VirusBlokAda Ltd. glads to offer you a new version of Vba32 AntiRootkit and invite you to participate in beta testing of our product.
Links to download:

ftp://anti-virus.by/beta/Vba32arkit_beta.rar

ftp://anti-virus.by/beta/Vba32arkit_beta.zip

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.rar

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip

The following techniques of kernel-mode rootkit detection are implemented in Vba32 AntiRootkit:

searching for SYSENTER hooks;
searching for hooks by replacing addresses in SSDT table;
searching for hooks by replacing addresses in Shadow SSDT table;
searching for hooks by modifying IDT table;
searching for export table modifications of main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
searching for hooks by modifiying machine code (splicing);
searching for hooks by replacing addresses of IRP packet handlers;
searching for hooks by replacing addresses of FastIO request handlers;
searching for kernel modules hidden in the memory. If an object is considered as hidden, it'll be marked as Hidden in memory;
searching for processes hidden in memory. If an object is considered as hidden, it'll be marked as Hidden in memory;
searching for kernel modules which image on the hard drive doesn't correspond to the image in the memory. Such objects will be marked as Modified image;
searching for installed kernel mode notificators.


Moreover the following additional techniques are implemented:

scanning autoruns;
scanning drivers and services specified in the registry;
scanning all obtained objects (process files, autoruns, loaded drivers/services and kernel modules);
checking digital signature of all obtained objects (process files, autoruns, loaded drivers/services and kernel modules);
displaying additional information retrievied from file resources.


The following features are designed for neutralizing rootkits:

restoring hooks in SSDT table;
restoring hooks in Shadow SSDT table;
restoring hooks in IDT table;
restoring hooks in main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
restoring hooks made by machine code modifications;
restoring SYSENTER hooks;
removing specified objects from autoruns;
enabling/disabling drivers/services specified in the registry;
copying specified files to the quarantine early in the system boot;
deleting specified files early in the system boot;
scanning and deleting autorun.inf files;
removing installed kernel mode notificators.


Vba32 AntiRootkit allows user to collect information, which may help in solving problems at user's computer.

Vba32 AntiRootkit has English help (Vba32ArkitEN.chm file).

You can send your feedback to beta[at]anti-virus.by or post it here.

This is the english site for the company, for those interested:

http://www.anti-virus.by/en/ :thumb:

Much more serious ark than from other antivirus houses, trying out now but first impression is good one.

Saraceno, your link is only for antivirus, not for antirootkit.

Link for antirootkit - come also from this Post #17 (with VBA forum link - by Sergey Ulasen - for this antirootkit software) from the thread: 'ANTI-ROOTKITS: Good, Safe ...' here: http://www.wilderssecurity.com/showpost.php?p=1540086&postcount=17

Very good tool.

Thank you Sergey!


PROROOTECT

Worked fine XP SP3. Haven't tried installing driver at boot yet.

212225

212226

sergey ulasen

Thanx

Your 4th link doesn't work, the f in front of ftp doesn't get resolved ?

-{ Quote: "Link for antirootkit - come also from this Post #17 (with VBA forum link - by Sergey Ulasen - for this antirootkit software) from the thread: 'ANTI-ROOTKITS: Good, Safe ...' here: http://www.wilderssecurity.com/showpost.php?p=1540086&postcount=17

Very good tool.

Thank you Sergey!" }-

Thanks for your post there(http://www.wilderssecurity.com/showpost.php?p=1540086&postcount=17 (there)).

Until now we have discussing only on http://virusinfo.info/showthread.php?t=41137 in Russian. From this time we will get English-speaking audience to testing Vba32 AntiRootkit.

Product is constantly evolving. We have had four beta-iterations (3.12.3.0, 3.12.3.1, 3.12.3.2, 3.12.3.3) for 7 monthes. You can see it in readme.en.

Now we are working up a low level disk access.

-{ Quote: "Your 4th link doesn't work, the f in front of ftp doesn't get resolved ?" }-

Thanks :)

No problems on XP Pro SP2.

Vba32 AntiRootKit 3.12.3.3 beta:

ftp://anti-virus.by/beta/Vba32arkit_beta.rar

ftp://anti-virus.by/beta/Vba32arkit_beta.zip

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.rar

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip

+ Added support of Windows 7

I think it's the last major change in the present branch. In the nearest future (during the month) we are planning to release public-version Vba32 AntiRootkit 3.12.4.0.

Thank you.

Just tried to run this latest version, but it says - " couldn't install driver"
However, I can still run the earlier version with no problem.
See screenshot attached.

can you ad keyboard support? i can not navigate whith tab and can not select the options.

-{ Quote: "Just tried to run this latest version, but it says - " couldn't install driver"
However, I can still run the earlier version with no problem.
See screenshot attached." }-

May be problem is connected with DefenseWall. Please, add vba32arkit.exe in "white list" and try again.

-{ Quote: "Just tried to run this latest version, but it says - " couldn't install driver"" }-
Because you tried to install as untrusted. Run installation file as trusted.

-{ Quote: "May be problem is connected with DefenseWall. Please, add vba32arkit.exe in "white list" and try again." }-

I tried this, but it didn't work.

-{ Quote: "Because you tried to install as untrusted. Run installation file as trusted." }-

I don't why had so much trouble this time around, but I deleted everything and started over.

I extracted the rar file to the unzipped folder as trusted, and this time it worked.

See a copy of the Dw_log.txt for informational purposes, showing the unsuccessful attempts.

"module C:\unzipped\vba\Vba32arkit.exe, Loading untrusted/untrusted created module C:\unzipped\vba\Vba32ar.dll. Process is untrusted now". That's the reason of the issue.

Just totally remove "vba" folder and unrar as trusted. Or, another solution- select the "vba" folder and run "change status to trusted".

Thanks to Ilya Rabinovich

-{ Quote: "can you ad keyboard support? i can not navigate whith tab and can not select the options." }-

We know about problem. But I can't promise that we'll fix it in the nearest future.

Vba32 AntiRootkit 3.12.4.0 release:

http://anti-virus.by/en/vba32arkit.html

Vba32 AntiRootkit advantages:

Does not require installation
Can be used with any antivirus software installed on your computer
Uses a unique feature of the detection of "clean" files
Can be used in several modes
Supports the maintenance of a system status report in html format
Treatment of the system may be done using a scripting language
Supports Windows 7
Help files in Russian and English languages

Can you give some more informations of how this works:

-{ Quote: "Treatment of the system may be done using a scripting language" }-


thanks

-{ Quote: "Can you give some more informations of how this works:" }-

Following operations are available: deleting files, copying files to the quarantine. To do this, select the File - Run Script menu item.

