Author Topic: GMER ntoskrnl.exe suspicious modification  (Read 5980 times)


abenomics

  • Guest
GMER ntoskrnl.exe suspicious modification
« on: April 08, 2013, 03:56:17 AM »
Hello -

My system was recently cleaned of a Sirefef/ZeroAccess infection. Every single tool, including Avast (Malwarebytes, ComboFix, aswMBR, TDSSKiller, etc.), reports the system as clean, although I continue to see these lines in my GMER log:

If you Google "ntoskrnl.exe suspicious modification" you'll find several other recent results of successfully cleaned malware that also receive that notification after cleaning. The file comes back clean in VirusTotal and all checksums match, although I suspect GMER is referring to the image in memory, not the file itself.

Is there anything to be concerned about?

GMER 2.1.19155 - http://www.gmer.net
Rootkit scan 2014-04-05 11:04:37
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HDT721010SLA360 rev.ST6OA3AA 931.51GB
Running: 16i3bm43.exe; Driver: C:\Users\Abe\AppData\Local\Temp\pxldapoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                               suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                               suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                               suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                               suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                               suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                               suspicious modification

---- EOF - GMER 2.1 ----
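One way to pin down the on-disk side of this, as an added example that is not part of the original post and not GMER's code: parse the section table of ntoskrnl.exe, decode each section's characteristics, and hash the raw bytes of the section GMER names so they can be compared against a known-good copy of the same build (the same file from install media or another clean machine at the same patch level). The two-section PE built by build_sample_pe() is constructed test data so the script runs offline; point it at a real C:\Windows\system32\ntoskrnl.exe to use it. It says nothing about the image in memory, which is what the OP suspects GMER is comparing; it only establishes what the file on disk contains, and whether the flagged section carries the DISCARDABLE flag, which would mean its bytes are legitimately not expected to survive in memory after boot.

```python
"""Inspect the section table of a PE file such as ntoskrnl.exe (added example, not GMER code)."""
import struct
import hashlib
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = [
    (IMAGE_SCN_CNT_CODE, "CODE"),
    (IMAGE_SCN_CNT_INITIALIZED_DATA, "IDATA"),
    (IMAGE_SCN_MEM_DISCARDABLE, "DISCARDABLE"),
    (IMAGE_SCN_MEM_NOT_PAGED, "NOT_PAGED"),
    (IMAGE_SCN_MEM_EXECUTE, "EXECUTE"),
    (IMAGE_SCN_MEM_READ, "READ"),
    (IMAGE_SCN_MEM_WRITE, "WRITE"),
]

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def decode_flags(characteristics):
    return [name for bit, name in FLAG_NAMES if characteristics & bit]


def parse_sections(data):
    """Return one dict per section header; raises ValueError if the buffer is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + size_opt  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_pointer": raw_ptr,
            "characteristics": chars, "flags": decode_flags(chars),
        })
    return sections


def find_section(sections, name):
    return next((s for s in sections if s["name"] == name), None)


def section_sha256(data, section):
    """SHA-256 of the section's bytes as stored on disk (not of the mapped image)."""
    start = section["raw_pointer"]
    return hashlib.sha256(data[start:start + section["raw_size"]]).hexdigest()


def build_sample_pe():
    """Constructed two-section PE32+ stub so the script runs offline; not a real kernel."""
    opt_header = struct.pack("<H", 0x20B) + b"\0" * 238  # PE32+ magic, rest zeroed
    layout = [  # (name, virtual address, raw bytes, characteristics)
        (b".text", 0x1000, b"\x90" * 16 + b"\xC3",
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b"INITKDBG", 0x2000, b"\xCC" * 32,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE),
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, len(opt_header), 0x22)
    raw_ptr = e_lfanew + 4 + len(coff) + len(opt_header) + 40 * len(layout)
    table, body = b"", b""
    for name, vaddr, raw, chars in layout:
        table += struct.pack(SECTION_HEADER, name, len(raw), vaddr, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt_header + table + body


def report(data):
    """Print name, address, size, on-disk digest prefix and flags for every section."""
    for s in parse_sections(data):
        print(f'{s["name"]:<9} va=0x{s["virtual_address"]:08x} raw={s["raw_size"]:>8} '
              f'{section_sha256(data, s)[:16]}.. {",".join(s["flags"])}')


if __name__ == "__main__":
    # Usage: python pe_sections.py C:\Windows\system32\ntoskrnl.exe  (no argument: constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    report(blob)
```

Run it on the same build of ntoskrnl.exe on two machines (or against a copy extracted from the matching update package) and compare the per-section digests: matching digests for the flagged section mean the disk file is intact, which is consistent with the OP's clean VirusTotal result and leaves the in-memory image as the thing GMER is actually reporting on.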

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37526
  • Not a avast user
Re: GMER ntoskrnl.exe suspicious modification
« Reply #1 on: April 08, 2013, 07:48:47 AM »
A malware expert is notified; check back later today.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: GMER ntoskrnl.exe suspicious modification
« Reply #2 on: April 08, 2013, 03:01:44 PM »
That was probably where the data for the infected services file was stored and then removed. Hence the modification.