Gmer 1.0.14

Discussion in 'other anti-malware software' started by SystemJunkie, Jan 2, 2008.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Nice new features (Registry, File Viewer) in the new Version and new messages:
    ---- User code sections - GMER 1.0.14 ----
    ? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
    ? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\GDI32.dll PE header mismatch;
    ? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
    ? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\GDI32.dll PE header mismatch;
    ? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
    ? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\GDI32.dll PE header mismatch;
    ? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
    ? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\GDI32.dll PE header mismatch;

    C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
    ? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
    ? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
    ? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
    ? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\USER32.DLL PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
    ? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
    ? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
    ? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll

    Looks like detection ability of polymorphic viruses, isn't it? Google found not much related to PE header mismatch, only one doc about the polymorphic Parvo.a virus from 1999.

    Probably these messages are nothing unusual (maybe originated in some security apps), but I guess this PE header stuff is also a tactic of old polymorphic viruses. Besides, this old method already fooled behavior blockers 10 years ago... I always said it is a very old story; this rootkit stuff is nothing modern, it looks like it has a long stealthed history based on old specialized stealth viruses.
     
    Last edited: Jan 2, 2008
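Added example, not from the post above and not GMER's own code: a small Python triage helper that parses the "User code sections" lines quoted above into per-process findings, splits the run-together "unknown module:" names, and reports which mismatched modules show up in every scanned process. As a heuristic, a mismatch present in all processes points to a system-wide hook (typically a security product) rather than one compromised process. The sample log is constructed from the lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the GMER 1.0.14 "User code sections" lines
# quoted in the post above (not real output from any machine).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.14 ----
? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\USER32.DLL PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dll
? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dll
? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
"""

# Line shape: "? <process path>[<pid>] <module path> <findings...>"
LINE_RE = re.compile(r"^\?\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)\s+(?P<rest>.*)$")
# This GMER build runs several "unknown module:" entries together with no
# separator, so each name is matched non-greedily up to its .dll suffix.
UNKNOWN_RE = re.compile(r"unknown module:\s*(\S+?\.dll)", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_log(text):
    """Turn raw user-code-section lines into one finding dict per line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section header and blank lines
        rest = m.group("rest")
        findings.append({
            "process": f"{_basename(m.group('proc'))}[{m.group('pid')}]",
            "pid": int(m.group("pid")),
            "module": _basename(m.group("module")).lower(),
            "pe_header_mismatch": "PE header mismatch" in rest,
            "unknown_modules": UNKNOWN_RE.findall(rest),
        })
    return findings


def systemwide_mismatches(findings):
    """Modules flagged as mismatched in every scanned process (likely a global hook)."""
    processes = {f["process"] for f in findings}
    per_module = defaultdict(set)
    for f in findings:
        if f["pe_header_mismatch"]:
            per_module[f["module"]].add(f["process"])
    return sorted(mod for mod, procs in per_module.items() if procs == processes)
```

Modules that are flagged in only one process are the ones worth a closer look; the run-together "unknown module:" names are split so they can be compared against a known-good module list.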
  2. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Is this a Beta?
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes it is a beta.
     
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hey SystemJunkie,

    Just a little heads-up.... try not to work up too much excitement ;)

    http://www2.gmer.net/mbr/

    It is no longer POC theory but now found ITW malware :blink: :eek:
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    How do you get this rootkit on your computer?
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    As an email attachment or a drive-by download. Your zero tool can kill it.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes my zero tool will do it.
    Email attachment is hardly possible, not the way I treat my spam emails: no opening and immediate delete.
    Drive-by download is possible, but I assume that Sandboxie will isolate it and clean it up, when it empties the sandbox.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Eureka!

    Finally a Gmer version that WORKS! for me. I like it and best of all it's finally stable. :thumb:
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I know that this is maybe only 5%-10% of the real unknown phantom we are hunting. This is no breakthrough, it is just a little step in the right direction.

    Malware Type II and III still remain a massive problem where most AVs and ARKs actually have 0 chance.

    As long as the malware doesn't know that it resides inside your box..... and assuming your sandbox has no issues ;-)
     
    Last edited: Jan 5, 2008
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Last edited: Jan 17, 2008
  11. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    One more FP.
    It's Virtual CD - Windows 2000 / XP Driver
     

    Attached Files:

    • fp.jpg
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Came up clean on my box.. no FP, no trouble... nice! :D
     
