SpannerITWks
Premium Member
join:2005-04-22

2 recommendations

AVZGuard Free Malware detection/removal App

AVZGuard

Here's something i discovered recently, even though it's been around for a while, and i've been evaluating. It comes from Russia, and is one of the most comprehensive Apps i've seen. It includes a large array of very useful tools/options etc.

Uses a number of solutions to help determine if any potential Malware exists, such as Black/White listing, Malware database, Heuristics etc.


It correctly identified these potential Malware files/locations etc

-

Contains networking functionality

most likely uses dialing

Application has no visible windows

Registered in autorun

can work with the network

PE file with nonstandard extension

Invalid file - not a PKZip file

suspicion for Keylogger/Trojan DLL/Virus/Rootkit etc ( Malware names )

Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors have been detected

Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
Suspicion for a Keylogger or Trojan DLL
Behavioral analysis: Typical for keyloggers behaviour is not registered

Searching for opened TCP/UDP ports used by malicious programs ( no suspicious objects detected )

-

It also Very successfully found 2 new Gromozon nasties which were not yet in its database, and most AV's etc did not yet detect !

c:\WINDOWS\Desktop\G + Z\www.kphr.com - PE file with modified extension, allowing for startup (typical for viruses)(level of danger 35%)
c:\WINDOWS\Desktop\G + Z\www.pictures.com - PE file with modified extension, allowing for startup (typical for viruses)

So far i'm Very impressed with its capabilities. I didn't have Any crashes/lock ups etc with it at all, and i also like the fact that it's a Non install type of App, which runs directly out of your folder of choice ! I was able to update the database several times in the short time i've had it.

The following is just a small selection of info from the www and the Help files.

-

AVZGuard

The antiviral utility AVZ is intended for the detection and removal of:

SpyWare and AdWare modules - this is the basic purpose of the utility
Dialer (Trojan.Dialer)
Trojan programs
BackDoor modules
Net and mail worms
TrojanSpy, TrojanDownloader, TrojanDropper

The special features of the AVZ utility (besides the standard signature scanner) are:

-

Built-in rootkit detection system. The rootkit search works without signatures, by examining the base system libraries for interception (hooking) of their functions. AVZ can not only detect a rootkit but also correctly block the operation of a user-mode rootkit for its own process and of a kernel-mode rootkit at system level. Rootkit counteraction applies to all AVZ service functions; as a result the AVZ scanner can detect masked processes, the registry search "sees" masked keys, and so on. The antirootkit is supplied with an analyzer that detects processes and services hidden by a rootkit. One of the main special features of the rootkit counteraction system, in my view, is that it works on Win9X (the widespread opinion that there are no rootkits that work on the Win9X platform is deeply mistaken: hundreds of Trojan programs are known that intercept API functions to mask their presence, to distort the operation of API functions, or to track their use). Another special feature is the universal system for detecting and blocking kernel-mode rootkits, operational under Windows NT, Windows 2000 Pro/Server, XP, XP SP1, XP SP2, Windows 2003 Server, Windows 2003 Server SP1

etc -

-

The "Rootkit" options group

The Rootkit group of options contains the settings of the rootkit detection and neutralization system. The Detect rootkit checkbox enables the rootkit detector, which tries to detect the presence of a rootkit in the system by typical symptoms. It is necessary to mention that in this case false positives are possible, because various system utilities, firewalls, and antivirus monitors can also be detected as rootkits. This is a normal situation, because such programs influence the operation of other applications and modify the operation of standard API functions.

The Block user-mode rootkits and Block kernel-mode rootkits options are available only if the Detect rootkits option is enabled. They enable the system of active rootkit counteraction. It is necessary to mention that enabling the rootkit counteraction system might cause undesirable consequences, so it is necessary to be prepared for the situation where AVZ or the entire system freezes. Therefore, before activating the rootkit counteraction system it is recommended to close all programs, disconnect from the network, and then exit the antivirus monitor and firewall.

When the rootkit blocking options are enabled, the heuristic search for files and rootkits is activated. The general principle of this system is a comparison of the system state before and after hook neutralization, which allows hidden processes, services, and drivers to be detected quickly.

The AVZGuard system and kernel-mode antirootkit are mutually exclusive options. When AVZGuard is activated, neutralization of kernel-mode rootkits is disabled automatically.

Note:

A system check with rootkit neutralization requires a system reboot !! This is because hook neutralization might disturb the operation of antivirus monitors, firewalls and other programs that are responsible for system security. Rebooting is required only if the intercepted functions were restored. In this case, AVZ adds a warning recommending a reboot of the system to the end of the log.

-

Works on Win 98/XP/2000/3

Free from - »z-oleg.com/secur/avz/avz ··· uard.php

Spanner

SpannerITWks
Premium Member

Here's a very good example of it finding a very sneaky Rootkit lzx32.sys = PE386, and other Malware.

Extract from the log

-

C:\Documents and Settings\Ninja\My Documents\161b7d0c634ff152ba21448dbde483682a9\Registry_Fix_v5_5_KeyGen_by_[TLG]Mysterio.exe - Suspicion for Virus.Win32.PE_Type1(level of danger 75%)
C:\Program Files\RegistryFix\Registry_Fix_v5_5_KeyGen_by_[TLG]Mysterio.exe - Suspicion for Virus.Win32.PE_Type1(level of danger 75%)
C:\Tech Tools\backups\backup-20060328-150241-856.inf >>>>> Spy.MyWebSearch successfully deleted
C:\WINDOWS\system32:lzx32.sys:$DATA >>> Danger - executable file in the NTFS stream - executable file masing is possible

http://www.castlecops.com/postlite169399-.html

Spanner
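As an added illustration (not AVZ's own code; the two extension sets are my assumption of where the heuristic draws its lines), the following Python reconstructs the three file-level verdicts seen in the log extracts above: a PE image under an extension that is not a standard executable one, under a non-standard extension that Windows will still launch, and inside an NTFS alternate data stream such as system32:lzx32.sys:$DATA.

```python
import struct

# Constructed rule sets (my assumption of where the heuristic draws its lines, not
# AVZ's tables): extensions a PE image normally carries, and non-standard ones that
# Windows will nevertheless launch when double-clicked or placed in autorun.
STANDARD_PE_EXT = {".exe", ".dll", ".sys", ".ocx", ".drv", ".cpl", ".scr"}
STARTUP_CAPABLE_EXT = {".com", ".pif"}

def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points inside the buffer at a valid 'PE\\0\\0' NT signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):        # truncated file or bogus offset
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def split_ads(path: str):
    """Split 'C:\\dir\\file:stream:$DATA' into (file path, stream name or None).
    The drive-letter colon is skipped; an empty (default) stream is not an ADS."""
    drive, sep, rest = path.partition(":\\")
    parts = (rest if sep else path).split(":")
    base = (drive + sep if sep else "") + parts[0]
    stream = parts[1] if len(parts) > 1 and parts[1] else None
    return base, stream

def classify(path: str, data: bytes) -> list:
    """Return the AVZ-style verdict strings this object would earn ([] if none)."""
    if not is_pe_image(data):
        return []
    base, stream = split_ads(path)
    if stream is not None:
        return ["Danger - executable file in the NTFS stream"]
    name = base.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in STANDARD_PE_EXT:
        return []
    if ext in STARTUP_CAPABLE_EXT:
        return ["PE file with modified extension, allowing for startup"]
    return ["PE file with nonstandard extension"]

def make_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: the smallest buffer that passes is_pe_image()."""
    buf = bytearray(e_lfanew + 4)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:] = b"PE\0\0"
    return bytes(buf)
```

Only the header check is done here; a real scanner would also read the stream contents, which is why the sample bytes are passed in rather than opened from disk.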

danny9
Go Ahead, Make My Day
Premium Member
join:2002-07-14
Clinton Township, MI

danny9 to SpannerITWks

Sounds like a good program and one worth trying but... do you know if there is an English version of the site so we may know what it's saying?
Thanks.

SpannerITWks
Premium Member
join:2005-04-22

Hi, yes it's a very neat App indeed ! The author told me he is going to try and have an English www too, but as you've already seen, there's a Lot of info/pages on there to translate, which naturally will take time to do.

The good news is that the App is in English, and so is the Help file. I don't think you or most people should have Any problems with it. Try it and see, and let us know what you think !

Spanner

danny9
Go Ahead, Make My Day
Premium Member
join:2002-07-14
Clinton Township, MI

danny9 to SpannerITWks

Hi Spanner,
Just to let you know I downloaded this AVZGuard but not with much luck.
I got the main screen, I believe, with the HD letters on the left and on the right were listed malware, trojans etc.
All across the top were ? marks and next to the malware etc. on the right. That's all I got.
The screen froze up immediately. I couldn't do anything. Nothing worked.
I had to shut off the computer and used GoBack at the boot screen to restore my settings to just before the install.
Any idea as to what may have caused this?
Kinda leery about retrying this again.
Thanks, Dan

SpannerITWks
Premium Member
join:2005-04-22

Ooh this is handy, just caught it !

Sorry to hear about that, and i'm Very surprised indeed, as i haven't had even 1 problem with it. What OS are you on ? I'm on 98SE, yes don't laugh, but i never get infected with Anything, well only on purpose lol.

Did you actually get to run a scan, or did that happen before ?

Spanner

danny9
Go Ahead, Make My Day
Premium Member
join:2002-07-14
Clinton Township, MI

Xp home.
Never got to run anything.
Was trying to figure out all the ? marks when I realized I couldn't move the cursor then anything else.
Maybe I'll give it another shot anyway.

TeMerc6
Member
join:2004-01-22
Phoenix, AZ

TeMerc6 to SpannerITWks

This rootkit:
Rootkit lzx32.sys = PE386

The driver is found by SmitfraudFix by Siri.
»siri.geekstogo.com/Smitf ··· dFix.php

Changelog:
Version 2.92 (September 18, 2006)
Added: pe386 driver detection
»siri.geekstogo.com/ChangeLog.php

danny9
Go Ahead, Make My Day
Premium Member
join:2002-07-14
Clinton Township, MI

danny9 to SpannerITWks

Well, this time it worked Spanner!
Ran a full scan. Took 1 hr, 12 min.
Came up clean though.
Gonna keep it around for a while. Read the help files to get a better feel for this.
Whether it would pick up something KIS6 wouldn't, running on full, remains to be seen.
Time will tell.
Thanks again, Spanner.
Dan

SpannerITWks
Premium Member
join:2005-04-22

danny9

That's good to hear !

My full scans only take a few Mins, and that's a thorough scanning of Every area on my C drive, much shorter if i select which ones. I wonder how much stuff you have on there to take so long lol ?

Did you update the Database online ? Do this often as you would AV/AT/AS etc.

Yes the help files are better than i expected they might be !

I've found that compared to other Apps, this one gives you lots of extra info about lots of Malware entry points and possible hiding places etc, even in the ADS, if you have them, which Thankfully i don't ! It will flag these if it thinks it's suspicious, and also gives you a % rating as to how much. All very useful, as are the tools, like the DLL injection viewer, to name just one.

It's a keeper as far as i'm concerned, and i feel confident that the dedication/skills shown by its author etc will continue to make it a high flyer. One to watch, no doubt.

Keep us posted with your observations etc.

TeMerc

Thanx for the heads up, not quite sure how it relates to AVZ though.

Spanner

TeMerc6
Member
join:2004-01-22
Phoenix, AZ

said by SpannerITWks:

TeMerc

Thanx for the heads up, not quite sure how it relates to AVZ though.

Spanner
You pointed out that the AVZ app was able to find the rk; all I was doing was pointing out that this particular non-rk tool could also point it out as well.

SpannerITWks
Premium Member
join:2005-04-22

TeMerc

Okey dokey !

Spanner