800442-X1/PSCHED.SYS.html


    cryptsvc = Microsoft

    seclogon = Secondary Logon Microsoft
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree that these are most likely FPs - thathagat: can you try removing the other security software you have installed to see if they are FPs caused by other products' protection? We had an FP a while back with our rootkit detection because of Comodo's disk protection making us think that files were rootkits, which may be similar to what is happening here.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. I just wonder why GMER is doing this. I would still like to post it over at Sysinternals.
     
  12. thathagat

    thathagat Guest

    Well, instead of uninstalling software I went to the base installation snapshot, which has no AV/AS/AM, nothing, and ran GMER + RootRepeal.
    GMER: now shows only one entry, no hidden services etc.
    RootRepeal: shows no hidden services, only this file
    GMER screenshot:
     

    Attached Files:

  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    What program are you using for taking installation snapshots? Many of them hide the MBR which would explain the warning you're receiving.
     
  14. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    From the screenshot it looks like he's using Returnil, which would explain the false positive.
     
  15. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    It's Rollback Rx; the tray icon is oh so unmistakably horrendous... at least for me.
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Rollback Rx would most likely be the culprit for the rootkit warning as it does hide the MBR.

    A word of caution: don't use the fix MBR utilities on your system as you may lose your snapshots if they think they're cleaning the rootkit which is actually your rollback software :)
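The last few posts explain the warning: snapshot/rollback products such as Rollback Rx sit below the file system as a disk filter and present a different MBR to the OS than the one physically on the disk, which is exactly the kind of discrepancy an antirootkit tool reports. The following is an added example written for this thread (not GMER's, Prevx's or Rollback Rx's code) that shows what such a cross-check looks like: it parses two 512-byte MBR images, the sector as seen through the OS storage stack and the sector as read from the disk, and reports whether the boot code or the partition table differs. Both sample sectors are constructed inline; in practice the views would come from reading the first sector through the volume and through the physical drive (administrator rights, platform-specific), which this example deliberately does not do so it runs offline. Function and constant names are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446     # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510      # bytes 0x55 0xAA close a valid MBR
MBR_SIGNATURE = 0xAA55


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Parse the partition table of one 512-byte MBR sector; raises on a malformed sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    if signature != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{signature:04X}")
    entries = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + 16 * i
        status, _chs_first, type_id, _chs_last, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        if type_id == 0:        # empty slot
            continue
        entries.append(PartitionEntry(bool(status & 0x80), type_id, lba, count))
    return entries


def compare_mbr_views(os_view: bytes, disk_view: bytes) -> Dict[str, object]:
    """Compare the MBR returned through the OS storage stack with the sector read
    from the physical disk, i.e. the consistency check an ARK performs.
    The verdict only says which region differs. Whether the cause is a
    snapshot/rollback filter driver or something malicious must be settled by
    cross-referencing with other tools, never by blindly rewriting the MBR."""
    for view in (os_view, disk_view):
        parse_mbr(view)          # both views must at least be well-formed
    differing = [i for i in range(SECTOR_SIZE) if os_view[i] != disk_view[i]]
    boot_code_differs = any(i < PART_TABLE_OFFSET for i in differing)
    table_differs = any(PART_TABLE_OFFSET <= i < SIGNATURE_OFFSET for i in differing)
    if not differing:
        verdict = "consistent"
    elif table_differs:
        verdict = "partition table differs between views"
    else:
        verdict = "boot code differs, partition table intact"
    return {
        "verdict": verdict,
        "differing_bytes": len(differing),
        "boot_code_differs": boot_code_differs,
        "partition_table_differs": table_differs,
    }


def build_sample_mbr(boot_code_prefix: bytes = b"") -> bytes:
    """Constructed sample sector: one bootable NTFS-type (0x07) partition at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code_prefix)] = boot_code_prefix
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET,
                     0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 1_000_000)
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, MBR_SIGNATURE)
    return bytes(sector)


# Constructed views: the OS sees the plain boot code, the disk holds a sector whose
# first 16 bytes were replaced by a filter-driver stub (an invented marker string).
CLEAN_VIEW = build_sample_mbr()
FILTERED_VIEW = build_sample_mbr(b"FILTER-DRV-STUB!")

if __name__ == "__main__":
    for entry in parse_mbr(CLEAN_VIEW):
        print(entry)
    print(compare_mbr_views(CLEAN_VIEW, CLEAN_VIEW)["verdict"])
    print(compare_mbr_views(CLEAN_VIEW, FILTERED_VIEW))
```

A result of "boot code differs, partition table intact" is what a rollback or snapshot product typically produces, since it must keep the partition table usable while inserting its own boot-time hook; the same pattern, though, is also what a boot-sector infection looks like, which is why the thread's advice to uninstall or disable the snapshot software and rescan from a clean base is the right way to tell them apart, and why running a "fix MBR" utility on a result like this can destroy the snapshots.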
     