Example:

Brs_Start();
Brs_QtnFile("c:\x.exe");
Brs_DelFile("c:\x.exe");
RebootSystem();

All information about scripts is available in Vba32arkitEn.chm file in Additional Features/Running Scripts chapter.

Does it have OnBootClean like AVZ?

-{ Quote: "Does it have OnBootClean like AVZ?" }-

Yes, it does

Vba32 AntiRootKit 3.12.5.0 beta:

ftp://anti-virus.by/beta/Vba32arkit_beta.rar

ftp://anti-virus.by/beta/Vba32arkit_beta.zip

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.rar

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip

+ Added direct disk access mechanism. NTFS and FAT 12/16/32 are supported. Low-level file verification is performed in all existed windows / checks

+ Added Low-Level Disk Access Tool windows. View, Copy, Delete and Wipe (with purging from windows file cache) operations were implemented at a low level. Hidden, locked and forged files can be optionally highlighted. NTFS Alternate Data Streams and symbolic links are also supported

+ Vba32 Defender prevents executable file startup and driver loading during the antirootkit operation time

+ Search hidden drivers was improved, Windows driver stack analysis was added

+ Search of hidden processes was improved (were added handle search in csrss.exe, PspCidTable parsing and etc.)

+ Section attributes verification for all kernel-mode modules was added

+ Search of hidden IRP handlers was added

* Possibility to exclude user mode images in kernel modules window was added

* Prosess window was improved, EPROCESS address and short name were added to user view

* Interaction between GUI and antirootkit driver was improved

* Hook detection mechanism was revised. Checking of EAT and code sections of all kernel mode modules was implemented

* Help in Russian was improved

Thank you :thumb:

i am trying this one now;)

-{ Quote: "+ Search of hidden processes was improved (were added handle search in csrss.exe, PspCidTable parsing and etc.)" }-

Specialists of http://www.ntinternals.org/ retested Vba32 Antirootkit 3.12.5.0 in the Hidden Process
Detection Test (http://www.ntinternals.org/process_detection_test.php).

Current result is 6 from 12. :) Last result was 1 from 12.

We continue to work in this direction.

-{ Quote: "Specialists of http://www.ntinternals.org/ retested Vba32 Antirootkit 3.12.5.0 in the Hidden Process
Detection Test (http://www.ntinternals.org/process_detection_test.php).

Current result is 6 from 12. :) Last result was 1 from 12.

We continue to work in this direction." }-

I think this is just how companies should work, keep it up. :)

-{ Quote: "I think this is just how companies should work, keep it up." }-

Thanks :)

I have tested Vba32 Antirootkit 3.12.5.0 beta with last TDL3 v3.27. This is result:


[main]
quote=You people voted for Hubert Humphrey, and you killed Jesus
version=3.27
botid=105ef377-e1a7-42d0-a324-30096d7a9bf1
affid=20223
subid=0
installdate=25.2.2010 13:59:41
builddate=24.2.2010 17:25:9
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.65/
wspservers=http://j00k877x.cc/;http://b11335599.cn/
popupservers=http://m3131313.cn/
version=3.741


215711

215712

Great Vba show TDL3 driver IRP hooks :)

How about removal? :)

Forgive me for not wording correctly, it wasn't intended to be a loaded question...

Do you have plans for removing TDL3?

testing now [the 4 links to download seem to be the same name/file? ]

-{ Quote: "Thanks :)

I have tested Vba32 Antirootkit 3.12.5.0 beta with last TDL3 v3.27. This is result:


[main]
quote=You people voted for Hubert Humphrey, and you killed Jesus
version=3.27
botid=105ef377-e1a7-42d0-a324-30096d7a9bf1
affid=20223
subid=0
installdate=25.2.2010 13:59:41
builddate=24.2.2010 17:25:9
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.65/
wspservers=http://j00k877x.cc/;http://b11335599.cn/
popupservers=http://m3131313.cn/
version=3.741


215711

215712" }-

Even I as an advanced user am not sure how to interpret all those results - could you clarify how I should know what is what (what to remove and what NOT to remove, etc.)? Thanks :)

The code is from the TDL rootkit...here is one I dumped,

[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.27
installdate=26.2.2010 0:36:30
builddate=25.2.2010 8:55:8
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.65/
wspservers=http://j00k877x.cc/;http://b11335599.cn/
popupservers=http://m3131313.cn/
version=3.741
Although Vba is showing some of TDL it currently is not removing.

There are a few removers (http://forum.sysinternals.com/forum_posts.asp?TID=21266&PN=1) but of course the game changes frequently.

TDL 3.271 (http://forum.sysinternals.com/forum_posts.asp?TID=21266&PID=116825#116825)

-{ Quote: "Do you have plans for removing TDL3?" }-

Hi!

Thanks for your question.

We have Vba32 Rescue disk (http://anti-virus.by/en/vba32rescue.shtml) for it.

In the future we are planning to provide an opportunity to unhook IRP-hooks. After this you can replace malware file with "clean" file.

-{ Quote: "TDL 3.271 (http://forum.sysinternals.com/forum_posts.asp?TID=21266&PID=116825#116825)" }-

3.271 and 3.272 are detected in active state.


02.03.2010 Vba32 AntiRootkit 3.12.5.0 beta

* Overall work robustness of antirootkit was improved

Fixed some bugs that led to BSOD.

P.S.: If you have BSOD during antirootkit use, you can send minidump file to beta[at]anti-virus.by.

TDL updated to 3.273

[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
installdate=3.3.2010 6:49:48
builddate=2.3.2010 12:41:15
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.65/
wspservers=http://30xc1cjh91.com/;http://j00k877x.cc/;http://m01n83kjf7.com/
popupservers=http://m3131313.cn/
version=3.741
delay=7200
clkservers=http://clkmfd001.ws/
[tasks]

I'm still confused about how interpret the results... :-\ It's like when I tried to use Rootkit Revealer or something like that. :blink: :ouch:

Vba32 AntiRootKit 3.12.5.1 beta.

Links for downloading:

http://www.anti-virus.by/en/download_arkit_beta.php?

ftp://anti-virus.by/beta/Vba32arkit_beta.7z

ftp://anti-virus.by/beta/Vba32arkit_beta.rar

ftp://anti-virus.by/beta/Vba32arkit_beta.zip

http://vba.datacenter.by/beta/Vba32arkit_beta.7z

http://vba.datacenter.by/beta/Vba32arkit_beta.rar

http://vba.datacenter.by/beta/Vba32arkit_beta.zip

Antirootkit has the next changelog:

+ Main window was completely redesigned

Now html-report is generated in the main window. Later you will have an opportunity to save it to file.

+ Usability was improved ( added context menus, hot keys, tabs, etc. )

You can work with utility without a mouse. There are still some troubles but we will fix them ASAP.

