Vba32 AntiRootkit 3.12.* beta

Discussion in 'other anti-malware software' started by sergey ulasen, Sep 14, 2009.

Thread Status:
Not open for further replies.
  1. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Re: Vba32 AntiRootkit 3.12.3 beta

    Thanks. I'll be looking forward to the next version!
     
  2. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    Re: Vba32 AntiRootkit 3.12.3 beta

    Nicely done VBA.
    Have been a long time multi-license user, but curiously I notice that flagged as unsigned are VBA's:
    System32\Drivers\Vba32dNT.sys
    vba32ads.exe
    Vba32\Vba32ADS.exe
     
  3. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.3 beta

    When these modules are updated they will be signed.
     
  4. Aeolis

    Aeolis Registered Member

    Joined:
    Apr 10, 2010
    Posts:
    60
    Re: Vba32 AntiRootkit 3.12.3 beta

    Hello folks,

    I have a similar problem as Tarnak. I am using Vba32 AntiRootkit 3.12.5.1 and when I use the "Process List" option, even with the option "Include Zombie Processes" unchecked, it locks up and I have to reboot my system.
    All the other options work OK, but "Process list" hangs the system. I have made a scan log with the option "Process list" disabled. I will send it to the same e-mail you told Tarnak to send his logs. I hope it will help solve the problem. (Already sent it)

    See you later,

    Aeolis
     
  5. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.3 beta

    Hello Aeolis!

    We haven't received your e-mail.
    Could you please send the scan log to beta@anti-virus.by again.

    Thanks!
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: Vba32 AntiRootkit 3.12.3 beta

    Very nice tool Sergey.
     
  7. Aeolis

    Aeolis Registered Member

    Joined:
    Apr 10, 2010
    Posts:
    60
    Re: Vba32 AntiRootkit 3.12.3 beta

    Hello folks,

    Dear Sergey I have sent the e-mail again. I hope it helps. Please, let me know if you received it.

    See you later,

    Aeolis
     
  8. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.3 beta

    Thanks :)

    :'( I haven't received your e-mail again...

    Try to send the scan log to support@anti-virus.by and support-en@anti-virus.by

    Thanks!
     
  9. Aeolis

    Aeolis Registered Member

    Joined:
    Apr 10, 2010
    Posts:
    60
    Re: Vba32 AntiRootkit 3.12.3 beta

    Hello folks,

    Dear Sergey, I have sent it again, again :) to both e-mails you have given me. If you still don't receive it I could attach the log file to this thread (I don't know if this Forum's rules allow me to attach the log file, that's why I haven't posted it here yet).

    See you later,

    Aeolis
     
  10. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Vba32 AntiRootkit 3.12.5 beta

    Thanks Aeolis :thumb:

    I received your e-mail.
     
  11. Aeolis

    Aeolis Registered Member

    Joined:
    Apr 10, 2010
    Posts:
    60
    Re: Vba32 AntiRootkit 3.12.3 beta

    Dear Sergey,

    I have answered your e-mail with the requested files. Please let me know if you received my answer and if you need more information.

    See you later,

    Aeolis
     
  12. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Vba32 AntiRootkit 3.12.5 beta

    I received your answer. Thanks.

    I will contact you tomorrow by e-mail or PM.
     
  13. Aeolis

    Aeolis Registered Member

    Joined:
    Apr 10, 2010
    Posts:
    60
    Re: Vba32 AntiRootkit 3.12.3 beta

    Hello folks,

    Dear Sergey any news regarding the issue I have reported? Best of luck to you.

    See you later,

    Aeolis
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Re: Vba32 AntiRootkit 3.12.3 beta

    Will there be full 64-bit support in the future?
     
  15. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.3 beta

    Hello!

    I wrote your issue in the bugtracker. When we test the next version (3.12.5.2) we will try to reproduce your problem.

    The nearest plans include only 32-bit support.

    Thanks and have a nice day!
     
  16. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    286
    Location:
    Philippines
    Re: Vba32 AntiRootkit 3.12.3 beta

    Hi sergey, I may have missed it, but when will the next stable version be arriving?
     
  17. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.3 beta

    hi kerykeion

    We are planning to release Vba32 Antirootkit 3.12.6 stable at the end of this year.
     
  18. TangoVirtud

    TangoVirtud Registered Member

    Joined:
    Jul 16, 2010
    Posts:
    1
    Location:
    Cremona, Italy
    Re: Vba32 AntiRootkit 3.12.3 beta

    Hello!!!
    I'm not an expert, but I'm happy I came across vba32, as I'm hunting a strange virus that sets itself into a temp folder, and is called RtkBtMnt.exe. I suppose it's a rootkit for I've deleted it ten thousand times with very nice and interesting tools, but it comes back again. Now, I've tried to run the antirootkit program and it gives me a blue screen and resets. The thing is it doesn't give me any time to see what happens, in a second it is resetting the machine.
    I have installed the antivirus now, trial version, so as to see if it finds it, but so far it seems it doesn't. Should this software help me?? Thank you!!!
     
