Gmer 1.0.13 released

Discussion in 'other anti-malware software' started by SystemJunkie, Jun 30, 2007.

  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Gmer 1.0.13 released.

    Some results:

    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F73EE1DE] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F73EE1DE] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F73EE454] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F73EE1DE] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F73E1F4C] fltMgr.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F73E1F4C] fltMgr.sys
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    What do these results mean? o_O
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    If you want to analyze logs, you might want to try e.g. the Rootkit Revealer Forum.
    I just wish that GMER will be Vista compatible soon; well, still waiting for it.
     
  4. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Hello

    It means that fltMgr.sys traces the \FileSystem\Fastfat device.
    fltMgr.sys is "Microsoft Filesystem Filter Manager", so it should be whitelisted.

    It's an old technique used in, i.e., sysbus32.sys

    Did you try version 1.0.13 on Vista x86?
     
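The developer's point above is that a driver attached to a file-system device and intercepting every IRP_MJ_* function is exactly what a filter manager does, so the entry itself is not a finding; what matters is which driver sits there. The following is an added example, not GMER's code or anything from this thread's authors: it parses AttachedDevice lines in the layout shown above (the regular expression is inferred from those lines), groups them per driver, and reports any driver that is not on a whitelist. The whitelist, the `exampledrv.sys` line and the non-matching line are constructed for the sample.

```python
import re

# GMER "AttachedDevice" line layout, inferred from the log pasted in this thread:
#   AttachedDevice <device object> <device name> <IRP major function> [<handler>] <driver>
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?P<device>\S+)\s+(?P<name>\S+)\s+(?P<irp>IRP_MJ_\w+)"
    r"\s+\[(?P<addr>[0-9A-Fa-f]{8})\]\s+(?P<driver>\S+)\s*$"
)

# Drivers that legitimately sit on top of file-system devices. fltMgr.sys
# (Microsoft Filesystem Filter Manager) is the one named in the thread; a real
# deployment would extend this set from its own clean baseline. Lower-case names.
KNOWN_FILTERS = {"fltmgr.sys"}


def parse_attached(line):
    """Return a dict for one AttachedDevice line, or None for any other line."""
    m = ATTACHED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["addr"] = int(rec["addr"], 16)
    return rec


def summarize(lines):
    """Group entries by driver and mark each driver against the whitelist."""
    by_driver = {}
    for line in lines:
        rec = parse_attached(line)
        if rec is None:
            continue
        d = by_driver.setdefault(rec["driver"].lower(),
                                 {"irps": set(), "handlers": set(), "devices": set()})
        d["irps"].add(rec["irp"])
        d["handlers"].add(rec["addr"])
        d["devices"].add(rec["device"])
    return [
        {
            "driver": driver,
            "whitelisted": driver in KNOWN_FILTERS,
            "irp_count": len(d["irps"]),
            "handler_count": len(d["handlers"]),
            "devices": sorted(d["devices"]),
        }
        for driver, d in sorted(by_driver.items())
    ]


def suspicious(lines):
    """Drivers attached to a file-system device that are not on the whitelist."""
    return [r["driver"] for r in summarize(lines) if not r["whitelisted"]]


# Sample input: three lines copied from the log above, one constructed line for
# a driver the whitelist does not know, and one unrelated line that is ignored.
SAMPLE_ATTACHED = [
    r"AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F73EE1DE] fltMgr.sys",
    r"AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F73E1F4C] fltMgr.sys",
    r"AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F73EE454] fltMgr.sys",
    r"AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F7ABCDEF] exampledrv.sys",  # constructed
    "Windows 5.1.2600 Service Pack 2",
]

if __name__ == "__main__":
    for r in summarize(SAMPLE_ATTACHED):
        flag = "ok " if r["whitelisted"] else "?? "
        print(flag, r["driver"], r["irp_count"], "IRPs,", r["handler_count"], "handlers", r["devices"])
    print("not whitelisted:", suspicious(SAMPLE_ATTACHED))
```

The handler-address grouping is there because a legitimate filter tends to use a small number of dispatch routines for many IRPs (the log above shows three distinct addresses for fltMgr.sys across all major functions); a driver with one fresh handler per IRP, or one GMER cannot name, is the entry to look at first.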
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Yes, I tried all new versions this year, and I had the same problem all the time.
    When I start scanning, Vista freezes in about 1-2 minutes, so I have to reset it.
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Hi Gmer, glad to see you back. Here are some interesting results, and I guess your tool is able to detect things that some other guys don't think so:

    GMER 1.0.13.12551 - http://www.gmer.net
    Rootkit scan 2007-07-05 07:08:22
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.13 ----

    INT 0x00 ? F68A8B60
    INT 0x01 ? F68A8B68
    INT 0x02 ? F68A8FD0
    INT 0x03 ? F68A8B78
    INT 0x04 ? F68A8B80
    INT 0x05 ? F68A8B88
    INT 0x06 ? F68A8B90
    INT 0x07 ? F68A8B98
    INT 0x09 ? F68A8BA8
    INT 0x0A ? F68A8BB0
    INT 0x0B ? F68A8BB8
    INT 0x0C ? F68A8BC0
    INT 0x0D ? F68A8BC8
    INT 0x0E ? F68A8BD0
    INT 0x10 ? F68A8BE0
    INT 0x11 ? F68A8BE8
    INT 0x12 ? F68A9950
    INT 0x13 ? F68A8BF8
    INT 0x20 ? F68A90C0
    INT 0x21 ? F68A90C8
    INT 0x22 ? F68A90D0
    INT 0x23 ? F68A90D8
    INT 0x24 ? F68A90E0
    INT 0x25 ? F68A90E8
    INT 0x26 ? F68A90F0
    INT 0x27 ? F68A90F8
    INT 0x28 ? F68A9100
    INT 0x29 ? F68A9108
    INT 0x2A ? F68A9110
    INT 0x2B ? F68A9118
    INT 0x2C ? F68A9120
    INT 0x2D ? F68A9128
    INT 0x2E ? F66A8F10
    INT 0x2F ? F68A9138
    INT 0x30 ? F68A9140
    INT 0x31 ? F68A9148
    INT 0x32 ? F68A9150
    INT 0x33 ? F68A9158
    INT 0x34 ? F68A9160
    INT 0x35 ? F68A9168
    INT 0x36 ? F68A9170
    INT 0x37 ? F68A9178
    INT 0x38 ? F68A9180
    INT 0x39 ? F68A9188
    INT 0x3A ? F68A9190
    INT 0x3B ? F68A9198
    INT 0x3C ? F68A91A0
    INT 0x3D ? F68A91A8
    INT 0x3E ? F68A91B0
    INT 0x3F ? F68A91B8
    INT 0x40 ? F68A91C0
    INT 0x41 ? F68A91C8
    INT 0x42 ? F68A91D0
    INT 0x43 ? F68A91D8
    INT 0x44 ? F68A91E0
    INT 0x45 ? F68A91E8
    INT 0x46 ? F68A91F0
    INT 0x47 ? F68A91F8
    INT 0x48 ? F68A9200
    INT 0x49 ? F68A9208
    INT 0x4A ? F68A9210
    INT 0x4B ? F68A9218
    INT 0x4C ? F68A9220
    INT 0x4D ? F68A9228
    INT 0x4E ? F68A9230
    INT 0x4F ? F68A9238
    INT 0x50 ? F68A9240
    INT 0x51 ? F68A9248
    INT 0x52 ? F68A9250
    INT 0x53 ? F68A9258
    INT 0x54 ? F68A9260
    INT 0x55 ? F68A9268
    INT 0x56 ? F68A9270
    INT 0x57 ? F68A9278
    INT 0x58 ? F68A9280
    INT 0x59 ? F68A9288
    INT 0x5A ? F68A9290
    INT 0x5B ? F68A9298
    INT 0x5C ? F68A92A0
    INT 0x5D ? F68A92A8
    INT 0x5E ? F68A92B0
    INT 0x5F ? F68A92B8
    INT 0x60 ? F68A92C0
    INT 0x61 ? F68A92C8
    INT 0x62 ? F68A92D0
    INT 0x63 ? F68A92D8
    INT 0x64 ? F68A92E0
    INT 0x65 ? F68A92E8
    INT 0x66 ? F68A92F0
    INT 0x67 ? F68A92F8
    INT 0x68 ? F68A9300
    INT 0x69 ? F68A9308
    INT 0x6A ? F68A9310
    INT 0x6B ? F68A9318
    INT 0x6C ? F68A9320
    INT 0x6D ? F68A9328
    INT 0x6E ? F68A9330
    INT 0x6F ? F68A9338
    INT 0x70 ? F68A9340
    INT 0x71 ? F68A9348
    INT 0x72 ? F68A9350
    INT 0x73 ? F68A9358
    INT 0x74 ? F68A9360
    INT 0x75 ? F68A9368
    INT 0x76 ? F68A9370
    INT 0x77 ? F68A9378
    INT 0x78 ? F68A9380
    INT 0x79 ? F68A9388
    INT 0x7A ? F68A9390
    INT 0x7B ? F68A9398
    INT 0x7C ? F68A93A0
    INT 0x7D ? F68A93A8
    INT 0x7E ? F68A93B0
    INT 0x7F ? F68A93B8
    INT 0x80 ? F68A93C0
    INT 0x81 ? F68A93C8
    INT 0x82 ? F68A93D0
    INT 0x83 ? F68A93D8
    INT 0x84 ? F68A93E0
    INT 0x85 ? F68A93E8
    INT 0x86 ? F68A93F0
    INT 0x87 ? F68A93F8
    INT 0x88 ? F68A9400
    INT 0x89 ? F68A9408
    INT 0x8A ? F68A9410
    INT 0x8B ? F68A9418
    INT 0x8C ? F68A9420
    INT 0x8D ? F68A9428
    INT 0x8E ? F68A9430
    INT 0x8F ? F68A9438
    INT 0x90 ? F68A9440
    INT 0x91 ? F68A9448
    INT 0x92 ? F68A9450
    INT 0x93 ? F68A9458
    INT 0x94 ? F68A9460
    INT 0x95 ? F68A9468
    INT 0x96 ? F68A9470
    INT 0x97 ? F68A9478
    INT 0x98 ? F68A9480
    INT 0x99 ? F68A9488
    INT 0x9A ? F68A9490
    INT 0x9B ? F68A9498
    INT 0x9C ? F68A94A0
    INT 0x9D ? F68A94A8
    INT 0x9E ? F68A94B0
    INT 0x9F ? F68A94B8
    INT 0xA0 ? F68A94C0
    INT 0xA1 ? F68A94C8
    INT 0xA2 ? F68A94D0
    INT 0xA3 ? F68A94D8
    INT 0xA4 ? F68A94E0
    INT 0xA5 ? F68A94E8
    INT 0xA6 ? F68A94F0
    INT 0xA7 ? F68A94F8
    INT 0xA8 ? F68A9500
    INT 0xA9 ? F68A9508
    INT 0xAA ? F68A9510
    INT 0xAB ? F68A9518
    INT 0xAC ? F68A9520
    INT 0xAD ? F68A9528
    INT 0xAE ? F68A9530
    INT 0xAF ? F68A9538
    INT 0xB0 ? F68A9540
    INT 0xB1 ? F68A9548
    INT 0xB2 ? F68A9550
    INT 0xB3 ? F68A9558
    INT 0xB4 ? F68A9560
    INT 0xB5 ? F68A9568
    INT 0xB6 ? F68A9570
    INT 0xB7 ? F68A9578
    INT 0xB8 ? F68A9580
    INT 0xB9 ? F68A9588
    INT 0xBA ? F68A9590
    INT 0xBB ? F68A9598
    INT 0xBC ? F68A95A0
    INT 0xBD ? F68A95A8
    INT 0xBE ? F68A95B0
    INT 0xBF ? F68A95B8
    INT 0xC0 ? F68A95C0
    INT 0xC1 ? F68A95C8
    INT 0xC2 ? F68A95D0
    INT 0xC3 ? F68A95D8
    INT 0xC4 ? F68A95E0
    INT 0xC5 ? F68A95E8
    INT 0xC6 ? F68A95F0
    INT 0xC7 ? F68A95F8
    INT 0xC8 ? F68A9600
    INT 0xC9 ? F68A9608
    INT 0xCA ? F68A9610
    INT 0xCB ? F68A9618
    INT 0xCC ? F68A9620
    INT 0xCD ? F68A9628
    INT 0xCE ? F68A9630
    INT 0xCF ? F68A9638
    INT 0xD0 ? F68A9640
    INT 0xD1 ? F68A9648
    INT 0xD2 ? F68A9650
    INT 0xD3 ? F68A9658
    INT 0xD4 ? F68A9660
    INT 0xD5 ? F68A9668
    INT 0xD6 ? F68A9670
    INT 0xD7 ? F68A9678
    INT 0xD8 ? F68A9680
    INT 0xD9 ? F68A9688
    INT 0xDA ? F68A9690
    INT 0xDB ? F68A9698
    INT 0xDC ? F68A96A0
    INT 0xDD ? F68A96A8
    INT 0xDE ? F68A96B0
    INT 0xDF ? F68A96B8
    INT 0xE0 ? F68A96C0
    INT 0xE1 ? F68A96C8
    INT 0xE2 ? F68A96D0
    INT 0xE3 ? F68A96D8
    INT 0xE4 ? F68A96E0
    INT 0xE5 ? F68A96E8
    INT 0xE6 ? F68A96F0
    INT 0xE7 ? F68A96F8
    INT 0xE8 ? F68A9700
    INT 0xE9 ? F68A9708
    INT 0xEA ? F68A9710
    INT 0xEB ? F68A9718
    INT 0xEC ? F68A9720
    INT 0xED ? F68A9728
    INT 0xEE ? F68A9730
    INT 0xEF ? F68A9738
    INT 0xF0 ? F68A9740
    INT 0xF1 ? F68A9748
    INT 0xF2 ? F68A9750
    INT 0xF3 ? F68A9758
    INT 0xF4 ? F68A9760
    INT 0xF5 ? F68A9768
    INT 0xF6 ? F68A9770
    INT 0xF7 ? F68A9778
    INT 0xF8 ? F68A9780
    INT 0xF9 ? F68A9788
    INT 0xFA ? F68A9790
    INT 0xFB ? F68A9798
    INT 0xFC ? F68A97A0
    INT 0xFD ? F68A97A8
    INT 0xFE ? F68A97B0
    INT 0xFF ? F68A97B8

    Code F668F2D3 Kei386EoiHelper

    ---- Kernel code sections - GMER 1.0.13 ----

    .text ntoskrnl.exe!ObfDereferenceObject 804D9190 7 Bytes [ B8, 44, 88, AC, F7, FF, E0 ]
    .text ntoskrnl.exe!ExAcquireResourceSharedLite + 10 804D9545 5 Bytes JMP F668E6A0
    .text ntoskrnl.exe!ExReleaseResourceLite + B 804DBBDB 5 Bytes JMP F668D310
    .text ntoskrnl.exe!KiDispatchInterrupt + E6 804DBEE9 5 Bytes JMP F668CEE8
    .text ntoskrnl.exe!KiDispatchInterrupt + 410 804DC213 5 Bytes JMP F668C280
    .text ntoskrnl.exe!KiDispatchInterrupt + 429 804DC22C 5 Bytes JMP F668F220
    .text ntoskrnl.exe!ZwYieldExecution + BA7 804DF07C 5 Bytes JMP F668C338
    .text ntoskrnl.exe!Kei386EoiHelper 804DF8FB 5 Bytes JMP F668F2D8
    .text ntoskrnl.exe!Kei386EoiHelper + 40 804DF93B 1 Byte [ CC ]
    .text ntoskrnl.exe!Kei386EoiHelper + 1DB3 804E16AE 1 Byte [ CC ]
    .text ntoskrnl.exe!Kei386EoiHelper + 1FD9 804E18D4 5 Bytes JMP F669E8A0
    .text ntoskrnl.exe!KiCoprocessorError + 29 804E2825 5 Bytes JMP F668F070
    .text ntoskrnl.exe!_abnormal_termination + 518 804E31E9 5 Bytes JMP F66D2620
    .text ntoskrnl.exe!_abnormal_termination + 60B 804E32DC 5 Bytes JMP F668E548
    .text ntoskrnl.exe!ZwCallbackReturn + 3B 804E337B 5 Bytes JMP F66D27C8
    .text ntoskrnl.exe!ExfInterlockedAddUlong + 1 804E34A3 5 Bytes JMP F66D1878
    .text ntoskrnl.exe!ExfInterlockedRemoveHeadList + 1 804E34F2 5 Bytes JMP F66CA500
    .text ntoskrnl.exe!ExAcquireResourceExclusiveLite + F 804E3B54 1 Byte [ CC ]
    .text ntoskrnl.exe!KeInitializeDpc + 110 804E6106 1 Byte [ CC ]
    .text ntoskrnl.exe!KeInitializeDpc + 117 804E610D 1 Byte [ CC ]
    .text ntoskrnl.exe!KeInitializeDpc + 11E 804E6114 1 Byte [ CC ]
    .text ntoskrnl.exe!KeInitializeDpc + 125 804E611B 1 Byte [ CC ]
    .text ntoskrnl.exe!KeRestoreFloatingPointState + 4F 804ECDAE 5 Bytes JMP F66D2418
    .text ntoskrnl.exe!KeSaveFloatingPointState + 52 804ECE88 5 Bytes JMP F66D2158
    .text ntoskrnl.exe!MmMapLockedPagesSpecifyCache + 551 804EF1DC 5 Bytes JMP F66C7E68
    .text ntoskrnl.exe!ExAcquireSharedStarveExclusive + F 804F0C78 1 Byte [ CC ]
    .text ntoskrnl.exe!ExSetResourceOwnerPointer + C 804F0E29 5 Bytes JMP F66C3928
    .text ntoskrnl.exe!FsRtlGetNextLargeMcbEntry + 125 804F1570 5 Bytes JMP F668D868
    .text ntoskrnl.exe!IoPageRead + AED 804FBC61 5 Bytes JMP F668EBB8
    .text ntoskrnl.exe!IoPageRead + B57 804FBCCB 1 Byte [ CC ]
    .text ntoskrnl.exe!IoPageRead + BBB 804FBD2F 5 Bytes JMP F668EF30
    .text ntoskrnl.exe!KeRemoveQueueDpc + 6 804FD0AE 5 Bytes JMP F66D2970
    .text ntoskrnl.exe!Ke386IoSetAccessProcess + 76E 8051105C 5 Bytes JMP F66D1FF8
    .text ntoskrnl.exe!PoSetSystemState + F7D4 80527D8F 1 Byte [ CC ]
    .text ntoskrnl.exe!KeSaveStateForHibernate + 8B3 80534DA4 1 Byte [ CC ]
    PAGE ntoskrnl.exe!ObInsertObject 805648A3 7 Bytes [ B8, E4, 86, AC, F7, FF, E0 ]
    PAGE ntoskrnl.exe!ObCreateObject 80564DCE 7 Bytes [ B8, 12, 82, AC, F7, FF, E0 ]
    PAGE ntoskrnl.exe!MmMapViewOfSection 80573B01 7 Bytes [ B8, D0, 82, AC, F7, FF, E0 ]
     
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    SYSENTER/Int 2E, Type: System Call at address 0x00000000 hook handler located in [0x00000000 - [?_empty_?]

    Should that be a new variant or rather an fp?

    Maybe it's the story that EP has talked about.
    This empty is a modified copy of dxgthk.sys (directx), maybe hooking into atapi, I am not sure.
    I always wonder about this dump_atapi.sys; it may be usual, but why are there atapi.sys and dump_atapi.sys,
    wouldn't it be enough if there were only atapi.sys?

    Some other interesting log:

    ---- Kernel code sections - GMER 1.0.13 ----

    .text ntoskrnl.exe!_abnormal_termination + D7 804E2DA8 24 Bytes [ 79, 28, 5D, F8, 83, 28, 5D, ... ]
    .text ntoskrnl.exe!_abnormal_termination + F3 804E2DC4 6 Bytes [ B5, 28, 5D, F8, BF, 28 ]
    .text ntoskrnl.exe!_abnormal_termination + FA 804E2DCB 9 Bytes [ F8, C9, 28, 5D, F8, D3, 28, ... ]
    .text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [ DD, 28, 5D, F8, E7, 28, 5D, ... ]
    .text ntoskrnl.exe!_abnormal_termination + 117 804E2DE8 18 Bytes [ FB, 28, 5D, F8, 05, 29, 5D, ... ]
    .text ...

    Probably fp's.
     
    Last edited: Jul 8, 2007
  8. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @SystemJunkie

    Code:
    INT 0x00 ? F68A8B60
    INT 0x01 ? F68A8B68
    ...
    INT 0x03 ? F68A8B78
    ...
    INT 0xFF ? F68A97B8
    
    Where did you find it? Looks like a total Interrupt Descriptor Table hook? You can also check it with IceSword:
    Menu -> Dump -> GDT/IDT & look into the IDT.log file.

    These "1 Byte [ CC ]" - INT 0x03 hooks look interesting, and I wonder if INT 0x01 also plays in this team :)

    http://msdn2.microsoft.com/En-US/library/aa508892.aspx
     
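The developer's remark singles out the "1 Byte [ CC ]" entries: 0xCC is the INT 3 opcode, so a single-byte patch at a function offset only does anything if the INT 0x03 (or INT 0x01) vector has been taken over, which is why he reads them together with the IDT listing. The classifier below is an added example, not GMER's code or anything posted by the thread's participants; it parses the "Kernel code sections" lines in the layout shown in this thread (the regular expressions are inferred from those lines), sorts them into relative-JMP hooks, INT 3 patches, `mov eax, imm32 / jmp eax` trampolines (the `B8 .. .. .. .. FF E0` pattern in the 7-byte entries above) and other patches, and lists redirect targets that GMER could not attribute to a driver. The sample lines are copied from the logs in this thread.

```python
import re

# GMER "Kernel code sections" line layout, inferred from the logs in this thread:
#   <section> <module>!<symbol>[ + <offset>] <address> <n> Byte(s) JMP <target> [<driver path>]
#   <section> <module>!<symbol>[ + <offset>] <address> <n> Byte(s) [ <hex>, <hex>, ... ]
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<module>[^!\s]+)!(?P<symbol>[^\s+]+)"
    r"(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]{8})"
    r"\s+(?P<size>\d+)\s+Bytes?\s+(?P<rest>.+)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S+))?\s*$")
BYTES_RE = re.compile(r"^\[\s*(?P<bytes>[^\]]*)\]\s*$")


def classify(line):
    """Parse one GMER hook line into a record carrying a 'kind', or None."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "section": m["section"], "module": m["module"], "symbol": m["symbol"],
        "offset": int(m["off"], 16) if m["off"] else 0,
        "address": int(m["addr"], 16), "size": int(m["size"]),
        "target": None, "owner": None, "bytes": [], "truncated": False,
    }
    rest = m["rest"].strip()
    j = JMP_RE.match(rest)
    if j:
        # Relative JMP written over the function; GMER names the owning driver
        # only when it can map the target into a loaded module.
        rec["kind"] = "jmp_hook"
        rec["target"] = int(j["target"], 16)
        rec["owner"] = j["owner"]
        return rec
    b = BYTES_RE.match(rest)
    if b:
        toks = [t.strip() for t in b["bytes"].split(",")]
        rec["truncated"] = "..." in toks          # GMER elides long byte runs
        rec["bytes"] = [int(t, 16) for t in toks if t and t != "..."]
        data = rec["bytes"]
        if data == [0xCC]:
            rec["kind"] = "int3"                  # INT 3 opcode: needs a hooked INT 0x03 vector to matter
        elif len(data) == 7 and data[0] == 0xB8 and data[5:] == [0xFF, 0xE0]:
            rec["kind"] = "mov_eax_jmp_eax"       # B8 imm32 / FF E0: absolute jump through EAX
            rec["target"] = int.from_bytes(bytes(data[1:5]), "little")
        else:
            rec["kind"] = "patch"                 # anything else: diff against the image on disk
        return rec
    rec["kind"] = "unknown"
    return rec


def summarize(lines):
    """Count hook kinds and collect redirect targets with and without an owner."""
    recs = [r for r in map(classify, lines) if r is not None]
    counts = {}
    for r in recs:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    # Targets GMER could not attribute to a loaded driver are the ones that
    # justify a kernel memory dump: the code lives in something not listed.
    unattributed = sorted({r["target"] for r in recs if r["target"] is not None and not r["owner"]})
    owners = sorted({r["owner"] for r in recs if r["owner"]})
    return {"counts": counts, "unattributed_targets": unattributed, "owners": owners}


# Sample lines copied from the logs in this thread.
SAMPLE_HOOK_LINES = [
    r".text ntoskrnl.exe!ObfDereferenceObject 804D9190 7 Bytes [ B8, 44, 88, AC, F7, FF, E0 ]",
    r".text ntoskrnl.exe!ExAcquireResourceSharedLite + 10 804D9545 5 Bytes JMP F668E6A0",
    r".text ntoskrnl.exe!Kei386EoiHelper + 40 804DF93B 1 Byte [ CC ]",
    r".text ntoskrnl.exe!_abnormal_termination + D7 804E2DA8 24 Bytes [ 79, 28, 5D, F8, 83, 28, 5D, ... ]",
    r"PAGE ntoskrnl.exe!NtOpenProcess 8057459E 5 Bytes JMP F1A1859C \SystemRoot\System32\Drivers\IsDrv120.sys",
]

if __name__ == "__main__":
    for r in map(classify, SAMPLE_HOOK_LINES):
        tgt = f"-> {r['target']:08X}" if r["target"] is not None else ""
        print(f"{r['kind']:16} {r['module']}!{r['symbol']}+{r['offset']:X} {tgt} {r['owner'] or ''}")
    print(summarize(SAMPLE_HOOK_LINES))
```

Read with the logs above in mind: the JMP hooks that GMER attributes to IsDrv120.sys are IceSword's own, while the F668xxxx targets carry no owner at all, which is the case the developer asks a memory dump for further down the thread.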
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    It's from inside a virtual machine I installed some days ago. Seems either the intruders forgot to immunise their rootkit against this VM or it is a false positive. But I think it is the first option; besides, thanks for the link.
    Do you think this is the way a usual system works? (The Black Ice Indicator)
    http://i9.tinypic.com/62fo7et.png
    Actually IceSword fails to work inside this VM. Besides, this Black Ice story is as old as the moon is
    (nearly 10 years). Seems really that we have to step deep inside the matrix to beat the matrix.

    This is an unusual IDT fragment from an actual system (not the one from the VM log above):

    032 0008:00000000 0 00 N
    033 00C7:000004E6 7 03 P
    034 0008:00000000 0 00 N
    035 0008:00000000 0 00 N
    036 0008:00000000 0 00 N
    037 0008:00000000 0 00 N
    038 0008:00000000 0 00 N
    039 0008:00000000 0 00 N
    040 0008:00000000 0 00 N
    041 0008:00000000 0 00 N
    042 0008:80540C1E E 03 P

    But EP told me that this is a false positive of IceSword; I really don't know.

    IceSword always creates a 2nd random driver, probably usual, but dazzling:
    "\SystemRoot\System32\Drivers\aflvzw.sys" / KeBugCheckEx

    I tested another app that checks autoruns; trying to remove different entries, again comes: Not admin, log in as admin, but I am in admin mode. Process monitor shows this: "26","<unknown>","0x1","0x1",""

    Unknown at 0x1, that's the beast.
     
    Last edited: Jul 12, 2007
  10. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    If it were possible I'd like to see the "Kernel Memory Dump" (%SystemRoot%\MEMORY.DMP); go to "Setup and Recovery" -> "System failure" settings & generate a BSOD.
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Do you mean system properties?

    Here is another computer's IDT; I assume it is infected with the same (restricted rights in admin mode). (The VM actually crashed; I will try to reinstall it.)

    IDT Base:0x8003F400 , IDT Limit:0x7FF
    Index Selector:Offset Type DPL P bit
    000 0008:804DFBFF E 00 P
    001 0008:804DFD7C E 00 P
    002 0058:0000112E 5 00 P
    003 0008:804E015B E 03 P
    004 0008:804E02E0 E 03 P
    005 0008:804E0441 E 00 P
    006 0008:804E05BF E 00 P
    007 0008:804E0C33 E 00 P
    008 0050:00001188 5 00 P
    009 0008:804E1060 E 00 P
    010 0008:804E1185 E 00 P
    011 0008:804E12CA E 00 P
    012 0008:804E1530 E 00 P
    013 0008:804E1827 E 00 P
    014 0008:804E1F25 E 00 P
    015 0008:804E225A E 00 P
    016 0008:804E237F E 00 P
    017 0008:804E24BD E 00 P
    018 00A0:804E225A 5 00 P
    019 0008:804E262B E 00 P
    020 0008:804E225A E 00 P
    021 0008:804E225A E 00 P
    022 0008:804E225A E 00 P
    023 0008:804E225A E 00 P
    024 0008:804E225A E 00 P
    025 0008:804E225A E 00 P
    026 0008:804E225A E 00 P
    027 0008:804E225A E 00 P
    028 0008:804E225A E 00 P
    029 0008:804E225A E 00 P
    030 0008:804E225A E 00 P
    031 0008:804E225A E 00 P
    032 0008:00000000 0 00 N
    033 0008:00000000 0 00 N
    034 0008:00000000 0 00 N
    035 0008:00000000 0 00 N
    036 0008:00000000 0 00 N
    037 0008:00000000 0 00 N
    038 0008:00000000 0 00 N
    039 0008:00000000 0 00 N
    040 0008:00000000 0 00 N
    041 0008:00000000 0 00 N
    042 0008:804DF417 E 03 P
    043 0008:804DF522 E 03 P
    044 0008:804DF6C7 E 03 P
    045 0008:804E0032 E 03 P
    046 0008:804DEEA6 E 03 P
    047 0008:804E225A E 00 P
    048 0008:806F3D50 E 00 P
    049 0008:82CF5DD4 E 00 P
    050 0008:804DE574 E 00 P
    051 0008:82DDACD4 E 00 P
    052 0008:82B83DD4 E 00 P
    053 0008:82CE36B4 E 00 P
    054 0008:804DE59C E 00 P
    055 0008:804DE5A6 E 00 P
    056 0008:806EDEF0 E 00 P
    057 0008:82FA68DC E 00 P
    058 0008:82CFFDD4 E 00 P
    059 0008:82EA0BC4 E 00 P
    060 0008:804DE5D8 E 00 P
    061 0008:804DE5E2 E 00 P
    062 0008:82F924DC E 00 P
    063 0008:82B9F044 E 00 P
    064 0008:804DE600 E 00 P
    065 0008:804DE60A E 00 P
    066 0008:804DE614 E 00 P
    067 0008:804DE61E E 00 P
    068 0008:804DE628 E 00 P
    069 0008:804DE632 E 00 P
    070 0008:804DE63C E 00 P
    071 0008:804DE646 E 00 P
    072 0008:804DE650 E 00 P
    073 0008:804DE65A E 00 P
    074 0008:804DE664 E 00 P
    075 0008:804DE66E E 00 P
    076 0008:804DE678 E 00 P
    077 0008:804DE682 E 00 P
    078 0008:804DE68C E 00 P
    079 0008:804DE696 E 00 P
    080 0008:804DE6A0 E 00 P
    081 0008:804DE6AA E 00 P
    082 0008:804DE6B4 E 00 P
    083 0008:804DE6BE E 00 P
    084 0008:804DE6C8 E 00 P
    085 0008:804DE6D2 E 00 P
    086 0008:804DE6DC E 00 P
    087 0008:804DE6E6 E 00 P
    088 0008:804DE6F0 E 00 P
    089 0008:804DE6FA E 00 P
    090 0008:804DE704 E 00 P
    091 0008:804DE70E E 00 P
    092 0008:804DE718 E 00 P
    093 0008:804DE722 E 00 P
    094 0008:804DE72C E 00 P
    095 0008:804DE736 E 00 P
    096 0008:804DE740 E 00 P
    097 0008:804DE74A E 00 P
    098 0008:804DE754 E 00 P
    099 0008:804DE75E E 00 P
    100 0008:804DE768 E 00 P
    101 0008:804DE772 E 00 P
    102 0008:804DE77C E 00 P
    103 0008:804DE786 E 00 P
    104 0008:804DE790 E 00 P
    105 0008:804DE79A E 00 P
    106 0008:804DE7A4 E 00 P
    107 0008:804DE7AE E 00 P
    108 0008:804DE7B8 E 00 P
    109 0008:804DE7C2 E 00 P
    110 0008:804DE7CC E 00 P
    111 0008:804DE7D6 E 00 P
    112 0008:804DE7E0 E 00 P
    113 0008:804DE7EA E 00 P
    114 0008:804DE7F4 E 00 P
    115 0008:804DE7FE E 00 P
    116 0008:804DE808 E 00 P
    117 0008:804DE812 E 00 P
    118 0008:804DE81C E 00 P
    119 0008:804DE826 E 00 P
    120 0008:804DE830 E 00 P
    121 0008:804DE83A E 00 P
    122 0008:804DE844 E 00 P
    123 0008:804DE84E E 00 P
    124 0008:804DE858 E 00 P
    125 0008:804DE862 E 00 P
    126 0008:804DE86C E 00 P
    127 0008:804DE876 E 00 P
    128 0008:804DE880 E 00 P
    129 0008:804DE88A E 00 P
    130 0008:804DE894 E 00 P
    131 0008:804DE89E E 00 P
    132 0008:804DE8A8 E 00 P
    133 0008:804DE8B2 E 00 P
    134 0008:804DE8BC E 00 P
    135 0008:804DE8C6 E 00 P
    136 0008:804DE8D0 E 00 P
    137 0008:804DE8DA E 00 P
    138 0008:804DE8E4 E 00 P
    139 0008:804DE8EE E 00 P
    140 0008:804DE8F8 E 00 P
    141 0008:804DE902 E 00 P
    142 0008:804DE90C E 00 P
    143 0008:804DE916 E 00 P
    144 0008:804DE920 E 00 P
    145 0008:804DE92A E 00 P
    146 0008:804DE934 E 00 P
    147 0008:804DE93E E 00 P
    148 0008:804DE948 E 00 P
    149 0008:804DE952 E 00 P
    150 0008:804DE95C E 00 P
    151 0008:804DE966 E 00 P
    152 0008:804DE970 E 00 P
    153 0008:804DE97A E 00 P
    154 0008:804DE984 E 00 P
    155 0008:804DE98E E 00 P
    156 0008:804DE998 E 00 P
    157 0008:804DE9A2 E 00 P
    158 0008:804DE9AC E 00 P
    159 0008:804DE9B6 E 00 P
    160 0008:804DE9C0 E 00 P
    161 0008:804DE9CA E 00 P
    162 0008:804DE9D4 E 00 P
    163 0008:804DE9DE E 00 P
    164 0008:804DE9E8 E 00 P
    165 0008:804DE9F2 E 00 P
    166 0008:804DE9FC E 00 P
    167 0008:804DEA06 E 00 P
    168 0008:804DEA10 E 00 P
    169 0008:804DEA1A E 00 P
    170 0008:804DEA24 E 00 P
    171 0008:804DEA2E E 00 P
    172 0008:804DEA38 E 00 P
    173 0008:804DEA42 E 00 P
    174 0008:804DEA4C E 00 P
    175 0008:804DEA56 E 00 P
    176 0008:804DEA60 E 00 P
    177 0008:804DEA6A E 00 P
    178 0008:804DEA74 E 00 P
    179 0008:804DEA7E E 00 P
    180 0008:804DEA88 E 00 P
    181 0008:804DEA92 E 00 P
    182 0008:804DEA9C E 00 P
    183 0008:804DEAA6 E 00 P
    184 0008:804DEAB0 E 00 P
    185 0008:804DEABA E 00 P
    186 0008:804DEAC4 E 00 P
    187 0008:804DEACE E 00 P
    188 0008:804DEAD8 E 00 P
    189 0008:804DEAE2 E 00 P
    190 0008:804DEAEC E 00 P
    191 0008:804DEAF6 E 00 P
    192 0008:804DEB00 E 00 P
    193 0008:804DEB0A E 00 P
    194 0008:804DEB14 E 00 P
    195 0008:804DEB1E E 00 P
    196 0008:804DEB28 E 00 P
    197 0008:804DEB32 E 00 P
    198 0008:804DEB3C E 00 P
    199 0008:804DEB46 E 00 P
    200 0008:804DEB50 E 00 P
    201 0008:804DEB5A E 00 P
    202 0008:804DEB64 E 00 P
    203 0008:804DEB6E E 00 P
    204 0008:804DEB78 E 00 P
    205 0008:804DEB82 E 00 P
    206 0008:804DEB8C E 00 P
    207 0008:804DEB96 E 00 P
    208 0008:804DEBA0 E 00 P
    209 0008:804DEBAA E 00 P
    210 0008:804DEBB4 E 00 P
    211 0008:804DEBBE E 00 P
    212 0008:804DEBC8 E 00 P
    213 0008:804DEBD2 E 00 P
    214 0008:804DEBDC E 00 P
    215 0008:804DEBE6 E 00 P
    216 0008:804DEBF0 E 00 P
    217 0008:804DEBFA E 00 P
    218 0008:804DEC04 E 00 P
    219 0008:804DEC0E E 00 P
    220 0008:804DEC18 E 00 P
    221 0008:804DEC22 E 00 P
    222 0008:804DEC2C E 00 P
    223 0008:804DEC36 E 00 P
    224 0008:804DEC40 E 00 P
    225 0008:804DEC4A E 00 P
    226 0008:804DEC54 E 00 P
    227 0008:804DEC5E E 00 P
    228 0008:804DEC68 E 00 P
    229 0008:804DEC72 E 00 P
    230 0008:804DEC7C E 00 P
    231 0008:804DEC86 E 00 P
    232 0008:804DEC90 E 00 P
    233 0008:804DEC9A E 00 P
    234 0008:804DECA4 E 00 P
    235 0008:804DECAE E 00 P
    236 0008:804DECB8 E 00 P
    237 0008:804DECC2 E 00 P
    238 0008:804DECC9 E 00 P
    239 0008:804DECD0 E 00 P
    240 0008:804DECD7 E 00 P
    241 0008:804DECDE E 00 P
    242 0008:804DECE5 E 00 P
    243 0008:804DECEC E 00 P
    244 0008:804DECF3 E 00 P
    245 0008:804DECFA E 00 P
    246 0008:804DED01 E 00 P
    247 0008:804DED08 E 00 P
    248 0008:804DED0F E 00 P
    249 0008:804DED16 E 00 P
    250 0008:804DED1D E 00 P
    251 0008:804DED24 E 00 P
    252 0008:804DED2B E 00 P
    253 0008:804DED32 E 00 P
    254 0008:804DED39 E 00 P
    255 0008:804DED40 E 00 P

    ---- Kernel code sections - GMER 1.0.13 ----

    .text ntoskrnl.exe!_abnormal_termination + D7 804E2DA8 24 Bytes [ 79, 28, 5D, F8, 83, 28, 5D, ... ]
    .text ntoskrnl.exe!_abnormal_termination + F3 804E2DC4 6 Bytes [ CE, 17, A5, F8, BF, 28 ]
    .text ntoskrnl.exe!_abnormal_termination + FA 804E2DCB 9 Bytes [ F8, C9, 28, 5D, F8, D3, 28, ... ]
    .text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [ DD, 28, 5D, F8, E7, 28, 5D, ... ]
    .text ntoskrnl.exe!_abnormal_termination + 117 804E2DE8 18 Bytes [ FB, 28, 5D, F8, 05, 29, 5D, ... ]
    .text ...
    PAGE ntoskrnl.exe!NtOpenProcess 8057459E 5 Bytes JMP F1A1859C \SystemRoot\System32\Drivers\IsDrv120.sys
    PAGE ntoskrnl.exe!ZwTerminateThread 8057E97C 5 Bytes JMP F1A18522 \SystemRoot\System32\Drivers\IsDrv120.sys
    PAGE ntoskrnl.exe!ZwCreateThread 8057F262 5 Bytes JMP F1A189B6 \SystemRoot\System32\Drivers\IsDrv120.sys
    PAGE ntoskrnl.exe!ZwCreateProcessEx 805885D3 5 Bytes JMP F1A18814 \SystemRoot\System32\Drivers\IsDrv120.sys
    PAGE ntoskrnl.exe!ZwTerminateProcess 8058AE1E 5 Bytes JMP F1A18374 \SystemRoot\System32\Drivers\IsDrv120.sys
    PAGE ntoskrnl.exe!NtOpenThread 80597C0A 5 Bytes JMP F1A18626 \SystemRoot\System32\Drivers\IsDrv120.sys
    ? C:\WINDOWS\system32\drivers\SnopFree.sys Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
    ? System32\Drivers\IsDrv122.sys Das System kann die angegebene Datei nicht finden.
    ? C:\WINDOWS\system32\Drivers\PROCMON11.SYS Das System kann die angegebene Datei nicht finden.
    ? System32\Drivers\rkhdrv40.SYS Das System kann die angegebene Datei nicht finden.
    ? System32\Drivers\IsDrv120.sys Das System kann die angegebene Datei nicht finden.

    I tested the other app that checks autoruns; trying to remove different entries, again comes: Not admin, log in as admin, but I am in admin mode. Process monitor shows again: <unknown>","0x1","0x1",""

    http://i12.tinypic.com/4vo77lx.png
     
    Last edited: Jul 13, 2007
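The two IceSword dumps in this thread (the one just above and the VM dump later on) can be compared mechanically rather than by eye. The parser below is an added example, not IceSword's or GMER's code and not posted by anyone in the thread: it reads the IDT.log layout shown above and applies three checks, each an assumption stated in the code, namely that on Windows XP x86 every interrupt gate carries the ring-0 code selector 0008, that only INT 3, INT 4 and the 0x2A-0x2E service vectors (0x2E being the system-call gate) are user-callable, and that CPU exception and service vectors must resolve into a caller-supplied kernel-image address range, while device-interrupt vectors are left alone because they may point at dispatch code in nonpaged pool. The sample mixes entries from both dumps with one invented entry (vector 050) and an approximate kernel range taken from the addresses in this thread.

```python
import re

# IceSword IDT.log layout, as pasted in this thread:
#   IDT Base:0x8003F400 , IDT Limit:0x7FF
#   Index Selector:Offset Type DPL P bit
#   003 0008:804E015B E 03 P
HEADER_RE = re.compile(
    r"IDT Base:0x(?P<base>[0-9A-Fa-f]+)\s*,\s*IDT Limit:0x(?P<limit>[0-9A-Fa-f]+)")
ENTRY_RE = re.compile(
    r"^(?P<index>\d{3})\s+(?P<sel>[0-9A-Fa-f]{4}):(?P<off>[0-9A-Fa-f]{8})"
    r"\s+(?P<type>[0-9A-Fa-f])\s+(?P<dpl>\d{2})\s+(?P<p>[PN])\s*$")

TASK_GATE = 0x5     # type nibble 5: task gate, the offset field is unused
KERNEL_CS = 0x0008  # assumption: XP x86 ring-0 code selector carried by every interrupt gate

# Assumption for Windows XP x86: vectors that are user-callable (DPL 3) by design,
# the INT 3 / INT 4 debug traps and the 0x2A-0x2E services incl. the 0x2E syscall gate.
EXPECTED_DPL3 = {0x03, 0x04, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E}


def parse_idt_dump(text):
    """Parse an IceSword IDT dump into its header values and a list of entries."""
    base = limit = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.search(line)
        if h:
            base, limit = int(h["base"], 16), int(h["limit"], 16)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "vector": int(m["index"]),
            "selector": int(m["sel"], 16),
            "offset": int(m["off"], 16),
            "gate_type": int(m["type"], 16),   # 0xE = 32-bit interrupt gate
            "dpl": int(m["dpl"]),
            "present": m["p"] == "P",
        })
    return {"base": base, "limit": limit, "entries": entries}


def is_core_vector(v):
    # CPU exception vectors and the OS service gates are serviced by ntoskrnl
    # itself; device-interrupt vectors may legitimately point at KINTERRUPT
    # dispatch code in nonpaged pool, so they are excluded from the range check.
    return v < 0x20 or v in EXPECTED_DPL3


def analyze_idt(dump, kernel_range):
    """Return (finding, value) tuples; an empty list means nothing stood out."""
    lo, hi = kernel_range
    gates = [e for e in dump["entries"] if e["present"] and e["gate_type"] != TASK_GATE]
    findings = []
    for e in gates:
        if e["selector"] != KERNEL_CS:
            findings.append(("nonstandard_selector", e["vector"]))
        if e["dpl"] == 3 and e["vector"] not in EXPECTED_DPL3:
            findings.append(("unexpected_dpl3", e["vector"]))
    core = [e for e in gates if is_core_vector(e["vector"])]
    outside = [e["vector"] for e in core if not (lo <= e["offset"] < hi)]
    findings.extend(("core_vector_outside_kernel", v) for v in outside)
    if core and len(outside) == len(core):
        # Every exception/service vector redirected at once: the whole-table
        # hook the developer suspected for the VM dump in this thread.
        findings.append(("all_core_vectors_redirected", len(core)))
    return findings


def summarize(dump):
    entries = dump["entries"]
    return {
        "descriptors": None if dump["limit"] is None else (dump["limit"] + 1) // 8,
        "parsed": len(entries),
        "present": sum(1 for e in entries if e["present"]),
        "task_gates": sum(1 for e in entries if e["present"] and e["gate_type"] == TASK_GATE),
    }


# Constructed sample: entries from the two dumps in this thread plus an invented
# vector 050; the kernel range approximates where ntoskrnl sits in those dumps.
KERNEL_RANGE = (0x80400000, 0x80700000)
SAMPLE_IDT = """\
IDT Base:0x8003F400 , IDT Limit:0x7FF
Index Selector:Offset Type DPL P bit
000 0008:804DFBFF E 00 P
001 FFF8:F7CEAB68 E 00 P
003 0008:804E015B E 03 P
008 0050:00001188 5 00 P
032 0008:00000000 0 00 N
046 0008:804DEEA6 E 03 P
049 0008:82CF5DD4 E 00 P
050 0008:F7AB1234 E 03 P
"""


def sample_findings():
    return analyze_idt(parse_idt_dump(SAMPLE_IDT), KERNEL_RANGE)


if __name__ == "__main__":
    dump = parse_idt_dump(SAMPLE_IDT)
    print(summarize(dump))
    for kind, value in sample_findings():
        print(f"{kind}: {value:#x}")
```

Run over the full dump above, this reports nothing for vectors 000-047 and ignores the 82xxxxxx handlers on the device vectors; run over the VM dump at the end of the thread, where every gate carries selector FFF8 and every exception vector points into F7CExxxx, it reports a nonstandard selector on each gate and `all_core_vectors_redirected`, which is the mechanical form of the developer's "total Interrupt Descriptor Table hook" reading.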
  12. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Try this ...

     

    Attached file: sys.jpg
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That's the IDT from inside the VM (the INT 0x.. ? system):

    IDT Base:0xF780F090 , IDT Limit:0x7FF
    Index Selector:Offset Type DPL P bit
    000 FFF8:F7CEAB60 E 00 P
    001 FFF8:F7CEAB68 E 00 P
    002 FFF8:F7CEAFD0 E 00 P
    003 FFF8:F7CEAB78 E 03 P
    004 FFF8:F7CEAB80 E 00 P
    005 FFF8:F7CEAB88 E 00 P
    006 FFF8:F7CEAB90 E 00 P
    007 FFF8:F7CEAB98 E 00 P
    008 FFD8:00000000 5 00 P
    009 FFF8:F7CEABA8 E 00 P
    010 FFF8:F7CEABB0 E 00 P
    011 FFF8:F7CEABB8 E 00 P
    012 FFF8:F7CEABC0 E 00 P
    013 FFF8:F7CEABC8 E 00 P
    014 FFF8:F7CEABD0 E 00 P
    015 0000:00000000 0 00 N
    016 FFF8:F7CEABE0 E 00 P
    017 FFF8:F7CEABE8 E 00 P
    018 FFF8:F7CEB950 E 00 P
    019 FFF8:F7CEABF8 E 00 P
    020 0000:00000000 0 00 N
    021 0000:00000000 0 00 N
    022 0000:00000000 0 00 N
    023 0000:00000000 0 00 N
    024 0000:00000000 0 00 N
    025 0000:00000000 0 00 N
    026 0000:00000000 0 00 N
    027 0000:00000000 0 00 N
    028 0000:00000000 0 00 N
    029 0000:00000000 0 00 N
    030 0000:00000000 0 00 N
    031 0000:00000000 0 00 N
    032 FFF8:F7CEB0C0 E 00 P
    033 FFF8:F7CEB0C8 E 00 P
    034 FFF8:F7CEB0D0 E 00 P
    035 FFF8:F7CEB0D8 E 00 P
    036 FFF8:F7CEB0E0 E 00 P
    037 FFF8:F7CEB0E8 E 00 P
    038 FFF8:F7CEB0F0 E 00 P
    039 FFF8:F7CEB0F8 E 00 P
    040 FFF8:F7CEB100 E 00 P
    041 FFF8:F7CEB108 E 00 P
    042 FFF8:F7CEB110 E 00 P
    043 FFF8:F7CEB118 E 00 P
    044 FFF8:F7CEB120 E 00 P
    045 FFF8:F7CEB128 E 00 P
    046 FFF8:F7CEB130 E 00 P
    047 FFF8:F7CEB138 E 00 P
    048 FFF8:F7CEB140 E 00 P
    049 FFF8:F7CEB148 E 00 P
    050 FFF8:F7CEB150 E 00 P
    051 FFF8:F7CEB158 E 00 P
    052 FFF8:F7CEB160 E 00 P
    053 FFF8:F7CEB168 E 00 P
    054 FFF8:F7CEB170 E 00 P
    055 FFF8:F7CEB178 E 00 P
    056 FFF8:F7CEB180 E 00 P
    057 FFF8:F7CEB188 E 00 P
    058 FFF8:F7CEB190 E 00 P
    059 FFF8:F7CEB198 E 00 P
    060 FFF8:F7CEB1A0 E 00 P
    061 FFF8:F7CEB1A8 E 00 P
    062 FFF8:F7CEB1B0 E 00 P
    063 FFF8:F7CEB1B8 E 00 P
    064 FFF8:F7CEB1C0 E 00 P
    065 FFF8:F7CEB1C8 E 00 P
    066 FFF8:F7CEB1D0 E 00 P
    067 FFF8:F7CEB1D8 E 00 P
    068 FFF8:F7CEB1E0 E 00 P
    069 FFF8:F7CEB1E8 E 00 P
    070 FFF8:F7CEB1F0 E 00 P
    071 FFF8:F7CEB1F8 E 00 P
    072 FFF8:F7CEB200 E 00 P
    073 FFF8:F7CEB208 E 00 P
    074 FFF8:F7CEB210 E 00 P
    075 FFF8:F7CEB218 E 00 P
    076 FFF8:F7CEB220 E 00 P
    077 FFF8:F7CEB228 E 00 P
    078 FFF8:F7CEB230 E 00 P
    079 FFF8:F7CEB238 E 00 P
    080 FFF8:F7CEB240 E 00 P
    081 FFF8:F7CEB248 E 00 P
    082 FFF8:F7CEB250 E 00 P
    083 FFF8:F7CEB258 E 00 P
    084 FFF8:F7CEB260 E 00 P
    085 FFF8:F7CEB268 E 00 P
    086 FFF8:F7CEB270 E 00 P
    087 FFF8:F7CEB278 E 00 P
    088 FFF8:F7CEB280 E 00 P
    089 FFF8:F7CEB288 E 00 P
    090 FFF8:F7CEB290 E 00 P
    091 FFF8:F7CEB298 E 00 P
    092 FFF8:F7CEB2A0 E 00 P
    093 FFF8:F7CEB2A8 E 00 P
    094 FFF8:F7CEB2B0 E 00 P
    095 FFF8:F7CEB2B8 E 00 P
    096 FFF8:F7CEB2C0 E 00 P
    097 FFF8:F7CEB2C8 E 00 P
    098 FFF8:F7CEB2D0 E 00 P
    099 FFF8:F7CEB2D8 E 00 P
    100 FFF8:F7CEB2E0 E 00 P
    101 FFF8:F7CEB2E8 E 00 P
    102 FFF8:F7CEB2F0 E 00 P
    103 FFF8:F7CEB2F8 E 00 P
    104 FFF8:F7CEB300 E 00 P
    105 FFF8:F7CEB308 E 00 P
    106 FFF8:F7CEB310 E 00 P
    107 FFF8:F7CEB318 E 00 P
    108 FFF8:F7CEB320 E 00 P
    109 FFF8:F7CEB328 E 00 P
    110 FFF8:F7CEB330 E 00 P
    111 FFF8:F7CEB338 E 00 P
    112 FFF8:F7CEB340 E 00 P
    113 FFF8:F7CEB348 E 00 P
    114 FFF8:F7CEB350 E 00 P
    115 FFF8:F7CEB358 E 00 P
    116 FFF8:F7CEB360 E 00 P
    117 FFF8:F7CEB368 E 00 P
    118 FFF8:F7CEB370 E 00 P
    119 FFF8:F7CEB378 E 00 P
    120 FFF8:F7CEB380 E 00 P
    121 FFF8:F7CEB388 E 00 P
    122 FFF8:F7CEB390 E 00 P
    123 FFF8:F7CEB398 E 00 P
    124 FFF8:F7CEB3A0 E 00 P
    125 FFF8:F7CEB3A8 E 00 P
    126 FFF8:F7CEB3B0 E 00 P
    127 FFF8:F7CEB3B8 E 00 P
    128 FFF8:F7CEB3C0 E 00 P
    129 FFF8:F7CEB3C8 E 00 P
    130 FFF8:F7CEB3D0 E 00 P
    131 FFF8:F7CEB3D8 E 00 P
    132 FFF8:F7CEB3E0 E 00 P
    133 FFF8:F7CEB3E8 E 00 P
    134 FFF8:F7CEB3F0 E 00 P
    135 FFF8:F7CEB3F8 E 00 P
    136 FFF8:F7CEB400 E 00 P
    137 FFF8:F7CEB408 E 00 P
    138 FFF8:F7CEB410 E 00 P
    139 FFF8:F7CEB418 E 00 P
    140 FFF8:F7CEB420 E 00 P
    141 FFF8:F7CEB428 E 00 P
    142 FFF8:F7CEB430 E 00 P
    143 FFF8:F7CEB438 E 00 P
    144 FFF8:F7CEB440 E 00 P
    145 FFF8:F7CEB448 E 00 P
    146 FFF8:F7CEB450 E 00 P
    147 FFF8:F7CEB458 E 00 P
    148 FFF8:F7CEB460 E 00 P
    149 FFF8:F7CEB468 E 00 P
    150 FFF8:F7CEB470 E 00 P
    151 FFF8:F7CEB478 E 00 P
    152 FFF8:F7CEB480 E 00 P
    153 FFF8:F7CEB488 E 00 P
    154 FFF8:F7CEB490 E 00 P
    155 FFF8:F7CEB498 E 00 P
    156 FFF8:F7CEB4A0 E 00 P
    157 FFF8:F7CEB4A8 E 00 P
    158 FFF8:F7CEB4B0 E 00 P
    159 FFF8:F7CEB4B8 E 00 P
    160 FFF8:F7CEB4C0 E 00 P
    161 FFF8:F7CEB4C8 E 00 P
    162 FFF8:F7CEB4D0 E 00 P
    163 FFF8:F7CEB4D8 E 00 P
    164 FFF8:F7CEB4E0 E 00 P
    165 FFF8:F7CEB4E8 E 00 P
    166 FFF8:F7CEB4F0 E 00 P
    167 FFF8:F7CEB4F8 E 00 P
    168 FFF8:F7CEB500 E 00 P
    169 FFF8:F7CEB508 E 00 P
    170 FFF8:F7CEB510 E 00 P
    171 FFF8:F7CEB518 E 00 P
    172 FFF8:F7CEB520 E 00 P
    173 FFF8:F7CEB528 E 00 P
    174 FFF8:F7CEB530 E 00 P
    175 FFF8:F7CEB538 E 00 P
    176 FFF8:F7CEB540 E 00 P
    177 FFF8:F7CEB548 E 00 P
    178 FFF8:F7CEB550 E 00 P
    179 FFF8:F7CEB558 E 00 P
    180 FFF8:F7CEB560 E 00 P
    181 FFF8:F7CEB568 E 00 P
    182 FFF8:F7CEB570 E 00 P
    183 FFF8:F7CEB578 E 00 P
    184 FFF8:F7CEB580 E 00 P
    185 FFF8:F7CEB588 E 00 P
    186 FFF8:F7CEB590 E 00 P
    187 FFF8:F7CEB598 E 00 P
    188 FFF8:F7CEB5A0 E 00 P
    189 FFF8:F7CEB5A8 E 00 P
    190 FFF8:F7CEB5B0 E 00 P
    191 FFF8:F7CEB5B8 E 00 P
    192 FFF8:F7CEB5C0 E 00 P
    193 FFF8:F7CEB5C8 E 00 P
    194 FFF8:F7CEB5D0 E 00 P
    195 FFF8:F7CEB5D8 E 00 P
    196 FFF8:F7CEB5E0 E 00 P
    197 FFF8:F7CEB5E8 E 00 P
    198 FFF8:F7CEB5F0 E 00 P
    199 FFF8:F7CEB5F8 E 00 P
    200 FFF8:F7CEB600 E 00 P
    201 FFF8:F7CEB608 E 00 P
    202 FFF8:F7CEB610 E 00 P
    203 FFF8:F7CEB618 E 00 P
    204 FFF8:F7CEB620 E 00 P
    205 FFF8:F7CEB628 E 00 P
    206 FFF8:F7CEB630 E 00 P
    207 FFF8:F7CEB638 E 00 P
    208 FFF8:F7CEB640 E 00 P
    209 FFF8:F7CEB648 E 00 P
    210 FFF8:F7CEB650 E 00 P
    211 FFF8:F7CEB658 E 00 P
    212 FFF8:F7CEB660 E 00 P
    213 FFF8:F7CEB668 E 00 P
    214 FFF8:F7CEB670 E 00 P
    215 FFF8:F7CEB678 E 00 P
    216 FFF8:F7CEB680 E 00 P
    217 FFF8:F7CEB688 E 00 P
    218 FFF8:F7CEB690 E 00 P
    219 FFF8:F7CEB698 E 00 P
    220 FFF8:F7CEB6A0 E 00 P
    221 FFF8:F7CEB6A8 E 00 P
    222 FFF8:F7CEB6B0 E 00 P
    223 FFF8:F7CEB6B8 E 00 P
    224 FFF8:F7CEB6C0 E 00 P
    225 FFF8:F7CEB6C8 E 00 P
    226 FFF8:F7CEB6D0 E 00 P
    227 FFF8:F7CEB6D8 E 00 P
    228 FFF8:F7CEB6E0 E 00 P
    229 FFF8:F7CEB6E8 E 00 P
    230 FFF8:F7CEB6F0 E 00 P
    231 FFF8:F7CEB6F8 E 00 P
    232 FFF8:F7CEB700 E 00 P
    233 FFF8:F7CEB708 E 00 P
    234 FFF8:F7CEB710 E 00 P
    235 FFF8:F7CEB718 E 00 P
    236 FFF8:F7CEB720 E 00 P
    237 FFF8:F7CEB728 E 00 P
    238 FFF8:F7CEB730 E 00 P
    239 FFF8:F7CEB738 E 00 P
    240 FFF8:F7CEB740 E 00 P
    241 FFF8:F7CEB748 E 00 P
    242 FFF8:F7CEB750 E 00 P
    243 FFF8:F7CEB758 E 00 P
    244 FFF8:F7CEB760 E 00 P
    245 FFF8:F7CEB768 E 00 P
    246 FFF8:F7CEB770 E 00 P
    247 FFF8:F7CEB778 E 00 P
    248 FFF8:F7CEB780 E 00 P
    249 FFF8:F7CEB788 E 00 P
    250 FFF8:F7CEB790 E 00 P
    251 FFF8:F7CEB798 E 00 P
    252 FFF8:F7CEB7A0 E 00 P
    253 FFF8:F7CEB7A8 E 00 P
    254 FFF8:F7CEB7B0 E 00 P
    255 FFF8:F7CEB7B8 E 00 P

    Do you recognize something special?
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Does not function in a virtual machine, but I found something interesting in this Parameters key: LayerDriver JPN kbd101.dll, Layer Driver KOR kbd101a.dll.

    Japan and Korea!!o_O??

    i8042prt\Enum\0 ACPI\PNP0303\4&102163c3&0
    i8042prt\Parameters\LayerDriver JPN kbd101.dll
    i8042prt\Parameters\Layer Driver KOR kbd101a.dll

    But I know how to create a BSOD, I only need to start the deep monitor :D:D:D
     
    Last edited: Jul 13, 2007
  15. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
  16. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I will send you a new dump when I find the time; I will then reinstall a fresh Windows XP in a virtual machine. If you want to stay informed about new revelations and some wicked beasty screens, check this link
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    @Gmer, the dump was sent to you some days ago.
    It would be cool if you'd find some anomalies to implement for the next Gmer version. If so, then give a sign.
    Maybe VMs generally create those anomalies, but sysenter 0000000 looks really strange.
     
  19. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86

    Attached Files:

    • kd.txt
      File size:
      140.7 KB
      Views:
      18
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Hi Gmer, thanks for the information, so we can consider the whole thing as false positives related to Gmer in VirtualBox.

    But what about that:

    20: 00000000
    21: 00000000
    22: 00000000
    23: 00000000
    24: 00000000
    25: 00000000
    26: 00000000
    27: 00000000
    28: 00000000
    29: 00000000

    But one thing Russinovich does not explain is the fact of these <unknown>s:

    http://i19.tinypic.com/4ygz9c2.png
     
    Last edited: Aug 10, 2007
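A small triage script for listings like the one pasted earlier in the thread (the "097 FFF8:F7CEB2C8 E 00 P" lines, vectors 097-255), as an added example that is not part of any post and not Gmer's own code. It assumes the columns are vector number, selector:offset, gate type, DPL and present flag (the listing carries no header, so this layout is an assumption), and it assumes the native 32-bit Windows kernel code selector is 0x0008, which is what IDT gates point through when no hypervisor or third party has rewritten them. It reports three things a practitioner would want from such a dump: runs of consecutive vectors whose handlers advance by a constant stride (a table of identical stubs, the pattern the 097-255 block shows), gates recorded with a zero handler address (the same idea as the 00000000 entries in the list above, which is in a different format and is not parsed here), and gates whose selector is not the kernel code segment. The sample lines are constructed, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed column layout of the listing (the page prints no header):
#   <vector> <selector>:<offset> <gate type> <DPL> <present: P or ->
LINE_RE = re.compile(
    r"^\s*(?P<vec>\d{1,3})\s+(?P<sel>[0-9A-Fa-f]{4}):(?P<off>[0-9A-Fa-f]{8})"
    r"\s+(?P<type>[0-9A-Fa-f])\s+(?P<dpl>[0-9A-Fa-f]{2})\s+(?P<present>[P-])\s*$"
)

KERNEL_CODE_SELECTOR = 0x0008  # KGDT_R0_CODE on native 32-bit Windows


@dataclass
class IdtEntry:
    vector: int
    selector: int
    offset: int
    gate_type: str
    dpl: int
    present: bool


def parse_listing(text: str) -> List[IdtEntry]:
    """Parse the per-vector lines; lines that do not match are ignored."""
    entries: List[IdtEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(IdtEntry(
            vector=int(m["vec"]),
            selector=int(m["sel"], 16),
            offset=int(m["off"], 16),
            gate_type=m["type"].upper(),
            dpl=int(m["dpl"], 16),
            present=m["present"] == "P",
        ))
    return entries


def find_stub_runs(entries: List[IdtEntry], stride: int = 8,
                   min_len: int = 3) -> List[Tuple[int, int, int, int]]:
    """Find runs of consecutive vectors whose handler offsets advance by
    exactly `stride` bytes, i.e. a table of identical small stubs.
    Returns (first_vector, last_vector, first_offset, last_offset) per run."""
    runs: List[Tuple[int, int, int, int]] = []
    i = 0
    while i < len(entries):
        j = i
        while (j + 1 < len(entries)
               and entries[j + 1].vector == entries[j].vector + 1
               and entries[j + 1].offset == entries[j].offset + stride):
            j += 1
        if j - i + 1 >= min_len:
            runs.append((entries[i].vector, entries[j].vector,
                         entries[i].offset, entries[j].offset))
        i = j + 1
    return runs


def triage(entries: List[IdtEntry],
           kernel_cs: int = KERNEL_CODE_SELECTOR) -> Dict[str, List[int]]:
    """Return vectors that deserve a second look, grouped by reason."""
    findings: Dict[str, List[int]] = {
        "zero_offset": [],       # gate recorded with no handler address
        "not_present": [],       # present bit clear
        "foreign_selector": [],  # handler does not run through the kernel code segment
    }
    for e in entries:
        if e.offset == 0:
            findings["zero_offset"].append(e.vector)
        if not e.present:
            findings["not_present"].append(e.vector)
        if e.selector != kernel_cs:
            findings["foreign_selector"].append(e.vector)
    return findings


# Constructed sample in the listing's line format (not a real capture).
SAMPLE = """\
  046 0008:804DF4F0 E 00 P
  047 0008:804DF4F8 E 00 P
  097 FFF8:F7CEB2C8 E 00 P
  098 FFF8:F7CEB2D0 E 00 P
  099 FFF8:F7CEB2D8 E 00 P
  100 FFF8:F7CEB2E0 E 00 P
  101 0000:00000000 E 00 -
  102 FFF8:F7CEB2F0 E 00 P
"""

if __name__ == "__main__":
    ents = parse_listing(SAMPLE)
    for first, last, off0, off1 in find_stub_runs(ents):
        print(f"stub run: vectors {first:03d}-{last:03d} at {off0:08X}-{off1:08X}")
    for reason, vecs in triage(ents).items():
        if vecs:
            print(f"{reason}: {vecs}")
```

Paste a whole listing into `SAMPLE` (or read it from the saved log) and run it; the stub-run report tells you which vector ranges all land in one stub table, and the selector check is the fast way to separate gates that still go through the kernel code segment from gates that something else has pointed elsewhere. Whether a non-kernel selector is a hypervisor artifact or a hook is a question for the kernel debugger, as in the kd.txt exchange above; the script only narrows down which vectors to look at.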
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That is interesting: besides, Gmer, your tool received the No. 1 rank in a German computer magazine; EP's RkU only got rank 3, it was downgraded because of too many BSODs, what an irony.. lol.

    1. Gmer 1.0.13
    2. AVG
    3. RkU 3.37
     