my gmer log

Hi,
When I start GMER the computer resets. I can only run it in safe mode. Could someone please take a look at the GMER log and say if there is anything suspicious?

[attachment deleted by admin]

No, I don’t see anything suspicious here. Did GMER report anything hidden/suspicious?
Can you see what the BSOD message is, and/or do you have minidumps in the c:\windows\minidump folder?

Yes, it says “ntldr is missing”

Can you try RootRepeal to see if that works?

Normally those scanners need the rootkit to be active to detect it…
It compares the API call file listings etc. with a raw version directly from disk, and if there are mismatches then there is some “filter/rootkit” in between…

I recently did a RootRepeal scan. Here’s my log.

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2010/01/26 20:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3

Drivers

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF422D000 Size: 98304 File Visible: No Signed: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B20000 Size: 8192 File Visible: No Signed: No
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D6000 Size: 3911680 File Visible: - Signed: No
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xF7DE0000 Size: 3198368 File Visible: - Signed: No
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8B90000 Size: 7872 File Visible: No Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF766F000 Size: 49152 File Visible: No Signed: No
Status: -

Hidden/Locked Files

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\sfi.dat
Status: Locked to the Windows API!

Path: \?\C:\Program Files\COMODO\COMODO Internet Security\Quarantine*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine+UnguxU0.exe.part.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\eMxSa0n7.exe.part.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\N4hn6Alv.exe.part.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\p4qPU3xN.exe.part.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\RootkitBuster.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\RootkitBuster.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\zD_aa_L1.exe.part.info
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
Status: Invisible to the Windows API!

SSDT

#: 097 Function Name: NtLoadDriver
Status: Hooked by “C:\Program Files\AntiLogger\AntiLog32.sys” at address 0xf45aebcc

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by “C:\WINDOWS\System32\DRIVERS\cmdguard.sys” at address 0xf45ae1aa

Shadow SSDT

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by “C:\Program Files\AntiLogger\AntiLog32.sys” at address 0xf42e760c

==EOF==
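
An added example, not part of the thread and not RootRepeal's own code: a parser for a report in the layout posted above that groups SSDT/Shadow SSDT hooks by owning driver and API-invisible files by directory, so a reviewer can see how few distinct owners have to be vetted. The sample report, its paths and driver names, and the function names `parse_report` and `summarize` are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the thread's report layout; paths and driver names are placeholders.
SAMPLE = r"""Drivers
Name: dump_example.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_example.sys
Address: 0xF0000000 Size: 8192 File Visible: No Signed: No
Status: -
Hidden/Locked Files
Path: C:\Example AV\Quarantine\a.exe.info
Status: Invisible to the Windows API!
Path: C:\Example AV\Quarantine\b.exe.info
Status: Invisible to the Windows API!
SSDT
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\Example AV\guard.sys" at address 0xf0001000
Shadow SSDT
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Example AV\guard.sys" at address 0xf0002000
"""
SECTIONS = ("Drivers", "Hidden/Locked Files", "SSDT", "Shadow SSDT")
KEYS = "Name|Image Path|Address|Size|File Visible|Signed|Path|#|Function Name|Status"
FIELD = re.compile(rf"({KEYS}): (.*?)(?=\s+(?:{KEYS}): |$)")  # several fields can share a line
HOOK = re.compile(r'Hooked by ["\u201c](.+?)["\u201d] at address')  # straight or curly quotes

def parse_report(text):
    """Return {section: [record dict]}; a record is closed by its Status line."""
    report, section, rec = defaultdict(list), None, {}
    for line in map(str.strip, text.splitlines()):
        if line in SECTIONS:
            section, rec = line, {}
        elif section:
            rec.update(FIELD.findall(line))
            if line.startswith("Status:"):
                report[section].append(rec)
                rec = {}
    return dict(report)

def summarize(report):  # -> (hooked functions by owning driver, invisible files by directory)
    hooks, hidden = defaultdict(list), defaultdict(list)
    for rec in report.get("SSDT", []) + report.get("Shadow SSDT", []):
        if m := HOOK.search(rec["Status"]):  # key on the driver's file name, lower-cased
            hooks[ntpath.basename(m.group(1)).lower()].append(rec["Function Name"])
    for rec in report.get("Hidden/Locked Files", []):
        if rec["Status"].startswith("Invisible"):  # skip "Locked" / access-denied entries
            hidden[ntpath.dirname(rec["Path"])].append(ntpath.basename(rec["Path"]))
    return dict(hooks), dict(hidden)
```
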

Looks clean…

OK, thank you