GMER Question

[SoCalGuy]

Hi:

New forum member here - first, thanks to all of the volunteers for the time and effort that they put in giving out helpful advice and tips. Definitely appreciate what you're doing for the anti-malware community. :-)

I have a question about GMER: I ran it (via the DDS suite) on my system, and everything appears clean - though I'm wondering what the last line of the "ROOTKIT" section means (user != kernel MBR !!!). I tried searching the forums for that, but got a "One or all of your search keywords were below 4 characters or you searched for words which are not allowed, such as 'html', 'img', etc, please increase the length of these search keywords or choose different keywords" error message. So if there's info on this log entry elsewhere, please feel free to point me in that direction.

--

Thanks,

GregR

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST31000528AS rev.CC3E -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-22

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

1 ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Harddisk1\DR1[0x8A4CAAB8]

3 CLASSPNP[0xB810905B] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\00000076[0x8A539BE0]

5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Ide\IdeDeviceP1T1L0-17[0x8A4A8B00]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [sI], CH; JL 0x2d; JNZ 0x3b; }

user != kernel MBR !!!

[screen317]

Hi and welcome to Malwarebytes.

Are you currently experiencing any actual issues?

[SoCalGuy]

None that I'm aware of, though I'm was curious what that line meant (especially since scans on other machines didn't have it).

[SoCalGuy]

Thanks, Christina.

[screen317]

When running a scan with GMER, it's not very exclusive. If something is 'hidden' it will show it. Not all computers have the same components so not all logs will be the same. I'm not the author of GMER so I can't explicitly say what every line means. I can tell you though that if you were infected, you would be experiencing symptoms of infection.

[SoCalGuy]

I can tell you though that if you were infected, you would be experiencing symptoms of infection.

Thanks - I e-mailed the GMER author and he said the log didn't show any indications of an infection, though he also didn't reply to my follow-up about what that entry actually meant. But apparently it's just some random "noise" generated by the program, and if the machine is clean then I'm happy with that.

[screen317]

Great. GMER is a very nice guy.

Anything else I can help with?

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!