GMER "always" complains about not being able to access registry files. Isn't that it's main purpose?
is an advanced stand-alone tool that will help investigate for the presence of rootkit activity
. It will not actually tell you if you are infected or not unless you know what you're looking for. GMER compares the output from system function calls direcly into the operating system to output from calls generated by their own functions. Any differences between it's own implementation and that of the operating system is reported as a hidden file, service, registry key, or device. GMER also looks for hidden code modifications and API Kernel hooks as well as many other checks which are not discussed in public to safeguard the program from malware writers who would use that information for nefarious purposes.
Most of the log listings are dumps of raw memory data structures from the Windows Kernel which handles access to files, registry keys, hardware and from the system processor tables. Even with advanced training, trying to interpret GMER results can be confusing at best as there could be many legitimate entries in its log.
GMER is known for being extremely good at rootkit detection, but it is also known for occasionally being unstable on some computers
. There are varying reasons GMER will not run properly. CD Emulators (Daemon Tools, Alchohol, Astroburn, AnyDVD) should always be disabled first if using them and sometimes you have to uncheck some of the scanning options in order to get it to run.
If you're unsure how to use a particular Anti-rootkit (ARK) tool or interpret the log it generates, then you probably should not
be using it as most folks panic or become alarmed at the scan results without knowing what they mean. Some ARK tools like GMER are intended for advanced users
or to be used under the guidance
of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action.
Incorrectly removing legitimate entries could lead to disastrous problems
with your operating system. Why? Not all hidden components detected
by anti-rootkit (ARK) scanners and security tools are malicious
. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators
sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.
API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found
. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.
In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.
What specific issues are you having that requires the use of running GMER?