Metasploit mailing list archives
Re: gmer rootkit removal
From: "Michael D. Wood" <mike () itsecuritypros org>
Date: Sat, 09 Feb 2013 18:03:55 -0500
Gmer, to my knowledge, was only successful in removing the TDL family of rootkits. As I remember, I don't ever recall it submitting info to the developer? Are you saying it asked, or is this what you found gmer changing on the system? Did the executable come from the original source? http://www.gmer.net/

Did you find the system driver gmer installs called "catchme.sys"?

----- Reply message -----
From: "Chip" <jeffschips () gmail com>
To: <framework () spool metasploit com>
Subject: [framework] gmer rootkit removal
Date: Sat, Feb 9, 2013 11:47 am

Anybody familiar with the Gmer rootkit removal product? http://www.pentestit.com/gmer-rootkit-removeal-tool/

The developer asks users to submit reports after running the software which include such entries as the following, but then does not get back to the submitter. I'm wondering if the data sent, such as the following, could be used to remotely compromise a machine (the following entries have been altered to protect the innocent):

Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys

---- System - GMER 2.0 ----

SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider) ZwCreateKey [0xF87D0AJD]
Code \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [67854088] pIofCallDriver
Code \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [8764971E] pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 9KLU765FF 7 Bytes JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}\0000@D5F_\x4456\x4456 5678435689
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}

---- EOF - GMER 2.0 ----
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
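As an added illustration (not code from the thread, from GMER, or from its developer), a small Python parser for the report format quoted above: it splits the report into its "---- Name - GMER 2.0 ----" sections, pulls out the SSDT and user-mode inline-hook findings a responder would look at first, and lists what host details a submitted report discloses, which is the concern Chip raises. The sample report is constructed from the altered entries in the thread; the function names are my own.

```python
import re

# Constructed sample built from the altered entries quoted in the thread (not a real report)
SAMPLE_REPORT = r"""Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys
---- System - GMER 2.0 ----
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver) ZwCreateKey [0xF87D0AJD]
---- User code sections - GMER 2.0 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 9KLU765FF 7 Bytes JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- EOF - GMER 2.0 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# user-mode inline hook line: .text <process>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target> <dest>
HOOK_RE = re.compile(r"^\.text (\S+?)\[(\d+)\] (\S+)!(\S+) \S+ (\d+) Bytes JMP (\S+) (\S+)")

def split_sections(report):
    """Group non-empty lines under their '---- Name - GMER x.y ----' header; the preamble goes to 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in filter(None, map(str.strip, report.splitlines())):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections.setdefault(current, []).append(line)
    return sections

def triage(report):
    """Return (kind, detail) findings a responder would look at first."""
    s, findings = split_sections(report), []
    for line in s.get("System", []):
        if line.startswith("SSDT"):  # hooked syscall name sits just before the bracketed address
            findings.append(("ssdt-hook", line.split()[-2]))
    for m in filter(None, map(HOOK_RE.match, s.get("User code sections", []))):
        proc, pid, mod, func, _, _, dest = m.groups()
        findings.append(("inline-hook", f"{proc}[{pid}] {mod}!{func} -> {dest}"))
    return findings

def disclosed_info(report):
    """What a submitted report reveals about the host (the concern raised in the thread)."""
    hdr = split_sections(report)["Header"]
    drv = next(re.search(r"Driver: (\S+)", ln).group(1) for ln in hdr if "Driver:" in ln)
    return {
        "os": next(ln for ln in hdr if ln.startswith("Windows ")),  # exact build and service pack
        "disk": next(ln.split()[-3] for ln in hdr if "->" in ln),   # disk model string
        "username": drv.split("\\")[2],  # the temp path embeds the Windows profile name
    }
```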
Current thread:
- gmer rootkit removal Chip (Feb 09)
- Re: gmer rootkit removal Joshua Smith (Feb 09)
- <Possible follow-ups>
- Re: gmer rootkit removal Michael D. Wood (Feb 09)
- Re: gmer rootkit removal Chip (Feb 09)
- Re: gmer rootkit removal Michael D. Wood (Feb 09)