Metasploit mailing list archives

gmer rootkit removal


From: Chip <jeffschips () gmail com>
Date: Sat, 09 Feb 2013 11:47:54 -0500

Anybody familiar with the Gmer rootkit removal product?

http://www.pentestit.com/gmer-rootkit-removeal-tool/

The developer asks users to submit reports after running the software,
which include entries such as the following, but then does not get back
to the submitter.  I'm wondering if the data sent, such as the
following, could be used to remotely compromise a machine (the following
entries have been altered to protect the innocent):

Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys


---- System - GMER 2.0 ----

SSDT   \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider)  ZwCreateKey [0xF87D0AJD]

Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [67854088]  pIofCallDriver
Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [8764971E]  pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile  9KLU765FF 7 Bytes  JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Control\Video\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}\0000@D5F_\x4456\x4456  5678435689
Reg    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}

---- EOF - GMER 2.0 ----
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
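Added example, not part of the original message or of GMER itself: a small Python script that takes the (already altered) log above, lists the categories of information a recipient learns from it, and produces a redacted copy for submission. The regular expressions follow the entry layout visible in this log; real GMER output may differ in details, so treat them as an assumption.

```python
"""Inventory and redact what a GMER scan log discloses (added example)."""
import re

# Constructed sample: the altered entries from the message above, re-joined
# onto single lines the way GMER writes them.
SAMPLE_LOG = r"""Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys

---- System - GMER 2.0 ----

SSDT   \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider)  ZwCreateKey [0xF87D0AJD]

---- Kernel code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile  9KLU765FF 7 Bytes  JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- EOF - GMER 2.0 ----
"""

# Assumed entry layouts, derived from the sample above.
OS_RE = re.compile(r"^Windows (\S+(?: Service Pack \d+)?)", re.M)
DISK_RE = re.compile(r"-> \S+ (\S+) rev\.(\S+) ([\d.]+GB)")
USER_RE = re.compile(r"Driver: [A-Za-z]:\\[^\\]+\\([^\\]+)\\")  # profile dir = user name
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.+)\)\s+(\w+)\s+\[([^\]]+)\]", re.M)
WRITEABLE_RE = re.compile(r"^\.text\s+(\S+)\s+section is writeable", re.M)
USERHOOK_RE = re.compile(
    r"^\.text\s+(\S+)\[(\d+)\]\s+(\S+!\S+)\s+\S+\s+(\d+) Bytes\s+JMP\s+(\S+)\s+(\S+)", re.M)


def parse_gmer(text):
    """Return the facts a GMER log hands to whoever receives it."""
    os_m, disk_m, user_m = OS_RE.search(text), DISK_RE.search(text), USER_RE.search(text)
    return {
        "os": os_m.group(1) if os_m else None,
        "disk": ({"model": disk_m.group(1), "firmware": disk_m.group(2),
                  "size": disk_m.group(3)} if disk_m else None),
        "user": user_m.group(1) if user_m else None,
        "ssdt_hooks": [{"driver": d, "vendor": v, "function": f, "address": a}
                       for d, v, f, a in SSDT_RE.findall(text)],
        "writeable_sections": WRITEABLE_RE.findall(text),
        "user_hooks": [{"process": p, "pid": pid, "export": e, "size": int(n),
                        "target": t, "module": m}
                       for p, pid, e, n, t, m in USERHOOK_RE.findall(text)],
    }


def disclosures(findings):
    """One human-readable line per category of disclosed information."""
    lines = []
    if findings["os"]:
        lines.append(f"OS build: {findings['os']}")
    if findings["user"]:
        lines.append(f"Windows user name: {findings['user']}")
    if findings["disk"]:
        d = findings["disk"]
        lines.append(f"Disk: {d['model']} fw {d['firmware']} {d['size']}")
    for h in findings["ssdt_hooks"]:
        lines.append(f"Kernel driver hooking {h['function']}: {h['driver']} ({h['vendor']})")
    for s in findings["writeable_sections"]:
        lines.append(f"Driver with writeable .text: {s}")
    for h in findings["user_hooks"]:
        lines.append(f"User-mode hook in {h['process']} pid {h['pid']}: {h['export']} -> {h['module']}")
    return lines


def redact(text, findings):
    """Blank out the user name, disk model/firmware and the random temp driver
    name before the log leaves the machine; hook entries stay intact because
    they are what the analyst actually needs."""
    out = text
    if findings["user"]:
        out = out.replace("\\" + findings["user"] + "\\", "\\<user>\\")
    if findings["disk"]:
        out = out.replace(findings["disk"]["model"], "<disk-model>")
        out = out.replace("rev." + findings["disk"]["firmware"], "rev.<fw>")
    return re.sub(r"(Temp\\)[^\\\s]+\.sys", r"\1<tmpdriver>.sys", out)


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    print("\n".join(disclosures(found)))
    print()
    print(redact(SAMPLE_LOG, found))
```

The inventory is the useful half: on its own the log gives a reader the OS build, the account name, the disk model and the names of the security driver and the hooked exports, which is reconnaissance-grade information but not a remote foothold; the redacted copy keeps the hook entries, which are the only lines a rootkit analyst needs.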
