foxsteve
Premium
join:2001-12-28
Campbell, CA
1 edit | reply to gmer
Re: One in Five PC's Infected With Rootkits
Sorry, I do not understand your message. Is it recommendation for me or you need copy of this kind of file?
Edit. At each start of gmer.exe, WindowsUpdate.log is increased on 1210 bytes. I would like to ask, how GMER is related to WindowsUpdate.log? |
|
gmer
join:2006-07-01
Poland | reply to foxsteve
@foxsteve
Please do not change anything on "Setting Tab" - it's not necessary to detect rootkits !
Just press "Scan" on Rootkit tab and when it ends use "Copy" or "Save..." button to save content as a text file. |
|
foxsteve
Premium
join:2001-12-28
Campbell, CA
| reply to gmer
Thank you for your answer.
I have repeated test your program at unticked "Sections" option. Program was not collapsed as before at strange address 0x72013668, but I did not get any gmer.log file, although gmer.ini file was edited
I hope my testing may help you in development of your important anti-rootkit program. |
|
gmer
join:2006-07-01
Poland
| reply to foxsteve
Hi Foxsteve, hi everyone
I see that new BETA of GMER doesn't work correctly on your machine . It's probably a bug in sections scan so I need to check this part of code .
If you would like to scan your computer with this version I can only suggest to untick "Sections" option on "Rootkit" tab and rescan again. I hope it helps.
@fcukdat
Thank you for keeping me informed .
Regards |
|
fatdcuk
Premium
join:2005-02-20
England
| reply to foxsteve
Hi,
Well The Beta version has been stable for my research setup both in clean mode and hosed but that dose not mean that it will be stable on all setup's.
Still this tool is in Beta testing phase which is not a final release and i have relayed your bug report to the software author(GMER):) |
|
foxsteve
Premium
join:2001-12-28
Campbell, CA
3 edits | reply to fatdcuk
I followed your recommendation and downloaded gmer.exe file (753,664 bytes) from that link »www2.gmer.net/beta/, then started that file and press "Scan". For security I tested that file under monitoring. Here is result.
On the first step program created 5 files:
C:\Wimdows\gmer.exe (753664 bytes)
C:\Windows\gmer.dll (811008 bytes)
C:\Windows\gmer.ini (250 bytes)
C:\Windows\gmer_uninstall.cmd (80 bytes)
C:\Windows\system32\drivers\gmer.sys (85073 bytes)
and series of keys in the next Registry directories:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GMER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gmer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GMER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
On the second step program started scanning my system, but at scanning C:\Windows\system32\drivers\FILEM.SYS file, stopped with message as on the attached picture.
I pressed "OK" and program collapsed without any C:\Windows\gmer.log file.
What is your next recommendation?
PS. Here are codes gmer.ini and gmer_uninstall.cmd files
gmer.ini
gmer_uninstall.cmd
|
|
AB
Premium
join:2006-04-04
Leesburg, VA
| reply to Bubba17
said by Bubba17  :said by AB :I think I owe a debt of gratitude to SipSizurp's and the others' clients though, that shouldered the burden and helped to keep me in that other 75 or 80% percentile. Whew! Close one! You found something? Nope. Not a thing.
This is why I'm in that 'other percentile'.  |
|
Bubba17
Less is More
Premium
join:2006-09-21
| reply to AB
said by AB :I think I owe a debt of gratitude to SipSizurp's and the others' clients though, that shouldered the burden and helped to keep me in that other 75 or 80% percentile. Whew! Close one! You found something? And, successfully eradicated it?
You used RkU? Did you try GMER?
--
HN7000s | Horizons 1 (127W) | Gateway: 1110Mhz | Dish: .98m 2 Watt | Pro+
"Fast is fine, but accuracy is everything" --Wyatt Earp |
|
AB
Premium
join:2006-04-04
Leesburg, VA
| reply to Bubba17
said by Bubba17 :Notice ... I didn't announce I was clean. Yes, I notice that.
