
Is there a typical GMER log of an uninfected system?


3 replies to this topic

#1 surname

  • Members
  • 2 posts

Posted 27 June 2013 - 06:04 PM

Hi guys, I ran GMER on my computer earlier this month. I don't have an infection (I don't think) but I was curious to check. It found some user code sections and some threads for the .NET optimizer. I'm curious to know whether or not that's normal in a baseline system, or indicative of something sinister.


Here's the log. Thanks :)

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-11 15:25:44
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-6 SAMSUNG_SSD_830_Series rev.CXM03B1Q 119.24GB
Running: 2013.04.04 5qtb6cww.exe; Driver: C:\Users\HP_Owner\AppData\Local\Temp\pgddqpoc.sys


---- User code sections - GMER 2.1 ----

.text   c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1752] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075f61465 2 bytes [F6, 75]
.text   c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1752] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075f614bb 2 bytes [F6, 75]
.text   ...                                                                                                                                  * 2
.text   C:\Windows\SysWOW64\vmnat.exe[1888] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26                                           00000000747813c6 2 bytes [78, 74]
.text   C:\Windows\SysWOW64\vmnat.exe[1888] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74                                           00000000747813f6 2 bytes [78, 74]
.text   C:\Windows\SysWOW64\vmnat.exe[1888] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257                                          00000000747814ad 2 bytes [78, 74]
.text   C:\Windows\SysWOW64\vmnat.exe[1888] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303                                          00000000747814db 2 bytes [78, 74]
.text   ...                                                                                                                                  * 2
.text   C:\Windows\SysWOW64\vmnat.exe[1888] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79                                           0000000074781577 2 bytes [78, 74]
.text   C:\Windows\SysWOW64\vmnat.exe[1888] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175                                          00000000747815d7 2 bytes [78, 74]
.text   C:\Windows\SysWOW64\vmnat.exe[1888] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620                                          0000000074781794 2 bytes [78, 74]
.text   C:\Windows\SysWOW64\vmnat.exe[1888] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921                                          00000000747818c1 2 bytes [78, 74]
.text   C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[1244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69      0000000075f61465 2 bytes [F6, 75]
.text   C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[1244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155     0000000075f614bb 2 bytes [F6, 75]
.text   ...                                                                                                                                  * 2
.text   C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69      0000000075f61465 2 bytes [F6, 75]
.text   C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155     0000000075f614bb 2 bytes [F6, 75]
.text   ...                                                                                                                                  * 2
.text   C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69           0000000075f61465 2 bytes [F6, 75]
.text   C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155          0000000075f614bb 2 bytes [F6, 75]
.text   ...                                                                                                                                  * 2

---- Threads - GMER 2.1 ----

Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2960:2980]                                                               0000000076ee7587
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2960:2984]                                                               0000000071c10cb3
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2960:3016]                                                               0000000077b82e25
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2960:4480]                                                               0000000077b83e45
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2960:2444]                                                               0000000077b83e45
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2960:3112]                                                               0000000077b87111
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2960:1484]                                                               0000000077b83e45

---- EOF - GMER 2.1 ----


Edited by Orange Blossom, 25 July 2013 - 11:08 PM.
Moved to general AV forum. ~ OB



#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,504 posts
  • Gender: Male
  • Location: USA

Posted 01 August 2013 - 08:27 AM

Sorry for the delay. Trying to interpret GMER results can be confusing at best as there could be many legitimate entries in there.

I can tell you that with VMware installed on my machine, I am receiving many of the same results you are. I am not using some of the apps listed, including Vmware shared folders, so not seeing results for those obviously.

My gut is that your log looks fine.
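The reply above is right that a GMER "User code sections" list is mostly noise on a healthy box, but the log itself carries enough to check that rather than guess. Below is an added triage script (not from the thread and not GMER's own code) that parses the posted lines, groups identical patch sites across processes, and applies two heuristics that are my assumptions, not GMER's: a 2-byte difference whose bytes equal the upper half of the patched address is what a relocated absolute address looks like when compared against the on-disk image (every psapi/SHFOLDER line in the post fits that shape: [F6, 75] at 0x75F6xxxx, [78, 74] at 0x7478xxxx), whereas a patch that starts with a jmp/call opcode has the shape of an inline hook. The sample input copies the poster's lines plus one made-up "hooked" line to exercise the second branch.

```python
"""Triage helper for GMER 2.x "User code sections" lines.

Added example, not part of the forum post and not GMER's own code.  It parses
the entries the poster pasted, groups identical patches across processes and
labels each site.  The two heuristics and the last SAMPLE_LOG line are
assumptions/constructed, not anything the original log or GMER states.
"""
import re
from collections import defaultdict

# Constructed sample: lines 1-6 are copied from the posted log; the final
# line is made up (a fictitious process and a 5-byte jmp rel32 patch).
SAMPLE_LOG = r"""
.text   c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1752] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075f61465 2 bytes [F6, 75]
.text   c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1752] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075f614bb 2 bytes [F6, 75]
.text   ...                                                                                                                                  * 2
.text   C:\Windows\SysWOW64\vmnat.exe[1888] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26                                           00000000747813c6 2 bytes [78, 74]
.text   C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[1244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69      0000000075f61465 2 bytes [F6, 75]
.text   C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69           0000000075f61465 2 bytes [F6, 75]
.text   C:\Users\HP_Owner\AppData\Local\Temp\demo_hooked.exe[4444] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 0                       0000000075a10000 5 bytes [E9, 00, 10, 40, 00]
"""

# One GMER entry: ".text  <process>[pid] <module>!<export> + <off>  <addr> <n> bytes [xx, yy]"
ENTRY = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<export>\w+)\s+\+\s+(?P<offset>\d+)\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes\s+\[(?P<bytes>[^\]]*)\]"
)
# GMER abbreviates runs of similar entries as ".text ... * N"
ELIDED = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(\d+)\s*$")

JUMP_OPCODES = {0xE8, 0xE9, 0xEB}  # call rel32, jmp rel32, jmp rel8


def parse_entries(text):
    """Return one dict per matched '.text' line; headers, blanks and '...' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        entries.append({
            "process": m["proc"].strip(),
            "pid": int(m["pid"]),
            "module": m["module"],
            "export": m["export"],
            "offset": int(m["offset"]),
            "addr": int(m["addr"], 16),
            "patched": bytes(int(b, 16) for b in m["bytes"].split(",")),
        })
    return entries


def elided_count(text):
    """Sum of the N in every '.text ... * N' line (entries GMER chose not to print)."""
    return sum(int(m.group(1)) for m in (ELIDED.match(l.strip()) for l in text.splitlines()) if m)


def looks_like_relocation(addr, patched):
    """Heuristic (assumption): a 2-byte diff equal to bytes 2..3 (little-endian) of the
    patch address.  A 32-bit absolute address inside a DLL loaded away from its preferred
    base differs from the on-disk image only in the bytes the loader rewrote, which is
    the shape of the psapi/SHFOLDER lines in the post, not the shape of a detour."""
    return len(patched) == 2 and patched == (addr & 0xFFFFFFFF).to_bytes(4, "little")[2:4]


def looks_like_hook(patched):
    """Heuristic (assumption): the patch starts with a control transfer (jmp/call, or
    FF 25 = jmp [abs32]), the usual first bytes of an inline hook."""
    return len(patched) >= 2 and (patched[0] in JUMP_OPCODES or patched[:2] == b"\xff\x25")


def triage(entries):
    """Group identical patch sites across processes and label each one."""
    sites = defaultdict(set)
    for e in entries:
        key = (e["module"].lower(), e["export"], e["offset"], e["addr"], e["patched"])
        sites[key].add(e["process"].lower())
    report = []
    for (module, export, offset, addr, patched), procs in sorted(sites.items()):
        if looks_like_relocation(addr, patched):
            verdict = "relocation-like"
        elif looks_like_hook(patched):
            verdict = "jump-like: inspect"
        else:
            verdict = "unclassified: compare with on-disk image"
        report.append({"site": f"{module}!{export}+{offset}", "addr": addr,
                       "patched": patched.hex(" ").upper(),
                       "processes": len(procs), "verdict": verdict})
    return report


def summarize(report):
    """Verdict -> number of distinct patch sites."""
    counts = defaultdict(int)
    for r in report:
        counts[r["verdict"]] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    report = triage(entries)
    print(f"{len(entries)} entries parsed, {elided_count(SAMPLE_LOG)} similar entries elided by GMER")
    for r in report:
        print(f"{r['verdict']:<40} {r['processes']} proc(s)  {r['site']} @ {r['addr']:08x} [{r['patched']}]")
```

Two things the grouping makes visible on the poster's own data: the psapi.dll site at GetModuleInformation+69 is byte-identical at the same address in every 32-bit process listed, which is what a shared system DLL mapped at one base looks like, and none of the real entries start with a branch opcode. A site that shows up in a single process, or whose bytes begin E9/FF 25, is the one to dump and compare against the DLL on disk before concluding anything.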

#3 surname (Topic Starter)

  • Members
  • 2 posts

Posted 01 August 2013 - 12:20 PM

Sorry for the delay. Trying to interpret GMER results can be confusing at best as there could be many legitimate entries in there.

I can tell you that with VMware installed on my machine, I am receiving many of the same results you are. I am not using some of the apps listed, including Vmware shared folders, so not seeing results for those obviously.

My gut is that your log looks fine.


Thanks for posting I appreciate it. You're probably right, it's fine. Always good to ask around though.



#4 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,143 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 01 August 2013 - 02:38 PM

Gmer does provide example logs with infections here...but since there are so many different legitimate entries that may be present, I suspect he felt an example of an uninfected machine wasn't much use for anyone to look at.