
Does anyone understand the rootkit removal tool Gmer with Win 11?


TheodoreM


****edit

Sorry, please forgive me.. when I saw "other tools", I immediately mistook it to mean discussion of any tool BUT Malwarebytes, and after posting I read the sub text and I feel so stupid!

 

I am sincerely sorry. If there is nowhere appropriate for this topic to be moved to, feel free to delete it.*************

 

 

Hi

I am a bit paranoid because of something I have done and would appreciate some assistance.

I am using Kaspersky Standard these days as my anti-malware tool.

For some reason I decided to download Gmer as I was curious about rootkits.

On first run it detected the Riva Tuner file in the MSI Afterburner folder as a rootkit. Every time I ran the scan it was persistent. Sometimes the scan would crash (maybe because I am using Win 11 latest and Gmer is not certified compatible with Windows 11).

After I uninstalled Afterburner it scanned clean.

I re-downloaded Afterburner, made extra triple sure I was getting it direct from MSI as I did the first time, and installed it. Same thing with Gmer.

I know what it was picking up was the legitimate RTCore64 service in the Afterburner install folder, but I was still paranoid so I scanned with Kaspersky, then installed Malwarebytes (which Kaspersky hates) and did a full scan including archives and rootkit scan selected, Sophos HitmanPro demo scan (never used it prior to today), and full Emsisoft Emergency Kit scan and all found everything absolutely clean, but Gmer persisted..

Oh, I did a Defender scan also but that was later on, and took hours. The only thing Defender detected as a PUP was Gmer itself LOL! But I know it's safe as I got it direct from the Gmer website, so I let it ignore that.

In any case:

After a reboot, it would no longer pick up the Afterburner service as a rootkit. But I checked and all the files are still there, i.e. the files it initially detected as hidden services or rootkits. I have never told Gmer to delete anything, i.e. I never right-clicked and told it to delete a service or even stop a service. All I did after the scan was exit.

This is where it gets weird.

I opened the Microsoft Store and did a check for updates, and it did one update, Microsoft Gaming Services.

Gmer then found THAT to be a rootkit (gamingservices exe in windowsapps folder) but after reboot, same thing. It doesn't detect it as any issue now, but the exact same gaming services it initially said was a rootkit is still present and RUNNING. Multiple scans later, even with full drive scanning checked, Gmer only finds a clean system.

My questions:

Does Gmer delete anything if you don't specifically tell it to?

Does Gmer crashing mid scan possibly corrupt anything?

Do you think this is just because Win 11 has certain services that might behave differently, and Gmer hasn't been updated for so long?

I did an sfc scannow and dism restore health just to be on the safe side and I had zero corruption there, thankfully.

Any thoughts?

I wish I never downloaded it to be honest. I wasn't having any weird issues, it was just morbid curiosity, and now I have spent hours scanning with a bunch of tools and made myself paranoid.

Any insight greatly appreciated.

Edited by TheodoreM

Sorry, please forgive me.. when I saw "other tools", I immediately mistook it to mean discussion of any tool BUT Malwarebytes, and after posting I read the sub text and I feel so stupid!

 

I am sincerely sorry. If there is nowhere appropriate for this topic to be moved to, feel free to delete it.

 

 


1 hour ago, TheodoreM said:

I wish I never downloaded it to be honest. I wasn't having any weird issues, it was just morbid curiosity, and now I have spent hours scanning with a bunch of tools and made myself paranoid.

Any insight greatly appreciated.

Stop looking for things that are not even an issue. Do not download specialty tools unless you have been trained on how to interpret the results.


I thought running a little 387Kb well-known exe file that is meant to be stellar for rootkit detection would simply show nothing on my system, then I'd delete it. I was curious. Kaspersky doesn't even have rootkit settings in scan settings that I can see, but I have read it does it; however, I wanted to try something dedicated to it. Never did I expect it to start flagging legitimate processes LOL.

 


Just to clarify, and this can be closed, I have run it 50 times since then and it has never found anything again. I guess those two processes temporarily gave Gmer reason to think they were hidden when they were legitimate. It is what it is.

 

Sorry about this topic. I am sorry for being an OCD doofus sometimes, but I really am. It's all related to my OCD which has plagued me since childhood. I have to have everything perfect all the time.

 
