System Virginity Verifier


devil's advocate
October 11th, 2005, 10:47 AM
-{ Quote: "
The idea behind SVV is to check important Windows System components, which
are usually altered by various stealth malware, in order to ensure system
integrity and to discover potential system compromise.
" }-

http://www.invisiblethings.org/tools.html

How clean are you?

Bubba
October 11th, 2005, 11:08 AM
Correct me if I am wrong but this is for NTFS only :-\

-{ Quote: "C:\WINNT\system32\drivers>svv check
Following important modules cannot be found:
ntfs.sys

ERROR (code = 0x2): Important modules not found" }-

Interesting Power Point display tho.

deviladvocate
October 11th, 2005, 11:14 AM
-{ Quote: "Correct me if I am wrong but this is for NTFS only :-\" }-

Why aren't you using NTFS?

Bubba
October 11th, 2005, 11:19 AM
-{ Quote: "Why aren't you using NTFS?" }-Ut Oh....have I failed Security 101. I have never had the desire to install 2K as NTFS....personal choice DA ???

I only use ZA Free 2.6.362 and a very tight IE....do I fail in that area also :-\ :P

Ok....enough of my setup....it'll even bore a dead man. I simply noticed it appeared SVV needed NTFS and I'll assume you confirmed that for me :-\

deviladvocate
October 11th, 2005, 12:21 PM
-{ Quote: "Ut Oh....have I failed Security 101. I have never had the desire to install 2K as NTFS....personal choice DA ???

I only use ZA Free 2.6.362 and a very tight IE....do I fail in that area also :-\ :P

Ok....enough of my setup....it'll even bore a dead man. I simply noticed it appeared SVV needed NTFS and I'll assume you confirmed that for me :-\" }-

Hang tight, there's going to be a FAT version out soon.

Peter2150
October 12th, 2005, 09:13 PM
Please forgive me but I have to ask: Will this work if your system is no longer a virgin.;D I am sorry but the "devil" made me ask.

Please all. Take this as light hearted fun.

deviladvocate
October 13th, 2005, 04:52 PM
Peter you played with this yet?

Peter2150
October 13th, 2005, 05:05 PM
No I haven't. I just about have my plate full with the apps I am working with, and am content with them. It is going to have to be very special for me to take a look.

Pete

Arup
October 13th, 2005, 07:17 PM
Interesting title for a program, so it really checks for the Windows hymen and then puts a chastity belt around it. I thought Windows system files were already protected by Windows' own system file checker.

nick s
October 13th, 2005, 09:57 PM
-{ Quote: "Interesting title for a program, so it really checks for the Windows hymen and then puts a chastity belt around it. I thought Windows system files were already protected by Windows' own system file checker." }-Hi Arup,

Windows File Protection will not prevent a rootkit install, nor will it help you detect one. The PowerPoint presentation, at the link above, outlines what SVV 1.0 does, and what is planned for future versions.

Nick

Arup
October 13th, 2005, 10:17 PM
Thanks for the explanation Nick, will try it out, have Samurai doing the rootkit protection so will be interesting how this one fares up.

nick s
October 13th, 2005, 10:31 PM
Hi Arup,

Keep in mind that it's a detection tool, and not a prevention tool.

From a machine (XP SP1) I was cleaning today...

C:\svv>svv
System Virginity Verifier 1.0 (public), September 2005
written by Joanna Rutkowska
http://invisiblethings.org

svv <command> [options] [/l <altKernelModuleName>]
command is one of the following:
check - check system virginity
fix - try to fix suspected modifications (disinfection)

following options are supported:
/a verify ALL modules (may cause false positives)
/m show details about modifications
/c show also clean modules
/d leave driver after finished
/t <n> fix to target verdict level = n (valid for fix command)

C:\svv>svv check /a
Null.SYS (f8b70000 - f8b71000)... error code = 0x490
mnmdd.SYS (f8a66000 - f8a68000)... error code = 0x490
RDPCDD.sys (f8a68000 - f8a6a000)... error code = 0x490
dump_atapi.sys (f2d6b000 - f2d81000)... Image file not found!
dump_WMILIB.SYS (f8a7a000 - f8a7c000)... Image file not found!
mc211.tmp (f8c5a000 - f8c5b000)... Image file not found!
kernel32.dll (77e60000 - 77f45000)... suspected! (verdict = 5).
USER32.dll (77d40000 - 77dcd000)... suspected! (verdict = 5).
klg.dat (5a000000 - 5a018000)... error code = 0x490
swpg.dat (003a0000 - 003b8000)... error code = 0x490

SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

Whatever is there keeps disabling McAfee services and Spyware Doctor at startup. Various AV and spyware scans (normal and safe mode) show the system to be clean, but the system is obviously not clean. At this point, I plan on reformatting.

Nick

Arup
October 13th, 2005, 11:22 PM
Thanks again Nick, don't have any resident spyware apps or McAfee, only Avast, but I do have Samurai running in rootkit block mode.

deviladvocate
October 14th, 2005, 03:59 AM
-{ Quote: "No I haven't. I just about have my plate full with the apps I am working with, and am content with them. It is going to have to be very special for me to take a look.

Pete" }-

It's not really special. Just a quick check. 5 minutes at best.

deviladvocate
October 14th, 2005, 04:01 AM
-{ Quote: "Hi Arup,

Keep in mind that it's a detection tool, and not a prevention tool.
" }-

Like IceSword, I guess. But like IceSword there is a cleaning component.

-{ Quote: "
SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

Whatever is there keeps disabling McAfee services and Spyware Doctor at startup. Various AV and spyware scans (normal and safe mode) show the system to be clean, but the system is obviously not clean. At this point, I plan on reformatting.

Nick" }-

Very wise. Since you are planning on formatting, you might as well let svv fix it and see what happens.

Peter2150
October 14th, 2005, 08:43 AM
-{ Quote: "It's not really special. Just a quick check. 5 minutes at best." }-

You answered your own question. "It's not really special" best describes why I am not interested.

controler
October 14th, 2005, 09:03 AM
Peter2150

Deviladvocate has tried SVV and so have I. I don't see many posting on it as I figured would happen.
I can tell you that IceSword would show the hidden crap, especially if there is a driver involved.

I could not get any switches to work on my Shared computer toolkit with SVV.


Since you have a nice infected drive and are reformatting, you might be surprised at what it does find.

As of present I am guessing the only support you will get for either program will be on a site like this. Not sure what the intentions of either programmer are or if they will come here and post as a registered guest.

controler

Peter2150
October 14th, 2005, 09:15 AM
-{ Quote: "Peter2150

Deviladvocate has tried SVV and so have I. I don't see many posting on it as I figured would happen.
I can tell you that IceSword would show the hidden crap, especially if there is a driver involved.

I could not get any switches to work on my Shared computer toolkit with SVV.


Since you have a nice infected drive and are reformatting, you might be surprised at what it does find.

As of present I am guessing the only support you will get for either program will be on a site like this. Not sure what the intentions of either programmer are or if they will come here and post as a registered guest.

controler" }-

Hi Controler

You've either mixed me up with someone else or missed my humor. I didn't say I had an infected computer, I said it wasn't a virgin, and that for sure is true. I would define it being a virgin as it came from the factory. Any resemblance between then and now is purely coincidental. I am using Outpost 2.7, RegDefend, ProcessGuard, Online Armor, Safe'n'Sec, and the latest build of KAV 2006 beta. Something new would have to be very special before I would spend any more time on stuff.

On a final note, thanks for taking the time and posting as you thought I did have a problem. I do appreciate that.

Pete

deviladvocate
October 14th, 2005, 09:16 AM
It doesn't have bells and whistles to play with, that's why it's not special.

-{ Quote: "
Since you have a nice infected drive and are reformatting, you might be surprised at what it does find.
" }-

Peter has a nice infected drive? How did that happen?

deviladvocate
October 14th, 2005, 09:31 AM
-{ Quote: "Hi Controler

You've either mixed me up with someone else or missed my humor. I didn't say I had an infected computer, I said it wasn't a virgin, and that for sure is true. I would define it being a virgin as it came from the factory. Any resemblance between then and now is purely coincidental. I am using Outpost 2.7, RegDefend, ProcessGuard, Online Armor, Safe'n'Sec, and the latest build of KAV 2006 beta. Something new would have to be very special before I would spend any more time on stuff.


Pete" }-

Hey Pete, the special thing about this virginity verifier is that it doesn't blindly check against factory settings. It can tell which types of changes are harmless, because these are ones that have been made by drivers that don't hide.

For example, I verified that of your list above 4 of them don't have any changes that virginity verifier considers dangerous. The rest I don't use so I can't say, but I bet it's ignored too.

So it's a pretty clever tool.

nick s
October 14th, 2005, 09:45 AM
Hi DA,

-{ Quote: "Like IceSword, I guess. But like IceSword there is a cleaning component." }-Interestingly, IceSword shows nothing hidden.

-{ Quote: "Very wise. Since you are planning on formatting , you might as well let svv fix it and see what happens." }-That was my plan after imaging the drive as it is. It's an older Dell Latitude laptop that someone would like me to magically undo several years of neglect. It will be interesting to see what the image contains.

Nick

controler
October 14th, 2005, 02:34 PM
Pete

I was referring to Nick's machine he was working on.

You said IceSword shows nothing?

Did you look at the SSDTS?
That is where the drivers are shown.

controler

hp2000
October 14th, 2005, 02:57 PM
So I guess it's safe to say that SVV is really not quite ready for prime time? I mean, only experts who really know their stuff should be using it....right?

deviladvocate
October 14th, 2005, 03:01 PM
-{ Quote: "So I guess it's safe to say that SVV is really not quite ready for prime time? I mean, only experts who really know their stuff should be using it....right?" }-

There is probably no harm using it just for checking. I would refrain from using it to fix any thing though....

Peter2150
October 14th, 2005, 04:14 PM
Just for grins I downloaded it. Give it a quickie look, and it wasn't obvious how to even run it. DOS window maybe??

big grin
October 14th, 2005, 04:35 PM
I wish I had this program before I started dating my current girlfriend. ;)

deviladvocate
October 15th, 2005, 04:51 AM
-{ Quote: "Just for grins I downloaded it. Give it a quickie look, and it wasn't obvious how to even run it. DOS window maybe??" }-

Yes. Drop to the command line. Then it's obvious.

controler
October 15th, 2005, 12:40 PM
In case some don't know much about the command line, here is a simple way to run it.

If you saved the folder to desktop and are lazy about typing like me, right click on it and rename it SVV.

Then go to Accessories, Command Prompt, and open the DOS window.

Type cd desktop\svv

type svv

you will then get a list of switches such as /a etc.

type svv check or type svv check /and a switch such as a.

use a space after svv and before the switch, such as

svv(space)check(space)/a

I think you can make an autoexec.bat file to run it at boot. Not sure I have not tried it yet.

If you are running a program such as Deep Freeze, ShadowUser, or Windows Shared Computer Toolkit, you may see errors.

In my case I can only run svv one time, then need to reboot to run it again.

controler

deviladvocate
October 15th, 2005, 12:52 PM
Thanks Controller for these instructions. Many people here started using computers after the Windows era, so they are not comfortable with using the command line.

controler
October 15th, 2005, 01:13 PM
yes and I am happy at times to go back to the DOS prompt and look around.
It is like another world I am in.

You can still go to DOS and type Help to see all the commands.
Even tree still works. I sure remember the days of XTREE though LOL

Then if you hit the up arrow key, you don't have to retype the commands.
If you keep hitting the up arrow, you view all the commands you were typing.

I think that is because DOSKEY loads with windows these days.

I wonder if FC would work on registry entries?

controler

Peter2150
October 15th, 2005, 06:07 PM
Hi Controller

I suspected that's what one had to do. The first time I tried it, it didn't work, so I asked. Thanks for posting good info. I finally got it to run, but frankly I don't believe the results.

It says all my system DLLs are infected to a 5 level.

So my choice is do I believe this unknown proof of concept code or do I believe, the fact all the other software I run has never found anything, the F-Secure Rootkit detector says I am clean, I have monitored my systems port traffic via Port Explorer for up to an 8 hour period with no strange traffic, and no suspicious system behavior that might indicate infection.

I suspect what is happening is that several programs I use have kernel-level drivers and that is messing up the results.

Pete

nick s
October 15th, 2005, 10:11 PM
-{ Quote: "Pete

I was refering to Nicks machine he was working on.

You said IceSword shows nothing?

Did you look at the SSDTS?
That is where the drivers are shown.

controler" }-Hi controler,

Sorry for not getting back to you sooner. The SSDT view showed nothing unusual, but, today, I looked more closely at the Kernel Module view and saw a module with the following path: \??\C:\DOCUME~1\*****\LOCALS~1\Temp\mc22.tmp. The SVV output I posted above included something similar: mc211.tmp (f8c5a000 - f8c5b000)... Image file not found!. The mc2*.tmp naming convention is well known to be related to madshi's madCodeHook DLL injection.

This was confirmed by installing/running RegDefend, which alerted to the following at startup:

11:39:33 | Create Key | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | | swdoctor.exe
c:\program files\spyware doctor\swdoctor.exe
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
HKLM\System\Controlset001\Services\Mchinjdrv

11:39:38 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | start | swdoctor.exe
c:\program files\spyware doctor\swdoctor.exe
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
start
[REG_DWORD] 4 (0x00000004)

11:39:43 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | imagepath | swdoctor.exe
c:\program files\spyware doctor\swdoctor.exe
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
HKLM\System\Controlset001\Services\Mchinjdrv
imagepath
[REG_SZ] \??\C:\DOCUME~1\*****\LOCALS~1\Temp\mc22.tmp

Note that it is Spyware Doctor (swdoctor.exe) installing the driver. After removing Spyware Doctor, SVV's output looked like this:

C:\svv>svv check /a
ntoskrnl.exe (804d7000 - 806eb780)...
Null.SYS (f8bff000 - f8c00000)... error code = 0x490
mnmdd.SYS (f8a1e000 - f8a20000)... error code = 0x490
RDPCDD.sys (f8a20000 - f8a22000)... error code = 0x490
dump_atapi.sys (f288c000 - f28a4000)... Image file not found!
dump_WMILIB.SYS (f8a22000 - f8a24000)... Image file not found!

SYSTEM INFECTION LEVEL: 2
0 - BLUE
1 - GREEN
--> 2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.

I suppose you could call this a false positive similar to what Pete is seeing (given that, I have read, Online Armor uses madshi's tools as well). What troubles me is that I no longer see any McAfee errors (such as Viruscan being occasionally disabled) after uninstalling Spyware Doctor.

Nick
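The RegDefend records above are what actually exposed the injected driver: a Services key whose imagepath points at a .tmp file under the user's temp folder. As an added example (not code from this thread or from RegDefend), here is a small Python script that parses log records in the layout shown above and flags exactly that pattern. The sample log is constructed from the records posted here plus SVV's own Arcabitsvv record as a benign comparison; the regular expressions and the "temp directory" heuristic are this example's own assumptions.

```python
import re

# Constructed sample in the layout RegDefend logged in this thread: a pipe-delimited
# header line, continuation lines (process, command line, key, value name, data) and a
# blank line between records. The Mchinjdrv records are the ones posted above; the
# Arcabitsvv record is SVV's own temporary service, kept here as a benign comparison.
SAMPLE_LOG = r"""11:39:33 | Create Key | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | | swdoctor.exe
c:\program files\spyware doctor\swdoctor.exe
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
HKLM\System\Controlset001\Services\Mchinjdrv

11:39:38 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | start | swdoctor.exe
c:\program files\spyware doctor\swdoctor.exe
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
start
[REG_DWORD] 4 (0x00000004)

11:39:43 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | imagepath | swdoctor.exe
c:\program files\spyware doctor\swdoctor.exe
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
HKLM\System\Controlset001\Services\Mchinjdrv
imagepath
[REG_SZ] \??\C:\DOCUME~1\*****\LOCALS~1\Temp\mc22.tmp

21:38:32 | Set Value | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | imagepath | services.exe
HKLM\System\Controlset001\Services\Arcabitsvv
imagepath
[REG_EXPAND_SZ] \??\C:\svv\svv.sys
"""

TIME_RE = re.compile(r"^\d\d:\d\d:\d\d$")
DATA_RE = re.compile(r"^\[(REG_[A-Z_]+)\] (.*)$")           # "[REG_SZ] <data>" continuation line
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
# Heuristic (assumption): a driver image living in a temp folder or named *.tmp is worth a look.
TEMP_IMAGE_RE = re.compile(r"\\(?:temp|tmp|locals~1)\\|\.tmp$", re.IGNORECASE)


def parse_records(text):
    """Split the log into records; each record is a dict of the header fields plus
    the registry data type/value if a '[REG_xxx] ...' continuation line is present."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        fields = [f.strip() for f in lines[0].split("|")]
        if len(fields) != 6 or not TIME_RE.match(fields[0]):
            continue  # not a header line in the expected layout
        rec = dict(zip(("time", "op", "verdict", "key", "value", "process"), fields))
        rec["type"], rec["data"] = None, None
        for line in lines[1:]:
            m = DATA_RE.match(line)
            if m:
                rec["type"], rec["data"] = m.group(1), m.group(2)
        records.append(rec)
    return records


def find_suspicious_driver_images(text):
    """Return every Services\\<name> imagepath write whose image sits in a temp location."""
    findings = []
    for rec in parse_records(text):
        svc = SERVICE_KEY_RE.search(rec["key"])
        if not svc or rec["value"].lower() != "imagepath" or not rec["data"]:
            continue
        if TEMP_IMAGE_RE.search(rec["data"]):
            findings.append({"time": rec["time"], "service": svc.group(1),
                             "process": rec["process"], "image": rec["data"]})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_driver_images(SAMPLE_LOG):
        print(f"{hit['time']} service {hit['service']} installed by {hit['process']} "
              f"from temp location: {hit['image']}")
```

As nick's own follow-up shows, a hit from this check is a lead and not a verdict: a legitimate product (here Spyware Doctor, via madCodeHook) produces the same record as something malicious would, so the next step is to identify the installing process, exactly as was done above.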

nick s
October 15th, 2005, 11:00 PM
-{ Quote: "...So my choice is do I believe this unknown proof of concept code..." }-Hi Pete,

It might be unknown now, but I suspect it may eventually become more mainstream. If you monitor the registry (in my case, with RegDefend), you will catch SVV creating (and later deleting) a temporary service. Note the Arcabit (http://www.arcabit.com/) in the service name...

21:38:32 | Create Key | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | | services.exe
HKLM\System\Controlset001\Services\Arcabitsvv

21:38:32 | Set Value | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | imagepath | services.exe
HKLM\System\Controlset001\Services\Arcabitsvv
imagepath
[REG_EXPAND_SZ] \??\C:\svv\svv.sys

21:38:32 | Delete Key | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | | services.exe
HKLM\System\Controlset001\Services\Arcabitsvv

Nick

Peter2150
October 15th, 2005, 11:12 PM
Hi Nick

Clearly it will be worth watching. I guess what I was saying is at this point, I wouldn't react to the current results. It clearly could startle someone.


Pete

controler
October 15th, 2005, 11:51 PM
I get the same results with KIS on my test box.

SVV

Process is trying to modify value ImagePath in controlled registry key.
or
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ArcaBitSVV



\??\C:\Documents and Settings\controler\Desktop\svv\svv.sys


Attempt of process C:\WINDOWS\system32\services.exe (PID: 584) to perform suspicios actions was denied. 10/15/2005 10:38:06 PM

StevieO
November 11th, 2005, 03:46 AM
2005-11-05 SVV 1.1 released: fixed some minor bugs and false positives.

System Virginity Verifier

The idea behind SVV is to check important Windows System components, which are usually altered by various stealth malware, in order to ensure system integrity and to discover potential system compromise.

SVV 1.0 implements only code virginity verification which is the first step in SVV implementation and its task is to ensure the integrity of the code sections of in-memory mapped kernel and usermode modules (that is kernel drivers and usermode DLLs).

See the presentation for more details.

changelog

1.1a [05/11/2005]
- "Important modules not found" is now *really* _warn() ;)

1.1 [01/11/2005]
- kernel module: MmUnlockPages() wasn't called sometimes
- fixed off-by-one in call to relocBuffer() (it sometimes caused heap corruption)
- fixed unloadDriver() to not crash when called when SVV is uninitialized
- "Important modules not found" is now _warn() instead of _error()
- also fixed problem with "ntoskrnl.exe not found" displayed on some systems
- isJMPingCode(): added CALL decoding
- do not use heuristics for locating original SDT when current SDT inside .text section of ntoskrnl
- report functionality enabled in public version :)

Freeware

http://invisiblethings.org/tools.html#svv


StevieO
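StevieO's paste above says what SVV 1.0 actually does (compare the code sections of in-memory modules with their on-disk images), and DA explained earlier why some differences are tolerated (hooks placed by drivers that do not hide). The following is an added example written for this page, not SVV's source: a toy Python checker that diffs a module's mapped code against its disk copy, decodes a rel32 JMP/CALL at each patched spot (the changelog's isJMPingCode() idea) and rates the module "innocent hooking" when the branch lands in a visible module and "suspected" otherwise. The module names, base addresses and sample bytes are constructed, the verdict numbers are borrowed from the outputs in this thread but the mapping to them is an assumption, and the modules are assumed to be loaded at their preferred base so no relocation fix-up is needed.

```python
import struct
from dataclasses import dataclass

# Verdict scale as printed by SVV in the outputs posted in this thread. How findings map
# onto these numbers below is this example's own assumption, not SVV's algorithm.
LEVELS = ["BLUE", "GREEN", "YELLOW", "ORANGE", "RED", "DEEPRED"]
VERDICT_CLEAN, VERDICT_INNOCENT_HOOK, VERDICT_SUSPECTED = 0, 2, 5


@dataclass
class Module:
    name: str
    base: int             # load address; assumed equal to the preferred base (no relocations)
    disk_code: bytes      # code section as read from the image file on disk
    mem_code: bytes       # code section as currently mapped in memory (constructed here)
    hidden: bool = False  # True if the module is missing from the loaded-module list

    def contains(self, addr):
        return self.base <= addr < self.base + len(self.mem_code)


def diff_runs(disk, mem):
    """Return (start, end) offsets of each contiguous run of differing bytes."""
    runs, start = [], None
    for i, (d, m) in enumerate(zip(disk, mem)):
        if d != m and start is None:
            start = i
        elif d == m and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(disk)))
    return runs


def decode_branch(code, off, base):
    """Decode a 5-byte rel32 JMP (E9) or CALL (E8) at `off`; return (mnemonic, target) or None."""
    if off + 5 > len(code) or code[off] not in (0xE8, 0xE9):
        return None
    rel = struct.unpack_from("<i", code, off + 1)[0]
    return ("CALL" if code[off] == 0xE8 else "JMP", (base + off + 5 + rel) & 0xFFFFFFFF)


def verify_module(mod, modules):
    """Return (verdict, findings). A branch into a visible module is innocent hooking;
    a branch anywhere else, or a patch that is not a branch, is suspected."""
    verdict, findings, covered = VERDICT_CLEAN, [], 0
    visible = [m for m in modules if not m.hidden]
    for start, end in diff_runs(mod.disk_code, mod.mem_code):
        if start < covered:
            continue  # remaining bytes of a branch already decoded (a rel32 byte may equal the original)
        branch = decode_branch(mod.mem_code, start, mod.base)
        if branch:
            covered = start + 5
            owner = next((m.name for m in visible if m.contains(branch[1])), None)
            if owner:
                v, why = VERDICT_INNOCENT_HOOK, f"{branch[0]} to {owner}"
            else:
                v, why = VERDICT_SUSPECTED, f"{branch[0]} to {branch[1]:#010x} (no visible module)"
        else:
            v, why = VERDICT_SUSPECTED, f"{end - start} patched byte(s), not a branch"
        findings.append((start, why))
        verdict = max(verdict, v)
    return verdict, findings


def system_infection_level(modules):
    return max(verify_module(m, modules)[0] for m in modules)


# --- constructed scenario (all names, bases and bytes are made up for this example) ---
def make_code(n=64):
    # push ebp; mov ebp, esp; NOP sled; ret
    return bytes([0x55, 0x8B, 0xEC] + [0x90] * (n - 4) + [0xC3])


def patch_branch(code, off, base, target, opcode=0xE9):
    """Overwrite 5 bytes at `off` with a rel32 JMP/CALL to `target` (simulates an inline hook)."""
    rel = (target - (base + off + 5)) & 0xFFFFFFFF
    return code[:off] + bytes([opcode]) + struct.pack("<I", rel) + code[off + 5:]


disk = make_code()
visible_driver = Module("mydriver.sys", 0xF7650000, disk, disk)                 # a driver that does not hide
hidden_module = Module("mc211.tmp", 0xF8C5A000, disk, disk, hidden=True)      # absent from the module list
kernel = Module("ntoskrnl.exe", 0x804D7000, disk,
                patch_branch(disk, 0x10, 0x804D7000, 0xF7650020))             # JMP into mydriver.sys
k32 = Module("kernel32.dll", 0x7C800000, disk,
             patch_branch(disk, 0x30, 0x7C800000, 0xF8C5A020, opcode=0xE8))  # CALL into the hidden module
MODULES = [kernel, visible_driver, k32, hidden_module]

if __name__ == "__main__":
    for m in MODULES:
        v, f = verify_module(m, MODULES)
        print(f"{m.name} ({m.base:08x} - {m.base + len(m.mem_code):08x})... verdict = {v} {f}")
    lvl = system_infection_level(MODULES)
    print(f"SYSTEM INFECTION LEVEL: {lvl} - {LEVELS[lvl]}")
```

This is also why the DEEPRED reports further down the thread are not contradictions: any product that patches kernel32.dll or ntoskrnl.exe with a branch to code the checker cannot attribute to a visible module lands in the "suspected" bucket, and only a real disk-vs-memory comparison with correct relocation handling (SVV's relocBuffer(), omitted here) separates legitimate hooks from the rest.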

Franklin
November 11th, 2005, 09:31 AM
How do you actually get it to run? Clicking on the exe just flashes up a DOS box for a nano then nothing. Same as the older version.

smf
November 11th, 2005, 02:45 PM
It's a command-line tool. It doesn't have a GUI interface. Open up a command window and change to the directory where you extracted the program. Type svv and press return. You will get the syntax to run the program. To get started, try typing, without the quotes, "svv check".

controler
November 11th, 2005, 05:08 PM
In case some don't know much about the command line, here is a simple way to run it.

If you saved the folder to desktop and are lazy about typing like me, right click on it and rename it SVV.

Then go to Accessories, Command Prompt, and open the DOS window.

Type cd desktop\svv

type svv

you will then get a list of switches such as /a etc.

type svv check or type svv check /and a switch such as a.

use a space after svv and before the switch, such as

svv(space)check(space)/a

Franklin
November 11th, 2005, 07:29 PM
OK,thanks fellas,will give it a go.

geecantroler
November 13th, 2005, 05:33 PM
Is this another proof of concept?


Or is it going somewhere?

muf
November 14th, 2005, 04:54 PM
Not convinced. 5 Deepreds on a new PC with Sygate, BOClean and KAV5 + NOD32 (on-demand). Plus disabled UPnP, DCOM and Messenger before even connecting to the net. I've only gone to a handful of websites, all totally legit. Here, BBR, BBC.co.uk, Play.com and amazon.co.uk
So the chances I could pick up a rootkit are as pretty close to zero as you can get. So do I believe what it tells me and delete Kernel.dll and ntoskrnl.exe? Do you think my PC will be cured? Broke, but not cured, I'm sure.

Because I'm slightly paranoid, curiosity got the better of me and I ran RootkitRevealer and it says I'm clean. I've been trying UnHackMe a couple of days also and that says I'm clean too.

No, I'm definitely not convinced by SVV. But it's a new app and I'm positive they are FPs. Still, I'll keep an eye on this app and maybe try it again sometime.

muf

controler
November 15th, 2005, 08:04 AM
muf ? have you shut down all your other security apps before running SVV?

Then you can try the new hookanlz.exe posted elsewhere in this forum to see what is hooking the kernel.

Like the man says, kernel hooking has to be still done by some security software

controler

Mrkvonic
November 16th, 2005, 01:44 AM
Hello,
That does not justify the code 5 flag.
I tried the same on a fresh machine I installed and configured myself and got the same deepred warning. I do not approve. This means valid and legal hooks are misinterpreted as malware. Not good. Besides, I don't want to kill every security app I have and run only 14.33 processes to make sure the tool works properly. There are about a trillion security configurations. And each one will give a different result then? The tool has to be universal. Run on all platforms regardless of what is installed.
Or perhaps in safe mode?
Mrk

controler
November 16th, 2005, 07:22 AM
Mrkvonic

I only gave that advice so that you can see what else is hooking. Your regular Windows config won't show deep red ever. Only if you have other kernel-touching things installed.
You are correct, SVV is not for the home user and may never be. She may leave it as just another proof of concept. She may sell it. You just never know.
Why wouldn't you dare run SVV with your other security stuff disabled? If you unhook your internet cable, you can't get hurt, unless you don't trust the app (SVV). I have asked Joanna what her plans for SVV were but never did get a complete answer, and that is her business anyways. ;D
If she does post at Wilders, it is anon. Like DA mentioned, she posts at the rootykit site but might think she is too good for Wilders.

Mrkvonic ? Do you like to test a lot of software or did you fear you have a rootkit?


controler

Mrkvonic
November 16th, 2005, 09:01 AM
Hi,
First, I'm not afraid of getting infected.
I did not disable the security software on purpose. I wanted to see how this program fares with a standard windows installation plus anti-virus, some anti-spyware, firewall etc. My findings are not good. I have discovered that your average home computer returns a deepred code without anything being compromised on it.
Imagine someone with less confidence using this tool - BOOM, deepred. He's already running 14 security programs. And yet, this little tool indicates he's rooted deeply deeply. So he formats. Installs again. Tries it, BOOM, deepred. A diagnostics tool should never give a warning like that in normal circumstances. And I mean normal, because I think 90% + of all users run anti-virus and firewall.
Therefore, a security tool should be able to give 0 false positives when running in usual environment or it should be run in a special environment. Special requires very precise definitions - like safe mode for example. It should never be up to a user to disable his firewall, anti-virus, system restore, registry, whatever ... to be able to get trustworthy results. What if you forget some process or application? What if? What if?
Take an average anti-spyware for instance. Spybot. You don't need to shut off any process or anything before running it. Now, the comparison is not fair, I know. Therefore, then the SVV should not be more than an information tool. Not a diagnostics, and certainly not a repair tool.
Did you read the svv presentation? It says, if you got code 5 = infected! Not true.
Diagnostics and repair demand far more accuracy than just objective information.
And therefore, the tool should be run with very specific instructions or none at all, but with true results in both circumstances.
This tool is not for home users at all. If you don't know how kernel works, you shouldn't meddle with it. If you DO, you don't need svv ...
One more thing: People trust dry artificial intelligence results from their scanner bots too seriously. They get a flag they are infected and they start to panic. Not the right course of action.
People who are not sure if they are infected or not do not use their computers properly. If you're not sure, no scanner is good for you.
I had false positives with several programs in recent months and years. I never erased the keys and values and files the scanners found. Why? Because I know that what they found are not infections. Even without looking at the actual keys and files. And true, when I sent these finding to the respective companies, they proved false positives.
Getting your computer infected requires an effort. A deliberate effort.
I wanted to test svv on a clean machine to reduce any slightest doubt as to the cleanness (virginity) of the test machine. I'm not saying the tool is not good. On the contrary. But not for average users. It's too dangerous for average users.
And finally, I like to test software, some of it, anyway. The interesting ones.
And I did not fear rootkit. Not sony or anything else. Not that I would ever buy the Bolshevik-branded DRM music.
I repeat: computers are dumb machines. No matter what happens you can always format. Or replace hard disk. Nothing you cannot live without. Just dumb sweet machines.
Mrk

muf
November 16th, 2005, 02:04 PM
-{ Quote: "muf ? have you shut down all your other security apps before running SVV?

Then you can try the new hookanlz.exe posted else where in this forum to see what is hooking the kernel.

Like the man says, kernel hooking has to be still done by some security software

controler" }-

Well, I retried it with all my security apps shut down and the deepreds went from 5 to 1. So I zipped up the Kernel32.dll file that it was reporting and sent it to Kevin McAleavey (BOClean) because I value his opinion and diagnostic. He says it's (in his words) "peachy". So it appears not to be rootkitted.

As I said earlier, one app to look out for, but in its current incarnation it could get people to hose their systems believing in what it says. Worrying.

muf

deviladvocate
November 17th, 2005, 04:49 AM
Yes, any scanner that ever produces a false positive is not recommended for newbies. Or anyone else for that matter.

This list includes Spybot, Ad-Aware, CWShredder, all antiviruses, etc. etc.

Mrkvonic
November 17th, 2005, 08:46 AM
-{ Quote: "Yes, any scanner that ever produces a false positive is not recommended for newbies. Or anyone else for that matter.

This list includes Spybot, Ad-Aware, CWShredder, all antiviruses, etc. etc." }-

Hi,
You really ARE the devil's advocate!
BTW, are you Pachino or Reeeves?
Apropos false positives, I never had one with spybot, anti-virii or adaware, yes I did with cwshredder. However, still, removing those fps would be a game compared to removing your kernel dlls.
Mrk

controler
November 17th, 2005, 04:22 PM
-{ Quote: "I never had one with spybot, anti-virii or adaware" }-


Do any of these apps find rootkits? There is a big difference.


controler

deviladvocate
November 17th, 2005, 05:35 PM
-{ Quote: "Hi,
You really ARE the devil's advocate!
BTW, are you Pachino or Reeeves?
Apropos false positives, I never had one with spybot, anti-virii or adaware, yes I did with cwshredder.
Mrk" }-

You must be very lucky, or new to security software :). In any case if you don't believe me, you can also look at the forums of these products or even forums of Wilders, you can see people do have false positives for all these products and more.

So are they (and I) justified to tell you not to use these products because we have had FPs?

-{ Quote: "However, still, removing those fps would be a game compared to removing your kernel dlls." }-

Actually I think svv might be less dangerous simply because people have no idea how to remove your kernel dll. A false positive by other scanners can be dangerous because they offer to remove the file. Most times it's not too bad if they remove it, 1 in a 100 times it can cause serious damage.

Of course some guy might panic and format, but the same thing is true of a FP by any scanner. One member here, recently did just that because of a CWShredder FP.

not a mod
November 17th, 2005, 05:50 PM
Oh, I wonder if the common home user actually cares about what they do online?

Buy a new CD and install whatever they want, DONE... they don't try to copy the CD, and even if they did, they are allowed to copy it 3 times. Is that so bad?
True, it opens their computer to a REAL HACKER, but what does the hacker want from someone that listens to Neil Diamond? That listener most likely doesn't have much money.

not a mod

ghotu
November 19th, 2005, 02:22 AM
i ran it and it said
"the following important modules could not be found: ntoskrnl.exe
WARNING: important modules not found
system infection level: 0"

so is my system clean, or did it not work properly?

not a mod
November 19th, 2005, 02:25 AM
of course I also prefer the company of other men along with myself so it makes me feel a little silly...

masqueofhastur
January 3rd, 2006, 02:06 AM
I ran it and it told me that tcpip.sys is infected, I'm assuming applying the EventID 4226 patch would produce this result?

StevieO
January 3rd, 2006, 02:57 PM
This has quietly appeared on the website !

svv-1.4-public

1.4 [13/12/2005]
- fixed bug in SVV::findKiServiceTableRVA() which resulted in incorrect SDT-modifications flagging on some systems
- SVV now checks ONLY important modules (the ones which we can be sure will not be unloaded!)
seems like this is THE ONLY WAY to fix the race condition problem in kernel agent

1.2 [19/11/2005]
- kernel agent: BSOD on terminal services fixed
- kernel agent: added extra checks before MmProbeAndLockPages()

1.1a [05/11/2005]
- "Important modules not found" is now *really* a warn() ;)

1.1 [01/11/2005]
- kernel module: MmUnlockPages() wasn't called sometimes
- fixed off-by-one in call to relocBuffer() (it sometimes caused heap corruption)
- fixed unloadDriver() to not crash when called when SVV is uninitialized
- "Important modules not found" is now _warn() instead of _error()
- also fixed problem with "ntoskrnl.exe not found" displayed on some systems
- isJMPingCode(): added CALL decoding
- do not use heuristics for locating original SDT when current SDT inside .text section of ntoskrnl
- report functionality enabled in public version :)

http://invisiblethings.org/tools.html


StevieO

sweater
January 5th, 2006, 05:39 AM
;D On the other threads... there's also an eCondom to protect IE and now here is another "sexy sounding" program- System Virginity Verifier. :D I just wonder that maybe developers out there are beginning to realize the importance of sexual reproduction things to incorporate it into our pc to make our system more safer everytime we explore the net. ::) ;D

But, all of these things that sounds really sexy didn't influence me to use their programs coz its either that the developers of programs/products maybe are out of ideas and the only way they do to attract attentions is using words that may stimulate human interests that may involve sexy titles... the weakness of ordinary humans. :dry: :P

RuntimeWare
January 5th, 2006, 02:02 PM
all i know is that i got a level 1 alert: Green

:D

nameless
February 10th, 2006, 07:45 PM
I just ran SVV 2.2, and I get level 1 (GREEN) with NOD32 running but TrojanHunter not, and level 5 (DEEPRED) with both NOD32 and TrojanHunter Guard running. This is expected, and I just don't understand why people are complaining about it. The utility is simply detecting the fact that your security software is hooking the kernel. You can't expect it to detect known security software and ignore it--just shut it down before scanning! SVV is not being touted as a utility that every novice should run, and then reformat afterward.

nameless
February 11th, 2006, 11:23 AM
By the way, there is a little trick that you can use to create shortcuts to console applications. I do this all the time--it's much easier than hassling around with the command line (as long as you run the same command each time). Just create a shortcut with something like this in the Target box:

-{ Quote: "cmd.exe /c echo. & "C:\Program Files\System Virginity Verifier\svv.exe" check /a & echo. & pause" }-

That will make SVV run and do its check, then the console window will stay open until you press a key to close it. I do the same thing with CHKDSK, and all sorts of console applications:

cmd.exe /c chkdsk /f /v D: & echo. & pause & exit
cmd.exe /c echo. & net start "SafeNet IKE Service" & nircmd wait 2000

That last one uses the freeware NirCMD (http://www.nirsoft.net/utils/nircmd.html) utility to pause for 2 seconds, before the window closes automatically.

Windows will automatically expand the path to cmd.exe once you click OK or Apply in the shortcut properties dialog (e.g. it will change cmd.exe to either %windir%\system32\cmd.exe or C:\WINDOWS\system32\cmd.exe, or whatever your path is).

There is a limit--I think it's 255 characters--to how long the entry in the Target box may be.

<DreamCatcher>
February 14th, 2006, 02:37 PM
Hi ,

Can anybody tell me the reason I get the following warning for important modules not found, and why SVV can't find ntoskrnl.exe when I run it? Strange, but I get a rating of Blue!

C:\Documents and Settings\name\Desktop\SVV>svv check /a
Following important modules cannot be found:
ntoskrnl.exe
[ntoskrnl.exe may be renamed - its not suspected]
WARNING: Important modules not found
WARNING: Veryfing integrity of ALL kernel modules may cause a SYSTEM CRASH!
Do you want to continue (yes/no)?
yes

SYSTEM INFECTION LEVEL: 0
--> 0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.

chrcol
April 22nd, 2006, 02:46 AM
get the following

E:\winapps\svv>svv check
ntoskrnl.exe (804d7000 - 806eb400)... innocent hooking (verdict = 2).
NDIS.SYS (f765c000 - f7689000)... innocent hooking (verdict = 2).
kernel32.dll (7c800000 - 7c8f4000)... suspected! (verdict = 5).
WS2_32.dll (71ab0000 - 71ac7000)... suspected! (verdict = 5).
USER32.dll (77d40000 - 77dd0000)... suspected! (verdict = 5).

SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

ntoskrnl was 5, but I ran fix, which took it down to 2. But it reverts to 5 after reboot because I haven't found the cause. The other three 5's, which fix didn't change, are probably Kerio 4, the HIPS system.

If I add /m to show the details, it scrolls off because there is too much data, and if I make a report I can't find a tool to open it; the file extension is unknown.

I came across the program as I am investigating my suspected trojan/rootkit. I have since learned that Spybot/NOD32/Kerio isn't enough and I need something also to block hook interception, which I will be doing after the format.