System Virginity Verifier

Discussion in 'other anti-trojan software' started by devil's advocate, Oct 11, 2005.

Thread Status:
Not open for further replies.
  1. You must be very lucky, or new to security software :). In any case if you don't believe me, you can also look at the forums of these products or even forums of Wilders, you can see people do have false positives for all these products and more.

    So are they (and I) justified to tell you not to use these products because we have had FPs?

    Actually I think svv might be less dangerous simply because people have no idea how to remove your kernel dll. A false positive by other scanners can be dangerous because they offer to remove the file. Most times it's not too bad if they remove it, 1 in a 100 times it can cause serious damage.

    Of course some guy might panic and format, but the same thing is true of a FP by any scanner. One member here recently did just that because of a CWShredder FP.
     
  2. not a mod

    not a mod Guest

    Oh I wonder if the common home user actually cares about what they do online?

    Buy a new CD and install whatever they want, DONE... they don't try to copy their CD and even if they did, they are allowed to copy it 3 times. Is that so bad?
    True it opens their computer to a REAL HACKER but what does the hacker want from someone that listens to Neil Diamond? That listener most likely doesn't have much money.

    not a mod
     
  3. ghotu

    ghotu Guest

    I ran it and it said
    "the following important modules could not be found: ntoskrnl.exe
    WARNING: important modules not found
    system infection level: 0"

    so is my system clean, or did it not work properly?
     
  4. not a mod

    not a mod Guest

    of course I also prefer the company of other men along with myself so it makes me feel a little silly...
     
  5. masqueofhastur

    masqueofhastur Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    109
    I ran it and it told me that tcpip.sys is infected. I'm assuming applying the EventID 4226 patch would produce this result?
     
  6. StevieO

    StevieO Guest

    System Virginity Verifier v1.4 released

    This has quietly appeared on the website!

    svv-1.4-public

    1.4 [13/12/2005]
    - fixed bug in SVV::findKiServiceTableRVA() which resulted in incorrect SDT-modifications flagging on some systems
    - SVV now check ONLY important module (the ones which we can be sure will not be unloaded!
    seems like this is THE ONLY WAY to fix the race condition problem in kernel agent

    1.2 [19/11/2005]
    - kernel agent: BSOD on terminal services fixed
    - kernel agent: added extra checks before MmProbeAndLockPages()

    1.1a [05/11/2005]
    - "Important modules not found" is now *really* a warn() ;)

    1.1 [01/11/2005]
    - kernel module: MmUnlockPages() wasn't called sometimes
    - fixed off-by-one in call to relocBuffer() (it sometimes caused heap corruption)
    - fixed unloadDriver() to not crash when called when SVV is uninitialized
    - "Important modules not found" is now _warn() instead of _error()
    - also fixed problem with "ntoskrnl.exe not found" displayed on some systems
    - isJMPingCode(): added CALL decoding
    - do not use heuristics for locating original SDT when current SDT inside .text section of ntosktnl
    - report functionality enabled in public version :)

    http://invisiblethings.org/tools.html


    StevieO
     
  7. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,678
    Location:
    Philippines, the Political Dynasty Capital of the
    :D On the other threads... there's also an eCondom to protect IE and now here is another "sexy sounding" program - System Virginity Verifier. :D I just wonder that maybe developers out there are beginning to realize the importance of sexual reproduction things to incorporate it into our PC to make our system safer every time we explore the net. :rolleyes: :D

    But, all of these things that sound really sexy didn't influence me to use their programs coz it's either that the developers of programs/products maybe are out of ideas and the only way they do to attract attention is using words that may stimulate human interests that may involve sexy titles... the weakness of ordinary humans. :cautious: :p
     
  8. RuntimeWare

    RuntimeWare Registered Member

    Joined:
    Nov 9, 2002
    Posts:
    24
    All I know is that I got a level 1 alert: Green

    :D
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,225
    I just ran SVV 2.2, and I get level 1 (GREEN) with NOD32 running but TrojanHunter not, and level 5 (DEEPRED) with both NOD32 and TrojanHunter Guard running. This is expected, and I just don't understand why people are complaining about it. The utility is simply detecting the fact that your security software is hooking the kernel. You can't expect it to detect known security software and ignore it--just shut it down before scanning! SVV is not being touted as a utility that every novice should run, and then reformat afterward.
     
  10. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,225
    By the way, there is a little trick that you can use to create shortcuts to console applications. I do this all the time--it's much easier than hassling around with the command line (as long as you run the same command each time). Just create a shortcut with something like this in the Target box:

    That will make SVV run and do its check, then the console window will stay open until you press a key to close it. I do the same thing with CHKDSK, and all sorts of console applications:

    Code:
    cmd.exe /c chkdsk /f /v D: & echo. & pause & exit
    Code:
    cmd.exe /c echo. & net start "SafeNet IKE Service" & nircmd wait 2000
    That last one uses the freeware NirCMD utility to pause for 2 seconds, before the window closes automatically.

    Windows will automatically expand the path to cmd.exe once you click OK or Apply in the shortcut properties dialog (e.g. it will change cmd.exe to either %windir%\system32\cmd.exe or C:\WINDOWS\system32\cmd.exe, or whatever your path is).

    There is a limit--I think it's 255 characters--to how long the entry in the Target box may be.
     
    Last edited by a moderator: Feb 14, 2006
  11. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
    Hi ,

    Can anybody tell me the reason I get the following warning for important modules not found, and why SVV can't find ntoskrnl.exe when I run it? Strange, but I get a rating of Blue!

    C:\Documents and Settings\name\Desktop\SVV>svv check /a
    Following important modules cannot be found:
    ntoskrnl.exe
    [ntoskrnl.exe may be renamed - its not suspected]
    WARNING: Important modules not found
    WARNING: Veryfing integrity of ALL kernel modules may cause a SYSTEM CRASH!
    Do you want to continue (yes/no)?
    yes

    SYSTEM INFECTION LEVEL: 0
    --> 0 - BLUE
    1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
    5 - DEEPRED
    Nothing suspected was detected.
     
  12. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    927
    Location:
    UK
    get the following

    E:\winapps\svv>svv check
    ntoskrnl.exe (804d7000 - 806eb400)... innocent hooking (verdict = 2).
    NDIS.SYS (f765c000 - f7689000)... innocent hooking (verdict = 2).
    kernel32.dll (7c800000 - 7c8f4000)... suspected! (verdict = 5).
    WS2_32.dll (71ab0000 - 71ac7000)... suspected! (verdict = 5).
    USER32.dll (77d40000 - 77dd0000)... suspected! (verdict = 5).

    SYSTEM INFECTION LEVEL: 5
    0 - BLUE
    1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
    --> 5 - DEEPRED
    SUSPECTED modifications detected. System is probably infected!

    ntoskrnl was 5 but I ran fix, which took it down to 2. But it reverts to 5 after reboot because I haven't found the cause. The other three 5's, which fix didn't change, are kerio4, probably the HIPS system.

    If I add /m to show the details it scrolls off because there is too much data, and if I make a report I can't find a tool to open it; the file extension is unknown.

    I came across the program as I am investigating my suspected trojan/rootkit. I have since learned that spybot/nod32/kerio isn't enough and I need something also to block hook interception, which I will be doing after format.
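
An added example, not part of any post in this thread and not SVV's own code: a small Python parser for the `svv check` console lines quoted above. It lists the modules whose verdict matches the reported level and flags runs that printed the "Important modules not found" warning. The line format is taken only from the output posted here; the kernel/user split assumes 32-bit Windows with the default 2 GB address split, and `summarize` and its field names are hypothetical.

```python
import re

# Level names as printed in the SVV legend quoted in this thread.
LEVELS = ["BLUE", "GREEN", "YELLOW", "ORANGE", "RED", "DEEPRED"]
MODULE_RE = re.compile(
    r"^\s*(\S+) \(([0-9a-f]+) - ([0-9a-f]+)\)\.\.\. (.+?) \(verdict = (\d)\)",
    re.I | re.M)
LEVEL_RE = re.compile(r"SYSTEM INFECTION LEVEL:\s*(\d)")
MISSING_RE = re.compile(r"important modules (?:could not|cannot|not)(?: be)? found", re.I)

# Constructed sample: the console lines posted in the thread, re-typed.
SAMPLE = """\
ntoskrnl.exe (804d7000 - 806eb400)... innocent hooking (verdict = 2).
NDIS.SYS (f765c000 - f7689000)... innocent hooking (verdict = 2).
kernel32.dll (7c800000 - 7c8f4000)... suspected! (verdict = 5).
WS2_32.dll (71ab0000 - 71ac7000)... suspected! (verdict = 5).
USER32.dll (77d40000 - 77dd0000)... suspected! (verdict = 5).

SYSTEM INFECTION LEVEL: 5
"""


def summarize(text):
    """Parse `svv check` console text into a dict summary."""
    modules = []
    for name, start, _end, note, verdict in MODULE_RE.findall(text):
        modules.append({
            "name": name,
            "verdict": int(verdict),
            "note": note,
            # Assumption: 32-bit Windows with the default 2 GB split.
            "space": "kernel" if int(start, 16) >= 0x80000000 else "user",
        })
    m = LEVEL_RE.search(text)
    level = int(m.group(1)) if m else None
    return {
        "level": level,
        "level_name": LEVELS[level] if level is not None and level < len(LEVELS) else None,
        "modules": modules,
        # Modules whose own verdict equals the reported overall level.
        "matching": [x["name"] for x in modules if x["verdict"] == level],
        # The warning seen in posts 3 and 11: some modules were not located.
        "incomplete": bool(MISSING_RE.search(text)),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["level"], s["level_name"], s["matching"], s["incomplete"])
```

Redirecting the console output to a file (`svv check > out.txt`) and passing its contents to `summarize` avoids the scrolling problem described in the last post.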
     