NoVirusThanks Anti-Rootkit v1.0


Mage
November 4th, 2010, 12:19 AM
NoVirusThanks Company Srl has released their first Anti-Rootkit as commercial software. Please take a moment and see what some of its capabilities are or browse their list of nice freeware tools.

http://www.novirusthanks.org/products/novirusthanks-anti-rootkit/

Kernelwars
November 4th, 2010, 12:22 AM
Thanks :thumb:

SIR****TMG
November 4th, 2010, 05:30 PM
nice stuff

Meriadoc
November 4th, 2010, 05:47 PM
Commercial, mmm. Totally unneeded, should be freeware at the least donation. :thumbd: :thumbd:

Kernelwars
November 4th, 2010, 05:48 PM
anyone using it?:wacko:

Meriadoc
November 4th, 2010, 06:03 PM
Pay 19.95 USD you can.

(no trial) suspect will soon 'disappear'

edit : changed to 24hrs

Kernelwars
November 4th, 2010, 06:03 PM
-{ Quote: "Pay 19.95 USD you can." }-
thats the trick part;D

Mage
November 4th, 2010, 09:20 PM
-{ Quote: "Revisit http://novirusthanks.org, a fully unrestricted evaluation / 24 hour trial of NoVirusThanks Anti-Rootkit is now available. After you're done downloading the trial setup and you are prompted with a product activation screen click "Request Eval Code" and enter a valid email address. After you obtain your evaluation serial key enter it and the product will be fully-functional for 24 hours." }-

.......

DasFox
November 4th, 2010, 09:27 PM
Looks like a fairly decent site, will be interesting how well they do over time...

Eyes are watching... :blink:

CloneRanger
November 4th, 2010, 10:35 PM
@ Mage

Thanks for the info etc :thumb:

Haven't got an email back yet? If/when I do I'll give it a spin ;)

From the screenies on their www & the Youtube video, it does look kinda familiar, don'tcha think :D Of course appearances aren't everything, so we'll see if it's worth the asking $ or not ;)

Didn't realise it was Italian until i saw the vid ! Makes a change from Russian/Chinese etc though :D

jmonge
November 4th, 2010, 11:12 PM
http://www.youtube.com/watch?v=BcVp4F9Zd5A

Kernelwars
November 4th, 2010, 11:26 PM
thanks J

jmonge
November 4th, 2010, 11:30 PM
you're welcome ;) get some popcorn and a 2 liter Pepsi :thumb:

Kernelwars
November 4th, 2010, 11:31 PM
-{ Quote: "you're welcome ;) get some popcorn and a 2 liter Pepsi :thumb:" }- ;D J ;D Coke and Lays be just fine;D

jmonge
November 4th, 2010, 11:33 PM
cool8)

Meriadoc
November 5th, 2010, 08:24 AM
so that's their 'malware remover' ;)

scroll to the bottom of the page on the link provided by Mage.

Meriadoc
November 5th, 2010, 08:45 AM
Wow this ark is protected by a commercial software not that the amount of time needs extending over 24hrs ;) much better freeware alternatives.

beenieman
November 5th, 2010, 09:03 AM
-{ Quote: "http://www.youtube.com/watch?v=BcVp4F9Zd5A" }-
You sure that's the same program in the video? The video is a review about NoVirusThanks Malware Remover, and this thread is about NoVirusThanks Anti-Rootkit v1.0, so aren't those two different programs?

I'm not in any way affiliated with either program, I'm just stating an observation I made.

Meriadoc
November 5th, 2010, 09:08 AM
err didn't I just say that ;D

novirusthanks
November 5th, 2010, 10:01 AM
Meriadoc:

-{ Quote: "
Commercial, mmm. Totally unneeded
" }-

Because the software is commercial you consider it unneeded without even testing it? :)

-{ Quote: "
suspect will soon 'disappear'
" }-

On what basis do you say this? Why should we discontinue it?

-{ Quote: "
Wow this ark is protected by a commercial software not that the amount of time needs extending over 24hrs. much better freeware alternatives.
" }-

Again, you say this because our product is protected with TheMida? Have you even tested our product and compared it with freeware alternatives?

What makes NVTArk different from other Anti-Rootkits ?

- Stability
- Vast Detection Range
- Technical Support
- Free Updates
- Official support for 4 major NT operating systems (XP, 2k3, Vista, Windows 7)

jmonge:

The youtube video you posted is a review of a freeware product named malware remover, it is a completely different product :)

I would like to introduce these documentations about our anti-rootkit:

Here you can see our anti-rootkit in action:
http://www.novirusthanks.org/news/article/novirusthanks-anti-rootkit-preview/
http://www.novirusthanks.org/news/article/novirusthanks-anti-rootkit-preview-2/

Video tutorials that may be of interest to users:

Sudami Process Termination:
NoVirusThanks Anti-Rootkit demonstrating its effective process killing methods by terminating the allegedly "immortal" process Sudami (Sudami KillMe).
-http://www.youtube.com/v/lmXyOcl2Isk?fs=1&hl=en_GB&rel=0-

Detection and Removal of 4DW4R3 Rootkit:
-http://www.youtube.com/v/ht4yGvAmz7Q?fs=1&hl=en_GB&rel=0-
Detection and Removal of FUTo Enhanced:
-http://www.youtube.com/v/dacNYoe4CQg?fs=1&hl=en_GB&rel=0-
Detection and Removal of PHIDE
-http://www.youtube.com/v/1qfuZIZ1YUU?fs=1&hl=en_GB&rel=0-
Detection and Removal of DNSChanger
-http://www.youtube.com/v/bzBLL5AwiqE?fs=1&hl=en_GB&rel=0-
Detection and Removal of VOID Rootkit
-http://www.youtube.com/v/cPvjKrL0A9A?fs=1&hl=en_GB&rel=0-

Feedbacks are welcome from everyone :)

NoVirusThanks Team

Meriadoc
November 5th, 2010, 10:12 AM
Yes I have tested your anti-rootkit and I can't believe you're charging for it :)

edit : okay have finished tests and you are not detecting some samples because you cannot detect them yet!

payment/24 hr trial seem distasteful :)

novirusthanks
November 5th, 2010, 10:24 AM
Meriadoc:

-{ Quote: "
Yes I have tested your anti-rootkit and I can't believe your charging for it
" }-

Please, let me know your opinion, tests and comparisons, your previous and actual comments were not very detailed :)

-{ Quote: "
edit : okay have finished tests and you are not detecting some samples because you cannot detected them yet!
" }-

Can you be more specific ? Which samples ? Please give more details :)

Meriadoc
November 5th, 2010, 10:43 AM
I don't like this commercial side for an ark that does not offer anything that free ones have and more. I also find it hard to help you because of the same reason :( but, NVT is missing fundamental requirement, features for detection (so is already outdated now) imo.

edit : NVT missing some old demo rootkits.

novirusthanks
November 5th, 2010, 11:54 AM
-{ Quote: "
NVT is missing fundamental requirement, features for detection (so is already outdated now) imo.
" }-

Please let us know of that, which features for detection are missing? We are open to add new feature requests of course.

From our tests, NVTArk was able to detect all popular rootkits, such as 4DW4R3, TDL2, TDL3, Gootkit, Bubnix, TDSS, Black Energy, Unreal.A, ZeroAccess/MAX++, BadRk Demo, hidden modules, etc. Let me know if you have found samples not detected and we can add detection :)

-{ Quote: "
NVT missing some old demo rootkits.
" }-

Can you provide us these samples or let us know what kind of samples these are ?

Your help is appreciated ;)

CloneRanger
November 5th, 2010, 12:37 PM
Quick first impressions.

I've seen/used worse ARK's so :thumb:

GUI couldn't be resized = :thumbd:

In Drivers clicking on Properties, nothing happened ?

$ = not competitive with what's available for free.

novirusthanks
November 5th, 2010, 12:49 PM
CloneRanger, thank you for the feedback

-{ Quote: "
GUI couldn't be resized
" }-

We'll add that option

-{ Quote: "
In Drivers clicking on Properties, nothing happened ?
" }-

Probably because it's not a full pathname

Meriadoc
November 5th, 2010, 12:54 PM
novirusthanks :) , what interest is there in a paid ark, yes you could make money but not in this incarnation.

edit : ep_x0ff spells it out well at kernelmode.info:thumb: http://www.kernelmode.info/forum/viewtopic.php?f=11&t=436

novirusthanks
November 5th, 2010, 01:32 PM
Meriadoc :) I do not agree with what ep_x0ff wrote. Our ARK is not a "simple paid standalone software" and I do not think that all ARKs must be free. We offer to our users a stable anti-rootkit software, vast detection range, official support for 4 major NT operating systems, free technical support, frequent updates. Also please take in mind this is the very first version 1.0 of the product, we have plenty of features to add. We will extend the trial period to 7 days later today.

Meriadoc
November 6th, 2010, 07:11 AM
Relative, quick scan gives me BSOD sometimes. Good luck on NVT.

Mage
November 6th, 2010, 09:33 AM
Odd. I have been using NoVirusThanks Rootkit since I announced the trial and I have found it very stable even with quick report mode. What stop error are you getting and do you have a mini dump? I have tested many samples that they don't even list and it's detected all but 1 I must say, tested 13 so far and 1 of which is not ITW and RKU and Kernel Detective failed to detect the rootkit presence completely!

If anyone wants screen shots I can upload to fileshare. I have yet to encounter any usermode access violation or system BSOD with this antirootkit. I will be on standby if needed. So far I am definitely impressed

Meriadoc what OS are you running and is it in a virtual machine? I have tested in vm mode and 2 native systems.

Meriadoc
November 6th, 2010, 09:54 AM
Not odd at all, with certain situations and testing techniques I'm pretty sure I've found a few bugs, I've pretty much fuzzed the hell out of it in a short time. Saying that as NVT ark stands atm my stance is pretty clear, as all comments good or bad are promoting, this will be my last public discussion - I will wait to see what NVT ark turns into which may then change my viewpoint.

edit : edited post 27 to include kernelmode.info link

egomoo
November 6th, 2010, 10:22 AM
-{ Quote: "

From our tests, NVTArk was able to detect all popular rootkits, such as 4DW4R3, TDL2, TDL3, Gootkit, Bubnix, TDSS, Black Energy, Unreal.A, ZeroAccess/MAX++, BadRk Demo, hidden modules, etc. Let me know if you have found samples not detected and we can add detection :)

Can you provide us these samples or let us know what kind of samples these are ?

Your help is appreciated ;)" }-

Sample is coming,Black Energy 2.1

NVTArk miss it

egomoo
November 6th, 2010, 10:34 AM
There are lots of anti rootkit tools more powerful and free

below is NoVirusThanks Anti-Rootkit scan report

novirusthanks
November 7th, 2010, 07:05 AM
egomoo, appreciate your test; did you reboot when you first ran the ark and did you also try the "Drivers"->"Hardcore Scan" option? I tried the sample GootKit 2.1 and it is detected correctly, see the attached image:

Kyle1420
November 7th, 2010, 07:18 AM
WTF. I've been uploading malware to:
http://scanner2.novirusthanks.org/
For a long while now, they want me to collect the malware for them (do their work) and pay!?

Here's a pun, Nothanks.




EDIT:: I wonder what other Antivirus companies think of this.... They're using other companies' scanners to do the work.

egomoo
November 7th, 2010, 07:27 AM
-{ Quote: "egomoo, appreciate your test; did you reboot when you first ran the ark and did you also try the "Drivers"->"Hardcore Scan" option? I tried the sample GootKit 2.1 and it is detected correctly, see the attached image:" }-

The sample is from kernelmode.info, the temp.rar, you could download it from there.

There is a file named DATEA0B.tmp.exe in the rar.

I rebooted, and now retested using "Hardcore Scan", but it also failed.

netbook0tr
November 7th, 2010, 02:23 PM
Quick test KAV IS 2010 + MBAM + SpyBot + PEGuard + NvtAntiRootkit = no conflicts = good

VM (rootkit) + RootkitUnHooker + NvtAntiRootkit = good

http://img221.imageshack.us/img221/9329/22rootkit.jpg

24-hour trial is very limited, extend it?

Mage
November 8th, 2010, 10:02 AM
Interesting screen shot and I noticed rootkitunhooker not detecting either 2 stealth driver sample(s)? I take it there is more than 1 in that image??? What sample was this :o I have not tested rootkitunhooker with much lately because it is too unstable especially running on a native system while running in unison with VMWare in the background, it always locks up the native OS when running VMWare in the background upon the anti-rootkit loading. The dialogue always says "Wait few seconds... Initializing" but never actually initializes in this case (with VMWare running separately). I need to file a bug report I guess with the author somehow.

Nonetheless, good job. Look forward to you furthering the anti-rootkit even if it is pay-for :P

novirusthanks
November 11th, 2010, 05:41 AM
We have released a free version (personal use only) of the ark, you can read comparison table and download the setup file from the product page:

http://www.novirusthanks.org/products/novirusthanks-anti-rootkit/

Meriadoc
November 11th, 2010, 05:51 AM
Thanks for letting us know :)

Unfortunately the free version is stunted.
-{ Quote: "Smart Process Termination + Delete File
Analyze Master Boot Record (MBR)
Detect Stealth IRP Hooks" }-
I understand the others but these are omitted from the free version :what:

novirusthanks
November 12th, 2010, 11:09 AM
Meriadoc, we've just released version 1.1.0.0, free version has now enabled "Stealth IRP Hooks" and "Master Boot Record (MBR) Analysis", it misses only "Smart Process Termination + Delete File" and "Reboot Delete File" in Processes right-click menu :)

Meriadoc
November 12th, 2010, 11:18 AM
-{ Quote: "...we've just released version 1.1.0.0, free version...it misses only "Smart Process Termination + Delete File" and "Reboot Delete File" in Processes right-click menu " }-
Why?..some important features missing imo, o' I suppose it keeps NVT discussed,..so tomorrow you will tell me they've been added? :)

Terminate or a Forced Kill, Delete and Wipe should be included, mandatory! :)

NAT ;)

novirusthanks
November 12th, 2010, 12:22 PM
-{ Quote: "
I suppose it keeps NVT discussed,..so tomorrow you will tell me they've been added?
" }-

Meriadoc :) No intention to keep NVT discussed, just wanted to notify about updated version, we have no plans for now to update the free version :) No need for you to reply here if not strictly necessary ;)

Meriadoc
November 12th, 2010, 12:36 PM
I apologize for the loaded question (knowing the answer) but what use is this ark without those missing strictly necessary features.

:blink:

CloneRanger
November 12th, 2010, 12:57 PM
Well from Totally paid, to 1 day trial, to 7 days & then limited Free & now even less limited Free, i say at least they do listen and act quickly to requests etc :thumb:

As they are obviously hoping to be a paid app & try and make a living from it, or partially to some extent anyway, i don't think we can expect them to give the full version away, i mean would you if it were your business !

So :) for what you've offered so far for free, & not forgetting the other things you already provide for free too :thumb:

Someone has to help pay the bills, bandwidth etc isn't free :P

Meriadoc
November 12th, 2010, 01:34 PM
Leaving those out makes the free version pretty ineffective.

Meriadoc
November 12th, 2010, 03:08 PM
-{ Quote: "...i don't think we can expect them to give the full version away, i mean would you if it were your business !" }-
Personally the ark would be free not shareware. For NVT it would be different if the tech was a part of something else but as for a stand-alone tool that offers less or no improvements over existing technical knowledge, yes of course it would be free.

Frankly EP hit the nail on the head in his last post about it ;)

Mage
November 12th, 2010, 03:37 PM
I think EP hit the nail on the head after missing quite a few times ;) User NoVirusThanks is only asking for payment for their commercial version and it pays into user support, frequent updates and things of this nature from what I can see. I don't see anything morally or ethically wrong with charging a small amount for these luxuries, don't you pay for at least one security software? Most people do you know, not everything is always free regardless of free alternatives. They're not all carved out of the same stone. Where is the real user support for existing antirootkits? Where is the frequent updates or program stability, OS compatibility etc?

I think the fact that NoVirusThanks is actually listening to people on this forum and implementing requests in a timely manner is fantastic.

Meriadoc
November 12th, 2010, 05:13 PM
At first there was just a commercial antirootkit program. Now, there is also a stunted free version (http://www.wilderssecurity.com/showpost.php?p=1783333&postcount=46)...
-{ Quote: "...we've just released version 1.1.0.0, free version...it misses only "Smart Process Termination + Delete File" and "Reboot Delete File" in Processes right-click menu " }-
As for EP's posts he's spot on.


-{ Quote: "Mage said : Where is the real user support for existing antirootkits? Where is the frequent updates or program stability, OS compatibility etc?" }-

:blink: ???

You are uninformed :) The antirootkit developers for example that reside at KernelMode.info have always offered free support and kept their tools up to date...and stable.
Whether it was at their own forum, Sysinternals' forum or many other places...and now KernelMode.info.

Mage
November 13th, 2010, 02:20 AM
Meriadoc:

KernelMode.info has only been in existence since early April of this year, some of these antirootkits have been around for many years. That site is also mainly a security information sharing forum. If you read posts there or even on other forums (Google search) the majority of these Free tools are littered with bugs, crashes, blue screens etc. I think you are misinformed to tell me how stable these tools are when their track record says the complete opposite ;)

Have you ever tried running these tools under a malware infested hostile environment? Most of these tools do not even run correctly, report information correctly and some do not even run at all! I have a large archive of nothing but crash reports for these tools but instead of offer product names I will digress as I would not want to single out any particular author or product as this would be unclassy and distasteful.

Quoting the "NoVirusThanks Anti-Rootkit" Help File...

-{ Quote: "Stability is also very important to us, otherwise what is the point of offering such low-level system analysis tools if they crash more than the to-be-detected malware itself?" }-

How can that statement even be challenged? Rhetorical. Product stability, frequent updates, and a rich feature set coupled with "dedicated" user support are worthy selling points for what I would suspect would be the majority of end users ::)

You have made it blatantly obvious that you do not care for pay-for antirootkit software and this would be your sole motive to continue to post in this thread it seems, this is fine and you are entitled to your own opinion of course but if you don't like it do not use it. The author has made provisions and catered to your concerns by creating a very fair Free version of this antirootkit for the public. What else can they possibly do to earn your gratitude for at least listening to you?

Meriadoc
November 13th, 2010, 12:39 PM
-{ Quote: "Meriadoc:

KernelMode.info has only been in existence since early April of this year, some of these antirootkits have been around for many years. That site is also mainly a security information sharing forum. If you read posts there or even on other forums (Google search) the majority of these Free tools are littered with bugs, crashes, blue screens etc. I think you are misinformed to tell me how stable these tools are when their track record says the complete opposite ;)
" }-

:blink:

Your initial statement is total BS again you are misinformed, obviously unaware.

All programs will have bugs. Whether they are serious enough to impact on use or unrelated to the intended job that it was designed to do. Over the years RkU, RootRepeal, KD... releases have been put out stable, I know I've used them as have many malware removal forums.

RkU had its own forum and I've seen EP answer questions in many others. Before KernelMode EP_X0FF resided at a few forums such as Sysinternals for years and helped not just RkU related but development and internals, malware and their tools, kudos to EP_X0FF.

KernelMode.info came about because of the trolling in the Sysinternals malware section. It is a place for discussing on rootkits, debugging, reverse-engineering, malware analysis, and other related topics ;) without fear of flooders and trollers. It was kindly set up by ad_13 dev of antirootkit RootRepeal. EP_X0FF (RkU ark) is a mod as is GamingMasteR (Kernel Detective ark) as are some very experienced people mods, confirmed users and members.

You are very misinformed if you don't think there wasn't any support for those tools before KernelMode.info.

-{ Quote: "Have you ever tried running these tools under a malware infested hostile environment? Most of these tools do not even run correctly, report information correctly and some do not even run at all!" }-

BS. Have I ever used these tools under a malware infested hostile environment?..Mage, I have two jobs, I investigate live malware cases, pen test, reverse engineer software and hardware, and am a part time Lecturer getting students through their computer engineering course; what you're saying above is wrong and FUD as many other experienced users would agree and again the helpers at dedicated malware removal forums that use these very tools.

As for my intentions I only came back to respond that the free version is stunted and ineffective.

I don't want to revert any thread to a toing and froing of words like this as they quickly result in going down hill, so I will revert to not commenting unless something changes with this tool.

Mage
November 13th, 2010, 01:18 PM
You've made far too many wrongful assumptions about my views to correct so I will basically dumb it down for you Mr. Lecturer of Computer Engineering.

[1] All programs will have bugs, 100% agreed. It's the bug criticality that is the difference in my honest opinion. Constant BSODing is unacceptable especially after years in the making one would think and I don't want to hear the technical challenges that an anti-rootkit author faces, this tool is perfectly stable running on the same machine with the same samples.

[2] These tools had some form of forum support with Q/A sessions prior to kernelmode.info website. I never said otherwise but that's not "dedicated" support when the support link for these Free tools changes constantly between sites, most of which ended up being canned (Ask your idol EP about his old narod site, it's been down for years!)

[3] -{ Quote: "As for my intentions I only came back to respond that the free version is stunted and ineffective." }- You must be delirious because only one or 2 small features are stripped from the Process tab in the Free version of NoVirusThanks Anti-Rootkit leaving intact all the other features included in their commercial product. You call that grounds for being "stunted" and "ineffective"?

[4] If you think that other tools are better and that other programmers are more capable then by all means list comparison charts in controlled environments while running new-age rootkit samples. I have already tested over 20 samples since this tool's public inception, can't wait to share my results because it will surely surprise you.

I think I have said enough, all you know how to do is complain without any solid shred of evidence about what you're even talking about. Quit being a troll yourself and a fellow RKU fanboy. Refer to the screen shot that NoVirusThanks posted, RKU failed to detect what appears to be 2 stealth drivers! If you trust your PC to this tool then apparently you are the one who is truly unaware. Nuff said.

Meriadoc
November 13th, 2010, 01:32 PM
I've said it before, there is no best antirootkit only an up to date tool.

I've already said my piece and will not be goaded by comments about my job, RkU fanboys and idols (LoL) into a war of words. You are misinformed and giving out wrong statements, the facts stack up for themselves.

Now before there's any warning I will stand by all that I've said and leave it there.

::)

Mage
November 13th, 2010, 01:41 PM
-{ Quote: "
I've said it before, there is no best antirootkit only an up to date tool.
" }-
Completely agreed.

If the spreading of misinformation is a disease then I have long been vaccinated ;) I as well do not plan to comment any more about this since arguing over the internet is like winning the special olympics {...} Well, I am sure you know the rest of the expression and I don't care to be labeled as such. Happy trails and good luck in your future endeavors.

Tarnak
November 17th, 2010, 10:06 PM
From paid to 24hr trial, to 7 days trial, (limited) free, and no trial for the paid any longer...What the hell?

P.S. I know I know I can get the free version, but that isn't the point...the developer no longer posts here either...I guess just a flash in the pan. ::)

jeremyofmany
November 18th, 2010, 09:10 AM
The dev likely does not post here anymore because this topic turned into a bickering between two users.
I have a little PC Repair job on the side and this tool may help me in removing difficult infections from customer PCs.
Will give this a try.

novirusthanks
November 19th, 2010, 06:20 AM
@Tarnak

Demo licenses have been disabled when we released the free version :)

@jeremyofmany

We should release in the next week the new version 1.2 that will have a lot of new features, I made a small video preview of NVTArk that detects and remove the new Black Energy 1.2+ Rootkit:

Detection and Removal of Black Energy 2.1+ Rootkit
-http://www.youtube.com/v/RiIztE0IqsA?fs=1&hl=en_GB&rel=0-

Detection and Removal of Rustock Rootkit
-http://www.youtube.com/v/f73edHo6_30?fs=1&hl=en_GB&rel=0-

We may open a new thread here for the new version.

jeremyofmany
November 29th, 2010, 11:09 PM
novirusthanks,


I have one major problem with this application: the order in which the confirmation dialog boxes are presented to the end-user.

In this video:
http://www.youtube.com/v/RiIztE0IqsA?fs=1&hl=en_GB&rel=0

@ 1:04
"File Wiped Successfully!"

@ 1:06
"File Successfully Marked for Deletion but Rebooting is Recommended. Reboot Now?"

While many users may not distinguish between a file being marked for deletion and wiped, I certainly do.

These prompts are backwards. The file must be ready for deletion first, then it can be wiped (overwritten using such methods as DoD (3 passes), NSA (7 passes) and my favorite, Gutmann (35 passes)).

Wiping:
Overwriting malware/rootkit files multiple times is unnecessary and overkill. However, if you must insist in doing so, this is what I would do:
Implement the Gutmann 35-pass.
Malware/rootkit filesizes range from a few hundred kilobytes to a few megabytes.
The maximum time it would take to Gutmann-wipe the malware/rootkit would be comparable to the time required to copy a 35-40MB file from one drive to another. Even for a dated PC, this is 5 seconds or less.

Getting back to the issue of the dialog prompts, they are backwards.

1. Unlock/unhook/unload/free up the malware file(s)
2. Reboot only if necessary.
3. Gutmann-wipe the malware/rootkit file(s).

Having said all that - may I have a free commercial license as reward for a constructive and valuable product suggestion? ;D
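As an added illustration of the ordering argued in this post (example code written for this thread, not NVTArk's code and not the poster's), a small Python secure-remove routine that only wipes a file it can actually open for writing, overwrites it pass by pass, then unlinks it, and otherwise only schedules the file for reboot deletion without ever reporting it as wiped. The `_open` parameter, the pattern list (not the real Gutmann table), the chunk size and the sample file are assumptions for this example.

```python
"""Wipe-then-delete in the order the post asks for: free file -> overwrite
passes -> unlink. A locked file is never reported as wiped; it is only
marked for deletion at reboot. Example code for this thread, not NVTArk."""
import ctypes
import os
import sys
import tempfile

# Constructed overwrite patterns; NOT the published 35-pass Gutmann table.
# Passes beyond the fixed patterns use random data. Pass count is a parameter.
FIXED_PATTERNS = [b"\x00", b"\xff", b"\x55", b"\xaa"]
CHUNK = 1024 * 1024  # overwrite in 1 MiB chunks (assumption)


def _pattern_bytes(pass_no: int, length: int) -> bytes:
    """Data for one pass: fixed byte pattern first, random data afterwards."""
    if pass_no < len(FIXED_PATTERNS):
        return FIXED_PATTERNS[pass_no] * length
    return os.urandom(length)


def overwrite_file(fh, size: int, passes: int) -> int:
    """Overwrite `size` bytes of open file `fh` `passes` times.
    Returns total bytes written (passes * size), i.e. the I/O cost the post
    compares to copying a 35-40 MB file for a small malware binary."""
    written = 0
    for p in range(passes):
        fh.seek(0)
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(_pattern_bytes(p, n))
            remaining -= n
            written += n
        fh.flush()
        os.fsync(fh.fileno())  # push each pass to disk, not just the cache
    return written


def schedule_reboot_delete(path: str) -> str:
    """Fallback for a file still held open/locked: mark it for reboot deletion.
    On Windows this is the real MoveFileExW(..., MOVEFILE_DELAY_UNTIL_REBOOT);
    elsewhere it is only simulated here (no side effect)."""
    if sys.platform == "win32":
        MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
        ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
        return "marked_for_reboot_delete" if ok else "failed"
    return "marked_for_reboot_delete (simulated)"


def secure_remove(path: str, passes: int = 3, _open=open) -> dict:
    """Step 1 open for writing (file must be free), step 2 wipe, step 3 unlink.
    `_open` is injectable so a locked file can be simulated (hypothetical)."""
    size = os.path.getsize(path)
    try:
        fh = _open(path, "r+b")
    except (PermissionError, OSError):
        # Locked: cannot be wiped now, so only defer deletion to reboot.
        return {"status": schedule_reboot_delete(path), "bytes_written": 0}
    with fh:
        written = overwrite_file(fh, size, passes)
    os.remove(path)
    return {"status": "wiped_and_deleted", "bytes_written": written}


def demo(passes: int = 5) -> dict:
    """Constructed scenario: wipe a ~2 MiB sample, then a simulated locked file."""
    size = 2 * 1024 * 1024 + 17
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample.bin")
    with open(path, "wb") as f:
        f.write(b"A" * size)
    free = secure_remove(path, passes=passes)
    free["gone"] = not os.path.exists(path)
    with open(path, "wb") as f:
        f.write(b"B" * 100)

    def locked_open(p, mode):  # stand-in for a file held open by a driver
        raise PermissionError("file in use")

    locked = secure_remove(path, passes=passes, _open=locked_open)
    locked["gone"] = not os.path.exists(path)
    os.remove(path)
    os.rmdir(workdir)
    return {"expected_bytes": passes * size, "free": free, "locked": locked}


if __name__ == "__main__":
    print(demo())
```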

jmonge
November 30th, 2010, 08:09 AM
:thumb: ;) :thumb:

netbook0tr
December 4th, 2010, 05:20 AM
Another tests with hidden process = good http://img821.imageshack.us/img821/5037/51292300.gif

Can add 'Maximize' option pls ?

-{ Quote: "3. Gutmann-wipe the malware/rootkit file(s)." }-

A 'secure file delete' would be a good option to have aboard

novirusthanks
January 12th, 2011, 09:56 PM
NoVirusThanks Anti-Rootkit Pro v2.0 has been released:

[Changelog] 12.01.2011

+ View Loaded Modules->Inject a New DLL
+ View Loaded Modules->Force Unload Module
+ View Loaded Modules->Reboot Delete File
+ Processes->Start new Process with DLL
+ Added Additional Right-Click Menus
+ Detection for Black Energy 2.1+ Rootkit
+ Tools->File Delete
+ Tools->Copy File
+ Tools->Copy Folder
+ Tools->File Hasher
+ Tools->Timed Remote Report + Send Log to Email
+ Tools->Send To FTP (send a file to remote FTP)
+ Use Grid Lines for ListViews
+ Optimized Processes Behavioral Analysis
+ Verify File Signature
+ Export data as HTML and CSV
+ Mark in orange possible keylogger activity in Message Hooks
+ Fixed FPs for MBR Scan
+ Global Descriptor Tables (GDT) Hooks
+ Autorun.Inf (Scan all removable devices and the system for autorun.inf)
+ Hosts File (View, edit and reset hosts file)
+ Hidden Modules (Any Hidden Modules in any Process can now be seen here)
+ Hidden Modules->Force Unload Module
+ Hidden Modules->Dump All Module Memory
+ Registry Startups (View common registry startup entries)
+ WinEvent Hooks
+ Start with Windows
+ Minimize to System Tray
+ Maximize GUI
+ Other additions and optimizations
+ Minor changes

More details:
http://www.novirusthanks.org/news/article/novirusthanks-anti-rootkit-pro-v2-0/

Enrgy21
April 6th, 2011, 03:05 PM
Website (Identity hidden)

"Here is a list of engines that can be used:
PcTools Browser Defender, Norton SafeWeb, MyWOT, Threat Log, MalwareDomainList, hpHosts, ZeuS Tracker, Google Diagnostic, PhishTank, Project Honey Pot, ParetoLogic, Spamhaus, URIBL, Malware Patrol, SURBL, SpamCop, Finjan TrendMicro Web Reputation, Web Security Guard, AMaDa, DNS-BH, joewein.de LLC, Spamhaus, DShield.

At end of july 2010 we have integrated a new tool URL & Link Scanner that makes use of the engine of NoVirusThanks Scanner to scan a link, provided by the user, with multiple Antivirus engines to facilitate the detection of possible malicious code such as hidden iframes and evil javascript code. It can be used also to scan remote files such as executables or PDF files. In this service we can use the following engines:
a-squared, Avast, AVG, Avira, BitDefender, ClamAV, Comodo, Dr.Web, F-Prot, Ikarus, Kaspersky, NOD32, Panda, TrendMicro, VBA32, VirusBuster."

All of these engines?

crapbag
April 6th, 2011, 04:40 PM
Had a play with it not long ago. Found it waaay too complex. NotForMeThanks ;D

andyman35
April 10th, 2011, 08:28 AM
There are one or two free alternatives listed here:

http://www.technibble.com/forums/showthread.php?p=163639