Metasploit mailing list archives

Re: gmer rootkit removal


From: "Michael D. Wood" <mike () itsecuritypros org>
Date: Sat, 09 Feb 2013 18:03:55 -0500

Gmer, to my knowledge, was only successful in removing the TDL family of rootkits. As I remember, I don't ever recall it submitting info to the developer? Are you saying it asked, or this is what you found gmer changing on the system?
Did the executable come from the original source? http://www.gmer.net/
Did you find the system driver gmer installs called "catchme.sys"?

----- Reply message -----
From: "Chip" <jeffschips () gmail com>
To: <framework () spool metasploit com>
Subject: [framework] gmer rootkit removal
Date: Sat, Feb 9, 2013 11:47 am
Anybody familiar with Gmer rootkit removal product?

http://www.pentestit.com/gmer-rootkit-removeal-tool/

The developer asks users to submit reports after running the software which include such entries as the following but then does not get back to the submitter. I'm wondering if the data sent, such as the following, could be used to remotely compromise a machine (the following entries have been altered to protect the innocent):

Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys

---- System - GMER 2.0 ----

SSDT   \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider)  ZwCreateKey [0xF87D0AJD]

Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [67854088] pIofCallDriver
Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [8764971E] pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 9KLU765FF 7 Bytes  JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Control\Video\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}\0000@D5F_\x4456\x4456 5678435689
Reg    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}

---- EOF - GMER 2.0 ----
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
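The question in the thread is what a GMER report gives away once it leaves the machine. The script below is an added example for this thread, not GMER's own code and not code from either poster: it splits a GMER 2.0 text report into its "---- X - GMER 2.0 ----" sections, summarises which finding classes are present (SSDT redirections, inline kernel patches, writeable driver code sections, patched user-mode exports, registry entries), and separately lists the host details the header discloses (OS build and service pack, disk model, the username embedded in the %TEMP% driver path, the security vendor named in the SSDT entry, process names and PIDs) so a submitter can decide what to redact. The sample report is constructed with invented values, modelled on the layout quoted above; the regular expressions assume each entry sits on one line, as in a real report (the wrapping in the archived mail is an artifact of the archive).

```python
"""Parse a GMER 2.0 report: section findings plus the host details it discloses.
Added example for this thread, not GMER's code. SAMPLE_REPORT is constructed
(invented values) in the layout of the report quoted in the thread."""
import re

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
TEMP_USER_RE = re.compile(r"\\DOCUME~1\\([^\\]+)\\", re.IGNORECASE)  # user in %TEMP% path
DRIVER_RE = re.compile(r"Driver: (\S+)")
DISK_RE = re.compile(r"-> (\S+) (\S+) rev\.(\S+) (\S+)$")
SSDT_RE = re.compile(r"^(\S+) \((.+?)\)\s+(\w+) \[")
USER_HOOK_RE = re.compile(
    r"^(\S+)\[(\d+)\]\s+(\S+)\s+(\S+)\s+(\d+) Bytes\s+JMP (\S+) (\S+) \((.+?)\)$")

SAMPLE_REPORT = r"""
Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 EXAMPLE_DISK_MODEL rev.01.00 320.00GB
Running: gmer.exe; Driver: C:\DOCUME~1\jdoe\LOCALS~1\Temp\abcdefgh.sys

---- System - GMER 2.0 ----
SSDT   \SystemRoot\system32\DRIVERS\example_av.sys (Example Self Protect Driver/Example Vendor)  ZwCreateKey [0xF8000000]
Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [80000000] pIofCallDriver
Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [80000010] pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----
.text  C:\WINDOWS\system32\DRIVERS\example_video.sys section is writeable [0xF9000000, 0x1000, 0xF9001000]

---- User code sections - GMER 2.0 ----
.text  C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 7C800000 7 Bytes  JMP 10000000 C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----
Reg    HKLM\SYSTEM\CurrentControlSet\Control\Video\{00000000-0000-0000-0000-000000000000}\0000@Example 1

---- EOF - GMER 2.0 ----
"""


def parse_gmer(text):
    """Return {section_name: [(tag, rest), ...]}; lines before the first
    banner are collected under 'Header'."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        tag, _, rest = line.partition(" ")   # first token is the entry type (SSDT, Code, .text, Reg)
        sections[current].append((tag, rest.strip()))
    return sections


def triage(sections):
    """Summarise finding classes and the host details the report discloses."""
    findings = {"ssdt_hooks": [], "kernel_inline_hooks": [], "writeable_code_sections": [],
                "user_inline_hooks": [], "registry_entries": []}
    for tag, rest in sections.get("System", []):
        if tag == "SSDT":                    # service table entry redirected into a driver
            m = SSDT_RE.match(rest)
            findings["ssdt_hooks"].append(
                {"driver": m.group(1), "vendor": m.group(2), "function": m.group(3)} if m else {"raw": rest})
        elif tag == "Code":                  # inline patch of a kernel routine; keep the routine name
            findings["kernel_inline_hooks"].append(rest.split()[-1])
    for tag, rest in sections.get("Kernel code sections", []):
        if tag == ".text" and " section is writeable" in rest:
            findings["writeable_code_sections"].append(rest.split(" section is writeable")[0])
    for tag, rest in sections.get("User code sections", []):
        m = USER_HOOK_RE.match(rest)         # user-mode export patched with a JMP into a module
        findings["user_inline_hooks"].append(
            {"process": m.group(1), "pid": m.group(2), "function": m.group(3), "bytes": int(m.group(5)),
             "module": m.group(7), "vendor": m.group(8)} if m else {"raw": rest})
    for tag, rest in sections.get("Registry", []):
        findings["registry_entries"].append(rest)

    disclosed = {}                           # identifying details worth redacting before submission
    for tag, rest in sections.get("Header", []):
        line = f"{tag} {rest}"
        if line.startswith("Rootkit scan "):
            disclosed["scan_time"] = line[len("Rootkit scan "):]
        elif line.startswith("Windows "):
            disclosed["os_version"] = line.split(" \\Device")[0]
            m = DISK_RE.search(line)
            if m:
                disclosed["disk"] = dict(zip(("device", "model", "revision", "size"), m.groups()))
        elif line.startswith("Running:"):
            user, drv = TEMP_USER_RE.search(line), DRIVER_RE.search(line)
            disclosed["username"] = user.group(1) if user else None
            disclosed["gmer_driver_path"] = drv.group(1) if drv else None
    disclosed["security_vendors"] = sorted({h["vendor"] for h in findings["ssdt_hooks"] if "vendor" in h})
    disclosed["processes"] = sorted({f"{h['process']}[{h['pid']}]" for h in findings["user_inline_hooks"] if "pid" in h})
    return {"findings": findings, "disclosed": disclosed}


def summarise(text):
    """Convenience wrapper: summarise(SAMPLE_REPORT) returns the two dictionaries."""
    return triage(parse_gmer(text))
```

Running summarise(SAMPLE_REPORT) on the constructed report gives one SSDT redirection (ZwCreateKey, attributed to the AV vendor named in the entry), two inline kernel patches, one writeable driver text section and one user-mode JMP hook attributed to a Microsoft module, and under "disclosed" the OS build and service pack, disk model, the username "jdoe" recovered from the temp driver path, the vendor string and the hooked process name with its PID. The parser keys on the banner format and the first token of each line only, so unfamiliar entry types land in their section as raw text rather than being dropped.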