+ Increased the number of checked autorun items ( Quick Launch, Service Modules, Explorer, Task Scheduler, Image File Execution Options )

+ View/delete for KeBugCheck notificators

+ HTML-report was improved: navigation, scan time, the state of Vba32 Defender were added. Interrupted scanning and errors in the analysis process are correctly displayed in the report

The html-report began to look much structured and validates by W3C.

+ Web page of beta-version Vba32 AntiRootkit

Antirootkit web page: http://www.anti-virus.by/en/beta.shtml . And there you can download Vba32 AntiRootkit with random name.

* Internal caching of scanning files was improved

Total checking time significantly decreased.

* Hidden processes search mechanism was improved

* Vba32ar.dll and Vba32arch.dll functional moved to .exe file. Now .exe packs with UPX

* Help in Russian was improved

- Temporarily removed quarantine and scripts

I have tried to run this twice,and both times it has failed to complete. My computer became locked up. No response to mouse or keyboard. Had to do a hard restart.

First time with the check-box ticked for "Vba32 Defender", and the second time, unchecked.

It seems to run into a problem when it gets to... 'Kernel-Mode Hooks' section.

@sergey ulasen

Thanks works for me :thumb:

217923

The log also showed me 2 crypted files belonging to one of my security apps, that no other ARK etc does :thumb: I won't show them or say what app it is to protect their confidentiality ;)

Version info is slightly confusing

217924

You don't get a chance to select

217925

before it scans, only after ?

System shows some strange results ?

217926



@Tarnak

Try doing manual one at a time scans via TOOLS

217927

-{ Quote: "@sergey ulasen

Thanks works for me :thumb:

217923

The log also showed me 2 crypted files belonging to one of my security apps, that no other ARK etc does :thumb: I won't show them or say what app it is to protect their confidentiality ;) " }-
Thanks :) We are trying to do our best ::)

-{ Quote: "
Version info is slightly confusing

217924 " }-
What did you expect to see here? 5.1 is actual file version btw :)

-{ Quote: "

You don't get a chance to select

217925

before it scans, only after ?" }-
Just uncheck "Check digital signature" in the main window and you'll get result you wish.

-{ Quote: "
System shows some strange results ?

217926
" }-
Nothing strange here. "System" process doesn't have corresponding executable file by it's design. System process serves as a container for the system threads which are needed for some drivers and other kernel-mode stuff. In the 3.12.5.2 you'll be able to see those system threads.
The only thing we probably need - is to hide "File Information" tab for this process. Thanks for suggestion. ;)

-{ Quote: "I have tried to run this twice,and both times it has failed to complete. My computer became locked up. No response to mouse or keyboard. Had to do a hard restart.

First time with the check-box ticked for "Vba32 Defender", and the second time, unchecked.

It seems to run into a problem when it gets to... 'Kernel-Mode Hooks' section." }-
Hi, thank you for interesting in our product.
First of all we apologize for any inconvenience. The product is in beta stage so system hangs are still possible. Did you try to uncheck "Kernel Mode Hooks" option? If no, please do and let us know.

-{ Quote: "Hi, thank you for interesting in our product.
First of all we apologize for any inconvenience. The product is in beta stage ......" }-

You're welcome!

-{ Quote: "

Did you try to uncheck "Kernel Mode Hooks" option? If no, please do and let us know.

" }-

I did try unchecking "Kernel Mode Hooks", and still unsuccessful.

In fact it locked up very quickly the 3rd time I tried to run it. It locked up at around 3.00pm,and when I rebooted, see the file change monitor as indicated by the second screenshot.


Edit: Further explanation as follows:

Even though I had unticked "Kernel Mode Hooks", as can be seen from my screenshot below... the scan came to a halt about 5 minutes later(i.e.3.06pm)...system completely unresponsive.

-{ Quote: "You're welcome!



I did try unchecking "Kernel Mode Hooks", and still unsuccessful.

In fact it locked up very quickly the 3rd time I tried to run it. It locked up at around 3.00pm,and when I rebooted, see the file change monitor as indicated by the second screenshot.


Edit: Further explanation as follows:

Even though I had unticked "Kernel Mode Hooks", as can be seen from my screenshot below... the scan came to a halt about 5 minutes later(i.e.3.06pm)...system completely unresponsive." }-
Check just "Kernel Modules", try to get the log and send it to beta[at]anti-virus.by if succeed.
Is there any possibility to take a screenshot after system hangs? If not, please describe in detail what you see. The most important thing is the status bar and the current iteration name.

-{ Quote: "Check just "Kernel Modules", try to get the log and send it to beta[at]anti-virus.by if succeed.
Is there any possibility to take a screenshot after system hangs? If not, please describe in detail what you see. The most important thing is the status bar and the current iteration name." }-

I sent an email about 10 minutes ago.

Thanks to Tarnak, AF_, CloneRanger :)

Alex from NT Internals (http://www.ntinternals.org/) retested Vba32 AntiRootkit 3.12.5.1 in Hidden Process Detection Test (http://www.ntinternals.org/process_detection_test.php).

Thanks Sergey. That's great results for Vba32 ARK! Is the "[-12-] - THREAD OBJECT - MANIPULATION" impossible to detect? I see that no product has a + for it.

Why all products fail that #12 test?

How do we detect malwares that are using #12 technique?

thanks and great work VBA

@AF_

Re Version info

-{ Quote: "What did you expect to see here?" }-

I expected to see 3.12.5.1 not just 5.1.0.0 :P


-{ Quote: "Just uncheck "Check digital signature" in the main window and you'll get result you wish." }-

:thumb:


Thanks for the System feedback -{ Quote: "In the 3.12.5.2 you'll be able to see those system threads" }-

:thumb:


Autorun shows a very nice comprehensive list :thumb:

Zombie Processes is good for showing what is still in memory, even though the actual app or malware has stopped running :thumb:


@sergey ulasen

-{ Quote: "Alex from NT Internals retested Vba32 AntiRootkit 3.12.5.1 in Hidden Process Detection Test." }-

Yes up with the best now :thumb: Only #12 test to pass now ;D

-{ Quote: "Thanks Sergey. That's great results for Vba32 ARK! Is the "[-12-] - THREAD OBJECT - MANIPULATION" impossible to detect? I see that no product has a + for it." }-


-{ Quote: "Why all products fail that #12 test?

How do we detect malwares that are using #12 technique?

thanks and great work VBA" }-

Nothing is impossible. For sure #12 test could be defeated, but as soon as that is only a PoC and there is no real malware using this technique, it's not vital problem indeed.
We have a lot of things to implement in our product which are much more important. Finding hidden dll's ( fuller TDL/MAX++ and other malware detect ) or threads analysis ( for Rustock 2010 for example ) are among of them. You'll see many more improvements in 3.12.5.2.
Also I'd like to thanks Alex of NtInternals for his tests and all of our beta testers of course.

