Gmer 1.0.14

Discussion in 'other anti-malware software' started by SystemJunkie, Jan 2, 2008.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Nice new features (Registry, File Viewer) in the new version, and new messages:
    ---- User code sections - GMER 1.0.14 ----
    ? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
    ? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\GDI32.dll PE header mismatch;
    ? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
    ? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\GDI32.dll PE header mismatch;
    ? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
    ? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\GDI32.dll PE header mismatch;
    ? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
    ? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\GDI32.dll PE header mismatch;

    C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
    ? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
    ? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
    ? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
    ? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\USER32.DLL PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
    ? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
    ? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
    ? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll

    Looks like detection ability for polymorphic viruses, isn't it? Google found not much related to "PE header mismatch", only one doc about the polymorphic Parvo.A virus from 1999.

    Probably these messages are nothing unusual (maybe originated in some security apps), but I guess this PE header stuff is also a tactic of old polymorphic viruses. Besides, this old method already fooled behavior blockers 10 years ago... I always said it is a very old story; this rootkit stuff is nothing modern, it looks like it has a long stealthed history based on old specialized stealth viruses.
     
    Last edited: Jan 2, 2008
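The "PE header mismatch" lines in the post above suggest a header-consistency check: the PE headers of a module as mapped in a process are compared with the headers of the same file on disk. The script below is an added example of such a check (my code, not GMER's; what GMER actually compares is not documented on this page, so the field set is an assumption). The sample PE image, the patched and erased copies, and the process/module names are all constructed for the demo and are not the files from the log.

```python
"""Added example: a minimal on-disk vs. in-memory PE header comparison.
Assumption: a "PE header mismatch" finding means some header field of the
mapped module differs from the file on disk. Field set chosen here, not GMER's."""
import struct

# (field name, offset from the "PE\0\0" signature, struct format), PE32 layout.
NT_FIELDS = [
    ("Machine",              4,  "<H"),
    ("NumberOfSections",     6,  "<H"),
    ("TimeDateStamp",        8,  "<I"),
    ("SizeOfOptionalHeader", 20, "<H"),
    ("Characteristics",      22, "<H"),
    ("OptionalMagic",        24, "<H"),
    ("AddressOfEntryPoint",  40, "<I"),
    ("ImageBase",            52, "<I"),
    ("SizeOfImage",          80, "<I"),
    ("CheckSum",             88, "<I"),
]


def parse_headers(image: bytes) -> dict:
    """Read NT_FIELDS from raw PE bytes (file contents or a dump of the mapped
    module). Raises ValueError when the DOS/PE headers are absent or truncated,
    which is also what an erased header looks like."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 92 > len(image):          # 92 bytes cover every field above
        raise ValueError("e_lfanew points outside the image")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return {name: struct.unpack_from(fmt, image, e_lfanew + off)[0]
            for name, off, fmt in NT_FIELDS}


def compare_headers(disk_image: bytes, memory_image: bytes) -> list:
    """Return [(field, disk_value, memory_value), ...] for differing fields.
    An unparseable in-memory header is reported as one finding, not a crash:
    a wiped header page is the interesting case."""
    disk = parse_headers(disk_image)        # the on-disk file must be a valid PE
    try:
        mem = parse_headers(memory_image)
    except ValueError:
        return [("PEHeader", "valid", "missing or erased")]
    return [(name, disk[name], mem[name])
            for name, _, _ in NT_FIELDS if disk[name] != mem[name]]


def format_finding(process: str, pid: int, module: str, diffs: list):
    """One finding per module, modelled loosely on the log lines; None if OK."""
    if not diffs:
        return None

    def fmt(v):
        return f"{v:#x}" if isinstance(v, int) else str(v)
    detail = ", ".join(f"{n} disk={fmt(d)} mem={fmt(m)}" for n, d, m in diffs)
    return f"? {process}[{pid}] {module} PE header mismatch; {detail}"


# --- constructed test images (not real files) --------------------------------

def build_sample_pe(entry_point: int = 0x1000, checksum: int = 0x1234) -> bytes:
    """A minimal header-only PE32 DLL image with no sections."""
    nt = 0x40                                   # e_lfanew
    img = bytearray(nt + 4 + 20 + 0xE0)         # DOS hdr + sig + FileHeader + OptionalHeader
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, nt)
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<H", img, nt + 4, 0x14C)        # Machine: i386
    struct.pack_into("<I", img, nt + 8, 0x477B2A00)   # TimeDateStamp (made up)
    struct.pack_into("<H", img, nt + 20, 0xE0)        # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, nt + 22, 0x2102)      # EXECUTABLE_IMAGE | 32BIT | DLL
    struct.pack_into("<H", img, nt + 24, 0x10B)       # optional header magic: PE32
    struct.pack_into("<I", img, nt + 40, entry_point)
    struct.pack_into("<I", img, nt + 52, 0x7C900000)  # ImageBase
    struct.pack_into("<I", img, nt + 80, 0xB2000)     # SizeOfImage
    struct.pack_into("<I", img, nt + 88, checksum)
    return bytes(img)


def patch_field(image: bytes, name: str, value: int) -> bytes:
    """Simulate something rewriting one header field in the mapped copy."""
    off, fmt = next((o, f) for n, o, f in NT_FIELDS if n == name)
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    out = bytearray(image)
    struct.pack_into(fmt, out, e_lfanew + off, value)
    return bytes(out)


def erase_header(image: bytes, size: int = 0x200) -> bytes:
    """Simulate header erasure: zero the start of the mapped copy."""
    return b"\0" * min(size, len(image)) + image[size:]


if __name__ == "__main__":
    disk = build_sample_pe()
    cases = [("intact", disk),
             ("entry point redirected", patch_field(disk, "AddressOfEntryPoint", 0x2000)),
             ("header erased", erase_header(disk))]
    for label, mem in cases:   # constructed process/module names
        line = format_finding(r"C:\demo\proc.exe", 4242, r"C:\demo\mod.dll",
                              compare_headers(disk, mem))
        print(f"{label}: {line or 'OK (headers agree)'}")
```

The loader maps a module's header page straight from the file, so in the normal case the two copies agree field for field; a difference means something rewrote the header after mapping, and the check by itself does not say who (an injected security-product component, as the thread suspects for Comodo, looks the same as a rootkit). The "unknown module:" part of GMER's lines is a separate check that this example does not model.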
  2. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Is this a Beta?
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes it is a beta.
     
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hey SystemJunkie,

    Just a little heads-up... try not to work up too much excitement ;)

    http://www2.gmer.net/mbr/

    It is no longer PoC theory but now found as ITW malware :blink: :eek:
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    How do you get this rootkit on your computer?
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    As an email attachment or a drive-by download. Your zero tool can kill it.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes my zero tool will do it.
    Email attachment is hardly possible, not the way I treat my spam emails: no opening and immediate deletion.
    Drive-by download is possible, but I assume that Sandboxie will isolate it and clean it up when it empties the sandbox.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,749
    Location:
    U.S.A. (South)
    Eureka!

    Finally a Gmer version that WORKS for me! I like it, and best of all it's finally stable. :thumb:
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I know that this is maybe only 5%-10% of the real unknown phantom we are hunting. This is no breakthrough; it is just a little step in the right direction.

    Type II and III malware still remains a massive problem where most AVs and ARKs actually have zero chance.

    As long as the malware doesn't know that it resides inside your box..... and assuming your sandbox has no issues ;-)
     
    Last edited: Jan 5, 2008
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Last edited: Jan 17, 2008
  11. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    One more FP.
    It's the Virtual CD - Windows 2000 / XP driver.
     

    Attached file: fp.jpg (17.7 KB)
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Came up clean on my box.. no FP, no trouble... nice! :D
     
