
How do I use GMER

I have quite a bit of experience using many "Anti-Malware" search and remove tools, including AutoRuns, ComboFix and Process Explorer, etc.

I've run GMER but really don't know how to use it. I hear many good things about using this tool as part of any "Anti-malware" arsenal tool kit. I've been told that you should update the program before each run but I don't see an update option. Also I'm told to exclude several search options.

When I scan, it shows some entries, specifically Library files in Red. Does this mean I should delete them if they look like fake entries?

Any help would be appreciated.
Andreas Gieryic
2 Solutions
I have never heard of this tool before. However, based on the info that I found on the internet, it looks dangerous to me to run this tool. Why not try something safer, like internet security tools, for example Kaspersky or other tools? It is safer and does no harm to your machine.

Andreas Gieryic, Computer Networking, Owner (Author) commented:
This tool is a very well known tool that's geared towards rootkits, including bogus entries, but it requires advanced experience and involves more user input as to how to deal with its findings.
It's true, there aren't a lot of manuals about using Gmer. The few really good ones I read seem to have disappeared or are hidden somewhere deep inside larger texts.

This is pretty basic:

This is a bit more in-depth:

But there are some things to note here:
1. If you, as you say, use ComboFix regularly, you already do a basic GMER scan all the time, because CF uses GMER to find (and remove) hidden processes and files.

2. Rootkits are the most technologically advanced malware. It simply won't work to rely on one tool and one methodology to detect them. If you want to hunt them down, adapt and learn to think like a rootkit developer (you will inevitably learn GMER on the way there), or get used to using all the rootkit detectors that exist out there.

3. You will find tests of all anti-rootkit software here:
- http://www.ntinternals.org/process_detection_test.php
- http://www.ntinternals.org/anti_rootkits.php
- http://www.ntinternals.org/dll_detection_test.php

4. Check out kX-Ray: http://www.bugczech.fu8.com/bin/
That's even a lot less known than Gmer, but has a good reputation on the respective forums.

The rest will be constant learning and reading, I'm afraid, no step 1 to step 5 ready-mades.

Good luck.

Oh, and one more thing:

As always when I check for information on Gmer, it struck me again that those who are most concerned about learning it seem to be the rootkit makers and wannabe rootkit makers. You may be assured that it is being used as the number one rootkit testing tool as well.
If there were a lot of really well written, in-depth and publicly accessible manuals and howtos on Gmer, making good new undetectable rootkits would be even easier. It's the same as with ComboFix; hardly any good information about its inner workings is obtainable publicly. That is intentional policy. The maker of CF doesn't want to facilitate the creation of new nasties that escape detection.
GMER seems to be the most popular rootkit scanner. It scans for hidden processes, threads, modules, services, files, Alternate Data Streams, registry keys and much more.

And when it detects rootkit activity, you'll get a warning message.

The buttons are self-explanatory, e.g. Services lists all services, their startup type, and the file name associated with each service.

In the File tab, the delete button deletes the file.

The "Kill Process" button does exactly what it says.
The "Kill All" button <-- kill every process on the computer except for GMER.
The "Run This" lets you to run any program either from the command line or by searching for the file.

All hidden files are highlighted in red.

"I've been told that you should update the program before each run but I dont see an update option"

No, Gmer doesn't need to update, so there is no update button.

"Also I'm told to exclude several search options."

You mean the time when you need to uncheck those options? You only uncheck those options when using the "Show All" button.

"Does this mean I should delete them if they look like fake entries?"

Red entries just mean they are hidden; that doesn't necessarily mean they are bad, so be careful what you delete.

If you have any particular questions, post them; maybe I can help.

This link might also help.
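The "red means hidden, not necessarily bad" point above rests on how rootkit scanners like GMER find hidden objects: they enumerate the same things through several independent paths and flag anything one path reports but another omits. The following is an added illustration of that cross-view diff and its triage, not GMER's own code; the view names (`user_api`, `kernel_objects`) and the process lists are constructed sample data.

```python
"""Cross-view diff: the idea behind a rootkit scanner's "red" (hidden) entries.
Added illustration, not GMER's own code. The views are constructed sample data;
on a real machine each would come from a different enumeration path."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    kind: str            # "process", "file", "registry key", ...
    name: str
    seen_by: tuple       # views that report the object
    missing_from: tuple  # views that do not

def cross_view_diff(kind, views):
    """views: {view_name: set of object names}. Returns a Finding for every
    object not reported by all views: what a scanner would highlight in red."""
    everything = set().union(*views.values())
    findings = []
    for name in sorted(everything):
        seen = tuple(v for v, objs in views.items() if name in objs)
        missing = tuple(v for v, objs in views.items() if name not in objs)
        if missing:
            findings.append(Finding(kind, name, seen, missing))
    return findings

def triage(finding):
    """Hidden is a flag, not a verdict: return the next check, never 'delete'."""
    if "user_api" in finding.missing_from and "kernel_objects" in finding.seen_by:
        return "hidden from user-mode APIs; check the backing file's publisher and signature before acting"
    if "kernel_objects" in finding.missing_from and "user_api" in finding.seen_by:
        return "gone from the kernel view; likely exited between enumerations, rescan"
    return "views disagree; rescan"

# Constructed sample: the user-mode listing misses one process the kernel view sees.
PROCESS_VIEWS = {
    "user_api": {"explorer.exe", "svchost.exe", "gmer.exe"},
    "kernel_objects": {"explorer.exe", "svchost.exe", "gmer.exe", "example_hidden.exe"},
}

def report(kind, views):
    """One line per red entry, with the recommended check."""
    return [f"{f.kind} {f.name}: {triage(f)}" for f in cross_view_diff(kind, views)]

if __name__ == "__main__":
    for line in report("process", PROCESS_VIEWS):
        print(line)
```

The same diff applies to files (directory listing versus raw on-disk parse) or registry keys; the point is that disagreement between views is the trigger for a manual check, not a deletion.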
Andreas Gieryic, Computer Networking, Owner (Author) commented:
Great information. Thanks for all your help.
No problem... in the future if you're using Gmer, feel free to post the log if you like and we can look at it and show you the steps if rootkits are present.

Or post any questions you may have regarding the Gmer tool.