    Last edited: Jul 16, 2010
  19. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    286
    Location:
    Philippines
    Re: Vba32 AntiRootkit 3.12.3 beta

    Cheers! Thanks! :thumb:
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: Vba32 AntiRootkit 3.12.3 beta

    I think that it gave you a blue screen because it (RtkBtMnt.exe) may be a part of Realtek HD Audio ;) from an Acer PC :) maybe that is your case
     
  21. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Vba32 AntiRootkit 3.12.5.2 beta

    Hi folks!

    I'm glad to offer you a new version of Vba32 AntiRootkit 3.12.5.2 beta. Current build is 168.

    Download link: http://anti-virus.by/en/beta.shtml

    + Process List window replaced with Process Manager. Significantly increased informative content

    + Listing anomalies for each process

    + Operations on processes ( Terminate, Terminate and Delete, Suspend / Resume, Dump )

    + Listing modules, including hidden

    + Operations on modules ( Unmap, Dump )

    + Listing threads, including hidden and anomaly

    + Operations on threads, including system threads ( Terminate, Suspend / Resume )

    + Listing handles


    We've added the possibility of full-fledged work with the process list:

    - process termination;
    - process suspend and resume;
    - process dump.

    The process list can be displayed in treelike and list-oriented formats. There you can get a great deal of helpful information: PID, EPROCESS address, PEB address, etc. All headers in the table are optional and you can choose only the necessary settings.

    Vba32 AntiRootkit detects hidden and anomaly processes too.

    manage_process.PNG

    Thread list:

    - thread termination;
    - thread suspend and resume.

    All headers in the list are optional.

    Hidden and anomaly threads are detected.

    threads.PNG

    Module list:

    - unmap in process;
    - module dump.

    Hidden and anomaly modules are detected.

    modules.PNG

    Process Manager provides information about handles and interpretation of detected anomalies.

    + Listing unloaded kernel modules

    These modules have Unloaded modules state.

    + Detection and restoration of hooks in IAT ( for kernel modules )

    Frequently used method of hijacking.

    + View/delete for Lego, SeFileSystem, LastChanceShutdown, Shutdown, BugCheckReason, FsRegistrationChange notificators

    It can be helpful.

    + Network Tool window ( parsing of host and lmhost files, persistent routes, LSP providers )

    + Dedicated antirootkit desktop

    Very useful feature in the light of desktop blockers.

    Attention: the feature is used with Vba32 Defender, which blocks process and driver loading.

    defender_dedicated.png

    + Full safe-mode support

    + Detection of revoked certificates

    The appearance of Stuxnet has shown us that we can't unconditionally trust digital signatures. But it works only on updated Windows or with an Internet connection.

    kernel_modules.PNG

    + Increased the number of checked autorun items ( Print Provider, Control Panel objects, Known DLLs, URLSearch IE, Toolbar IE, IE Extensions, etc. )

    + Support of Windows 7 SP1

    It's a crucial issue.

    * Search of hidden drivers was improved, added detection of numerous anomalies

    * Increased low-level scanning speed

    We have increased low-level speed by about two times.

    * Fixed BSOD on highly fragmented NTFS volumes

    It's an old problem. In this forum some people had BSODs because of the bug.

    * "Don't display items digitally signed" option replaced with "Don't display trusted items"

    * HTML-report was improved

    * Internal caching of scanning files was improved

    It has increased speed too.

    * Help in Russian was improved


    Known problems:

    - Process Manager sometimes hangs. Don't be scared :) It doesn't happen often. We are solving the problem;

    - launching the antirootkit from the dedicated desktop can lead to a system deadlock on computers with some NVIDIA video cards. It doesn't happen often either;

    - audio is sometimes lost. It's connected with Vba32 Defender mode. We are going to solve this problem in the future.


    You can send your suggestions, wishes, dumps and other helpful information to arkit@anti-virus.by.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Re: Vba32 AntiRootkit 3.12.3 beta

    Does this work on 64 bit?
     
  23. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Vba32 AntiRootkit 3.12.5.2 beta

    No, it doesn't. Only 32 bit.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Re: Vba32 AntiRootkit 3.12.5.2 beta

    Ok, thanks. Is a 64 bit version planned? I know 64 bit rootkits are still minimal, but it's better to have a cure ready because they'll be coming in bigger numbers soon, especially since the 64 bit windows' market share is getting quite big. The latest security survey from AV-comparatives showed 30.1% using Win7 x64 as primary OS and 26.4% W7 x86.
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Re: Vba32 AntiRootkit 3.12.3 beta

    I started the install, and got the following message,


    "Would you like to run Vba 32 AntiRootKit on the dedicated desktop with advanced security features on (recommended option) ?", to which I answered - YES.


    My screen darkened and the words "Vba32 Dedicated Desktop", appeared in the 4 corners of my monitor.

    The GUI, then appeared and started to run.

    However, this mode locks me out of my computer. I could not activate my screenshot capture program or anything else.

    A few minutes of Vba 32 running, and I got the BSOD(IRQL_NOT_LESS_OR_EQUAL). After the reboot, the monitoring utility(Tiny Watcher) shows the changes.
     