Thanks. I'll be looking forward to the next version!

Nicely done VBA.
Have been a long time multi-license user, but curiously I notice that flagged as unsigned are VBA's:
System32\Drivers\Vba32dNT.sys
vba32ads.exe
Vba32\Vba32ADS.exe

-{ Quote: "Nicely done VBA.
Have been a long time multi-license user, but curiously I notice that flagged as unsigned are VBA's:
System32\Drivers\Vba32dNT.sys
vba32ads.exe
Vba32\Vba32ADS.exe" }-

When these modules are updated they will be signed.

Hello folks,

I have a similar problem as Tarnak. I am using Vba32 AntiRootkit 3.12.5.1 and when I use the "Process List" option even with the option "Include Zombie Processes" unchecked it lock up and I have to reboot my system.
All the other options work OK, but "Process list" hang the system. I have made scan log with option "Process list" disabled. I will send it to the same e-mail you told Tarnak to send his logs. I hope it will help solve the problem. (Already sent it)

See you later,

Aeolis

Hello Aeolis!

-{ Quote: "Hello folks,

I have a similar problem as Tarnak. I am using Vba32 AntiRootkit 3.12.5.1 and when I use the "Process List" option even with the option "Include Zombie Processes" unchecked it lock up and I have to reboot my system.
All the other options work OK, but "Process list" hang the system. I have made scan log with option "Process list" disabled. I will send it to the same e-mail you told Tarnak to send his logs. I hope it will help solve the problem. (Already sent it)

See you later,

Aeolis" }-

We haven't received your e-mail.
Could you please send the scan log to beta@anti-virus.by again.

Thanks!

Very nice tool Sergey.

Hello folks,

Dear Sergey I have sent the e-mail again. I hope it helps. Please, let me know if you received it.

See you later,

Aeolis

-{ Quote: "Very nice tool Sergey." }-

Thanks :)

-{ Quote: "Dear Sergey I have sent the e-mail again. I hope it helps. Please, let me know if you received it." }-

:'( I haven't received your e-mail again...

Try to send the scan log to support@anti-virus.by and support-en@anti-virus.by

Thanks!

Hello folks,

Dear Sergey I have sent it again, again :) to both e-mails you have given me. If you still don't receive it I could attach the log file to this thread (I don't know if this Forum rules allow me to attach the log file, that's why I haven't posted it here yet).

See you later,

Aeolis

Thanks Aeolis :thumb:

I received your e-mail.

Dear Sergey,

I have answered you e-mail with the requested files. Please, let me know if you received my answer and if you need more information.

See you later,

Aeolis

I received your answer. Thanks.

I will contact you tomorrow by e-mail or PM.

Hello folks,

Dear Sergey any news regarding the issue I have reported? Best of luck to you.

See you later,

Aeolis

Will there be full 64-bit support in the future?

Hello!

-{ Quote: "Dear Sergey any news regarding the issue I have reported? Best of luck to you." }-

I wrote your issue in bugtracker. When we will be testing the next version (3.12.5.2) we will try to reproduce your problem.

-{ Quote: "Will there be full 64-bit support in the future?" }-

In the nearest plans only 32-bit support.

Thanks and have a nice day!

Hi sergey, I may have missed it, but when will the next stable version be arriving?

hi kerykeion

-{ Quote: "I may have missed it, but when will the next stable version be arriving?" }-

We are planning to release Vba32 Antirootkit 3.12.6 stable in the end of this year.

Hello!!!
I'm not an expert, but I'm happy I came accross vba32, as I'm hunting a strange virus that sets itself into a temp folder, and is called RtkBtMnt.exe. I suppose it's a rootkit for I've deleted it ten thousand times with very nice and interesting tools, but it comes back again. Now, I've tried to run the antirootkit program and it gives me a blue screen and resets. The thing is it doesn't give me anytime to see what happens, in a second it is reseting the machine.
I have installed the antivirus now, trial version, so as to see if it finds it, but so far it seems it doesn't. Should this software help me?? Thank you!!!

-{ Quote: "hi kerykeion



We are planning to release Vba32 Antirootkit 3.12.6 stable in the end of this year." }-

Cheers! Thanks! :thumb:

i think that it gave you a blue screen cause it(RtkBtMnt.exe) may be a part of a Realtek HD Audio ;) from accer pc:) maybe that is your case

Hi folks!

I'm glad to offer you a new version of Vba32 AntiRootkit 3.12.5.2 beta. Current build is 168.

Download link: http://anti-virus.by/en/beta.shtml

+ Process List window replaced with Process Manager. Significantly increased informative content

+ Listing anomalies for each process

+ Operations on processes ( Terminate, Terminate and Delete, Suspend / Resume, Dump )

+ Listing modules, including hidden

+ Operations on modules ( Unmap, Dump )

+ Listing threads, including hidden and anomaly

+ Operations on threads, including system threads ( Terminate, Suspend / Resume )

+ Listing handles

We've added possibility of full-fledged working with process list:

- process termination;
- process suspend and resume;
- process dump.

Process list can be displayed in treelike and list-oriented formats. You can receive there a great number of various helpful information: PID, EPROCESS address, PEB address, etc. All headers in the table are optional and you can choose only necessary settings.

Vba32 AntiRootkit detects hidden and anomaly processes too.

225715

Thread list:

- thread termination;
- thread suspend and resume.

All headers in the list are optional.

Hidden and anomaly threads are detected.

225716

Module list:

- unmap in process;
- module dump.

Hidden and anomaly modules are detected.

225717

Process Manager provides information about handles and interpretation of detected anomalies.

+ Listing unloaded kernel modules

These modules have Unloaded modules state.

+ Detection and restoration of hooks in IAT ( for kernel modules )

Frequently used method of hijacking.

+ View/delete for Lego, SeFileSystem, LastChanceShutdown, Shutdown, BugCheckReason, FsRegistrationChange notificators

It can be helpful.

+ Network Tool window ( parsing of host and lmhost files, persistent routes, LSP providers )

+ Dedicated antirootkit desktop

Very useful feature in the light of desktop blockers.

Attention: the feature is used with Vba32 Defender that blocks process and drivers loading.

225718

+ Full safe-mode support

+ Detection of revoked certificates

Appearance of Stuxnet has revealed us that we can't unconditionally trust to digital signatures. But it works only in updated Windows or with Internet connection.

225719

+ Increased the number of checked autorun items ( Print Provider, Control Panel objects, Known DLLs, URLSearch IE, Toolbar IE, IE Extensions, etc. )

+ Support of Windows 7 SP1

It's crucial issue.

* Search of hidden drivers was improved, added detection of numerous anomalies

* Increased low-level scanning speed

We have increased low-level speed about twice.

