#22  July 16th, 2006, 01:52 AM
jafaron (Infrequent Poster, Join Date: Jul 2006, Posts: 2)
Re: High possibility of nProtect Gameguard being a rootkit.

Here is a log file from Process Guard 3.200 that shows what happens when you start a game protected by GameGuard.



Code:
06:37:40 [EXECUTION] "c:\programas\wizet\sea\gameguard\gamemon.des" was allowed to run
         [EXECUTION] Started by "c:\programas\wizet\sea\maplestory.exe" [3156]
         [EXECUTION] Commandline - [ \x01\xd0\xd5\x95\x41\x6d\x78\x17\xab\x3c\x73\x3c\x61\x0c\x8e\x41\xbc\xe2\x95\x69\x61\xce\x18\xf6\x59\x96\x10\x9a\x11\x81\xfc\x60\x05\x11\xc6\x8c\x4e\xee\x74\x33\x1e\x64\x60\x70\x31\x09\x4d\x90\x79 ]
06:37:41 [DRIVER/SERVICE] c:\programas\wizet\sea\gameguard\gamemon.des [2872] Tried to install a driver/service named dump_wmimmc
06:37:41 [DRIVER/SERVICE] c:\programas\wizet\sea\gameguard\gamemon.des [2872] Tried to install a driver/service named dump_wmimmc
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\csrss.exe [1044]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\winlogon.exe [1152]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\services.exe [1196]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\lsass.exe [1208]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1352]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1408]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1456]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1496]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1600]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\explorer.exe [2024]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\spoolsv.exe [120]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgamsvr.exe [224]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgupsvc.exe [240]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgemc.exe [256]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [332]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\dcsuserprot.exe [396]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zapp turbo\client\ventc.exe [564]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\rundll32.exe [652]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\igfxtray.exe [848]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\hkcmd.exe [868]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\synaptics\syntp\syntplpr.exe [972]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\wscntfy.exe [1384]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\synaptics\syntp\syntpenh.exe [1476]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\alg.exe [1652]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\rthdcpl.exe [1756]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\alcmtr.exe [1852]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgcc.exe [1924]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\msnshell\msnshell.exe [820]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zango\zango.exe [1252]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\java\j2re1.4.2_12\bin\jusched.exe [904]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\pgaccount.exe [1556]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\ctfmon.exe [1632]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\messenger\msmsgs.exe [1664]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\lg_swupdate\gilautouc.exe [1484]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zapp\z010 connect\z010.exe [2496]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\procguard.exe [616]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\csrss.exe [1044]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\winlogon.exe [1152]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\services.exe [1196]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\lsass.exe [1208]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1352]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1408]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1456]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1496]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1600]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\explorer.exe [2024]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\spoolsv.exe [120]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgamsvr.exe [224]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgupsvc.exe [240]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgemc.exe [256]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [332]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\dcsuserprot.exe [396]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zapp turbo\client\ventc.exe [564]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\rundll32.exe [652]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\igfxtray.exe [848]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\hkcmd.exe [868]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\synaptics\syntp\syntplpr.exe [972]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\wscntfy.exe [1384]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\synaptics\syntp\syntpenh.exe [1476]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\alg.exe [1652]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\rthdcpl.exe [1756]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\alcmtr.exe [1852]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgcc.exe [1924]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\msnshell\msnshell.exe [820]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zango\zango.exe [1252]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\java\j2re1.4.2_12\bin\jusched.exe [904]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\pgaccount.exe [1556]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\ctfmon.exe [1632]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\messenger\msmsgs.exe [1664]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\lg_swupdate\gilautouc.exe [1484]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zapp\z010 connect\z010.exe [2496]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\procguard.exe [616]

Last edited by snapdragin : July 16th, 2006 at 02:17 AM. Reason: log was too large so code tags added for ease of viewing
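To turn a Process Guard log like the one in this post into something a defender can triage, here is an added example (not code from the post or from Process Guard) that parses the [DRIVER/SERVICE] and [MODIFY] line shapes quoted above, aggregates them per acting process, and flags an actor that tries to install a driver or is blocked from touching security-tool or core Windows processes. The sample lines are constructed from paths and PIDs in the post, the process-name lists are assumptions drawn from the binaries that appear there, and the regexes assume the exact wording of those log lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Process Guard 3.x format quoted above (paths/PIDs from the post).
SAMPLE_LOG = r"""
06:37:41 [DRIVER/SERVICE] c:\programas\wizet\sea\gameguard\gamemon.des [2872] Tried to install a driver/service named dump_wmimmc
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\lsass.exe [1208]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgamsvr.exe [224]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\procguard.exe [616]
"""
DRIVER_RE = re.compile(r"^\S+ \[DRIVER/SERVICE\] (?P<actor>.+?) \[(?P<pid>\d+)\] "
                       r"Tried to install a driver/service named (?P<name>\S+)$")
MODIFY_RE = re.compile(r"^\S+ \[MODIFY\] (?P<actor>.+?) \[(?P<pid>\d+)\] was blocked from modifying "
                       r"(?P<target>.+?) \[(?P<tpid>\d+)\]$")
# Process names whose modification by a third party is a strong signal (assumed lists; the
# security-tool names are the AVG and Process Guard binaries that appear in the post).
SECURITY_PROCS = {"procguard.exe", "pgaccount.exe", "dcsuserprot.exe",
                  "avgamsvr.exe", "avgupsvc.exe", "avgemc.exe", "avgcc.exe"}
CORE_PROCS = {"csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

def summarize(log_text):
    """Aggregate Process Guard events per acting process, keyed by (path, pid)."""
    stats = defaultdict(lambda: {"drivers": set(), "targets": set()})
    for line in log_text.strip().splitlines():
        m = DRIVER_RE.match(line)
        if m:
            stats[(m["actor"], int(m["pid"]))]["drivers"].add(m["name"])
            continue
        m = MODIFY_RE.match(line)
        if m:
            target = m["target"].rsplit("\\", 1)[-1].lower()   # basename of the touched process
            stats[(m["actor"], int(m["pid"]))]["targets"].add(target)
    return dict(stats)

def assess(stats):
    """Return findings: 'actor [pid]' -> reasons the actor's behaviour warrants investigation."""
    findings = {}
    for (actor, pid), s in stats.items():
        reasons = []
        if s["drivers"]:
            reasons.append("driver install: " + ", ".join(sorted(s["drivers"])))
        sec = s["targets"] & SECURITY_PROCS
        if sec:
            reasons.append("tampered with security tools: " + ", ".join(sorted(sec)))
        core = s["targets"] & CORE_PROCS
        if core:
            reasons.append("tampered with core system processes: " + ", ".join(sorted(core)))
        if reasons:
            findings[f"{actor} [{pid}]"] = reasons
    return findings
```

Run `assess(summarize(open(path).read()))` over a full log to get one entry per offending process; lines in other Process Guard formats are ignored rather than misparsed.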