
GMER Question



New forum member here - first, thanks to all of the volunteers for the time and effort that they put in giving out helpful advice and tips. Definitely appreciate what you're doing for the anti-malware community. :-)

I have a question about GMER: I ran it (via the DDS suite) on my system, and everything appears clean - though I'm wondering what the last line of the "ROOTKIT" section means (user != kernel MBR !!!). I tried searching the forums for that, but got a "One or all of your search keywords were below 4 characters or you searched for words which are not allowed, such as 'html', 'img', etc, please increase the length of these search keywords or choose different keywords" error message. So if there's info on this log entry elsewhere, please feel free to point me in that direction.




=================== ROOTKIT ====================


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST31000528AS rev.CC3E -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-22


device: opened successfully

user: MBR read successfully


Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

1 ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Harddisk1\DR1[0x8A4CAAB8]

3 CLASSPNP[0xB810905B] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\00000076[0x8A539BE0]

5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Ide\IdeDeviceP1T1L0-17[0x8A4A8B00]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [sI], CH; JL 0x2d; JNZ 0x3b; }

user != kernel MBR !!!

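The "user != kernel MBR" line is GMER's byte-for-byte comparison of two reads of sector 0: one taken through the normal user-mode disk device path and one taken by GMER's own kernel-mode read. Here is an added example, not GMER's code, that performs the same kind of comparison on two 512-byte snapshots and reports which MBR region (boot code, partition table, boot signature) disagrees. The region classification and the sample bytes are my own construction; the first snapshot starts with the standard Windows XP boot-code prologue that GMER disassembles in the log above.

```python
MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIG_OFFSET = 510     # last two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def region_for(offset: int) -> str:
    """Name the MBR region an offset falls in (our classification, not GMER's)."""
    if offset < PART_TABLE_OFFSET:
        return "boot code"
    if offset < BOOT_SIG_OFFSET:
        return "partition table"
    return "boot signature"


def compare_mbr(user_mbr: bytes, kernel_mbr: bytes) -> dict:
    """Diff a user-mode and a kernel-mode MBR snapshot and summarise disagreements."""
    if len(user_mbr) != MBR_SIZE or len(kernel_mbr) != MBR_SIZE:
        raise ValueError("MBR snapshots must be exactly 512 bytes")
    diffs = [i for i in range(MBR_SIZE) if user_mbr[i] != kernel_mbr[i]]
    return {
        "match": not diffs,                       # True == the two views agree
        "user_sig_ok": user_mbr[BOOT_SIG_OFFSET:] == BOOT_SIGNATURE,
        "kernel_sig_ok": kernel_mbr[BOOT_SIG_OFFSET:] == BOOT_SIGNATURE,
        "first_diff": diffs[0] if diffs else None,
        "diff_count": len(diffs),
        "regions": sorted({region_for(i) for i in diffs}),
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, an all-zero partition table, valid signature."""
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + b"\x00" * 64 + BOOT_SIGNATURE


# Standard Windows XP boot-code prologue, the bytes behind the disassembly in the
# log above (XOR AX,AX; MOV SS,AX; MOV SP,0x7c00; STI; ... REP MOVSB; RETF).
XP_PROLOGUE = bytes.fromhex("33c08ed0bc007cfb5007501ffcbe1b7cbf1b065057b9e501f3a4cb")

USER_MBR = build_sample_mbr(XP_PROLOGUE)
# Constructed second snapshot whose boot code differs (JMP $), standing in for a
# disk whose kernel-level read does not match the user-mode view.
KERNEL_MBR = build_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    print(compare_mbr(USER_MBR, USER_MBR))    # match: True
    print(compare_mbr(USER_MBR, KERNEL_MBR))  # match: False, regions: ['boot code']
```

A mismatch confined to the partition table or signature is worth a different follow-up than one in the boot code, which is why the summary names the region rather than just reporting "differs".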

  • Staff

When running a scan with GMER, it's not very exclusive. If something is 'hidden' it will show it. Not all computers have the same components so not all logs will be the same. I'm not the author of GMER so I can't explicitly say what every line means. I can tell you though that if you were infected, you would be experiencing symptoms of infection.


I can tell you though that if you were infected, you would be experiencing symptoms of infection.

Thanks - I e-mailed the GMER author and he said the log didn't show any indications of an infection, though he also didn't reply to my follow-up about what that entry actually meant. But apparently it's just some random "noise" generated by the program, and if the machine is clean then I'm happy with that.


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
