Discussion in 'other anti-trojan software' started by devil's advocate, Oct 11, 2005.
How clean are you?
Correct me if I am wrong but this is for NTFS only
Interesting Power Point display tho.
Why aren't you using NTFS?
Uh oh....have I failed Security 101. I have never had the desire to install 2K as NTFS....personal choice DA
I only use ZA Free 2.6.362 and a very tight IE....do I fail in that area also
Ok....enough of my setup....it'll even bore a dead man. I simply noticed it appeared SVV needed NTFS and I'll assume you confirmed that for me
Hang tight, there's going to be a FAT version out soon.
Please forgive me but I have to ask: Will this work if your system is no longer a virgin. I am sorry but the "devil" made me ask.
Please all. Take this as light hearted fun.
Peter you played with this yet?
No I haven't. I just about have my plate full with the apps I am working with, and am content with them. It is going to have to be very special for me to take a look.
Interesting title for a program, so it really checks for the Windows hymen and then puts a chastity belt around it. I thought Windows system files were already protected by Windows' own system file checker.
Windows File Protection will not prevent a rootkit install, nor will it help you detect one. The PowerPoint presentation, at the link above, outlines what SVV 1.0 does, and what is planned for future versions.
Thanks for the explanation Nick, will try it out, have Samurai doing the rootkit protection so will be interesting how this one fares up.
Keep in mind that it's a detection tool, and not a prevention tool.
From a machine (XP SP1) I was cleaning today...
System Virginity Verifier 1.0 (public), September 2005
written by Joanna Rutkowska
svv <command> [options] [/l <altKernelModuleName>]
command is one of the following:
check - check system virginity
fix - try to fix suspected modifications (disinfection)
following options are supported:
/a verify ALL modules (may cause false positives)
/m show details about modifications
/c show also clean modules
/d leave driver after finished
/t <n> fix to target verdict level = n (valid for fix command)
C:\svv>svv check /a
Null.SYS (f8b70000 - f8b71000)... error code = 0x490
mnmdd.SYS (f8a66000 - f8a68000)... error code = 0x490
RDPCDD.sys (f8a68000 - f8a6a000)... error code = 0x490
dump_atapi.sys (f2d6b000 - f2d81000)... Image file not found!
dump_WMILIB.SYS (f8a7a000 - f8a7c000)... Image file not found!
mc211.tmp (f8c5a000 - f8c5b000)... Image file not found!
kernel32.dll (77e60000 - 77f45000)... suspected! (verdict = 5).
USER32.dll (77d40000 - 77dcd000)... suspected! (verdict = 5).
klg.dat (5a000000 - 5a018000)... error code = 0x490
swpg.dat (003a0000 - 003b8000)... error code = 0x490
SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!
Whatever is there keeps disabling McAfee services and Spyware Doctor at startup. Various AV and spyware scans (normal and safe mode) show the system to be clean, but the system is obviously not clean. At this point, I plan on reformatting.
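To triage output like the run above in bulk, here is an added example (not part of the thread and not code from SVV or its author) that parses the status lines SVV 1.0 prints, separates "suspected" modules from ones the tool could not verify, and cross-checks the overall level. It assumes the reported SYSTEM INFECTION LEVEL equals the highest per-module verdict; the sample text is constructed from the lines shown in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample built from the status lines shown in the thread (not a live capture).
SAMPLE_OUTPUT = """\
Null.SYS (f8b70000 - f8b71000)... error code = 0x490
dump_atapi.sys (f2d6b000 - f2d81000)... Image file not found!
kernel32.dll (77e60000 - 77f45000)... suspected! (verdict = 5).
USER32.dll (77d40000 - 77dcd000)... suspected! (verdict = 5).
klg.dat (5a000000 - 5a018000)... error code = 0x490
SYSTEM INFECTION LEVEL: 5
"""

LEVELS = ["BLUE", "GREEN", "YELLOW", "ORANGE", "RED", "DEEPRED"]  # 0..5 as svv prints them
MODULE_RE = re.compile(r"^(?P<name>\S+) \((?P<lo>[0-9a-f]+) - (?P<hi>[0-9a-f]+)\)\.\.\. (?P<rest>.+)$")
LEVEL_RE = re.compile(r"^SYSTEM INFECTION LEVEL: (\d+)$")

@dataclass
class Module:
    name: str
    base: int
    size: int
    status: str             # "suspected", "error", "missing" or "other"
    verdict: Optional[int]  # only set for suspected modules

def classify(rest: str) -> Tuple[str, Optional[int]]:
    m = re.search(r"verdict = (\d+)", rest)
    if rest.startswith("suspected!") and m:
        return "suspected", int(m.group(1))
    if rest.startswith("error code"):        # 0x490 is Win32 ERROR_NOT_FOUND (1168)
        return "error", None
    if rest.startswith("Image file not found"):  # module in memory, no image on disk to compare
        return "missing", None
    return "other", None

def parse_svv(text: str) -> Tuple[List[Module], Optional[int]]:
    modules, reported = [], None
    for line in text.splitlines():
        lm = LEVEL_RE.match(line.strip())
        if lm:
            reported = int(lm.group(1))
            continue
        mm = MODULE_RE.match(line.strip())
        if not mm:
            continue
        lo, hi = int(mm.group("lo"), 16), int(mm.group("hi"), 16)
        status, verdict = classify(mm.group("rest"))
        modules.append(Module(mm.group("name"), lo, hi - lo, status, verdict))
    return modules, reported

def triage(text: str) -> dict:
    modules, reported = parse_svv(text)
    level = max((m.verdict for m in modules if m.status == "suspected"), default=0)
    return {"level": level, "color": LEVELS[min(level, 5)],
            "matches_reported": reported == level,  # assumption: level == max verdict
            "suspected": [m.name for m in modules if m.status == "suspected"],
            "unverified": [m.name for m in modules if m.status in ("error", "missing")]}
```

The "unverified" list is the part worth a second look on a cleanup job: those modules were never compared, so a clean verdict elsewhere says nothing about them.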
Thanks again Nick, don't have any resident spyware apps or McAfee, only Avast but I do have Samurai running in rootkit block mode.
It's not really special. Just a quick check. 5 minutes at best.
Like IceSword I guess. But like IceSword there is a cleaning component.
Very wise. Since you are planning on formatting, you might as well let svv fix it and see what happens.
You answered your own question. "It's not really special" best describes why I am not interested.
Deviladvocate has tried SVV and so have I. I don't see many posting on it as I figured would happen.
I can tell you that IceSword would show the hidden crap, especially if there is a driver involved.
I could not get any switches to work on my Shared computer toolkit with SVV.
Since you have a nice infected drive and are reformatting, you might be surprised at what it does find.
As of present I am guessing the only support you will get for either program will be on a site like this. Not sure what the intentions of either programmer are or if they will come here and post as a registered guest.
You've either mixed me up with someone else or missed my humor. I didn't say I had an infected computer, I said it wasn't a virgin, and that for sure is true. I would define it being a virgin as it came from the factory. Any resemblance between then and now is purely coincidental. I am using Outpost 2.7, Regdefend, ProcessGuard, Online Armor, Safe'n'Sec, and the latest build of KAV 2006 beta. Something new would have to be very special, before I would spend any more time on stuff.
On a final note, thanks for taking the time and posting as you thought I did have a problem. I do appreciate that.
It doesn't have bells and whistles to play with, that's why it's not special.
Peter has a nice infected drive? How did that happen?
Hey Pete, the special thing about this virginity verifier is that it doesn't blindly check against factory settings. It can tell which types of changes are harmless, because these are ones that have been made by drivers that don't hide.
For example, I verified that of your list above 4 of them don't have any changes that virginity verifier considers dangerous. The rest I don't use so I can't say but I bet it's ignored too.
So it's a pretty clever tool.
Interestingly, IceSword shows nothing hidden.
That was my plan after imaging the drive as it is. It's an older Dell Latitude laptop that someone would like me to magically undo several years of neglect. It will be interesting to see what the image contains.
I was referring to Nick's machine he was working on.
You said IceSword shows nothing?
Did you look at the SSDTS?
That is where the drivers are shown.
So I guess it's safe to say that SVV is really not quite ready for prime time? I mean, only experts who really know their stuff should be using it....right?
There is probably no harm using it just for checking. I would refrain from using it to fix any thing though....
Just for grins I downloaded it. Gave it a quickie look, and it wasn't obvious how to even run it. DOS window maybe??