GMER - the Antirootkit Software is Getting Internet Recognition
January 20th, 2008 by Andrew Chen
I wrote a post on how to remove the malware Wintems.exe and Hldrrr.exe. It turns out to
One recent reader said:
I had the same virus and I couldn’t kill it until the guys over at Spybot helped me out. I downloaded GMER, booted into safe mode via GMER, and deleted hldrrr.exe/wintems.exe/srosa.sys.
And it reminds me how useful GMER is. The antirootkit software I mentioned in that post, which I used to detect hldrrr.exe, is actually GMER. What is GMER?
This is how GMER's maker describes it on download.com:
GMER is an application that detects and removes rootkits. It scans for: hidden processes, hidden threads, hidden modules, hidden services, hidden files, hidden Alternate Data Streams, hidden registry keys, drivers hooking SSDT, drivers hooking IDT, drivers hooking IRP calls and inline hooks. GMER also allows you to monitor the following system functions: process creation, driver loading, library loading, file functions, registry entries, TCP/IP connections.
You can download GMER from download.com or from GMER's home site, www.gmer.net.
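The "hidden processes" item in the description above is a cross-view check: the process list that the normal enumeration API returns is compared against a list obtained by a different route, and anything present in the second view but missing from the first is being hidden from the tools that rely on the API. The script below is an added example written for this post, not GMER's own code, and it uses Linux rather than Windows because that is what runs here: cross_view() is the comparison itself and works on any two sets of PIDs, while the helper functions are an assumed Linux analogue of GMER's views (a /proc directory listing, which is what ps reads and what a user-mode rootkit typically filters, against a brute-force probe of every PID with signal 0, which never goes through the directory listing). It also handles the two classic false positives of this technique: a process that exits between the two enumerations, and thread IDs, which answer kill(tid, 0) but are never listed in /proc.

```python
"""Cross-view detection of hidden processes (added example; not GMER's code).

Two views of the process table are compared; a PID present in the raw view
but absent from the API view is the indicator a rootkit detector looks for.
The Linux helpers below are an assumed analogue of the Windows views that
GMER compares; cross_view() itself is portable.
"""
import os
import sys


def cross_view(api_view, raw_view):
    """Compare two views of the process table.

    Returns a dict with:
      "hidden": PIDs in raw_view but not in api_view (the rootkit indicator)
      "ghost":  PIDs in api_view but not in raw_view (usually a process that
                exited between the two enumerations; worth re-checking)
    """
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "ghost": sorted(api - raw)}


def proc_listing_view():
    """PIDs visible as numeric entries in /proc (the 'API' view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """True if a process with this PID exists, even if owned by another user."""
    try:
        os.kill(pid, 0)          # signal 0: existence/permission check only
        return True
    except PermissionError:      # EPERM: it exists, we just may not signal it
        return True
    except ProcessLookupError:   # ESRCH: no such process
        return False


def pid_probe_view(max_pid=None):
    """PIDs found by probing every candidate PID directly (the 'raw' view)."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read().strip())
        except (OSError, ValueError):
            max_pid = 32768      # classic default if pid_max is unreadable
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def thread_group_of(pid):
    """Tgid from /proc/<pid>/status, or None if that entry cannot be read.

    Thread IDs answer kill(tid, 0) but are not listed in /proc, so without
    this check every thread of a multi-threaded program looks 'hidden'.
    """
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def confirm_hidden(candidates):
    """Re-check each discrepancy against fresh data, discarding races and
    thread IDs whose thread group is visible in the listing."""
    listing = proc_listing_view()
    confirmed = []
    for pid in candidates:
        if not pid_exists(pid) or pid in listing:
            continue             # exited meanwhile, or appeared in a later listing
        tgid = thread_group_of(pid)
        if tgid is not None and tgid != pid and tgid in listing:
            continue             # a thread of a visible process, not a hidden one
        confirmed.append(pid)
    return confirmed


def scan_linux():
    """Run the cross-view on the live system and return confirmed findings."""
    result = cross_view(proc_listing_view(), pid_probe_view())
    return {"hidden": confirm_hidden(result["hidden"]), "ghost": result["ghost"]}


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("live scan needs a Linux /proc; cross_view() itself is portable")
    report = scan_linux()
    if report["hidden"]:
        print("processes hidden from the /proc listing:", report["hidden"])
    else:
        print("no hidden processes found")
```

The limit of any cross-view check is that both views must not be lying in the same way: a kernel-mode rootkit that hooks both the directory listing and the signal path defeats this script, which is why GMER reads lower-level kernel structures rather than two user-visible APIs. A non-empty "hidden" list after confirm_hidden() is therefore a strong signal; an empty one is not proof of a clean system.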
One thing to note, though: if you don't think your computer is infected with any malware, better not to download it and play with it. When I used GMER it deleted one of the very important system files, kernel32.dll, from my Windows directory, and my computer could not boot at all. Fortunately there are usually several copies of kernel32.dll in different places on the system. I was able to use a boot CD to boot the system to a DOS command prompt and copy kernel32.dll from another location to c:\windows\system32. If you don't have a boot disk on hand, most likely you will have to reinstall Windows and all the other programs on the system.


As I believe my computer to be on the road to recovery (fingers crossed) or recovered, I'd like to write a quick summary of the Bagle virus and how it manifested in my computer. I first noticed something was wrong when my sound went out after downloading cracked software from an emule site that I could have gotten for free elsewhere. I couldn't play WMP, or sound from websites was missing. In fact sound all together was missing from my computer.
When I would press the turtle beach santa cruz speaker icon on my desktop toolbar, I would get 'santa cruz not detected'. My volume wouldn't move. I spent several days uninstalling and reinstalling the latest sound drivers but still the system would fail in their 'software configuration tests' on the third and fourth part of the test. Under Control Panel, Sound and Audio devices was basically greyed out, not recognizing or showing santa cruz {Just now I went and actually changed it back to Santa Cruz on all options and I know my system is free of the virus. Thanks Kaspersky!}.
By this time I was beginning to think virus, as the only thing I had been doing was downloading. I also could not access my Norton antivirus, either to remove it or access their folders. My System Restore was a wash, I couldn't go back at all and the few restore points that I had would fail on attempts. I could not access certain programs like spybot and hijackthis, resulting in a "this program is not a win32 exe program" or something like that. I also could not access certain 'login' pages such as my bank or yahoo. My internet was slow, certain pages wouldn't even come up. I was bringing up the task manager consistently to close programs or websites. The task manager would also say my computer was running at '100%' when I viewed the Performance tab (now running at 0-7%).
I downloaded several antivirus programs; the first helpful one was Malwarebytes, then Kaspersky online scanner, and finally something I know nothing about: Combofix (which might be an anti rootvirus). I believe the bagle virus was able to bring other viruses into my computer as later AV scans brought up many. See above posts.
This win32 Bagle worm virus is insidious. It disables your antivirus to a degree and access to important files/folders, often disabling any AV program that was designed to kill it. I was never able to locate my System Volume folder for some reason. It seems to take several major AV programs working together, as I couldn't get Kaspersky to work until I used Malwarebytes several times, but Kaspersky seemed to be much more thorough once it did work. It seems that the Combofix and Kaspersky directions in the above posts have led to my computer's return to full functionality. Note: I have generally kept my System Restore off during all this scanning and cleaning. The rest of the information is in the above posts. I just ran another Kaspersky online scan and nothing came back (yeah!). I plan on running some other scans (not combofix--deleting this from my computer) from superantispy, kaspersky, and malwarebytes again in the next couple of days. I also plan on running both Kaspersky AV programs and Windows firewall at all times. I'm walking into the light at the end of the tunnel. Thanks for replying guys. I would have eventually tried your way if this didn't work. A great computer back at work! All the below came up on my av scans.
[Keywords: Bagle, hldrr.exe, srosa.sys, rootkit, wintems.exe, mdelk.exe, trojan.agent, worm.bagle, I-worm, win32]