* Fixed BSOD on highly fragmented NTFS folumes

It's old problem. In this forum some people had BSODs by reason of the bug.

* "Don't display items digitally signed" option replaced with "Don't display trusted items"

* HTML-report was improved

* Internal caching of scanning files was improved

It has increased speed too.

* Help in Russian was improved


Known problems:

- Process Manager sometimes is hung. Don't scare :) It's happened not often. We are solving the problem;

- launching the antirootkit from dedicated desktop can lead to system deadlock on computers with some NVIDIA video card. It's happened not often too;

- audio sometimes is lost. It's connected with Vba32 Defender mode. We are going to solve this problem in the future.


You can send your suggestions, wishes, dumps and other helpful information to arkit@anti-virus.by.

Does this work on 64 bit?

-{ Quote: "Does this work on 64 bit?" }-

No, it doesn't. Only 32 bit.

-{ Quote: "No, it doesn't. Only 32 bit." }-
Ok, thanks. Is a 64 bit version planned? I know 64 bit rootkits are still minimal, but it's better to have a cure ready because they'll be coming in bigger numbers soon, especially since the 64 bit windows' market share is getting quite big. The latest security survey from AV-comparatives showed 30.1% using Win7 x64 as primary OS and 26.4% W7 x86.

I started the install, and got the following message,


"Would you like to run Vba 32 AntiRootKit on the dedicated desktop with advanced security features on

(recommended option) ?", to which I answered - YES.


My screen darkened and the words "Vba32 Dedicated Desktop", appeared in the 4 corners of my monitor.

The GUI, then appeared and started to run.

However, this mode locks me out of my computer. I could not activate my screenshot capture program or

anything else.

A few minutes of Vba 32 running, and I got the BSOD(IRQL_NOT_LESS_OR_EQUAL). After the reboot, the monitoring utility(Tiny Watcher) shows the changes.

Tried again, but not in "Dedicated antirootkit desktop" mode, this time, and was successful. See screenshots.

2Tarnak:

Could you please send me dump file ?

It should be in c:\windows\minidump directory.

e-mail: arkit@anti-virus.by

thx

-{ Quote: "I started the install, and got the following message,


"Would you like to run Vba 32 AntiRootKit on the dedicated desktop with advanced security features on

(recommended option) ?", to which I answered - YES.


My screen darkened and the words "Vba32 Dedicated Desktop", appeared in the 4 corners of my monitor.

The GUI, then appeared and started to run.

However, this mode locks me out of my computer. I could not activate my screenshot capture program or

anything else.

A few minutes of Vba 32 running, and I got the BSOD(IRQL_NOT_LESS_OR_EQUAL). After the reboot, the monitoring utility(Tiny Watcher) shows the changes." }-
BSOD was probably caused by Defender. It blocks driver load which may lead to BSOD in some cases ( usually with NVIDIA drivers ). We will extend Defender functionality in further versions to solve this potential problem.
As for ctfmon.exe, windows automatically starts it (and creates an autorun record) on newly created desktop.

-{ Quote: "2Tarnak:

Could you please send me dump file ?

It should be in c:\windows\minidump directory.

e-mail: arkit@anti-virus.by

thx" }-

I just sent you the minidump.

-{ Quote: "I just sent you the minidump." }-
I've just took a look at your minidump. As far as I can see BSOD was caused by safemon.sys, so I suggest contacting System Safety Ltd. regarding this problem.

-{ Quote: "I've just took a look at your minidump. BSOD was caused by safemon.sys, so I suggest contacting System Safety Ltd. regarding this problem." }-

I can't...Program ceased development in 2008/09. ;)

-{ Quote: "Ok, thanks. Is a 64 bit version planned? I know 64 bit rootkits are still minimal, but it's better to have a cure ready because they'll be coming in bigger numbers soon, especially since the 64 bit windows' market share is getting quite big. The latest security survey from AV-comparatives showed 30.1% using Win7 x64 as primary OS and 26.4% W7 x86." }-

Yes, we are planning to develop it in the future.

About an hour ago, whilst still having the GUI open as shown in my post #76 above, I decided to access the feature as per screenshot, but the mouse and keyboard became unresponsive. Had to hard reboot.

-{ Quote: "About an hour ago, whilst still having the GUI open as shown in my post #76 above, I decided to access the feature as per screenshot, but the mouse and keyboard became unresponsive. Had to hard reboot." }-

Did you use dedicated mode (or Vba32 Defender) ?

-{ Quote: "Did you use dedicated mode (or Vba32 Defender) ?" }-

I have not tried the dedicated mode after that BSOD, earlier.

But, I have had another BSOD.

STOP:0x1000008e (0xc0000005, 0xb9f9f499. 0xb464dc48, 0x00000000)
mkuk0aea.sys - address B979F499 base at B9F8A000, DateStamp 4d7b80fb

-{ Quote: "But, I have had another BSOD." }-

Ok, we are analyzing it.

Thx.

Alex from http://www.ntinternals.org/ has tested Vba32 AntiRootkit 3.12.5.2 beta in the Hidden Dynamic-Link Library Detection Test (http://ntinternals.org/dll_detection_test.php) :thumb: .

-{ Quote: "But, I have had another BSOD." }-

See your e-mail. Thx.

Working good on my Vista SP2. :thumb:

-{ Quote: "* Search of hidden drivers was improved, added detection of numerous anomalies" }-
Siskel :thumb: Ebert :thumb:


Would be nice if I could copy from the results window, one or several selections, and if needed I can always create an html log later if more info is required.

What is dedicated v. defender?

-{ Quote: "Siskel :thumb: Ebert :thumb:" }-

:D

-{ Quote: "Would be nice if I could copy from the results window, one or several selections, and if needed I can always create an html log later if more info is required." }-

You aren't the first who tell us about necessity of this feature...
I'm writing it in the feature requests list now.

-{ Quote: "What is dedicated v. defender?" }-

Vba32 Defender mode blocks loading of new drivers and launching of new processes. Be careful because this mode is default when you choose dedicated desktop. Sometimes it can be a reason for BSOD.

Basic log scan functions were working good on the first try. After trying the Low Level Scan, then cancel, 20% 3 hours, then another log scan, frozen on Process scanning section. Tried it with just process scanning again and frozen, no activity.

-{ Quote: "Basic log scan functions were working good on the first try. After trying the Low Level Scan, then cancel, 20% 3 hours, then another log scan, frozen on Process scanning section. Tried it with just process scanning again and frozen, no activity." }-

Hi Searching_ _ _,

We know about this problem. I said about it in my first post:

-{ Quote: "- Process Manager sometimes is hung. Don't scare It's happened not often. We are solving the problem;" }-

Thank you.

Thank you. My memory is dodgy sometimes. :-[

No BSOD's. After a couple of reboots it's working again, file scan completed ok.

