One in Five PC's Infected With Rootkits
Bubba17
Less is More
Premium
join:2006-09-21

reply to AB
Re: One in Five PC's Infected With Rootkits

said by AB See Profile :

I think I owe a debt of gratitude to SipSizurp's and the others' clients though, that shouldered the burden and helped to keep me in that other 75 or 80% percentile.
Whew! Close one!
You found something? And, successfully eradicated it?

You used RkU? Did you try GMER?
--
HN7000s | Horizons 1 (127W) | Gateway: 1110Mhz | Dish: .98m 2 Watt | Pro+

"Fast is fine, but accuracy is everything" --Wyatt Earp


AB
Premium
join:2006-04-04
Leesburg, VA

said by Bubba17 See Profile :

said by AB See Profile :

I think I owe a debt of gratitude to SipSizurp's and the others' clients though, that shouldered the burden and helped to keep me in that other 75 or 80% percentile.
Whew! Close one!
You found something?
Nope. Not a thing.

This is why I'm in that 'other percentile'.


foxsteve
Premium
join:2001-12-28
Campbell, CA


reply to fatdcuk
I followed your recommendation and downloaded the gmer.exe file (753,664 bytes) from that link »www2.gmer.net/beta/, then started that file and pressed "Scan". For safety I tested that file under monitoring. Here is the result.

In the first step the program created 5 files:
C:\Windows\gmer.exe (753664 bytes)
C:\Windows\gmer.dll (811008 bytes)
C:\Windows\gmer.ini (250 bytes)
C:\Windows\gmer_uninstall.cmd (80 bytes)
C:\Windows\system32\drivers\gmer.sys (85073 bytes)
and a series of keys in the following Registry directories:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GMER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gmer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GMER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer

In the second step the program started scanning my system, but while scanning the C:\Windows\system32\drivers\FILEM.SYS file it stopped with the message shown in the attached picture.

I pressed "OK" and the program collapsed without writing any C:\Windows\gmer.log file.

What is your next recommendation?

PS. Here are the contents of the gmer.ini and gmer_uninstall.cmd files

gmer.ini

gmer_uninstall.cmd

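The post above lists the files, registry keys and kernel driver that GMER drops on first run. When the scanner crashes, as it did here, nothing guarantees its uninstall script ran, so gmer.sys can stay registered as a service and loaded in the kernel. The following PowerShell script is an added example, not code from the thread or from the GMER author: it audits exactly the artifacts foxsteve listed and reports whether the driver is still loaded. The file sizes are the ones quoted in the post (they will differ for other builds); the Type/Start interpretation uses the documented SERVICE_KERNEL_DRIVER (1) and SERVICE_DEMAND_START (3) values; the function name Get-GmerFootprint is mine. It needs PowerShell 4 or later for Get-FileHash and Get-CimInstance.

```powershell
# Added example: audit the on-disk, registry and in-kernel footprint that
# foxsteve's post attributes to the GMER beta. Not GMER's own code.
$ErrorActionPreference = 'SilentlyContinue'

# Files and the byte sizes reported in the post (sizes are build-specific).
$files = @{
    'C:\Windows\gmer.exe'                  = 753664
    'C:\Windows\gmer.dll'                  = 811008
    'C:\Windows\gmer.ini'                  = 250
    'C:\Windows\gmer_uninstall.cmd'        = 80
    'C:\Windows\system32\drivers\gmer.sys' = 85073
}

# Registry keys listed in the post (HKLM\SYSTEM, PowerShell drive notation).
$regKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_GMER',
    'HKLM:\SYSTEM\ControlSet001\Services\gmer',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GMER',
    'HKLM:\SYSTEM\CurrentControlSet\Services\gmer'
)

function Get-GmerFootprint {
    $report = @()

    foreach ($path in $files.Keys) {
        $item = Get-Item -LiteralPath $path
        if ($item) {
            # Hash so the file can be compared against the copy you downloaded.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $detail = "size=$($item.Length) (post reported $($files[$path])) sha256=$hash"
        } else {
            $detail = ''
        }
        $report += [pscustomobject]@{ Kind = 'File'; Path = $path; Present = [bool]$item; Detail = $detail }
    }

    foreach ($key in $regKeys) {
        $present = Test-Path -LiteralPath $key
        $detail = ''
        if ($present -and $key -like '*\Services\gmer') {
            # Type 1 = kernel driver, Start 3 = demand start (documented service key values).
            $svc = Get-ItemProperty -LiteralPath $key
            $detail = "Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
        }
        $report += [pscustomobject]@{ Kind = 'Registry'; Path = $key; Present = $present; Detail = $detail }
    }

    # A registered service key is not the same as a loaded driver; ask the OS directly.
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='gmer'"
    $drvDetail = if ($drv) { "State=$($drv.State) Started=$($drv.Started) PathName=$($drv.PathName)" } else { '' }
    $report += [pscustomobject]@{ Kind = 'Driver'; Path = 'gmer'; Present = [bool]$drv; Detail = $drvDetail }

    return $report
}

$result = Get-GmerFootprint
$result | Format-Table -AutoSize Kind, Present, Path, Detail

if ($result | Where-Object { $_.Kind -eq 'Driver' -and $_.Present }) {
    Write-Warning 'gmer.sys is still registered or loaded; run C:\Windows\gmer_uninstall.cmd (or reboot) before treating the machine as free of the tool.'
}
```

Run it from an elevated prompt once after the crash and once after the uninstall script or a reboot; the second run should show every row as Present = False. On a PowerShell 2 host, replace Get-CimInstance with Get-WmiObject and drop the hash line.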

fatdcuk
Premium
join:2005-02-20
England

Hi,

Well, the Beta version has been stable on my research setup both in clean mode and hosed, but that does not mean that it will be stable on all setups.

Still, this tool is in the Beta testing phase, which is not a final release, and I have relayed your bug report to the software author (GMER) :)

gmer

join:2006-07-01
Poland

reply to foxsteve
Hi Foxsteve, hi everyone

I see that the new BETA of GMER doesn't work correctly on your machine. It's probably a bug in the sections scan, so I need to check this part of the code.

If you would like to scan your computer with this version, I can only suggest unticking the "Sections" option on the "Rootkit" tab and rescanning. I hope it helps.

@fcukdat
Thank you for keeping me informed.

Regards


foxsteve
Premium
join:2001-12-28
Campbell, CA

Thank you for your answer.
I have repeated the test of your program with the "Sections" option unticked. The program did not collapse as before at the strange address 0x72013668, but I did not get any gmer.log file, although the gmer.ini file was edited.
I hope my testing may help you in the development of your important anti-rootkit program.

gmer

join:2006-07-01
Poland
@foxsteve

Please do not change anything on the "Settings" tab - it's not necessary to detect rootkits!

Just press "Scan" on the Rootkit tab and, when it ends, use the "Copy" or "Save..." button to save the content as a text file.


foxsteve
Premium
join:2001-12-28
Campbell, CA


Sorry, I do not understand your message. Is it a recommendation for me, or do you need a copy of this kind of file?

Edit. At each start of gmer.exe, WindowsUpdate.log grows by 1210 bytes. I would like to ask how GMER is related to WindowsUpdate.log?
Thursday, 26-Nov 10:10:21 | © 1999-2009 dslreports.com