Metasploit mailing list archives
gmer rootkit removal
From: Chip <jeffschips () gmail com>
Date: Sat, 09 Feb 2013 11:47:54 -0500
Anybody familiar with Gmer rootkit removal product? http://www.pentestit.com/gmer-rootkit-removeal-tool/

The developer asks users to submit reports after running the software which include such entries as the following but then does not get back to the submitter. I'm wondering if the data sent, such as the following, could be used to remotely compromise a machine (the following entries have been altered to protect the innocent):

Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys

---- System - GMER 2.0 ----

SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider) ZwCreateKey [0xF87D0AJD]

Code \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [67854088] pIofCallDriver
Code \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [8764971E] pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 9KLU765FF 7 Bytes JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}\0000@D5F_\x4456\x4456 5678435689
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}

---- EOF - GMER 2.0 ----
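As an added example (not part of Chip's post and not GMER's own code), the following Python parses a report in the GMER 2.0 text layout quoted above and inventories what a recipient of such a report learns about the submitting machine: OS and service-pack level, the Windows user name embedded in the temp-driver path, disk model, named kernel drivers (including security-product drivers), and hooked processes with their PIDs. That inventory is the information-disclosure side of the question the post asks. The sample report, every path, address, GUID, disk model and vendor string in it, and the function names `parse_gmer` and `exposure_summary` are constructed for this example; the user-name extraction assumes the XP-era `C:\DOCUME~1\<user>\` profile path seen in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the GMER 2.0 report layout quoted in the post; every
# path, address, GUID, disk model and vendor string below is made up.
SAMPLE_REPORT = r"""Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 EXAMPLE_DISK_MODEL rev.01.00 320.00GB
Running: gmer.exe; Driver: C:\DOCUME~1\alice\LOCALS~1\Temp\abcdefgh.sys

---- System - GMER 2.0 ----

SSDT \SystemRoot\system32\DRIVERS\exampleav.sys (Example AV Driver/Example Corp) ZwCreateKey [0xF8000000]
SSDT \SystemRoot\system32\DRIVERS\exampleav.sys (Example AV Driver/Example Corp) ZwOpenProcess [0xF8000010]

---- Kernel code sections - GMER 2.0 ----

.text C:\WINDOWS\system32\DRIVERS\example_mini.sys section is writeable [0xF7000000, 0x1000, 0xF7001000]

---- User code sections - GMER 2.0 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 7C810000 7 Bytes JMP 10001000 C:\WINDOWS\system32\example.dll (example.dll/Example Corp)

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{00000000-0000-0000-0000-000000000000}\0000@Example 1

---- EOF - GMER 2.0 ----
"""

# Line shapes taken from the report layout; addresses are hex in real reports.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
PROFILE_RE = re.compile(r"\\DOCUME~1\\([^\\]+)\\", re.IGNORECASE)  # XP 8.3 profile path
SSDT_RE = re.compile(r"^SSDT (\S+) \((.*?)\) (Zw\w+) \[(0x[0-9A-Fa-f]+)\]$")
WRITEABLE_RE = re.compile(r"^\.text (\S+) section is writeable \[(.*?)\]$")
USERHOOK_RE = re.compile(
    r"^\.text (\S+)\[(\d+)\] (\S+!\w+) [0-9A-Fa-f]+ (\d+) Bytes JMP [0-9A-Fa-f]+ (\S+)"
)
REG_RE = re.compile(r"^Reg (HK\w+\\\S+)")


@dataclass
class GmerReport:
    scan_time: str = ""
    os_version: str = ""
    profile_user: str = ""          # user name recovered from the temp-driver path
    disks: list = field(default_factory=list)
    sections: list = field(default_factory=list)
    ssdt_hooks: list = field(default_factory=list)         # (module, vendor, syscall, address)
    writable_sections: list = field(default_factory=list)  # (module, address ranges)
    user_hooks: list = field(default_factory=list)         # (process, pid, api, nbytes, target)
    registry_keys: list = field(default_factory=list)


def parse_gmer(text: str) -> GmerReport:
    """Parse a GMER 2.0 text report into its header fields, sections and findings."""
    rep = GmerReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Rootkit scan "):
            rep.scan_time = line[len("Rootkit scan "):]
        elif line.startswith("Windows "):
            rep.os_version = line
        elif line.startswith("\\Device\\Harddisk"):
            rep.disks.append(line)
        elif line.startswith("Running:"):
            m = PROFILE_RE.search(line)
            if m:
                rep.profile_user = m.group(1)
        elif (m := SECTION_RE.match(line)):
            rep.sections.append(m.group(1))
        elif (m := SSDT_RE.match(line)):
            rep.ssdt_hooks.append(m.groups())
        elif (m := WRITEABLE_RE.match(line)):
            rep.writable_sections.append(m.groups())
        elif (m := USERHOOK_RE.match(line)):
            rep.user_hooks.append(m.groups())
        elif (m := REG_RE.match(line)):
            rep.registry_keys.append(m.group(1))
    return rep


def exposure_summary(rep: GmerReport) -> dict:
    """Inventory what a recipient of the report learns about the machine."""
    drivers = {h[0] for h in rep.ssdt_hooks} | {w[0] for w in rep.writable_sections}
    return {
        "scan_time": rep.scan_time,
        "os_version": rep.os_version,             # patch level, e.g. XP SP3
        "windows_username": rep.profile_user,     # from C:\DOCUME~1\<user>\...
        "disks": rep.disks,                       # hardware model and size
        "kernel_drivers_named": sorted(drivers),  # incl. security-product drivers
        "processes_with_pids": sorted({(h[0], h[1]) for h in rep.user_hooks}),
        "inline_hooks": [(h[0], h[2], h[4]) for h in rep.user_hooks],
        "registry_key_count": len(rep.registry_keys),
    }


if __name__ == "__main__":
    for key, value in exposure_summary(parse_gmer(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

The summary is what to weigh before sending such a report: the text itself is not executable, but it fingerprints the patch level, names the installed security drivers, and carries a Windows user name, and those are the fields worth redacting if the report is going to a third party.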
Current thread:
- gmer rootkit removal Chip (Feb 09)
- Re: gmer rootkit removal Joshua Smith (Feb 09)
- <Possible follow-ups>
- Re: gmer rootkit removal Michael D. Wood (Feb 09)
- Re: gmer rootkit removal Chip (Feb 09)
- Re: gmer rootkit removal Michael D. Wood (Feb 09)