Log file: Would like the option to exclude trusted items when saving the log.

Are the base addresses memory locations or virtual addresses?
Can I put the addresses into say Kernel Detective disassembler?

-{ Quote: "Thank you. My memory is dodgy sometimes. :-[ No BSOD's. After a couple of reboots it's working again, file scan completed ok." }-

We are fixing this problem now.

-{ Quote: "Log file: Would like the option to exclude trusted items when saving the log." }-

I think, it's unnecessary feature. "Don't display trusted items" options realize your request.

-{ Quote: "Are the base addresses memory locations or virtual addresses?
Can I put the addresses into say Kernel Detective disassembler?" }-

Yes, it's virtual addresses. You can put them into disassemblers, debuggers, etc.

After log is saved, loading into FF 4, checking box "Don't display trusted items" has no effect.
225945

-{ Quote: "After log is saved, loading into FF 4, checking box "Don't display trusted items" has no effect.
225945" }-
This issue is already fixed in the aplha version. Sorry for FireFox users.

Hiya!

Vba32 AntiRootkit 3.12.5.3 beta build 222:

Download link: http://anti-virus.by/en/beta.shtml

Change list:

+ Listing filesystem minifilters
+ Operations on filesystem minifilters ( Unload, Unregister )

FileSystem Minifilters window (and table in the report) has been added. User can find there information about filesystem drivers-minifilters. Also there are available two operations: Unload and Unregister. These operations are used to unload minifilter from memory. But Unregister is less safety and can cause to BSOD.

+ Listing kernel devices ( Kernel Device Stack )

Kernel Device Stack window (and table in the report) has been added. The window displays kernel device stacks. Because of this user can analyze what kind of stack malware uses.

226619

There are no any operations with objects in Kernel Device Stack yet. It's planned on the future.

+ View/delete for FsRtlRegisterFileSystemFilterCallbacks notificators

It can be helpful.

+ Detection of DriverInit, DriverStartIo, DriverUnload hooks

It can be useful to detect some versions of TDL.

+ Detection and restoration of hooks in Object Functions ( ObjectType hooks )
+ Object type hijack detection for drivers and devices

Not very widespread type of hooking (in view of complexity) but looks like malware and some sort of security software use them.

+ Operation with opened handles ( CloseHandle )

Very useful function! It's available from the Process Manager window inside the Handles tab.

+ Terminating status in the time of Process Manager closing

Closing of the Process Manager window looks more clearly now.

* Fixed nonworking checkboxes in html-report ( in FireFox )

Sorry for FF users because we haven't supported you for 1.5 monthes. But now it's fixed.

* Focus from "YES" button was moved to "NO" button in the dedicated desktop request message

As I wrote early the antirootkit had some problems in the dedicated desktop mode. We have removed this mode by default. In the future, of course, the problem will be solved more radical way.

* Fixed GUI crash on infected with Trojan.Win32.VBKrypt machines
* Overall work robustness of antirootkit was improved

We have spent most of our developing time to increase stability of the application. We have fixed most known bugs that lead to BSODs or hangs.

* Help in Russian was improved

Remind you our e-mail: arkit@anti-virus.by.

And thanks to everybody who sent us feature requests, errors and dumps. Your attention is very important to us!

I tried to scan, but as you can see from the screenshot, it shows, " Error occurred while getting..."

I will send the log by email.

-{ Quote: "I tried to scan, but as you can see from the screenshot, it shows, " Error occurred while getting..."

I will send the log by email." }-

Hello Tarnak,

Do you have any security software that can block loading of vba32arkit's driver ?

Hello Sergey,

Nothing, has changed since when I last ran the program in March.

Hi everybody,

I'm glad to present Vba32 AntiRootkit 3.12.5.4 beta build 293.

Download link is the same: http://anti-virus.by/en/beta.shtml

Change list:

+ Low-level operations with disk volumes. Support of MBR and GPT. Support of Microsoft/Veritas dynamic
volumes ( Simple, Spanned, Striped, Mirrored and Raid-5 )

Despite the fact that dynamic volumes are quite rare this is a great step forward in our low-level disk access library. As far as I know there is no any other anti-rootkit that can provide this feature.

+ Boot sectors verification feature. Detection, view, dump and restoration of non-standard and forged
loaders. Saving primary boot sector in html log.

This might be the most interesting feature of the build. Finally we are able to detect, view, dump and restore forged and non-standard boot loaders ( that means that we can fight many bootkits such as TDL4/Sinowal/Alipop/Rmnet/etc. ). However, I'd like to point that we are still using "old" tdl3 detection code which can be bypassed on some type of disk controllers. We are currently working in this direction and will provide you with some advanced techniques in the near future.

+ Added detection and restoration of abnormal Global Descriptor Table (GDT) entries

Usually used to provide access to privileged instructions from R3 code.

+ Increased the number of checked autorun items
(LSA Providers, SubSystems\Windows и др.)

In every build we increase the number of checked autorun items.

* Detection and restoration of IDT and SysEnter hooks were improved

GDT selector offset and IA32_SYSENTER_CS register now are taken into account. In the previous builds gdt selector offset considered null, which is not right. The most arkit tools have the same bug unfortunately.

* Safe protected handles closure ( CloseHandle )

Serious bug indeed.

* Checking standard OS Windows Firewall rules

* Overall work robustness of antirootkit was improved

* Help in Russian was improved

Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports, kernel dumps are very welcome !

I ran a scan except for processes...

P.S. I then initiated a scan for the processes only...but it froze the system completely. Had to reboot.

-{ Quote: "I ran a scan except for processes...

P.S. I then initiated a scan for the processes only...but it froze the system completely. Had to reboot." }-
It seems that it's the same issue that you have before with previous build. I will try to get back to you to resolve this problem when I return from vacation.
Thanks for interesting in our product !
Btw, I see that you have non-standard MBR. Do you use Grub or Lilo or any other loader? Or maybe it's something "in the wild" for testing purposes ?

-{ Quote: "It seems that it's the same issue that you have before with previous build. I will try to get back to you to resolve this problem when I return from vacation.
Thanks for interesting in our product !
Btw, I see that you have non-standard MBR. Do you use Grub or Lilo or any other loader? Or maybe it's something "in the wild" for testing purposes ?" }-

Thanks...Looking forward to it.

As regards the non standard MBR, it must be something I have added since May 10, as I have created further snapshots since . Interesting, anyhow...will try and out what changed. ;)

Hi everybody,

I'm glad to present Vba32 AntiRootkit 3.12.5.5 beta build 425.

Download link is the same: http://anti-virus.by/en/beta.shtml

Change list:

+ Native support of IDE and AHCI mass storage controllers.

