There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.
Help reading GMER log - am I still infected
Hello,
I got whacked Monday with a fake Microsoft Security Essentials. While attempting to clean it I got hit with what Symantec calls "Boot.Tidserv" - little bugger infected my MBR - I removed it with TDSSKiller.exe from Kaspersky which is a stand alone tools created to clean this infection. Of course I had multiple spyware / viral problems - I used Malwarebytes, SuperAntispyware, and Spybot multiple times to clean up everything. Additionally I have run Panda's online scanner, Eset Online scanner, Blacklight and now GMER. Any infections that were detected I researched their damage and removed or fixed what I found... meaning added registry entries, directories etc..
I feel I'm at the final stage of clean up, however, I don't know how to interpret GMER's output / log. Below is the log after I ran GMER - would someone please take a look and tell me if it look like I'm NOT still infected by a rootkit. (Nothing came up in RED in GMER.)
Thank you
GMER LOG
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-23 16:11:14
Windows 5.1.2600 Service Pack 3
Running: rj5xekhw.exe; Driver: C:\DOCUME~1\BSOBOC~1\LOCAL
---- System - GMER 1.0.15 ----
SSDT 8A670A68 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SY
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SY
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVER
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSI
Reg HKLM\SOFTWARE\Classes\CLSI
---- EOF - GMER 1.0.15 ----
I got whacked Monday with a fake Microsoft Security Essentials. While attempting to clean it I got hit with what Symantec calls "Boot.Tidserv" - little bugger infected my MBR - I removed it with TDSSKiller.exe from Kaspersky which is a stand alone tools created to clean this infection. Of course I had multiple spyware / viral problems - I used Malwarebytes, SuperAntispyware, and Spybot multiple times to clean up everything. Additionally I have run Panda's online scanner, Eset Online scanner, Blacklight and now GMER. Any infections that were detected I researched their damage and removed or fixed what I found... meaning added registry entries, directories etc..
I feel I'm at the final stage of clean up, however, I don't know how to interpret GMER's output / log. Below is the log after I ran GMER - would someone please take a look and tell me if it look like I'm NOT still infected by a rootkit. (Nothing came up in RED in GMER.)
Thank you
GMER LOG
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-23 16:11:14
Windows 5.1.2600 Service Pack 3
Running: rj5xekhw.exe; Driver: C:\DOCUME~1\BSOBOC~1\LOCAL
---- System - GMER 1.0.15 ----
SSDT 8A670A68 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SY
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SY
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVER
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSI
Reg HKLM\SOFTWARE\Classes\CLSI
---- EOF - GMER 1.0.15 ----
Who is Participating?
Its impossible to tell from this log. Its not 'explicitly' stating there is a backdoor however those reg codes are gibberish to us. I would reommend check them out to make sure they are legit. However GMER is not stating that it found anything. Juding off this log file alone i would say there are not rootkits there w/o knowing whats in those reg keys.
Log looks ok.
Run this quick scanner to see if it detects anything outside of cookies.
Save Xml log if so
http://www.surfright.nl/en/hitmanpro
Run this quick scanner to see if it detects anything outside of cookies.
Save Xml log if so
http://www.surfright.nl/en/hitmanpro
Bahpoopie,
Thanks - you are correct - those registry codes are looking like they came from the viral infection. I cannot take permission of the final key - I can however view it in GMER - as soon as I went to screw with it with GMER opened - whamo - my computer rebooted! Sorry for the "sparse" posting, I know it didn't give you a complete picture of what is going on with my pc. I'm going to look at a way to remove that registry key.
Again, I cannot take permission, I even tried in Safe Mode as the Administrator. I let you know how I make out.
Thanks
Thanks - you are correct - those registry codes are looking like they came from the viral infection. I cannot take permission of the final key - I can however view it in GMER - as soon as I went to screw with it with GMER opened - whamo - my computer rebooted! Sorry for the "sparse" posting, I know it didn't give you a complete picture of what is going on with my pc. I'm going to look at a way to remove that registry key.
Again, I cannot take permission, I even tried in Safe Mode as the Administrator. I let you know how I make out.
Thanks
The log is OK.
First i wanna look your MRB because you had a rootkit..
Download here MBRCheck http://ad13.geekstogo.com/MBRCheck.exe
Post a fresh log
First i wanna look your MRB because you had a rootkit..
Download here MBRCheck http://ad13.geekstogo.com/MBRCheck.exe
Post a fresh log
Bahpoopie,
I'm taking your advice on the rebuild. As embarrassing as this is I'm the IT / CAD Manager at a small Arch/Eng Company. When my PC got infected, I immediately unplugged it from our network. I'm not a guru such as yourself, but I have cleaned a decent amount of infections on OTHER PEOPLE's computers - but this one is a whopper! Needless to say I cannot afford my PC infected as I'm in and out of servers, workstations, etc. all day.
I did clean the MBR which Symantec detected as "Boot.Tidserv" with a Kaspersky utility. Used Malwarebytes, Superantispyware, Spybot, manual attempts, Blacklight, Hijackthis, numerous rootkt detections - but something else is still there - you run a computer for a few years you can gauge it's speed and how it reacts!
I think you are 100% correct my PC is infected with a hidden virus / rootkit. While attempting to access that registry key, my computer rebooted... just to confirm that it wasn't hardware - which I'm 99% sure it wasn't, I again attempted to access the registry key with GMER - it rebooted - that and your advise it enough for me - I'm re-building it.
Anyway, I'm going to close the case a award you the points - thank you for your help!
I'm taking your advice on the rebuild. As embarrassing as this is I'm the IT / CAD Manager at a small Arch/Eng Company. When my PC got infected, I immediately unplugged it from our network. I'm not a guru such as yourself, but I have cleaned a decent amount of infections on OTHER PEOPLE's computers - but this one is a whopper! Needless to say I cannot afford my PC infected as I'm in and out of servers, workstations, etc. all day.
I did clean the MBR which Symantec detected as "Boot.Tidserv" with a Kaspersky utility. Used Malwarebytes, Superantispyware, Spybot, manual attempts, Blacklight, Hijackthis, numerous rootkt detections - but something else is still there - you run a computer for a few years you can gauge it's speed and how it reacts!
I think you are 100% correct my PC is infected with a hidden virus / rootkit. While attempting to access that registry key, my computer rebooted... just to confirm that it wasn't hardware - which I'm 99% sure it wasn't, I again attempted to access the registry key with GMER - it rebooted - that and your advise it enough for me - I'm re-building it.
Anyway, I'm going to close the case a award you the points - thank you for your help!
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month5 days, 12 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
Sorry to be so vague on this but if you can provide back specifics on what you find throughout your search i will do my best to give you some tips and tricks.