How to stop XP Killer trojan from deleting services
aigle
February 28th, 2007, 01:01 AM
Once allowed to execute, the XP Killer trojan removes the following services on my PC.
Windows update service
Application layer gateway services
System Restore service
Windows Firewall/ICS service
I have tried to stop it from deleting services by protecting reg keys ControlSet001, ControlSet002, ControlSet003 and CurrentControlSet.
I tried RegDefend, SSM Pro, and Kaspersky's PDM and they seem to block deletion of reg keys, but in spite of that the trojan is able to delete the services.
It looks strange.
Chuck57
February 28th, 2007, 01:09 AM
Sounds like a lovely bug, aigle. What gets it onboard a computer - email, download, etc, or all ways?
Kees1958
February 28th, 2007, 01:11 AM
Aigle,
DefenseWall (review by Kareldjag, June 2006) stops it partially:
"With XP Killer : This file was able to stop automatic updates service, but DefenseWall did prevent the most harmful actions : no system files (auto updates service, XP firewall and restore service files) were deleted, so that the system state is normal after a reboot."
Did you check after reboot?
aigle
February 28th, 2007, 01:15 AM
-{ Quote: "Sounds like a lovely bug, aigle. What gets it onboard a computer - email, download, etc, or all ways?" }-
Not sure. It did not try an outbound connection on my PC. Just deleted these four services, but it might do more as I tried it for a short time.
aigle
February 28th, 2007, 01:21 AM
-{ Quote: "Aigle,
DefenseWall (review by Kareldjag, June 2006) stops it partially:
"With XP Killer : This file was able to stop automatic updates service, but DefenseWall did prevent the most harmful actions : no system files (auto updates service, XP firewall and restore service files) were deleted, so that the system state is normal after a reboot."
Did you check after reboot?" }-
GesWall stops it altogether.
Chuck57
February 28th, 2007, 01:26 AM
I've never tried GesWall. Looks like it's time to add that one to my collection and see how it works. Sandboxie is nice, but I like the idea of being warned about things.
I guess I could run Powershadow and not have to worry about anything.
aigle
February 28th, 2007, 01:28 AM
I use both. GW permanently and PowerShadow off and on.
Kees1958
February 28th, 2007, 01:30 AM
Aigle,
Have you tried blocking the changes of values a few registry levels deep (option in SSM-free)?
Application Layer Service
- HKLM/System/CurrentControlSet/Services/Alg (block 2 levels)
Windows Update Service
- HKLM/System/CurrentControlSet/Services/wuauserv (block 2 levels)
System Restore Service
- HKLM/System/CurrentControlSet/Services/srservice (block 2 levels)
Windows Firewall Service
- HKLM/System/CurrentControlSet/Services/SharedAccess (block 2 levels)
All those services allow a 'stop' in regular operation, so this might also be the problem.
Regards K
aigle
February 28th, 2007, 01:33 AM
I blocked Control sets up to 9 levels down. Most reg changes were blocked, but the SSM services module then gave popups of 'services removed' (so I did no check after reboot).
Same with KIS PDM. I am not familiar with the reg, so probably I am making some mistake.
Kees1958
February 28th, 2007, 02:01 AM
Aigle,
The values probably only influence the startup type (automatic, manual, disabled). In normal operation these services accept the stop handle. So protecting the corresponding registry values only helps you to keep the original values.
Start = 2 (automatic)
Start = 3 (manual)
Start = 4 (disabled)
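A quick way to check whether the four service keys Kees1958 listed are still intact and what their Start values are, as an added example that is not part of the original thread (PowerShell, run as administrator; the service names and Start values are the ones given above):

```powershell
# Added example (not from the thread): check the four services the XP Killer
# trojan is reported to remove, using the registry keys listed in the thread.
# Assumes Windows with PowerShell 2.0 or later, run from an elevated prompt.
$services = @{
    'Alg'          = 'Application Layer Gateway'
    'wuauserv'     = 'Windows Update'
    'srservice'    = 'System Restore'
    'SharedAccess' = 'Windows Firewall/ICS'
}
# Start values as given in the thread: 2 = automatic, 3 = manual, 4 = disabled
# (0 = boot and 1 = system exist for drivers but not for these services).
$startTypes = @{ 0 = 'boot'; 1 = 'system'; 2 = 'automatic'; 3 = 'manual'; 4 = 'disabled' }

foreach ($name in $services.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        # A missing key means the service registration itself is gone, which is
        # what the thread describes: the service is removed, not merely stopped.
        Write-Warning ("{0} ({1}): registry key missing, service removed" -f $services[$name], $name)
        continue
    }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $type  = if ($start -ne $null -and $startTypes.ContainsKey([int]$start)) { $startTypes[[int]$start] } else { 'unknown' }
    # Also ask the Service Control Manager, since a key can exist while the
    # service has been stopped in normal operation (the 'stop handle' case).
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not registered with SCM' }
    "{0,-28} Start={1} ({2,-9}) state={3}" -f $services[$name], $start, $type, $state
}
```

Run it once on a clean system and keep the output as a baseline; a missing key after running something suspicious is the 'services removed' case, while a key with Start=2 but state=Stopped is only the stop that these services accept anyway.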
zopzop
February 28th, 2007, 02:29 AM
wow, xpkiller strikes again. i remember this thing wreaking havoc vs various HIPS and sandboxing programs. did you try it vs sandboxie aigle?
aigle
February 28th, 2007, 03:04 AM
I don't remember exactly, but I must have tried and Sandboxie must have defended against it.
aigle
February 28th, 2007, 03:05 AM
-{ Quote: "Aigle,
The values probably only influence the startup type (automatic, manual, disabled). In normal operation these services accept the stop handle. So protecting the corresponding registry values only helps you to keep the original values.
Start = 2 (automatic)
Start = 3 (manual)
Start = 4 (disabled)" }-
Maybe some later testing.
LoneWolf
February 28th, 2007, 06:21 AM
BOClean is supposed to kill this one. Here is a screenshot of it in their list that they cover.
Good luck with whatever you try with this one, sounds nasty.
aigle
February 28th, 2007, 06:31 AM
Don't worry about signature-based detection. Almost all AVs will detect it.
duke1959
February 28th, 2007, 07:55 AM
Does anyone know or think Cyberhawk would have detected this? Also would the freeware version of GesWall be enough, and what are the differences between the free version and the Pro version of it? I looked on the website, but didn't find them. Thanks, I may add GesWall, but if I do, would I truly still need my AVG Anti-Spyware?
Kees1958
February 28th, 2007, 08:29 AM
Duke,
Forrester research uses a model to determine the setup and strength of your security defense. In short it looks at the sequence of events of an infection.
Inbound traffic level
An inbound firewall (needed), preferably a hardware FW or at the bare minimum the Windows XP firewall.
Threat gates: think about sandboxes like GeSWall/DefenseWall (I use them on different machines), or a sandbox with file virtualisation (like BufferZone or SandBoxie), or OS + file virtualisation/hardware emulation (e.g. VMWare). In general sandboxes like GW/DW are set and forget. GW free is as strong as GW paid; it only covers one threat gate (Internet and not P2P, chat, e-mail et cetera).
Trigger level: these are system-wide IDS/HIPS programs which defend important OS files (like the registry), system changes (services) and process modification. In this category fall the resident protection anti-spyware programs like SpywareTerminator (also a HIPS feature), classical HIPS like SSM and behavior blockers like CyberHawk.
Data level: this is the area of traditional antivirus applications (which check at every read and write against a blacklist of malware). Also programs like CoreForce, DriveSentry and SensiveGuard have data level protection, because they forbid certain files/folders/file extensions to be changed.
Outbound network level: these are outbound firewalls which prevent the thief from running after the theft.
In general it is wise to have those areas covered and to put most effort in protecting at an early stage. Another rule of thumb is that hardening, blacklisting and whitelisting is a stronger form of defense, demanding higher levels of knowledge to answer pop-ups from the security app.
Hardening = disable what you do not use; it either works or does not
Blacklist = catch known bad guys; a pop-up could be a false positive, but in general you can trust the blacklist
Behavior blocking = stop strange/suspicious behavior. In all cases the pop-up (e.g. of CyberHawk) indicates a system anomaly; in a few cases this is caused by a legitimate application.
Whitelist = allow only the good guys. Gives the user the problem of deciding what is good or bad. Therefore some whitelist apps have built-in whitelists or share whitelist experience across the user group via the Web (e.g. PrevX).
An antivirus for instance also has behavioral protection (heuristics). In general it is wise not to overlap the sort of protection (e.g. two whitelist HIPS) on the same level.
What is necessary depends on your PC usage behavior and at what protection you feel at ease. When you use AVG Antispyware (a blacklist + IDS) only for on-demand, they do not interfere. Some people use Spyware Terminator (not so good blacklist, good IDS) alongside CyberHawk. So it is up to you really.
I personally do not use an anti-spyware app, because I trust the combination of DefenseWall/SSM-free and GeSWall Pro/CyberHawk on two different PCs. One PC is stable (no software being tried out), the other not (therefore CyberHawk instead of SSM).
Regards
duke1959
February 28th, 2007, 09:13 AM
Thank you for this Kees1958. I appreciate your information and understand it really does boil down to what the user likes and feels comfortable with. I know I try out way too many combinations of software protection, while at the same time also realizing I don't really need all that much for my needs. It's just fun to do so. LOL. I enjoy reading posts like yours and the many others i see here in Wilders, and although I know I may be getting on a few peoples nerves with my questions. (and slight obsession. LOL.) I certainly appreciate the people like yourself who have humored me by answering them. I have recently decided to try and stick with the AVG Internet Security Suite even though I probably won't ever need a Resident AS. I believe that along with Cyberhawk and Geswall should be sufficient from what you're saying if I'm correct? Anyway thanks to you again, and to the others that have humored me. LOL
Kees1958
February 28th, 2007, 10:44 AM
Yep,
AVG Internet Security suite (when it fits you), GeSWall for the Internet threat gate and CyberHawk for zero-day threats.
Have fun
aigle
February 28th, 2007, 07:58 PM
-{ Quote: "Does anyone know or think Cyberhawk would have detected this? Also would the freeware version of GesWall be enough, and what are the differences between the free version and the Pro version of it? I looked on the website, but didn't find them. Thanks, I may add GesWall, but if I do, would I truly still need my AVG Anti-Spyware?" }-
Free version should be enough for many users.
Free version has isolation rules for browsers, mail clients and viewers, while Pro has rules for many more applications. You can add your own rules in both, but it's a job for experts.
You should keep AVG AS along with that as a scanner (although you might disable its guard if you want).
duke1959
February 28th, 2007, 08:02 PM
So if I leave just my hands off of GesWall Free and use the rules it has, it should be easy to run and with no problems, right?
aigle
February 28th, 2007, 09:20 PM
Ya, sure. You just have to reply to one pop-up for each browser on first launch only. Say 'Yes' and mark 'Don't ask again'. That's all.
Copyright ©2002 - 2012, Wilders Security Forums