2009 01 08
Detection added for the infections that use orphaned driver keys.
Samples from the logfiles:
Logfile option 1:
…
checking for random used files and services
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys
…
Logfile option 2:
…
--- checking for random used files and services ---
these files and services will not be deleted by HaxFix
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys
…
HaxFix will not delete these services and files.
If you want to remove them, use SC DELETE.
These are samples from a logfile. In this case the infection was using the legitimate service gmer and the legitimate filename gmer.sys. (Gmer is a legitimate program, a rootkit scanner.)
The other service used by this infection is memsweep2. Not necessarily a bad service in itself, but here it is used by the infection.
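As an added illustration (not part of the original post or of HaxFix), here is a small parser for the "random used files and services" section of such a log: it pairs each service key with its ImagePath, normalizes the NT `\??\` prefix and the driver-style path relative to the system root, and marks whether the referenced file is actually on disk so an orphaned key stands out. The log text is a constructed copy of the excerpt above, and the set of files "present on disk" is a constructed stand-in for a real filesystem check; the `sc delete` lines are the manual step the post points to, not something the parser runs.

```python
"""Parse the 'random used files and services' section of a HaxFix log."""
import re

# Constructed sample: the log excerpt quoted above, not a live log.
SAMPLE_LOG = """\
--- checking for random used files and services ---
these files and services will not be deleted by HaxFix
C:\\WINDOWS\\system32\\1.tmp
C:\\WINDOWS\\system32\\drivers\\gmer.sys
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MEMSWEEP2
Imagepath REG_EXPAND_SZ \\??\\C:\\WINDOWS\\System32\\1.tmp
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\gmer
Imagepath REG_EXPAND_SZ System32\\DRIVERS\\gmer.sys
"""

SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(\S+)$", re.I)
IMAGE_PATH = re.compile(r"^Imagepath\s+REG_EXPAND_SZ\s+(.+)$", re.I)


def normalize_image_path(raw: str, system_root: str = r"C:\WINDOWS") -> str:
    """Make an ImagePath absolute: strip the NT '\\??\\' prefix and resolve
    driver-style paths (System32\\DRIVERS\\x.sys) against the system root."""
    path = raw.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    if not re.match(r"^[A-Za-z]:\\", path):  # no drive letter -> relative
        path = system_root.rstrip("\\") + "\\" + path.lstrip("\\")
    return path


def parse_services(log: str, present_files=()) -> list:
    """Pair each service key with its ImagePath. `present_files` is a
    constructed stand-in for the disk; a key whose file is absent is orphaned."""
    present = {p.lower() for p in present_files}
    services, current = [], None
    for line in log.splitlines():
        if m := SERVICE_KEY.match(line.strip()):
            current = m.group(1)
        elif (m := IMAGE_PATH.match(line.strip())) and current:
            path = normalize_image_path(m.group(1))
            services.append({"service": current, "image_path": path,
                             "file_present": path.lower() in present})
            current = None
    return services


def sc_delete_commands(services: list) -> list:
    """The manual cleanup commands the post refers to (SC DELETE), one per key."""
    return [f"sc delete {s['service']}" for s in services]
```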