Author Topic: can you shed some light on the GPU-based rootkit?


pepsiman

  • Guest
can you shed some light on the GPU-based rootkit?
« on: April 11, 2013, 01:32:24 PM »
I came across the topic on Sysinternals.

The two tests the man posted in that topic
appeared to be positive.

So what can avast say about it?

Offline Pondus

  • Probably Bot
  • Posts: 37699
Re: can you shed some light on the GPU-based rootkit?
« Reply #1 on: April 11, 2013, 02:21:20 PM »
Quote
the two tests the man posted in that topic
Do you have a link... so we know what you are talking about?

pepsiman2

  • Guest
Re: can you shed some light on the GPU-based rootkit?
« Reply #2 on: April 11, 2013, 10:11:37 PM »
http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706_page10.html

Forgot the password on the first account.

Quote
Everyone:
Please run the following tests and post your results.
(These tests assume you have Vista or Win7 x64. XP or any 32bit Windows I cannot get valid answers from. Windows 8 I have no idea, it might work, try it out and let me know)

1) From Microsoft's own sysinternals.com get the program ProcessExplorer.
Run it (it's a standalone exe, no installer); you will see a Task Manager-like screen with all processes expanded in a tree-like display.
Collapse each of the trees so that you only see the process tree bases.
For example, explorer.exe should have processes running from it; we don't care about those, explorer.exe is a base.
Now from the top process in the list right click and choose properties.
(system idle process and system you can skip)
You will see an area in the bottom half of the box that says "Parent:"
Some of the processes will show "<Non-existent Process>(xxx)"
This is normal for some but NOT ALL OF THEM.
If you see ALL process tree bases showing "Parent: <Non-existent Process>(xxx)" then it is very likely you have an infected machine.
These processes are in fact NOT non-existent but they are malicious process hosts running from the malicious hypervisor. Again, at least half of them WILL show non-existent because their parent was killed off in normal fashion. The point is that NOT ALL should show this.
I have observed a CLEAN machine so I know what to look for.

2) From Sourceforge get ProcessHacker (the exe installer).
Run the installer with default options, no changes. (need all plugins enabled and kernel mode driver set).
Run ProcessHacker (as admin if you can, I can't be sure we will see proper results otherwise but it might work).
Assuming you have the proper .NET version installed you should see tabs near the top, the one on the right is named Disk. Click the Disk tab and click the bar titled "Name" so that it will be sorted from Z to A.
(we need that to see things we are interested in showing up at the top)
We are now watching for "Unknown Process(xxx)" popping up accessing files.
Under NO CIRCUMSTANCES should you see "Unknown Process" showing up on a clean machine!!!
Open a web browser; IE and Firefox work in my tests. Go to a website, exit (close) the browser and watch the Disk tab! An infected machine will immediately show "Unknown Process" (more than 1) grabbing the browser cache files and other DLLs. If you see this you are infected!
You can also put a shortcut to ProcessHacker in your startup folder, reboot and as soon as it comes up after boot switch to the Disk tab, sort Z-A and just watch. If you are infected you WILL see "Unknown Process(xxx)" accessing files.

What I need from you:
Please tell me your results of test #1.
If you see process tree bases with a real running parent please make note of that process name and its parent name. Again, I'm only interested in the process tree BASES, NOT processes hanging off of a base.
Please tell me your results of test #2.
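Added example, not code from this thread or from the quoted poster: a PowerShell script that performs the parent lookup of test #1 above without clicking through Process Explorer, listing every process whose parent no longer exists (what Process Explorer shows as "Parent: <Non-existent Process>(pid)"). It assumes Windows PowerShell 5.1 or later with the CIM cmdlets available; as the quoted post itself notes, some orphaned tree bases are normal, so the listing is a baseline to compare against, not a verdict.

```powershell
# Added example (not from the forum thread): PowerShell version of "test #1".
# Lists each process whose parent process is gone, i.e. a process tree base
# that Process Explorer would show with "Parent: <Non-existent Process>(pid)".
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CreationDate

# Index processes by PID for parent lookups. CIM reports PIDs as UInt32,
# so cast consistently: a hashtable key of [int]4 is not equal to [uint32]4.
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

$orphans = foreach ($p in $procs) {
    # Skip System Idle Process (0) and System (4), as the post says to.
    if ($p.ProcessId -in 0, 4) { continue }
    $parent = $byPid[[uint32]$p.ParentProcessId]

    # Windows reuses PIDs. If the process found under the parent PID started
    # AFTER this child, it is not the real parent; treat the child as orphaned.
    $reused = ($null -ne $parent) -and
              ($null -ne $parent.CreationDate) -and
              ($parent.CreationDate -gt $p.CreationDate)

    if ($null -eq $parent -or $reused) {
        if ($reused) {
            $parentText = "reused PID $($p.ParentProcessId) now $($parent.Name)"
        } else {
            $parentText = "<Non-existent Process>($($p.ParentProcessId))"
        }
        [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; Parent = $parentText }
    }
}

$orphans | Sort-Object Name | Format-Table -AutoSize
"Processes: $($procs.Count); with no live parent: $(@($orphans).Count)"
```

Run it twice a few minutes apart, or after a reboot, and diff the two listings: a base that is orphaned because its launcher exited (an installer, a logon script) stays stable, which is what a clean-machine baseline looks like.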

pepsiman2

  • Guest
Re: can you shed some light on the GPU-based rootkit?
« Reply #3 on: April 12, 2013, 07:04:33 PM »
Bump

:o Why do people ignore my questions?
I asked exactly this question on a lot of forums:
Avira, Kaspersky, Norman.

No one answered.
« Last Edit: April 12, 2013, 07:06:20 PM by pepsiman2 »

Offline Pondus

  • Probably Bot
  • Posts: 37699
Re: can you shed some light on the GPU-based rootkit?
« Reply #4 on: April 12, 2013, 07:47:21 PM »
Try Wilders Security Forums: http://www.wilderssecurity.com/

pepsiman2

  • Guest
Re: can you shed some light on the GPU-based rootkit?
« Reply #5 on: April 13, 2013, 06:25:09 PM »
Thanks,

but what is avast's view on this?

pepsiman2

  • Guest
Re: can you shed some light on the GPU-based rootkit?
« Reply #6 on: April 14, 2013, 10:41:31 PM »
 :'(

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • Posts: 5719
  • Spartan Warrior
Re: can you shed some light on the GPU-based rootkit?
« Reply #7 on: April 15, 2013, 06:12:42 AM »
Hi pepsiman2,

Seems to be a mission misperception here.

Both Pondus and I are avast! users, like you. avast! team members, however, are a completely different animal. Wilders Forum is good for this sort of stuff, and avast! team members are known to go over there from time to time.
Windows 11 Home 23H2
Windows 11 Pro 23H2
Avast Premier Security version 24.8.6127 (build 24.8.9372.868)
UI version 1.0.814

pepsiman2

  • Guest
Re: can you shed some light on the GPU-based rootkit?
« Reply #8 on: April 15, 2013, 11:57:30 PM »
Well, if this appears to be true,

I don't care about anything,
just to get an anti-infection, so I don't infect a clean machine,
and a vaccine for the infected ones.

Please just let someone professional find out about it.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • Posts: 5719
  • Spartan Warrior
Re: can you shed some light on the GPU-based rootkit?
« Reply #9 on: April 16, 2013, 03:49:35 AM »
That's what http://www.wilderssecurity.com/ is for.