Well, allow me to announce-- my machine is clean!
Yeah, baby! Yee-haaa!
I think I owe a debt of gratitude to SipSizurp's and the others' clients though, that shouldered the burden and helped to keep me in that other 75 or 80% percentile.
Whew! Close one!
Thanks, gents! |
|
fatdcuk
Premium
join:2005-02-20
England
2 edits | reply to foxsteve
said by foxsteve :Ok, thank you very much! What do you know about new development with RkU? As far as i am aware RKU is no longer under public developement.As an ARK forensic tool it is becoming less effective than it once was.This has been highlighted by some of the recent ITW RK malware.IRC the latest DNS changer trojan RK is not detected by RKU nor is Nulprot so that is 2 for definite that the tool is confirmed as blind too but they will almost certainly be more out there ITW.
FWIW if ARK tools are not in constant state of developement like the rootkit malwares they are targeting then they are losing ground on effectiveness.The battle is ongoing between mal writers and the defenders,alas the defenders will always be playing catchup.
IMHO GMER has now superceded RKU as forensic tool as the best available samedrive tool.It has incorperated the best of IceSword and RKU functionability with a few added extra's thrown in.The problem then arises then with *ease of use/data returned* which is where GMER will fall down for most folks.
That said dose new GMER see them all....well there is a very high probability not,the battle still goes on! |
|
foxsteve
Premium
join:2001-12-28
Campbell, CA | reply to Elite
Ok, thank you very much!
What do you know about new development with RkU? |
|
Elite
join:2002-10-03
Orange, CT | reply to foxsteve
Your machine is clean then.
--
QUAD!!!! |
|
fatdcuk
Premium
join:2005-02-20
England
1 edit | reply to foxsteve
N/M |
|
foxsteve
Premium
join:2001-12-28
Campbell, CA | reply to Elite
According to Report, RkU did not find hidden processes, drivers or files. |
|
Elite
join:2002-10-03
Orange, CT | reply to daveinpoway
Code hook is just Windows kernel splicing. No need to be alarmed.
As for SSDT, this could very well be Symantec hooking your SSDT.
Any hidden process, drivers, or files?
--
QUAD!!!! |
|
foxsteve
Premium
join:2001-12-28
Campbell, CA
| reply to Elite
How to clean system if
- services are hooked by "Unknown module filename" and
- ntoskrnl.exe is hooked "Inline - Relative Jump"? |
|
SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Hilo, HI
 ·RoadRunner Cable
| reply to Elite
said by Elite :Probably a bunch of stupid mutexes to prevent deletion. That's what I had figured since the file count was transient. I delivered it back into operation. The secretary was very delighted with the repair, and I am very delighted with my nice new shiny nuclear bomb ! Thanks again ! |
|
youveshutmedown
@sbcglobal.net | reply to fatdcuk
Thanks for the continued tests. It pretty much reinforces what I was already assuming to be the case, just nice to have some third party confirmation.  |
|
fatdcuk
Premium
join:2005-02-20
England
1 edit | reply to daveinpoway
Here the next pair of ARK's tested versus the test malware rootkits.
Mcafee Rootkit Detective 1.1
Testset 1= 3/5*
*Both Rustock B and Runtime2 were flagged by their hidden registry values.Runtime 2 SSDT hooks also seen.
Blind to Srizbi and Nulprot.
Testset2= 3/4*
*Rustock A only caught by hidden registry data.
Blind to Allinone.
F-Secure Blacklight Rootkit Eliminator
Testset1=3/5
Blind to Rustock B and Nulprot.
Testset2= 3/4
Blind to Rustock A
 |
|
Elite
join:2002-10-03
Orange, CT
·Optimum Online
| reply to SipSizzurp
Probably a bunch of stupid mutexes to prevent deletion.
Can't name any malware that can hold it's own against RkU though...
As long as there are no more hidden processes, hidden files, or SSDT hooks, the machine should be clean minus all the files it dumped on disk and all the crap it put in the registry.
--
QUAD!!!! |
|
