
gmer.net blocked in IE, gmer download error if using Firefox



#1 finiteworld


Posted 09 January 2009 - 12:24 AM

Had a machine that was infected with Anti-virus 2009; it was also loaded with tool-bars and .cab game files from winnersworld.com. I removed all of that (I think, anyway) and also found and removed the postcard.exe worm/virus, which had the local settings\temp .bat file and associated registry entries.

So I then wanted to poke around on this system with gmer and see if I caught anything running. When I tried to access www.gmer.net with IE7, I was told that the web page was unavailable (the standard IE error when a page doesn't load). I was able to access www.gmer.net from another computer, however. I then downloaded and installed Firefox from download.com just fine. Using Firefox, I was now able to get to www.gmer.net. However, when I tried to download gmer I was given an error stating that the "source file cannot be read". I was able to download gmer onto another computer just fine.

The host file is clean and I can navigate with IE7 to greatis.com and download unhackme just fine, which found nothing, by the way. I also was able to get to AVG's website with IE7. The machine shows clean according to malwarebytes and mcafee antivirus.

I know that the above information is general and that I am not posting a log, so what I'm really asking for is if by chance anyone knows of a piece of malware out recently which could be kernel-level rootkit/cloaking malware, run stable, block gmer, and not be detected IN ANY WAY with malwarebytes or mcafee? Just thought that I'd ask.
All targets met.
All systems working.
All staff eager and enthusiastic.
All pigs fed and ready to fly.



#2 John B..


Posted 09 January 2009 - 01:22 AM

Hi,

"what I'm really asking for is if by chance anyone knows of a piece of malware out recently which could be kernel-level rootkit/cloaking malware, run stable, block gmer, and not be detected IN ANY WAY with malwarebytes or mcafee?"

How could I know of malware that is not detectable? ;) Just joking. I recommend that you post in one of the private forums and ask there. You may still be infected (don't know how far you are in training) and the malware experts visit those subforums more than these tech forums.

Regards,
John.

#3 ISHAN.SHARMA


Posted 09 January 2009 - 02:18 AM

At first look I thought yours is a case of malware infection. I myself have been infected by Antivirus 2008 once, and although all the antivirus and anti-spyware programs (except threatfire, which always detected two rootkits in my PC) displayed clean logfiles, I knew I was infected. Antivirus 2008 blocked all access to malware removal websites and other antivirus and anti-spyware websites. Perhaps this is what happened to you too. But hey! Even I'm not able to access gmer.net presently, and I know I'm clean.
ISHAN SHARMA

#4 paws


Posted 09 January 2009 - 05:50 AM

Just for the record, I was able to access OK the GMER site a second or two ago with no problems.

There's no telling what the infections may have done to the system in question... the safe and quick answer is blitz the disc and format and reinstall the OS and Applications...

However, as we don't provide malware removal advice on this subforum and perhaps you may be treating this machine as a learning exercise... if so then maybe you should ask one of your teachers here for their views.

Malware of this type often takes out various security related websites and prevents either the downloading of common removal tools or their installing and functioning... or all three!

Also, even though the back up/copy/archive of all important documents, data etc. may be 100% up to date, accurate and reproducible and kept safely on removable media, it may be compromised in terms of the viral activity experienced!

Regards,
paws
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. http://www.whatthetech.com/donate

#5 ISHAN.SHARMA


Posted 09 January 2009 - 09:36 AM

For the record: I tried again after paws' post and was able to browse the GMER website now.

#6 finiteworld


Posted 09 January 2009 - 09:52 AM

Thanks to everyone for the input. Yeah, the machine's not mine and it'll probably end up being swiped and the OS reloaded. I spent a few hours toying with it yesterday to see if I could get any better experience with GMER. I just started training here at WTT and still lack foundational knowledge that I think is required for a tool such as GMER. Not for long, though, right? :)

I've obtained a book and other literature on rootkits but they're beginner-type (Rootkits for Dummies etc...) and I'm now trying to progress to the intermediate level, like being able to recognize poor-dll's, hijacks, injections, etc...

I'm pretty sure my buddy will do the swipe and reload today and therefore won't have time to post the HijackThis logs and troubleshoot. If I had another machine with the same hardware configuration I'd ask 'em to let me put its image on another PC so that I could train with it.

I have many friends who practice way unsafe computing, to the nth degree in fact, despite my best efforts to modify their behavior otherwise. Guess that since I always fix their machines, there's not too much incentive for them to watch where they surf and what they download. More training for me :lol: So I'm sure that the next infection for me to work/learn on is "in the post" with my address on it, just as soon as they call for me to fix their PC again.

#7 paws


Posted 09 January 2009 - 10:43 AM

:thumbup: