
GMER insists on only scanning the system drive and its OS.


#1 gmeruser123


Posted 04 March 2014 - 08:12 PM

OS: Windows 7 SP1 Fully updated, 64-bit

GMER "always" complains about not being able to access registry files. Isn't that its main purpose? GMER: "the process cannot access the file because it is being used by another process." "Okay...", so let's try this offline then. I mounted an image of my current OS... GMER responds by incessantly scanning my current running OS and system drive.

GMER will not scan my external hdd or my other internal hdd. It behaves this way on all of my PCs, in normal mode, in safe mode and even when using a live CD like Mini-XP. In fact, GMER scans Mini-XP's X: drive because it's the "current" OS. I've forgotten how, but in Mini-XP I've even got GMER to detect my decrypted OS image and it scanned it but failed with the same errors. Why does Hiren's BootCD even include it or many other programs that do not work for that matter?

aswMBR always crashes, with a typically useless default exception code of 0xc0000005 which could mean a number of things and displays "Avast Antirootkit has stopped working..."

catchme says it detected something. I'm not sure I believe that. It's probably detecting encryption hooks or KeyScrambler or some other security specific software. But it says:

detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQuery 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != -1375723995, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != -469754331, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 5
Initialization error

I thought perhaps this all might be caused by my OS being 64-bit. But GMER "Added full support for Windows x64."

I thought it might be because my OS is encrypted by Truecrypt and there may be some issue with it and other programs that try to read the mbr and fail as it's not a Windows mbr. That makes sense but the same behavior occurs with Mini-XP and my unencrypted OS.

sfc /scannow doesn't detect any changes.

The behavior above occurs on a freshly installed system as well.

Edited by gmeruser123, 04 March 2014 - 08:13 PM.




#2 quietman7


Posted 04 March 2014 - 11:02 PM

GMER "always" complains about not being able to access registry files. Isn't that its main purpose?

Not quite...GMER is an advanced stand-alone tool that will help investigate for the presence of rootkit activity. It will not actually tell you if you are infected or not unless you know what you're looking for. GMER compares the output from system function calls directly into the operating system to output from calls generated by their own functions. Any differences between its own implementation and that of the operating system are reported as a hidden file, service, registry key, or device. GMER also looks for hidden code modifications and API Kernel hooks as well as many other checks which are not discussed in public to safeguard the program from malware writers who would use that information for nefarious purposes.

Most of the log listings are dumps of raw memory data structures from the Windows Kernel which handles access to files, registry keys, hardware and from the system processor tables. Even with advanced training, trying to interpret GMER results can be confusing at best as there could be many legitimate entries in its log.

GMER is known for being extremely good at rootkit detection, but it is also known for occasionally being unstable on some computers. There are varying reasons GMER will not run properly. CD Emulators (Daemon Tools, Alcohol, Astroburn, AnyDVD) should always be disabled first if using them, and sometimes you have to uncheck some of the scanning options in order to get it to run.

If you're unsure how to use a particular Anti-rootkit (ARK) tool or interpret the log it generates, then you probably should not be using it as most folks panic or become alarmed at the scan results without knowing what they mean. Some ARK tools like GMER are intended for advanced users or to be used under the guidance of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action.

Incorrectly removing legitimate entries could lead to disastrous problems with your operating system. Why? Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators, sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

What specific issues are you having that require the use of running GMER?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

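To make the "code modification" check in a catchme-style log concrete, here is an added example (not code from this thread, nor from GMER or catchme) that parses the syscall number out of an ntdll Zw* stub; the stub bytes and the expected numbers are constructed placeholders. It shows that a checker which assumes one stub layout reports a mismatch on a different architecture even when nothing is patched, while a genuinely overwritten stub is reported as "not a syscall thunk", which, as the reply above notes, can be a legitimate hook as well as a rootkit.

```python
import struct

# Constructed stub bytes for this example (not captured from a real ntdll).
# 32-bit (Windows XP-era) Zw* stub:
#   mov eax, imm32 ; mov edx, 7FFE0300h ; call [edx] ; ret imm16
STUB_X86 = bytes.fromhex("B8 47000000 BA 0003FE7F FF12 C21800")
# 64-bit (Windows 7) Zw* stub:
#   mov r10, rcx ; mov eax, imm32 ; syscall ; ret
STUB_X64 = bytes.fromhex("4C8BD1 B8 47000000 0F05 C3")
# A stub whose first instruction was replaced by a jmp rel32 (inline hook);
# security software and rootkits alike leave this pattern behind.
STUB_HOOKED = bytes.fromhex("E9 00100000 90 90 90 90")

X64_PREFIX = b"\x4c\x8b\xd1"  # mov r10, rcx


def syscall_number_naive(stub: bytes) -> int:
    """Checker that assumes the 32-bit layout ('mov eax, imm32' at offset 0).
    Anything else yields 0, so every export of a 64-bit ntdll is reported
    as '0 != expected' even though nothing is patched."""
    if len(stub) < 5 or stub[0] != 0xB8:
        return 0
    return struct.unpack_from("<I", stub, 1)[0]


def syscall_number(stub: bytes):
    """Architecture-aware checker: skip the x64 'mov r10, rcx' prefix when
    present. Returns None when the bytes are not a plain syscall thunk,
    i.e. the stub was modified and needs a human to classify the hook."""
    off = len(X64_PREFIX) if stub.startswith(X64_PREFIX) else 0
    if len(stub) < off + 5 or stub[off] != 0xB8:
        return None
    return struct.unpack_from("<I", stub, off + 1)[0]


def find_mismatches(stubs: dict, expected: dict, parser) -> list:
    """Compare each export's parsed syscall number with the expected one and
    return 'Name got != expected' strings in the style of the catchme log."""
    out = []
    for name, stub in stubs.items():
        got = parser(stub)
        if got != expected[name]:
            out.append(f"{name} {got} != {expected[name]}")
    return out


# Constructed expected numbers (placeholders, not real Windows values).
EXPECTED = {"ZwEnumerateKey": 0x47, "ZwOpenKey": 0x77}
STUBS = {"ZwEnumerateKey": STUB_X64, "ZwOpenKey": STUB_HOOKED}

if __name__ == "__main__":
    # The naive parser flags both exports; only ZwOpenKey is actually modified.
    print(find_mismatches(STUBS, EXPECTED, syscall_number_naive))
    print(find_mismatches(STUBS, EXPECTED, syscall_number))
```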

#3 gmeruser123


Posted 04 March 2014 - 11:25 PM

I've created another topic http://www.bleepingcomputer.com/forums/t/526524/utorrent-seems-to-be-vulnerable-to-dos-attacks/ which explains the issue I'm having. With or without expert help, I'd like to be able to fully use GMER as I've been able to hunt down and manually remove infections in XP with it and Knoppix when the Antivirus programs were incapable of detecting or removing the Vundo virus, which was known to be "supposedly" impossible to recover from without wiping the hard drive. I, with these tools, rid myself of it without the necessity to reinstall the OS. In retrospect, I probably should have wiped the drive anyway.

#4 quietman7


Posted 05 March 2014 - 07:15 AM

If you want expert help, then you will need to create and post a DDS log for further investigation.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running DDS which will create two logs. (Note: Windows 8.1 Users will not be able to run DDS and create a log)
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

#5 quietman7


Posted 05 March 2014 - 10:34 PM


Your log(s) is posted here.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log(s) you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take several days to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another Malware Response Team member is already assisting you and not open the thread to respond.

If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Good luck with your log.