The main goal of this beta version. We spent thousands of hours studying specifications and debugging third-party drivers to provide the ultimate solution. AntiRootkit will work with the most mass storage controllers directly, however current solution is incompatible with some hardware/software setups, such as Nvidia4 chipset + original nvidia drivers ( there is no problem on Nvidia4 chipset when using standard Microsoft drivers ). We are working to solve this ASAP and if you're unlucky with starting antirootkit ( e.g. system hangs, bsods ), you can use our product in compatibility mode ( /nodmsa command line switch ).

+ Vba32 Defender: interactive mode, white and black lists, hints for users implemented. Ability to start
processes on dedicated desktop.

Functionality of Vba32 Defender was significantly increased for convenient use.

+ Basic self-defence functionality has been added.

AntiRootkit successfully confronts the most threats, including latest ZeroAccess aka Max++, Trojan.Necurs, etc.

+ Ability to detach device from device stack

Very useful feature.

+ Hidden driver detection technique ( raw memory lookup, only on Vista and later OS'es )

Also may be very useful.

+ View/delete for ObCallbacks notificators

For Vista SP1 and later OS'es.

+ Restore MBR and force reboot option

Safer than using "Restore MBR and force reset"

+ Output of MD5/SHA1 for checked files

Useful when using services such as VirusTotal.

+ "Don't display items with empty path name" option in drivers/services tool

+ Support of Windows 8 ( Developer Preview Build )

* Issue with driver unload and loss of sound on some systems

* Overall work robustness of antirootkit was improved

* Help in Russian was improved


Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports, kernel dumps are very welcome !

Also, we began publishing "Detection & Removal" guides, drafts are available here:
http://anti-virus.by/en/doc/Vba32%20AntiRootKit%20vs%20TDL2.pdf
http://anti-virus.by/en/doc/Vba32%20AntiRootKit%20vs%20TDL4.pdf

I tried to run the new version, but it locked up my system, i.e. clock in the systray stopped.

It got as far as 'processes' and seemed as if nothing was happening, but I couldn't get Process Explorer to open, to see if there was any CPU activity.

One good thing, I didn't get a BSOD this time around.

After 30 minutes or so with nothing changing, I did a soft reboot via the button on my desktop tower.

After the reboot, I reloaded the program, but before initiating the scan, I shutdown my AV, i.e. Vipre, WSA, and anything else I considered unnecessary.

This time, omitting 'Processes' checking.

However, after initiating scanning, and about 10 minutes later, the system clock stopped. During this time period, I had tried to take a screenshot using the 'Print Screen' button on the keyboard, but my system seemed unresponsive, i.e. screenshot was not saved.

Scan started: 9:35 AM and finished 75 minutes later. This is longest duration for a scan, on my system ever. This does not seem normal.

After, the scan finished, I saved a copy.

However, because the systray clock was stopped during scanning, I had to do another soft reboot to clear my system.

Tarnak, pls check you pm. We are looking forward to troubleshoot your issue. You still can use /nodmsa command line switch to start antirootkit in compatibility mode.

-{ Quote: "Tarnak, pls check you pm. " }-

I was looking for your PM, but when I didn't see...I checked my e-mail. ;)

does it support x64 ?

-{ Quote: "does it support x64 ?" }-
Currently doesn't. Only 32 bit systems.

-{ Quote: "Currently doesn't. Only 32 bit systems." }-

Can't wait for the x64 version

-{ Quote: "Can't wait for the x64 version" }-
We are working in this direction, but unfortunately can't promise that we will release it soon.

Error log: Failure to load driver.

Has there been a fix for this? I'm on Windows 7 32bit if that helps.

Also one more question, does this rootkit have the ability to update it's definitions?

Thanks, looks like a strong product!

-{ Quote: "Error log: Failure to load driver.

Has there been a fix for this? I'm on Windows 7 32bit if that helps.

Also one more question, does this rootkit have the ability to update it's definitions?

Thanks, looks like a strong product!" }-
Hi, thanks for interesting in our product. We need more information to troubleshoot your issue:
1. What version are you trying to launch? Is it latest beta version or old release?
2. Do you have any other anti-malware program running? It may prevent loading driver.
3. The latest version doesn't use any definitions at all. It detects generic anomalies in the system. However, the next version will be able to use vba32 anti-virus bases for more precise results.

Thanks for the reply. Yes I believe my other av software prevented it from loading. I will test this again to be sure and report back.

Hi everybody,

I'm glad to present Vba32 AntiRootKit 3.12.5.6 beta build 500 !

Download links have been changed a little bit:

http://anti-virus.by/en/beta.shtml ( .exe is about 500 Kb )

ftp://anti-virus.by/pub/beta/vba32arkit_beta.zip ( regular version, what's new ( both in en and ru ) and russian help included, ~3.5 Mb )

ftp://anti-virus.by/pub/beta/vba32arkit_full_beta.zip ( full version with AV kernel and AV bases, ~90 Mb )

ChangeLog ( builds 493 and 500 ):

+ Volume Boot Sectors verification feature. Detection, view, dump and restoration of non-standard and forged
loaders. Saving primary volume boot sector in html log.

For detection / removal Cidox/Carberp malware.

+ Ability to use Vba32 AV-Kernel to verify forged, locked files and boot sectors as well

Simplifies the detection of complicated infections such as Cidox, Max++, TDLs, Sinowals, etc.

Some examples:
231561
231562

+ Force Delete option

Function is able to delete files that were been opened exclusively or locked with LockFile/LockFileEx/.. functions. For mapped files function "Unmap in all processes and force delete" is available from Process Manager.

* Functionality of Low-level disk access Scanner enhanced

Checking of MBRs/VBRs/System Folder from scanner tool. The functionality will be also enhanced in the future versions.

* Stability of direct mass storage access library was significantly improved

Now we are working MUCH more stable on supported hardware and provide direct access to the disk content on the most IDE ( PATA/SATA ) / AHCI controllers !

* Overall work robustness of antirootkit was improved

Fixed possible BSOD's on some MAX++ versions, also improved detection of Sinowal variant which hijacks \DR0 device object.

* Stability of Vba32 Defender was improved

* HTML-report was improved

* Fixed some minor bugs in GUI

* Help in Russian was improved

As usual, please feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports, kernel dumps are very welcome !

Still have the problem with processes scan, as mentioned > http://www.wilderssecurity.com/showpost.php?p=1904888&postcount=101

What exactly are the advantages on installing the extended driver?

-{ Quote: "Still have the problem with processes scan, as mentioned > http://www.wilderssecurity.com/showpost.php?p=1904888&postcount=101" }-
Thanks for respond, I will try to find the time to troubleshoot this specific problem.
-{ Quote: "What exactly are the advantages on installing the extended driver?" }-
Extended driver is intend to start at an early stage of os boot process thus it's able to monitor a suspicious behavior of other system components that loads later. Very useful feature to detect some hidden drivers ( for example, for TDL2 malware ). However, we only recommend using this option for in-depth analysis when it's not possible to identify the threat based on standard log ( rare situation ).
If you're interested, on Monday I can share 2 logs made on the same infected system in both standard and extended mode to see the advantages of the last one.

