
Gmer & red folders


6 replies to this topic

#1 bluemonkey50
Posted 21 February 2017 - 11:04 AM

Hi there,
I had a PC slowing down. I had the old Spybot, Avira, Malwarebytes and Virit scanning the system but nothing... so I used ComboFix and GMER, and that is where I saw those red folders and files (see JPEG attached)... Since I had an experience with an infection in the MBR, I ran Killdisk twice and reinstalled... but after all the OS updating GMER still shows red folders and seemingly they are the same as before... Is it possible that the infection is so deep it couldn't be cleaned by Killdisk? Last time it did work and it came out clean, but that was on XP, which I still have, and I ran Killdisk on the HD in question; then I re-checked with the Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by GMER, which gave:

device: opened successfully

user: error reading MBR 
error: Read  Handle non valido.
kernel: error reading MBR 

I've been trying to search the forum but I couldn't find much, so now I'm really in a blind spot and don't really know what the next step should be...

Thank you...

Edited by hamluis, 21 February 2017 - 11:38 AM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 bluemonkey50

Posted 22 February 2017 - 05:14 AM

I googled around; GMER seems a bit outdated because it gives false positives... and perhaps the PC is working properly. But I still have doubts about the Stealth MBR detector results.



#3 sjpritch25

Posted 23 February 2017 - 09:22 AM

If you still think you're infected, I would post in the Virus Removal forum. Make sure you don't run any more scans with GMER and don't run ComboFix again.


Microsoft MVP Consumer Security 2007-2010

#4 bluemonkey50

Posted 23 February 2017 - 11:19 AM

If you still think you're infected, I would post in the Virus Removal forum. Make sure you don't run any more scans with GMER and don't run ComboFix again.

THANK YOU FOR THE REPLY

After installation I didn't run ComboFix... GMER scanning only.
Spybot's finds: deleted... Malwarebytes doesn't find anything... Avira and Virit have been removed and MSE is running as the AV. I also turned on the OpenDNS service and mostly I use Chrome... for now it is working fine. Should I run some other specific AM or something else (new), maybe test the MBR?

 



#5 quietman7


Posted 24 February 2017 - 10:37 PM

GMER is an older advanced stand-alone tool which will help investigate for the presence of rootkit and malicious activity. It will not actually tell you if you are infected or not unless you know what you're looking for. GMER compares the output from system function calls directly into the operating system to output from calls generated by its own functions. Any differences between its own implementation and that of the operating system are reported as a hidden file, service, registry key, or device. GMER also looks for hidden code modifications and API kernel hooks, as well as many other checks which are not discussed in public to safeguard the program from malware writers who would use that information for nefarious purposes.

Most of the log listings are dumps of raw memory data structures from the Windows Kernel which handles access to files, registry keys, hardware and from the system processor tables. Even with advanced training, trying to interpret GMER results can be confusing at best as there could be many legitimate entries in its log.

GMER is known for being extremely good at rootkit detection, but it is also known for occasionally being unstable on some computers. There are varying reasons GMER will not run properly. CD emulators (Daemon Tools, Alcohol, Astroburn, AnyDVD) should always be disabled first if you are using them, and sometimes you have to uncheck some of the scanning options in order to get it to run.

I am a firm believer that if someone is unsure how to use a particular security tool or interpret any logs it generates, then they probably should not be using it. Folks often panic when they see scanning log results they do not understand after using tools they know very little about. Some security tools are intended for advanced users, those who are knowledgeable of the Windows registry, or to be used under the guidance of an expert who can interpret the log results and investigate them for malicious entries before taking any removal action. Security tools will show everything they find that is a possible problem (good and bad), but you need to know what to remove and what not to remove. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system.

As for ComboFix, you may want to read ComboFix usage, Questions, Help? - Look here

If you want a comprehensive look at your system for possible malware by experts, there are other advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

If you choose to post a log, please reply back in this thread with a link to the new topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
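As an added illustration (not part of this thread and not GMER's code) of what an MBR integrity check like the Stealth MBR detector does: parse the 512-byte sector, verify the 0x55AA signature and partition table, and compare the boot code against a known-good baseline hash. The sample sectors and baseline below are constructed; on a live Windows system the bytes would come from a raw read of the physical drive with administrator rights, and a failed or short read (the invalid-handle error quoted earlier in the thread is that kind of failure) must be reported rather than treated as a clean sector.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
SIGNATURE = b"\x55\xaa"      # bytes 510..511 must carry the boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Parse one 512-byte MBR into a boot-code digest, partition list and signature flag."""
    if len(mbr) != MBR_SIZE:
        # A short or failed disk read must never be silently treated as a clean sector.
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        entry = mbr[BOOT_CODE_LEN + 16 * i : BOOT_CODE_LEN + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": mbr[MBR_SIZE - 2:] == SIGNATURE}


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Compare an MBR with a known-good boot-code hash; an empty list means no findings."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one bootable NTFS partition, valid signature."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


# Constructed samples, not real boot loaders: a "clean" sector that serves as the baseline,
# and one whose boot code was replaced, which is what an overwritten MBR looks like to the check.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")
```

The baseline hash has to come from a sector captured when the system was known to be clean (or from the boot loader your OS installs); the check only tells you that the boot code changed, not what changed it.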

#6 bluemonkey50


Posted 25 February 2017 - 12:17 AM

Thanks a lot quietman7,
for your exhaustive and well-extended answer, very much appreciated. :clapping:

You are absolutely right on: if you don't know how to, you should not use it! But in order to defend myself from "nefarious purposes" I have to do something, even if I encounter disastrous problems. Back in 2009 I didn't know anything about PCs; I have already repaired my old one twice and have built this last one from zero... Although I understand that what could be avoided is simply a way in which I may save time, stumbling a few times has been welcome because I don't even have a basic knowledge of computer engineering. I also cannot afford $80 per hour for a technician, so trial and error is my only choice.
I will give an attentive look at the page you handed me... I did it already but I need to beat my head against it longer... and I'll do what you've proposed.
Thanks again
 



#7 quietman7


Posted 25 February 2017 - 06:24 AM

Not a problem.

If you have not done so already, you may want to read:



