Understanding GMER Output

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Stardance, Aug 11, 2008.

  1. Stardance

    Stardance Private E-2

    Can anyone point me to an explanation of the output produced by the anti-rootkit detector GMER??

    I haven't found anything on the PCTools website, and you really have to have sharp eyes to see the link to download it there. Apparently it is incorporated into some of their anti-malware products.

    ---- Stardance

    nil carborundum illegitimi :)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    GMER was not designed by PC Tools. It is by www.gmer.net (but the site has been down lately) and that is where you need to go to understand what it is about. Note it is not going to lead you by the hand though. Rootkit tools are for experienced users.
     
  3. Stardance

    Stardance Private E-2

    If memory serves, Google lists gmer.net as the first two search results (PCTools is the third, for downloading GMER). However, as you say, gmer.net has been offline at least since my first attempt to access it sometime Saturday. I haven't checked yet today.

    Certainly, I am not an expert on Windows internals. Still, so far I've run Sysinternals RootkitRevealer, F-Secure BlackLight, AVG Anti-Rootkit, and GMER. The concepts are relatively simple. RootkitRevealer and BlackLight use the "cross-view" method. AVG examines all of the files that it can find for a "signature" (presumably it uses every method of finding files that there is). None of the first three has found anything amiss, and I can't interpret GMER's output.

    Frankly, I have come to believe that the malware running on my computer probably has not used a rootkit to hide its files. After all, with about 46,000+ files on the drive, it can be very difficult, if not impossible, to distinguish which file belongs where it is and which file doesn't belong where it is.

    This is compounded by constant changes in the number of files, and in their sizes, that comprise not just the Windows operating system, but many utilities and applications as well. It also doesn't help that Windows will load and run any file that has the header of an executable file, regardless of the filename extension.

    Thanks for your reply.

    ---- Stardance

    nil carborundum illegitimi
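The "cross-view" method mentioned in the post above, shown as an added example that is not code from the thread, from GMER, RootkitRevealer or BlackLight (all of which are closed-source Windows tools). It is written for a Linux host, where the same idea can be demonstrated with standard library calls: one enumeration of running processes goes through the high-level path a rootkit usually hooks (readdir on /proc), the other goes through a lower-level path it usually does not (probing every PID with kill(pid, 0), the approach the Unhide tool uses), and anything the raw view sees but the API view does not is a hiding candidate. The `simulated_rootkit_view` helper is a constructed stand-in for a hooked API so the diff can be exercised without a real rootkit; all function names are assumptions.

```python
"""Cross-view process-hiding detection (added illustration, not thread code).

Cross-view detection takes two enumerations of the same objects through
different code paths and diffs them. A rootkit that filters the high-level
path (what ps, Task Manager or a directory listing sees) but not the raw
path shows up as the difference. Linux/POSIX only: os.kill(pid, 0) has
very different semantics on Windows and must not be used there.
"""
import os
from typing import Iterable, Set


def cross_view_diff(high_level: Iterable[int], low_level: Iterable[int]) -> Set[int]:
    """Objects present in the raw (low-level) view but absent from the API
    (high-level) view: the candidates something is hiding."""
    return set(low_level) - set(high_level)


def simulated_rootkit_view(raw: Set[int], hidden: Set[int]) -> Set[int]:
    """Constructed stand-in for a hooked API: the true data minus the
    entries the (imaginary) rootkit wants to hide."""
    return raw - hidden


def pids_from_proc() -> Set[int]:
    """High-level view: the PIDs a normal readdir of /proc returns. This is
    the path a process-hiding rootkit typically hooks."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _pid_max() -> int:
    """Upper bound for the brute-force probe (assumed 32768 if unreadable)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


def pids_by_probe(max_pid: int = 0) -> Set[int]:
    """Low-level view: ask the kernel about every PID with signal 0.
    Nothing is delivered; the kernel only reports existence. EPERM
    (PermissionError) still means the PID exists but belongs to another
    user, ESRCH (ProcessLookupError) means it does not exist."""
    if os.name != "posix":
        raise RuntimeError("kill(pid, 0) probing is only meaningful on POSIX")
    limit = max_pid or _pid_max()
    found: Set[int] = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except PermissionError:
            found.add(pid)
        except ProcessLookupError:
            pass
    return found


def live_hidden_pids() -> Set[int]:
    """Live cross-view on this host. The high-level view is taken before and
    after the probe so a process that exits or starts during the scan is not
    mistaken for a hidden one; only PIDs the probe saw but neither readdir
    saw are flagged. Very short-lived processes can still slip through, so
    re-run and intersect the results before believing a hit."""
    before = pids_from_proc()
    probed = pids_by_probe()
    after = pids_from_proc()
    return cross_view_diff(before | after, probed)


def self_check() -> bool:
    """Sanity check: the current process must be visible in both views."""
    me = os.getpid()
    return me in pids_from_proc() and me in pids_by_probe(me)


if __name__ == "__main__":
    # Constructed demonstration: hide PID 4 from the "API" view and diff.
    raw = {1, 2, 3, 4}
    print("simulated hidden:", cross_view_diff(simulated_rootkit_view(raw, {4}), raw))
    # Real cross-view against this host.
    hidden = live_hidden_pids()
    print("PIDs hidden from /proc:", sorted(hidden) if hidden else "none")
```

A clean host should print "none" for the live check. A non-empty result is a lead, not a verdict: the first thing to rule out is a race with a process that started or exited mid-scan, which is why the tools named in the thread also warn that cross-view discrepancies need manual confirmation.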
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually Major Geeks download link for GMER is the 3rd. ;) However this does not mean that Major Geeks designed the application and neither did PC Tools. :)

    What malware problems are you actually having?

    If you want to check your PC for malware, please follow the instructions in the below link and attach the requested logs when you finish these instructions.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  5. Stardance

    Stardance Private E-2

    According to Sysinternals TCPView, and to Foundstone's FPort, something hijacks Process ID 0 (zero), System Idle, and has been using it to communicate both with unidentifiable computers and with well-known, identifiable websites. It is probably an unwelcome nuisance at the latter. Which is to say that the malware exhibits worm-like behavior, but it also constantly attempts to establish an outgoing UDP connection by using Microsoft File and Printer Sharing, presumably to allow access to my computer's files by a remote computer -- which Sunbelt Personal Firewall (SPF) will not permit.

    Otherwise, SPF detects neither the traffic nor the OS component (probably the kernel) nor any other executable that is making the "calls out". Presumably the malware can receive messages from a computer that it has called. McAfee's firewall is just as clueless (but SPF is a lot better with regard to its other features). I haven't yet tried any other firewall. The last time that I saw Norton's, I had to say that it was the sorriest excuse for a firewall that I could imagine. Worse, they bought Sygate, which produced one of the best firewalls that I've ever used, and withdrew that firewall from the market. I've been trying various scanners and anti-rootkit tools, but nothing has been found so far.

    That said, today, during the system boot, SPF reported that Application Layer Gateway has been changed since the most recent run (yesterday), and asked whether to permit ALG.EXE to run. I decided to not run it, as it seems to be used very little, if at all, by the applications that I run.

    System Virginity Verifier 2.x reported that kernel32.dll, user32.dll, and WS_2.dll have been corrupted, and found that some changes have been made to ntoskrnl.exe as well. It also reported that three files that it expected to find were not present. I sent copies of the three .DLL files to McAfee's Avert labs, but their "automatic scanner" did not find any malware. Go figure.

    For what it is worth, I went through the entire "Before You Post Your Hijack This Log" procedure for Spyware Beware! forum. It took several hours to do every step, then compose the message to post. It was posted on their forum (the Hijack This section) on August 7, has had 27 views and is now on page two, without any reply! That is, anyone who has the credentials to examine the information that I posted either hasn't seen the message or hasn't bothered to respond. I don't intend to repeat the experience here.

    Also, I've been communicating with Microsoft tech support about the situation. They are really slow. The first tech who has been investigating has decided that he is in over his head, so he sent my "service request" to the next level, presumably last Friday. There's no telling when, if ever, I will hear from them again.

    What I probably will do soon is to archive everything that I want to keep, nuke the hard drive and re-install Windows XP -- I've done it before. (Or maybe I will change to using Linux -- my next computer might be a Mac running OS X.) Of course, this means that since no "infected file" has been identified as such, no "signature" will ever be created for the malware that is now running on my computer. No anti-virus or anti-spyware developer wants anything except a file that they can identify as "infected". Period. Of course, they will gladly help you find an "infected file" if you are willing to pay them lots of money for their aid. Regardless of whether one is found, they expect you to pay the bill, yet they're the one who will profit the most perchance an "infected file" is found.

    Regardless, ultimately, I will have to nuke the hard drive and install, or reinstall, an operating system. Of course, sooner or later my computer might be infected again by the same malware, by some other malware (whether known or unknown), or perhaps not by any malware for many years, if ever.

    --- Stardance

    nil carborundum illegitimi
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry but this is not the Spyware Beware forum and we have our own procedures which you will notice do not even ask for a HijackThis log because they do not show enough information to really indicate whether a PC has malware or not. Many other tools/scans are necessary.

    So if you do not want any help from us, I'm not sure why you are even posting here. Formatting your PC is always an alternative however it is rarely necessary, but that is your decision to make.

    Based on the logs you posted at the other forum ( Hijack This (Probably Has No Clue) ), your only problem is due to installing multiple firewalls. Since you have already started a thread at the other site, you really should just continue working with them as we frown upon using scarce resources from multiple malware removal support forums.
     
    Last edited: Aug 12, 2008
  7. Stardance

    Stardance Private E-2

    First, I'm sorry to have offended you by my remarks! You have no idea how much time and effort that I've already spent dealing with this situation during the past 10 weeks -- in the context, of course, of having arguably much more important things to do instead.

    It all began on June 3, when Sunbelt Personal Firewall (SPF) logged two attempts to connect "out" to the Verisign website from a "closed port", and it denied both transits. Those two little events left me with a nagging suspicion that malware might be present, so I searched the internet for tools that would enable me to see various aspects of the system in operation, such as Sysinternals TCP View and Process Monitor.

    The first challenge was discerning whether what I found happening while the computer ran was evidence of malware. The "PC" has not been "slow" recently in any ways that it wasn't already occasionally "slow". There were no messages from Norton AntiVirus, from Spybot Search & Destroy, and/or from two of SPF's three "intrusion detection" features, that the computer's system had been compromised. The SPF Application Behavior Blocking feature has alerted twice -- not immediately after installing updates on Patch Tuesday -- that a Windows component has been changed since its most recent execution, asking whether I want to allow it to run. However, the evidence has come primarily from using those other tools.

    The second challenge has been twofold. For one, I have not been able to determine how the computer system was invaded -- whether by an e-mail attachment, or by a website, or by direct transmission from a hostile computer that had the necessary IP address and port number while that port was opened for some other communication. A Linksys WRT54G router is installed between the computer and the DSL modem, with the router's "stateful packet inspection" firewall enabled. So, I have reviewed the router's configuration, as well as other aspects of the "network" and of the computer itself. It seems that the malware didn't become as active as it is now immediately upon arrival. Perhaps only a part of it was introduced, and it had to wait until delivery of the rest penetrated the defenses.

    The other part has been looking for a way to actually identify the malware executable(s) -- I assume that at least one is stored on this computer -- and get rid of the malware without resorting to beginning all over again from scratch. In the process, I've come to have little faith in following "scripts". Even those that come with a price tag end with the malware still running on my computer. The "tech" who is supposedly conferring a benefit at $0.50+ per minute is, of course, following a "script" that s/he has been ordered to use, one that I could probably write in my sleep. At most, the scripts that I've followed just "clean up" the computer, whether such activity improves the potential detection of malware by security software or by some other method(s). And it seems that everyone has a different "cleaner" utility and, sometimes, a program that simply "examines and reports" mostly basic information about the computer and the software that is installed.

    We cannot remove what we cannot find. The first message in this exchange asked where I could find information on interpreting the output of GMER. You told me (thank-you!). And as far as I know, gmer.net is still offline.


    FWIW, I do not recall seeing the use of Control Panel > Add or Remove Programs in a cleaning routine before perusing yours. :) I suspect that some of the software on your list is distributed by websites that are in the HOSTS file of this computer. Regardless, Add or Remove Programs has apparently become corrupted. For example, it doesn't show Sun Java or Microsoft .NET installations that it used to show.

    Now, Java update executables will run, but do not install the update. One problem revealed by Process Explorer is that McAfee's System Guards unit terminates the Java update as soon as the executable is loaded, and the unit does not log doing that. If I terminate System Guards first, then the Java update executable remains loaded, but it doesn't do anything.

    The recommendation to boot in Safe Mode and run CCleaner while logged-on with "the Administrator" account is also novel. Could malware hide files in storage space allocated for that account, e.g., in its Local Service\Temp subdirectory? Windows won't let me access that account's storage in C:\Documents and Settings unless I am logged-on via the Safe Mode Administrator account. So, how malware would access such space to store files, whether at least one executable stored there is loaded during system boot, remains to be seen. Aside from running a "cleaner", I've been reluctant to boot into Safe Mode and enter "the Administrator" account's password, if only because I don't know whether the malware has installed a key-logger. Regardless, I ordinarily run the computer in Normal Mode with, against some advice, an account that has Administrator privileges.

    Your "Run & Read Me First" doesn't say anything about System Restore (unless it's on a link that I haven't seen yet). Reportedly, most AV/AS scanners do not examine files in System Restore, i.e., Windows won't allow them to do that. So some folks say that it should be turned off, at least before running a rootkit detector, because some malware has been discovered storing files within the storage area that has been set aside for System Restore.

    By the way, the computer is not simultaneously running two firewalls for very long after system boot. After I installed the McAfee package, I did not run SPF with it. However, if McAfee firewall ever had a clue as to what the malware has been doing, or trying to do, then it has never told me. So, for example, I don't know whether it stopped the malware from using Microsoft File and Printer Sharing to transmit files to another computer(s) via the internet. Now, after both firewalls are loaded, I use McAfee Security Center to turn their firewall "off". But it won't stay "off" unless I run Process Explorer and kill the McAfee firewall process. Apparently I must do those two things in that order, or a McAfee component will re-launch McAfee's firewall service when it finds that it is missing.

    Then SPF is left in control without adverse consequences, as far as I've been able to determine. McAfee still does ad hoc scanning of e-mail, of e-mail attachments, and of software that is loaded in memory -- without apparently interfering with SPF Application Behavior Blocking. McAfee's update service keeps the definitions file current, and I run McAfee's scanner manually to search the hard drive every day. That said, I plan to uninstall McAfee entirely before the end of this week. I haven't decided what, if any (?), anti-virus, anti-spyware software that I will install in its place. There sure is plenty of it out there!

    Further, when I install an AV/AS "scanner" that I've downloaded, I take care to install only the part(s) that are required to run a manual scan -- just to use their definitions file to see whether the scanner can find whatever malware is running on my computer. If I cannot use the scanner in such a limited role, then I don't install it or any software that comes with it.

    In conclusion, don't get me started. :)

    --- Stardance

    nil carborundum illegitimi
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based only on what you posted at the other forum, I see no malware.

    It is back online.

    I doubt it.

    This has been seen before on many systems. It is not a malware issue. Something was done within Windows to delete the uninstall information. I cannot help you with this. You can either use System Restore to go back to a point before the corruption or you can reinstall the applications that are missing.


    Not a problem for the malware removal forum.

    Yes.


    You did not read far enough. You need to see the actual cleaning procedures and you will see that we do not toggle System Restore at the beginning. We do it only after malware has been removed. Having even an infected restore point is better than having none if something goes wrong during a cleaning process.


    They should not be running at all together. Uninstall one. If you cannot uninstall McAfee's firewall then uninstall Sunbelt.
     