-{ Quote: "What exactly are the advantages on installing the extended driver?" }-
TDL4 for example (http://ifolder.ru/28745979)

Thanks for the explanations :) The logs would be nice btw.

-{ Quote: "Thanks for the explanations :) The logs would be nice btw." }-
groft has already shared sample logs for TDL4, pls see the post above.

-{ Quote: "groft has already shared sample logs for TDL4, pls see the post above." }-
Ah, missed that, thanks for the logs :)

Hi everybody,

I'm glad to present Vba32 AntiRootkit 3.12.5.7 beta build 588.

Download link is the same: http://anti-virus.by/en/beta.shtml

Change list:

+ Registry hives parsing mechanism has been added. Direct registry access is performed in Autorun and
Drivers & Services ( from Registry ) windows, and in report as well

Should have been done long time ago.

+ Added Low-Level Registry Access Tool window. Operations on hidden, locked and forged registry keys / values

We will expand this window functionality in the nearest builds.

+ Restoration of modified MBR partition table

Needed for Rootkit.Boot.sst and similar malware treatment.

+ Vba32 Defender: added information about command line and parend pid ( for processes ). Ability to block
the creation of new registry keys and setting of registry values

+ Reboot on Exit option

Very usefull to fighting malware which is constantly rewriting the registry keys / values

+ Support of Windows 8 Consumer Preview. Support of Windows 8 Developer Preview has been dropped

We are trying to support the latest builds.

- Force reset option

This is redundant option. Force reboot works in all known cases.

* Overall work robustness of antirootkit was improved

* Stability of direct mass storage access library was improved

* Stability of Vba32 Defender was improved

* Fixed bugs in self-protection module

* Fixed bugs in GUI

We have spent a lot of time working on stability of this build.

* Help in Russian was improved

Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports, kernel dumps are very welcome !

Hi,

How to check 'Use Antivirus kernel' ? It's grewed.

Where to analyze the Vba32 Antirootkit online ?

Thanks in advance

-{ Quote: "
How to check 'Use Antivirus kernel' ? It's grewed." }-

You have to download version with AV kernel. Here is direct link:
ftp://anti-virus.by/pub/beta/vba32arkit_full_beta.zip ( updated daily )


-{ Quote: "
Where to analyze the Vba32 Antirootkit online ?
" }-
Sry, I didn't understand what do you mean ?

Thanks AF,

I'm sorry, my english is not good enough. ;)

For ie, I have the vba32 log file. In which forum or website is possible to analyze or to check it ? Where can I submit the log file ?

Also, I've noticed that the scanning time is longer than previous versions.

-{ Quote: "
For ie, I have the vba32 log file. In which forum or website is possible to analyze or to check it ? Where can I submit the log file ?
" }-
You can submit the log file here or send it directly to us : arkit[_at_]anti-virus.by
Usually analysis is pretty much simple and could be done by yourself.
-{ Quote: "
Also, I've noticed that the scanning time is longer than previous versions." }-
Yes, it's possible. We are improving disk access code every build ( mainly we're aiming stability of the tool ), sometimes it causes perfomance degradation. Pls check future versions ::)

AF_,

Please check carefully my log file :

http://www.directmirror.com/files/V0HVLWAO


What grew and brown colors mean ?


Thanks in advance ! :thumb:

AF,

Any news, please ?

Is this the best Anti rootkit ? ???

-{ Quote: "AF,

Any news, please ?" }-
Hello!
1) Your Hosts file ( C:\Windows\System32\drivers\etc\Hosts ) is modified. You changed it?
2) Second Volume boot record is "Non-standard VBR". Dump and send an arkit[@]anti-virus.by

-{ Quote: "Is this the best Anti rootkit ? ???" }-
You doubt it? Try it!

Hi groft,

1) Maybe my Antivirus or anti-malware program.
2) Ok, thanks. I will send my log file.

-{ Quote: "Hello!
1) Your Hosts file ( C:\Windows\System32\drivers\etc\Hosts ) is modified. You changed it?
2) Second Volume boot record is "Non-standard VBR". Dump and send an arkit[@]anti-virus.by" }-

-{ Quote: "Hi groft,

2) Ok, thanks. I will send my log file." }-
Dump is created as:
1. start arkit
2. open in main windows "Tools -> Low-Level Disk Access Tool -> Volumes"
3. Select "Non-standard VBR"
4. In context menu select "dump"
5. Save & and send an arkit[@]anti-virus.by

Hi groft,

I've just sent the requested file, please check it. :thumb:

-{ Quote: "Dump is created as:
1. start arkit
2. open in main windows "Tools -> Low-Level Disk Access Tool -> Volumes"
3. Select "Non-standard VBR"
4. In context menu select "dump"
5. Save & and send an arkit[@]anti-virus.by" }-

-{ Quote: "Hi groft,

I've just sent the requested file, please check it. :thumb:" }-
Thanks, tomorrow answer

-{ Quote: "Hi groft,

I've just sent the requested file, please check it. :thumb:" }-
I've checked both you log file and dump. You system is most likely clean. Non-standard VBR is our false positive and already fixed ( fix will be available in the next beta version )
Gray and blown are neutral colors. Usually brown means that object doesn't have any anomaly but also doesn't have a digital signature ( if applicable ). With gray color we mark objects that were unloaded from memory or don't exist on filesystem.
Hope that helps.

Big thanks AF_ and groft ! :thumb:

Great job ! Excellent program, go along with the next version ;D

AF_ and groft

Check your mailbox, I submit a request, thanks. ;)

-{ Quote: "You have to download version with AV kernel. Here is direct link:
-ftp://anti-virus.by/pub/beta/vba32arkit_full_beta.zip- ( updated daily )
" }-

hi, i'm getting the failed to load driver error also on windows 7 64 bit
i tried the above 'full installer' and it wont run on x64

any suggestions on how to get past that 'failed to load driver'
it seems to run otherwise when you hit start

not sure what functions are lost w/o the driver can you elaborate
also is there a download with the virus definitions intact other than this one that will run in x64 systems? thx n regards

-{ Quote: "hi, i'm getting the failed to load driver error also on windows 7 64 bit
i tried the above 'full installer' and it wont run on x64

any suggestions on how to get past that 'failed to load driver'
it seems to run otherwise when you hit start

not sure what functions are lost w/o the driver can you elaborate
also is there a download with the virus definitions intact other than this one that will run in x64 systems? thx n regards" }-
Look post #109