System Virginity Verifier

You must be very lucky, or new to security software . In any case if you don't believe me, you can also look at the forums of these products or even forums of Wilders, you can see people do have false positives for all these products and more.

So are they (and I) justified to tell you not to use these products because we have had FPs?

Actually I think svv might be less dangerous simply because people have no idea how to remove your kernel dll. A false positive by other scanners can be dangerous because they offer to remove the file. Most times it's not too bad if they remove it, 1 in a 100 times it can cause serious damage.

Of course some guy might panic and format, but the same thing is true of a FP by any scanner. One member here, recently did just that because of a CWShredder FP.

 

Oh I wonder if the common home user actualy cares about what they do online?

Buy new Cd and install whatecer they want , DONE... they don't try copy they CD and even if they did , they are allowed to copy it 3 times. Is that so bad?
True it opens their computer to a REAL HACKER but what doe the hacker want from someone that listens to Neil Diamond? That listener most likely doesn't have much money.

not a mod

 

i ran it and it said
"the following important modules could not be found: ntoskrnl.exe
WARNING: important modules not found
system infection level: 0"

so is my system clean, or did it not work properly?

 

of course I also prefer the company of other men along with myself so it makes me feel a little silly...

 

I ran it and it told me that tcpip.sys is infected, I'm assuming applying the EventID 4226 patch would produce this result?

 

System Virginity Verifier v1.4 released

This has quietly appeared on the website !

svv-1.4-public

1.4 [13/12/2005]
- fixed bug in SVV::findKiServiceTableRVA() which resulted in incorrect SDT-modifications flagging on some systems
- SVV now check ONLY important module (the ones which we can be sure will not be unloaded!
seems like this is THE ONLY WAY to fix the race condition problem in kernel agent

1.2 [19/11/2005]
- kernel agent: BSOD on terminal services fixed
- kernel agent: added extra checks before MmProbeAndLockPages()

1.1a [05/11/2005]
- "Important modules not found" is now *really* a warn()

1.1 [01/11/2005]
- kernel module: MmUnlockPages() wasn't called sometimes
- fixed off-by-one in call to relocBuffer() (it sometimes caused heap corrpution)
- fixed unloadDriver() to not crash when called when SVV is unitialized
- "Important modules not found" is now _warn() instead of _error()
- also fixed problem with "ntoskrnl.exe not found" displayed on some systems
- isJMPingCode(): added CALL decoding
- do not use heuristics for locating original SDT when current SDT inside .text section of ntosktnl
- report functionality enabled in public version

http://invisiblethings.org/tools.html


StevieO

 

On the other threads... there's also an eCondom to protect IE and now here is another "sexy sounding" program- System Virginity Verifier. I just wonder that maybe developers out there are beginning to realize the importance of sexual reproduction things to incorporate it into our pc to make our system more safer everytime we explore the net.

But, all of these things that sounds really sexy didn't influence me to use their programs coz its either that the developers of programs/products maybe are out of ideas and the only way they do to attract attentions is using words that may stimulate human interests that may involve sexy titles... the weakness of ordinary humans.

 

all i know is that i got a level 1 alert: Green

 

I just ran SVV 2.2, and I get level 1 (GREEN) with NOD32 running but TrojanHunter not, and level 5 (DEEPRED) with both NOD32 and TrojanHunter Guard running. This is expected, and I just don't understand why people are complaining about it. The utility is simply detecting the fact that your security software is hooking the kernel. You can't expect it to detect known security software and ignore it--just shut it down before scanning! SVV is not being touted as a utility that every novice should run, and then reformat afterward.

 

By the way, there is a little trick that you can use to create shortcuts to console applications. I do this all the time--it's much easier than hassling around with the command line (as long as you run the same command each time). Just create a shortcut with something like this in the Target box:

That will make SVV run and do its check, then the console window will stay open until you press a key to close it. I do the same thing with CHKDSK, and all sorts of console applications:

Code:

cmd.exe /c chkdsk /f /v D: & echo. & pause & exit

Code:

cmd.exe /c echo. & net start "SafeNet IKE Service" & nircmd wait 2000

That last one uses the freeware NirCMD utility to pause for 2 seconds, before the window closes automatically.

Windows will automatically expand the path to cmd.exe once you click OK or Apply in the shortcut properties dialog (e.g. it will change cmd.exe to either %windir%\system32\cmd.exe or C:\WINDOWS\system32\cmd.exe, or whatever your path is).

There is a limit--I think it's 255 characters--to how long the entry in the Target box may be.

 

Hi ,

Can anybody tell me the reason I get the following warning for important modules not found, and why SVV cant find ntosknrl.exe when I run it? Strange, but i get a rating of Blue!

C:\Documents and Settings\name\Desktop\SVV>svv check /a
Following important modules cannot be found:
ntoskrnl.exe
[ntoskrnl.exe may be renamed - its not suspected]
WARNING: Important modules not found
WARNING: Veryfing integrity of ALL kernel modules may cause a SYSTEM CRASH!
Do you want to continue (yes/no)?
yes

SYSTEM INFECTION LEVEL: 0
--> 0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.

 

get the following

E:\winapps\svv>svv check
ntoskrnl.exe (804d7000 - 806eb400)... innocent hooking (verdict = 2).
NDIS.SYS (f765c000 - f7689000)... innocent hooking (verdict = 2).
kernel32.dll (7c800000 - 7c8f4000)... suspected! (verdict = 5).
WS2_32.dll (71ab0000 - 71ac7000)... suspected! (verdict = 5).
USER32.dll (77d40000 - 77dd0000)... suspected! (verdict = 5).

SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

ntoskrnl was 5 but I ran fix which took it down to 2. But reverts to 5 after reboot because I havent found the cause. The other 3 5's which fix didnt change are kerio4 probably the HIPS system.

If I add /m to show the details it scrolls off because too much data and if I make a report I cant find a tool to open it the file extension is unknown.

I came across the program as I am investigating my suspected trojan/rootkit I have since learned that spybot/nod32/kerio isnt enough and I need something also to block hook interception which I will be doing after format.