GMER Questions

Discussion in 'other anti-malware software' started by WilliamP, Nov 29, 2006.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    When you run a scan for Root Kits with gmer, will all hidden entries be identified as hidden? I certainly would love to know how to use gmer to its fullest. The same holds true for SSM.
     
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Thank you for that link. I have 2 computers and have downloaded gmer on both. It behaves differently on both. On my older computer (XP Home) the scan produced a long list. On the new XP Pro it seems to have scanned everything, but the list produced was short. Also I can't click on Show All on either computer.
     
  4. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
  5. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @WilliamP

    GMER marks as rootkits only hidden processes, modules, services or files.

    All other stuff like SSDT, IRP, IDT, inline hooks may be useful to catch malware that doesn't hide anything.

    Example: Rustock.B

    Hidden: NTFS Stream (ADS) + Module + Service

    SYSENTER hook to cheat registry.
    IoCallDriver hook to hide NTFS Stream.
    tcpip.sys + wanarp.sys inline hooks to bypass firewall.

    Code:
    GMER 1.0.12.11883 - http://www.gmer.net
    Rootkit scan 2006-11-06 12:51:38
    Windows 5.1.2600 Service Pack 2
    
    
    ---- System - GMER 1.0.12 ----
    
    SYSENTER  ?                                                F89F1FAF
    
    Code      F89F0A5E                                         pIofCallDriver
    
    ---- Kernel code sections - GMER 1.0.12 ----
    
    .text     ntoskrnl.exe!Kei386EoiHelper + 1269              804D8DF0 3 Bytes 
    .text     tcpip.sys!IPTransmit + 4279                      FAC00CFA 6 Bytes  CALL F89F3D60 
    .text     tcpip.sys!IPTransmit + 9433                      FAC0211C 6 Bytes  CALL F89F3D60 
    .text     tcpip.sys!IPTransmit + 18018                     FAC042A5 6 Bytes  CALL F89F3D60 
    .text     wanarp.sys                                       FC6A03FD 7 Bytes  CALL F89F3D6A 
    
    ---- Modules - GMER 1.0.12 ----
    
    Module    (noname) (*** hidden *** )                       F89ED000                          
    
    ---- Services - GMER 1.0.12 ----
    
    Service   D:\WINDOWS\system32:lzx32.sys (*** hidden *** )  [SYSTEM] pe386                     <-- ROOTKIT !!!
    
    ---- Files - GMER 1.0.12 ----
    
    ADS       D:\WINDOWS\system32:lzx32.sys                                                       <-- ROOTKIT !!!
    
    ---- EOF - GMER 1.0.12 ----
    This option is disabled because making such a log doesn't make sense.
    The "Show All" option is useful when you want to create a log of services, processes or other

    To show all services tick only "Services" + Show all.

    I hope it helps.

    Regards
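Added example (not GMER's code and not from the post): a small Python parser for the log format shown above that separates the entries GMER itself flags as rootkit evidence (hidden objects) from the hook lines it only reports as hints, then checks whether the hook targets fall inside the hidden module's address range. The 0x100000 span is an assumed upper bound on the module's size.

```python
import re
# Constructed sample: the Rustock.B log posted above, trimmed to the lines
# the parser keys on (section headers, hook lines, hidden entries).
SAMPLE_LOG = r"""---- System - GMER 1.0.12 ----
SYSENTER  ?                                                F89F1FAF
Code      F89F0A5E                                         pIofCallDriver
---- Kernel code sections - GMER 1.0.12 ----
.text     ntoskrnl.exe!Kei386EoiHelper + 1269              804D8DF0 3 Bytes
.text     tcpip.sys!IPTransmit + 4279                      FAC00CFA 6 Bytes  CALL F89F3D60
.text     wanarp.sys                                       FC6A03FD 7 Bytes  CALL F89F3D6A
---- Modules - GMER 1.0.12 ----
Module    (noname) (*** hidden *** )                       F89ED000
---- Services - GMER 1.0.12 ----
Service   D:\WINDOWS\system32:lzx32.sys (*** hidden *** )  [SYSTEM] pe386                     <-- ROOTKIT !!!
---- Files - GMER 1.0.12 ----
ADS       D:\WINDOWS\system32:lzx32.sys                                                       <-- ROOTKIT !!!
---- EOF - GMER 1.0.12 ----
"""
SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
HEX8 = r"\b([0-9A-F]{8})\b"

def hook_target(section, line):
    """Address a hook jumps to: the CALL operand on inline patches, the
    first address on System-section lines (SYSENTER / IRP dispatch)."""
    m = re.search(HEX8 if section == "System" else r"\bCALL " + HEX8, line)
    return int(m.group(1), 16) if m else None

def parse_gmer_log(text):
    """Split a log into what GMER itself flags as rootkit evidence (hidden
    objects) and hook lines, which the developer says are only hints."""
    rootkit, hooks, section = [], [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        tokens = line.split()
        if len(tokens) < 2 or section in (None, "EOF"):
            continue
        if "*** hidden ***" in line or "<-- ROOTKIT" in line:
            base = int(tokens[-1], 16) if re.fullmatch(HEX8, tokens[-1]) else None
            rootkit.append({"section": section, "kind": tokens[0], "name": tokens[1], "base": base})
        elif (target := hook_target(section, line)) is not None:
            hooks.append({"kind": tokens[0], "target": target, "text": line.strip()})
    return rootkit, hooks

def hooks_into_hidden_module(rootkit, hooks, span=0x100000):
    """Hook targets within span bytes above a hidden module base are that module's code."""
    bases = [e["base"] for e in rootkit if e["kind"] == "Module" and e["base"]]
    return [h for h in hooks if any(b <= h["target"] < b + span for b in bases)]
```

On the sample, all four hook targets (SYSENTER, pIofCallDriver, tcpip.sys, wanarp.sys) land a few KB above the hidden module at F89ED000, which is what ties the "hint" lines to the hidden driver.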
     
  6. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Thank you GMER for your reply. I have read what I could find about gmer. Would you please confirm this for me? As I understand, when you double click on the icon and gmer opens, it checks for hidden items and will display them. Thank you for your help.
     
  7. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Just after start, GMER checks only for hidden processes + services + libraries.
    To find hidden files, modules, registry keys or inline hooks you have to start a full scan.
     
  8. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Thank you for your help. Also I found out the reason for the two different size scans on my two computers. My older computer is connected wirelessly. A bunch of entries for the wireless show up.
     