
Can I Post My Gmer Rootkit Scan Here? If So, How?


4 replies to this topic

#1 ejames82


Posted 11 June 2008 - 11:25 PM

I have scanned with GMER rootkit scan and saved the logfile in My Documents as a txt file. I don't know how to read it, so that I can see that I don't have a rootkit detected by GMER.
I don't know how to post the log, or even if I am allowed to.
Could someone here please help me, hopefully, through the process of posting and reviewing the log? Any info will be permanently archived in a folder with the programme, accompanied by a large collection of anti-malware tools I have accumulated.
Thanks.

Mod Edit~ This topic has been moved to the "Am I Infected" forum. This forum is better suited for the question you have asked.

Edited by rigel, 12 June 2008 - 08:31 PM.




#2 boopme

Global Moderator

Posted 12 June 2008 - 09:18 PM

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.

Important! Please do not select the "Show all" checkbox during the scan.

Edited by boopme, 12 June 2008 - 09:20 PM.


#3 ejames82

Topic Starter

Posted 13 June 2008 - 05:56 PM

I am unable to copy and paste the log. It is too large. I never check the "show all" box.
It is a text document on my desktop and I can't move it to here.
BleepingComputer doesn't have a "manage attachments" button, at least that I notice.
I tried to drag and drop the log from the desktop to here also, but it seems to open automatically, which is undesirable.
Thanks for the reply.

#4 ejames82

Topic Starter

Posted 13 June 2008 - 09:33 PM

I came across this procedure at MajorGeeks. Is this necessary to use this tool and post?



Example of applying a fix with GMER

Close all open documents, as this will reboot your PC
Double-click on gmer.exe to launch GMER
If asked, allow the gmer.sys driver to load
If it warns you about rootkit activity and asks if you want to run a scan, click No/Cancel
Click on the >>> tab
This will open up the rest of the tabs for you
Click on the CMD tab
Make sure CMD.EXE is selected
Now highlight the contents of the codebox below and copy it to the clipboard by pressing Ctrl+C


Code:
gmer.exe -killall
gmer.exe -del service runtime
gmer.exe -del service runtime2
gmer.exe -del service core
gmer.exe -del file "C:\WINDOWS\System32\Drivers\hflt_ipf.sys"
gmer.exe -del file "C:\WINDOWS\system32\drivers\core.sys"
gmer.exe -del file "C:\WINDOWS\system32\drivers\core.cache.dsk"
gmer.exe -del file "C:\WINDOWS\System32\drivers\runtime.sys"
gmer.exe -del file "C:\WINDOWS\system32\drivers\runtime2.sys"
gmer.exe -del file "C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll:fork2"
gmer.exe -reboot

Now paste the contents into the top black box in GMER by using Ctrl+V
Click Run; the script will run and then your PC will be rebooted
After the reboot, rerun GMER and attach the new log

#5 ejames82

Topic Starter

Posted 13 June 2008 - 10:08 PM

My apologies to the mods for successive posts. Could this be the desired log? It is created before I scan.



GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-06-13 22:58:29
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateKey [0xF03819B0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateValueKey [0xF0381A60]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xF0391460]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Threads - GMER 1.0.14 ----

Thread 4:444 FF6757D0
Thread 4:448 FF6757D0
Thread 4:452 FF646EB0
Thread 4:456 FF646EB0
Thread 4:460 FF646EB0

---- EOF - GMER 1.0.14 ----
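The first question in this thread was how to read a log like the one above. Added here as an example that is not part of the original thread and is not GMER's own code: a small Python parser for the three line types the log contains (SSDT, AttachedDevice, Thread) that groups SSDT hooks by the module that owns them and lists modules GMER printed with no parenthesised description, which are the ones a helper would look up by hand first. The sample text is a constructed subset of the posted log; the triage rules (no description means "identify manually", PID 4 is the System process) are this example's assumptions, not rules from GMER.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER log posted in this thread.
SAMPLE_LOG = r"""GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-06-13 22:58:29
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateKey [0xF03819B0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xF0391460]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

---- Threads - GMER 1.0.14 ----

Thread 4:444 FF6757D0
Thread 4:448 FF6757D0

---- EOF - GMER 1.0.14 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER [\d.]+ ----$")
# SSDT <module path> [(description)] <hooked service> [<handler address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+(?:\((?P<desc>[^)]*)\)\s+)?"
    r"(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
# AttachedDevice <driver object> <device object> <module> [(description)]
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?$")
# Thread <pid>:<tid> <start address>
THREAD_RE = re.compile(r"^Thread\s+(?P<pid>\d+):(?P<tid>\d+)\s+(?P<addr>[0-9A-Fa-f]+)$")


def basename(path):
    # Last component of a Windows path, e.g. klif.sys from \??\C:\...\klif.sys
    return path.rsplit("\\", 1)[-1]


def parse_gmer_log(text):
    """Split a GMER log into SSDT hooks, attached devices and threads.

    Banner lines before the first '---- <Section> ----' header are skipped.
    A line inside a section that matches none of the patterns is kept in
    'unparsed' so that nothing is silently dropped.
    """
    report = {"ssdt": [], "devices": [], "threads": [], "unparsed": []}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        m = SSDT_RE.match(line)
        if m:
            report["ssdt"].append({"module": m["module"], "description": m["desc"],
                                   "function": m["func"], "address": m["addr"]})
            continue
        m = DEVICE_RE.match(line)
        if m:
            report["devices"].append({"driver": m["driver"], "device": m["device"],
                                      "module": m["module"], "description": m["desc"]})
            continue
        m = THREAD_RE.match(line)
        if m:
            report["threads"].append({"pid": int(m["pid"]), "tid": int(m["tid"]),
                                      "address": m["addr"]})
            continue
        report["unparsed"].append(line)
    return report


def triage(report):
    """Group findings the way a helper reads them: who hooks what, and what is unidentified.

    Assumption (this example's rule, not GMER's): an entry with no parenthesised
    description is a file GMER could not describe, so it goes on the list to
    identify by hand first. A description naming a known vendor is a hint that
    the hook is product behaviour (security software hooks the SSDT too), not proof.
    """
    hooks_by_module = defaultdict(list)
    for hook in report["ssdt"]:
        hooks_by_module[basename(hook["module"])].append(hook["function"])
    unidentified = sorted({basename(e["module"])
                           for e in report["ssdt"] + report["devices"]
                           if not e["description"]})
    # Assumption: PID 4 is the System process on Windows XP, so these are kernel threads.
    system_threads = sum(1 for t in report["threads"] if t["pid"] == 4)
    return {"hooks_by_module": dict(hooks_by_module),
            "unidentified_modules": unidentified,
            "system_threads": system_threads}


if __name__ == "__main__":
    summary = triage(parse_gmer_log(SAMPLE_LOG))
    for module, funcs in summary["hooks_by_module"].items():
        print(f"SSDT hooks by {module}: {', '.join(funcs)}")
    print("Modules with no description (identify manually):",
          ", ".join(summary["unidentified_modules"]) or "none")
    print("System (PID 4) threads listed:", summary["system_threads"])
```

Run it against a saved gmer.txt by replacing SAMPLE_LOG with the file's contents. On the sample, every SSDT hook belongs to klif.sys, whose description names Kaspersky Lab, and the only module without a description is fwdrv.sys; that is the entry a reviewer would check against the firewall or other kernel-mode software installed on the machine before drawing any conclusion.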



