Metasploit mailing list archives

Re: gmer rootkit removal


From: Joshua Smith <lazydj98 () gmail com>
Date: Sat, 9 Feb 2013 13:52:45 -0600

I've seen gmer used to remove security products that supposedly could not be removed with "just a shell", but I don't 
know anything about the author's proclivities. 

-Josh

On Feb 9, 2013, at 10:47, Chip <jeffschips () gmail com> wrote:

Anybody familiar with Gmer rootkit removal product?

http://www.pentestit.com/gmer-rootkit-removeal-tool/

The developer asks users to submit reports after running the software which include such entries as the following but 
then does not get back to the submitter.  I'm wondering if the data sent, such as the following, could be used to 
remotely compromise a machine (the following entries have been altered to protect the innocent):



Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys


---- System - GMER 2.0 ----

SSDT   \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider)  ZwCreateKey [0xF87D0AJD]

Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [67854088]  pIofCallDriver
Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [8764971E]  pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile  9KLU765FF 7 Bytes  JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Control\Video\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}\0000@D5F_\x4456\x4456  5678435689
Reg    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}

---- EOF - GMER 2.0 ----
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
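Editor's added example (not code from either poster, and not part of GMER itself): the question above is what a recipient learns from a submitted report. The small parser below reads the GMER 2.0 text layout as it appears in the quoted log and pulls out the host details that are disclosed to whoever receives it: OS version and service pack (mapped to a Windows family), the local user name embedded in the 8.3 temp path of the scan driver, disk model and size, which security driver is hooking the SSDT, which drivers have a writable .text section, and which processes carry user-mode inline hooks. The sample report is constructed from the altered entries in the thread, and the regular expressions are assumptions about the GMER 2.0 layout inferred from those lines; the code only enumerates what the report discloses and takes no position on whether that is enough to compromise anything remotely.

```python
import ntpath
import re

# Constructed sample in the GMER 2.0 report layout, built from the altered
# entries posted in the thread (bogus hex values and all).
SAMPLE_REPORT = r"""Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys

---- System - GMER 2.0 ----

SSDT   \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider)  ZwCreateKey [0xF87D0AJD]

---- Kernel code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile  9KLU765FF 7 Bytes  JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- EOF - GMER 2.0 ----
"""

# Layout assumptions inferred from the lines above, not from GMER's source.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
OS_RE = re.compile(r"^(Windows [\d.]+(?: Service Pack \d+)?)\s+\\Device\\\S+\s+->\s+\S+\s+(\S+)\s+rev\.\S+\s+(\S+)$")
RUNNING_RE = re.compile(r"^Running:\s+(\S+);\s+Driver:\s+(.+)$")
# Profile directory forms: the 8.3 short name used in the thread, the XP long
# name, and the Vista-and-later "Users" layout.
USER_RE = re.compile(r"\\(?:DOCUME~1|Documents and Settings|Users)\\([^\\]+)\\", re.IGNORECASE)
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*)\)\s+(\w+)\s+\[[^\]]+\]$")
KERNEL_TEXT_RE = re.compile(r"^\.text\s+(\S+)\s+section is writeable\s+\[([^\]]+)\]$")
USER_TEXT_RE = re.compile(r"^\.text\s+(\S+)\[(\d+)\]\s+(\S+)\s+\S+\s+(\d+) Bytes\s+JMP\s+\S+\s+(\S+)")

# NT kernel version to product family (major.minor only).
OS_FAMILY = {
    "5.1": "Windows XP",
    "5.2": "Windows Server 2003 / XP x64",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
    "10.0": "Windows 10 / Server 2016 and later",
}


def os_family(version):
    """Map an NT version string such as '5.1.2600' to its product family."""
    return OS_FAMILY.get(".".join(version.split(".")[:2]), "unknown")


def parse_gmer_report(text):
    """Extract the host details a third party learns from a submitted report."""
    info = {
        "os": None, "os_family": None, "disk_model": None, "disk_size": None,
        "username": None, "gmer_driver": None,
        "ssdt_hooks": [],                # (driver file, hooked syscall)
        "writable_kernel_sections": [],  # driver files whose .text is writable
        "user_hooks": [],                # (process, pid, hooked API, target module)
    }
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = OS_RE.match(line)
        if m:
            info["os"] = m.group(1)
            info["os_family"] = os_family(m.group(1).split()[1])
            info["disk_model"], info["disk_size"] = m.group(2), m.group(3)
            continue
        m = RUNNING_RE.match(line)
        if m:
            # The scan driver lives under the user's temp dir, so its path
            # leaks the local account name.
            info["gmer_driver"] = m.group(2)
            u = USER_RE.search(m.group(2))
            if u:
                info["username"] = u.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                info["ssdt_hooks"].append((ntpath.basename(m.group(1)), m.group(3)))
        elif section == "Kernel code sections":
            m = KERNEL_TEXT_RE.match(line)
            if m:
                info["writable_kernel_sections"].append(ntpath.basename(m.group(1)))
        elif section == "User code sections":
            m = USER_TEXT_RE.match(line)
            if m:
                info["user_hooks"].append((ntpath.basename(m.group(1)), int(m.group(2)),
                                           m.group(3), ntpath.basename(m.group(5))))
    return info


if __name__ == "__main__":
    for key, value in parse_gmer_report(SAMPLE_REPORT).items():
        print("%-26s %s" % (key, value))
```

Run against the constructed sample this yields the XP service pack level, the account name "somename", the disk model, the ImmunetSelfProtect.sys SSDT hook on ZwCreateKey, the writable section in nv4_mini.sys, and the WriteFile hook in SearchIndexer.exe (PID 976), which is the fingerprint a recipient holds before any follow-up contact with the submitter.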