
Gmer Rootkit scanner destroyed windows?


Chrisssj2

I know this doesn't contain the necessary information, but the point is, I was building up all my information, and my PC hung while scanning at this step, so I pressed the reset button on my PC.

Download the following GMER Rootkit Scanner from here
◦ Download the randomly named EXE file to your Desktop. Remember what its name is, since it is randomly named.
◦ Double-click on the new randomly named EXE file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run.
◦ It may take a minute to load and become available.
◦ If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
◦ In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
  ■ Sections
  ■ IAT/EAT
  ■ Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  ■ Show All (don't miss this one)
◦ Then click the Scan button and wait for it to finish.
◦ Once done, click on the [Save..] button, and in the File name area type in "ark.txt", or it will save as a .log file, which cannot be uploaded to your post.
◦ Save it where you can easily find it, such as your Desktop.
◦ **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
◦ Click OK and quit the GMER program.

Note: In Firefox you need to go to Tools/Options/Main, then under the Downloads section click on "Always ask me where to save files" so that you can choose the name and where to save to, in this case your Desktop.

So now when I start Windows XP SP3 (the troubled OS; I have multi-boot selection by VistaBootPRO, and I'm on Win7 now),

the screen goes dark and nothing happens, nothing loads, and F8 doesn't work either.

So my info (all my scans etc.) is now under a personalised XP account...

I can't enter my files there... or is there a way to get in there still?

I can't reformat since there are important files there. Need to recover at least the files if not the windows installation if possible.

Any recommendations to try out?

Thanks.


This is the info I managed to save.

Yesterday my PC suddenly rebooted, and at the login screen it had a message from Windows saying

"Services is shut down", which is critical for Windows, etc. etc. etc.

So it rebooted again and again. I happened to log in once quite fast, pressed Ctrl+Alt+Del and started

services, and I was saved, though every action took 15 minutes...

I searched the registry for some time and didn't see anything (well yeah, looking in a haystack).

Then I rebooted and everything was OK again.

I scanned and got this (or the morning before, can't remember :)):

http://img36.imageshack.us/img36/1541/96877957.png

http://img710.imageshack.us/img710/3671/45980645.png

I think in the morning I removed some, then in the evening got the reboot, and the next scan resulted in nothing, I think.

Also searched with the latest Spybot S&D

+ Trend Micro HouseCall antivirus.

No results.

Then later that evening my internet DC'ed, meaning the internet didn't work (IE8, Firefox),

but MSN conversations were still ongoing :) and torrents were still receiving too, I believe.

So I went to sleep and shut off the PC.

Next morning everything was OK until the evening, when I got DC'ed again...

(did both scans again, Spybot S&D + Malwarebytes, nothing..)

I looked at my event viewer and saw this info:

http://img30.imageshack.us/i/disc2c.jpg/

http://img30.imageshack.us/img30/4321/disc3w.jpg

http://img710.imageshack.us/img710/531/disc4.jpg

http://img684.imageshack.us/img684/3790/discm.jpg

http://img268.imageshack.us/img268/5148/disc9.jpg

http://img30.imageshack.us/img30/2618/disc67.jpg

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:52:36 PM, on 12/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\mmc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\Documents and Settings\chrisssj4.EXPERIEN-18506F\Desktop\Masterbackup of all times\Snelkoppelingen\HiJackThis.exe

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: Creative Audio Service (CTAudSvcService) - Unknown owner - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (file missing)

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--

End of file - 2696 bytes

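As an added example (not part of the original thread or of HijackThis itself), here is a small Python parser for the O23 service entries in a HijackThis log. It picks out the "Unknown owner" and "(file missing)" services so they can be reviewed one by one instead of acted on blindly, in the spirit of the false-positive caution in the GMER notes. The sample lines are a constructed subset copied from the log posted above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""

# HijackThis O23 lines read "O23 - Service: <name> - <owner> - <path>[ (file missing)]".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool

def parse_services(log_text: str) -> list[ServiceEntry]:
    """Extract the O23 (service) entries from a HijackThis log; other O-lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["name"], m["owner"], m["path"], m["missing"] is not None))
    return entries

def flag_services(entries: list[ServiceEntry]) -> list[tuple[str, list[str]]]:
    """Return (service name, reasons) for entries worth a second look.

    "file missing" usually means an uninstaller left the service registration behind;
    "unknown owner" means HijackThis found no publisher information for the binary.
    Neither proves malware on its own; each flagged entry still needs manual review.
    """
    flagged = []
    for e in entries:
        reasons = []
        if e.owner == "Unknown owner":
            reasons.append("unknown owner")
        if e.file_missing:
            reasons.append("file missing")
        if reasons:
            flagged.append((e.name, reasons))
    return flagged

if __name__ == "__main__":
    for name, reasons in flag_services(parse_services(SAMPLE_LOG)):
        print(f"{name}: {', '.join(reasons)}")
```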
