High possibility of nProtect Gameguard being a rootkit.

Discussion in 'other security issues & news' started by nadirah, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. nadirah
    nadirah Registered Member

    Hi again, everyone here. :cool: Today I've conducted my own investigation into an application called nProtect Gameguard which is bundled along with some popular multiplayer online games.
    Here's how it went:
    I downloaded a mog MapleStory from www.maplesea.com and tried to confirm my suspicions of nProtect Gameguard functioning as a rootkit, according to several sources. http://72.14.235.104/search?q=cache...it.&hl=en&gl=sg&ct=clnk&cd=3&client=firefox-a Now, as most people know, rootkits can cloak themselves, files, processes in Windows Task Manager, you name it...

    I attempted rootkit detectors like unhackme and sysinternal's RKR but no suspects showed up. I then first decided to check the program's behaviour. Before starting the game (after logging on to Windows), I made a check of the total number of processes inside Task Manager.
    BEFORE- 42
    AFTER launch- 42--> (+the game should be more than 42, right?)
    Now I was puzzled. Shouldn't the game, just like all other programs on the comp, have visible processes inside Windows Task Manager? This immediately raised my suspicion of gameguard. All the info I have points to gameguard. Some sites describe gameguard as being capable of hiding the game application process; head on, this is rootkit behaviour, hiding a process from being visible in Task Manager.
    Next, I turned to diamondcs's free progs. Upon running openports.exe, it somehow managed to show the game's application process, details as follows:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\nadirah>"C:\WINDOWS\Downloaded Installations\openports
    .exe"
    DiamondCS OpenPorts v1.0 (-? for help)
    Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au/openports/
    Free for personal and educational use only. See openports.txt for more details.
    _______________________________________________________________________________

    SYSTEM [4]
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 202.156.115.138:139 0.0.0.0:0 LISTENING
    UDP 202.156.115.138:138 0.0.0.0:0 LISTENING
    UDP 202.156.115.138:137 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:445 0.0.0.0:0 LISTENING
    MapleStory.exe [636]
    TCP 202.156.115.138:3513 203.116.196.8:8484 ESTABLISHED

    lsass.exe [748]
    UDP 0.0.0.0:500 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:4500 0.0.0.0:0 LISTENING
    svchost.exe [960]
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    smc.exe [1180]
    UDP 127.0.0.1:1029 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1028 0.0.0.0:0 LISTENING
    svchost.exe [1300]
    UDP 0.0.0.0:1179 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1032 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1695 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    firefox.exe [1748]
    TCP 127.0.0.1:3514 127.0.0.1:3515 ESTABLISHED
    TCP 127.0.0.1:3515 127.0.0.1:3514 ESTABLISHED
    ashMaiSv.exe [2180]
    TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING
    ashWebSv.exe [2248]
    TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
  2. nadirah
    nadirah Registered Member

    I'm dividing this thread up into several parts, don't wanna make an extremely long post.

    Next I used Advanced Process Manipulation. I found out through this program that gameguard injects itself into nearly all the running processes on my computer. Even security programs like Javacool's SpywareGuard may be compromised. Another sickening thing is: I had to risk turning off ProcessGuard just to do this check. It is just like what Wayne said about Gunbound in 2004.
    Result from this program: Gameguard injects itself into all the running processes on the computer. See my screenshot.

    Last edited by a moderator: Jun 22, 2006
  3. nadirah
    nadirah Registered Member

    Then I tried searching for registry keys, whatever that was related to nprotect gameguard.
    Regedit- Negative.
    .......... Next step, I used cmdline.exe
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\nadirah>"C:\WINDOWS\Downloaded Installations\cmdline.e
    xe"
    DiamondCS Commandline Retrieval Tool for Windows NT4/2K/XP
    Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au
    ---
    4 - ƒ
    <Error> Unable to read memory from PID 4
    588 - \SystemRoot\System32\smss.exe
    <Error> Unable to read memory from PID 588
    644 - \??\C:\WINDOWS\system32\csrss.exe
    <Error> Unable to read memory from PID 644
    668 - \??\C:\WINDOWS\system32\winlogon.exe
    winlogon.exe
    712 - C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\services.exe
    748 - C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\lsass.exe
    880 - C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    960 - C:\WINDOWS\system32\svchost.exe
    <Error> Unable to read memory from PID 960
    1056 - C:\Program Files\geswall\gswserv.exe
    "C:\Program Files\geswall\gswserv.exe"
    1128 - C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    1180 - C:\Program Files\Sygate\SPF\smc.exe
    "C:\Program Files\Sygate\SPF\smc.exe"
    1300 - C:\WINDOWS\System32\svchost.exe
    <Error> Unable to read memory from PID 1300
    1356 - C:\WINDOWS\System32\svchost.exe
    <Error> Unable to read memory from PID 1356
    1620 - C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\spoolsv.exe
    1684 - C:\Program Files\geswall\gswui.exe
    "C:\Program Files\geswall\gswui.exe"
    1728 - C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Explorer.EXE
    1848 - C:\WINDOWS\system32\igfxtray.exe
    "C:\WINDOWS\system32\igfxtray.exe"
    1864 - C:\WINDOWS\system32\hkcmd.exe
    "C:\WINDOWS\system32\hkcmd.exe"
    1932 - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
    1940 - C:\Program Files\ProcessGuard\pgaccount.exe
    "C:\Program Files\ProcessGuard\pgaccount.exe"
    1952 - C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
    2016 - C:\WINDOWS\system32\ctfmon.exe
    "C:\WINDOWS\system32\ctfmon.exe"
    2040 - C:\Program Files\ProcessGuard\procguard.exe
    "C:\Program Files\ProcessGuard\procguard.exe" -minimize
    120 - C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe -Embedding
    216 - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    "C:\Program
    228 - C:\Program Files\SpywareGuard\sgmain.exe
    "C:\Program Files\SpywareGuard\sgmain.exe"
    440 - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
    456 - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
    488 - C:\Program Files\ProcessGuard\dcsuserprot.exe
    "C:\Program Files\ProcessGuard\dcsuserprot.exe"
    540 - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
    620 - C:\Program Files\SpywareGuard\sgbhp.exe
    "C:\Program Files\SpywareGuard\sgbhp.exe"
    888 - C:\WINDOWS\system32\slserv.exe
    slserv.exe
    1212 - C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    1292 - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
    "C:\Program Files\Raxco\PerfectDisk\PDSched.exe"
    1368 - C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    1720 - C:\WINDOWS\system32\hpoipm07.exe
    hpoipm07.exe
    2180 - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
    2212 - C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    "C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe" /DeviceID 11506
    42229 /Startup
    2248 - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
    2568 - C:\WINDOWS\System32\wbem\wmiprvse.exe
    <Error> Unable to read memory from PID 2568
    152 - C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe -k usnsvc
    1724 - C:\Program Files\Eraser\eraser.exe
    "C:\Program Files\Eraser\eraser.exe"
    1748 - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3176 - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe"

    What's suspicious here is that some lines write: Error reading memory from PID [xxxx]. I'm wondering if gameguard through its process-injection method intercepts reads to memory in some way. And also, MapleStory.exe is not in this list either! Its application process could only be unearthed by checking out all the current active network connections on my system.
    Therefore I'm appealing to other experienced computer guys/experts, to please help me in investigating what nProtect Gameguard does to some operating system functions, and what techniques it employs. This sneaky little but cunning program which is passed off by some game authors as 'software designed to protect the game client from cheating/hacking by game players and modifications to the game client' obviously is nothing decent. It was designed to protect the game at the expense of altering core system functions. And, the very first spark that set this whole thing off was its method of HIDING a process and concealing it to windows task manager.
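Added example, not part of the original posts: the comparison nadirah did by eye (socket owners reported by OpenPorts against the processes listed by cmdline.exe) written as a small cross-view check. The sample inputs are abridged from the two tool outputs quoted above; the function names and the finding texts are this example's own.

```python
import re

# Abridged from the OpenPorts output quoted in post 1.
OPENPORTS_OUTPUT = r"""
MapleStory.exe [636]
TCP 202.156.115.138:3513 203.116.196.8:8484 ESTABLISHED

lsass.exe [748]
UDP 0.0.0.0:500 0.0.0.0:0 LISTENING
svchost.exe [960]
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
firefox.exe [1748]
TCP 127.0.0.1:3514 127.0.0.1:3515 ESTABLISHED
"""

# Abridged from the cmdline.exe output quoted in post 3.
CMDLINE_OUTPUT = r"""
668 - \??\C:\WINDOWS\system32\winlogon.exe
winlogon.exe
748 - C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
960 - C:\WINDOWS\system32\svchost.exe
<Error> Unable to read memory from PID 960
1748 - C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
"""

OWNER_RE = re.compile(r"^(?P<name>.+?) \[(?P<pid>\d+)\]$")
SOCKET_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)$")
PROC_RE = re.compile(r"^(?P<pid>\d+) - (?P<image>.*)$")
READ_ERR_RE = re.compile(r"^<Error> Unable to read memory from PID (?P<pid>\d+)$")


def parse_openports(text):
    """Return {pid: {"name": str, "sockets": [(proto, local, remote, state)]}}."""
    owners, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        owner = OWNER_RE.match(line)
        if owner:
            current = int(owner["pid"])
            owners[current] = {"name": owner["name"], "sockets": []}
            continue
        sock = SOCKET_RE.match(line)
        if sock and current is not None:
            owners[current]["sockets"].append(sock.groups())
    return owners


def parse_cmdline(text):
    """Return {pid: {"image": str, "readable": bool}} for every listed process."""
    procs = {}
    for raw in text.splitlines():
        line = raw.strip()
        err = READ_ERR_RE.match(line)
        if err:
            # The PID was enumerated; only reading its memory failed.
            entry = procs.setdefault(int(err["pid"]), {"image": "", "readable": True})
            entry["readable"] = False
            continue
        proc = PROC_RE.match(line)
        if proc:
            procs[int(proc["pid"])] = {"image": proc["image"], "readable": True}
    return procs


def cross_view(net_owners, enumerated):
    """Compare the network view with the process-list view.

    A PID that owns a socket but is absent from the process list is the
    strong signal. A PID that is listed but unreadable is a separate, weaker
    observation and is reported under its own label.
    Caveat: a process started between the two snapshots also shows up as
    missing, so take both snapshots back to back.
    """
    findings = []
    for pid, owner in sorted(net_owners.items()):
        if pid not in enumerated:
            findings.append((pid, owner["name"], "socket owner missing from process list"))
        elif not enumerated[pid]["readable"]:
            findings.append((pid, owner["name"], "listed, but memory read failed"))
    return findings


if __name__ == "__main__":
    for pid, name, why in cross_view(parse_openports(OPENPORTS_OUTPUT),
                                     parse_cmdline(CMDLINE_OUTPUT)):
        print(f"{pid:>5}  {name:<16} {why}")
```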
  4. Mrkvonic
    Mrkvonic Linux Systems Expert

    Hello,
    Best way to find out if something is rootkitting.
    Boot with BartPE CD, and compare the active partition files and folders listing with that you get when you boot from C. You will be able to see all and any that is hidden, cloaked or rooted. And if so, I leave the decisions about what to do to you.
    Mrk
  5. LokiLoki
    LokiLoki Guest

    I found out gameguard tries to terminate smss.exe every time I start the game.

    When I discovered gameguard modifying my software (such as NOD32, etc.), I stopped playing games with gameguard.
  6. nadirah
    nadirah Registered Member

    What is smss.exe? Is smss.exe spyware or a virus?
    Process name: Windows NT Session Manager
    Product: Windows
    Company: Microsoft
    File: smss.exe
    Security Rating: [rating image]
    This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).
    Note: The smss.exe file is located in the C:\Windows\System32 folder. In other cases, smss.exe is a virus, spyware, trojan or worm!

    Virus with same name:
    W32.Dalbug.Worm - Symantec Corporation
    Adware.DreamAd - Symantec Corporation
    W32.Resdoc - Symantec Corporation
    Adware.Advision - Symantec Corporation
    Backdoor.IRC.Flood.F - Symantec Corporation
    Backdoor.IRC.Aladinz.O - Symantec Corporation
    and more...



    Obviously the gameguard developers provide low-quality software. It tries to terminate smss.exe because it thinks it's a virus or something suspicious; as you can see, there are some viruses with the same name too, but located in different places other than system32.
    BTW Processguard from www.diamondcs.com.au stops this from happening.
  7. matousec
    matousec Registered Member

    Hi,

    nProtect Gameguard is well-known anti-cheater software. Simply said, it uses rootkit technology. However, its functionality requires this approach. Its goal is to protect the game from all kinds of cheater attacks. This includes protection against manipulation of Gameguard's and the game's processes. nProtect uses rootkit technology to make working with these processes unpleasant. It hides processes and protects them against access by other applications. But its protection is not limited to process protection. Since it is used to protect online game clients, it relies on the Internet connection with the Gameguard server. It can be used by admins to capture screenshots from players' machines. It also scans running processes for "known patterns", so it behaves just like anti-spyware programs to identify known cheater programs. This is why it works with other processes on your system.

    But of course all of this can be misused. You will never know whether the information from your computer that goes to Gameguard servers is only those in-game screenshots. There are many more or less paranoid scenarios you can think up. But since there is a stable channel between the Gameguard client and server, any kind of information can leave your computer. On the other side, a lot of large game companies trust and use nProtect protection. The only question is whether you trust them ;)
  8. nadirah
    nadirah Registered Member

    Well, it is very clear that nprotect gameguard is a program that utilises rootkit technology. Isn't this case similar to the sony rootkit saga?
    This program is confirmed to be a rootkit.

    And on the other hand, do any legitimate computer security software programs use rootkit technology to achieve their targets?
  9. matousec
    matousec Registered Member

    Yes and no. No, because you can easily find information about how nProtect works on the vendor's site. Maybe something is also written in the EULA. Sony's EULA missed mentioning that this technology is used there. And another "No" argument is that Sony's rootkit was easily exploitable by malicious software to hide itself, but nProtect seems to protect only itself and the game and nothing else. This does not mean it can't protect malicious software, but at least it means that it is not easy or that it is not known in public. I don't know the EULA of nProtect so I can't say whether there is some "Yes" argument too. But it can be problematic of course.

    Yes, many. In fact every personal firewall and some antivirus software as well as antirootkit detection and prevention software and also many other security software like some honeypots etc. Rootkit technology has been used for a long time; "rootkit technology" is just a modern term that is used for this kind of software activity. To prevent misunderstanding here, it should be said that when talking about rootkit technology we do not mean only hiding but also methods like hooking etc.
  10. nadirah
    nadirah Registered Member

    nProtect Gameguard does not have an EULA and I wonder why. In some cases it is bundled with the game application.
    I think some games offer gameguard as a separate download while some bundle it together with the game client in 1 single download. Of all the programs I've tried out and tested with over the years, I remember Gameguard the most because it's the ONLY program I've known that comes with no End User License Agreement. Is it because the developers are Korean and only know how to use basic English that they don't know how to produce an English EULA? I'm really curious about this issue.
    Last edited: Jun 27, 2006
  11. matousec
    matousec Registered Member

    I don't think so. The important thing here is to consider the relation between game developers and Gameguard. If Gameguard offers nProtect in the way it is integrated into the game, it needs no EULA and it is the responsibility of the game vendor to mention it in the EULA.
  12. gerardwil
    gerardwil Registered Member

    o_Oo_O
  13. sosaiso
    sosaiso Registered Member

    It was sarcasm.

    I think.

    It is a concern of mine as well, but Gunbound keeps me entertained, and I haven't had any privacy problems with it as of yet, so it will stay.
  14. mrhero
    mrhero Registered Member

    KIS's proactive defense also warns about hidden object in Gameguard
  15. matousec
    matousec Registered Member

    My point was to say that the raw fact that something is hiding itself or some other objects (or you can call it "using rootkit technology") is not malicious. If Gameguard does only what it should, it is not malicious software and its behaviour is OK and the technology used is also OK. The problem is that there is no easy way to verify whether it does not do something more.
  16. sosaiso
    sosaiso Registered Member

    Good point matousec.

    But I think there is a way to see if it does something more. Throw on a packet sniffer to view everything that leaves the computer when nProtect is running. :T
  17. matousec
    matousec Registered Member

    I assumed encryption of its communication when I wrote my last post. One can hardly imagine such advanced protection software not using encrypted communication ...
  18. sosaiso
    sosaiso Registered Member

    Ah, I apologize, I did not think a game protector would encrypt data. Wonder if anyone here can verify if it is indeed sending out bad info.
  19. thetazzbot
    thetazzbot Registered Member

    I wanted to add to the commentary about smss.exe and my experiences with NProtect.

    I have a laptop that I use remotedesktop to connect to my main computer which is in my home office. Frequently my son plays Lineage2 and I noticed that whenever he is playing or starts playing, the following oddities happen:

    Programs I start or am using in RemoteDesktop on my main computer close randomly.

    My remotedesktop session closes

    When I connect, his game freezes.

    This led me to my search for answers, which led me here. Thanks to the poster who posted about smss.exe, the Microsoft session manager. This is the answer. Because when you connect with the remotedesktop client, you are initiating a user session, and this makes total sense now. However, I don't like it :) It's a poorly implemented program. So now, I can't use my computer while he's playing and since he's only 8, he doesn't understand ;)

    Thanks for the site, hope the comments above are useful to someone else looking for answers.

    Cheers,
    Mark
  20. DownWithGameGuard
    DownWithGameGuard Registered Member

    Just like the previous poster, I registered to thank you guys for that info!

    The problem I had (and somehow still have) with nProtect is that whenever I lost connection with the server, Explorer and the taskbar would enter some kind of cucumber-mode. The computer wouldn't freeze completely, but I couldn't log out/restart/shut down the computer, the task manager wouldn't respond to Ctrl+Alt+Del, basically a hard reset was required.

    ProcessGuard is now installed (thanks for the link!) and like LokiLoki, the program found out that nProtect would attempt to repeatedly terminate smss.exe; wonderful...

    However that freezing behaviour still persists, and still linked to nProtect, though I haven't found out yet exactly how.
    Last edited: Jul 8, 2006
  21. DownWithGameGuard
    DownWithGameGuard Registered Member

    Bumping with some additional info:
    http://discussions.virtualdr.com/showthread.php?t=207386&page=2&pp=40&highlight=Maple Story

    "When gg starts up, it will create a temporary file (what everyone sees as dump_wmimmc.sys) sets up its hooks and then boot the game. If for any reason gg sees something it considers "threatening" it will call for a reboot.

    The crash you experience when quitting the game I believe starts out when the temp file is cancelled, yet the hooks remain.

    There's not really anything you can do as it's pretty much up to nProtect to fix this problem."

    State-of-the-art software, really...
  22. jafaron
    jafaron Registered Member

    Here is a log file from Process Guard 3.200 that shows what happens when you start a game protected by gameguard.



    Code:
    06:37:40 [EXECUTION] "c:\programas\wizet\sea\gameguard\gamemon.des" was allowed to run
             [EXECUTION] Started by "c:\programas\wizet\sea\maplestory.exe" [3156]
             [EXECUTION] Commandline - [ \x01\xd0\xd5\x95\x41\x6d\x78\x17\xab\x3c\x73\x3c\x61\x0c\x8e\x41\xbc\xe2\x95\x69\x61\xce\x18\xf6\x59\x96\x10\x9a\x11\x81\xfc\x60\x05\x11\xc6\x8c\x4e\xee\x74\x33\x1e\x64\x60\x70\x31\x09\x4d\x90\x79 ]
    06:37:41 [DRIVER/SERVICE] c:\programas\wizet\sea\gameguard\gamemon.des [2872] Tried to install a driver/service named dump_wmimmc
    06:37:41 [DRIVER/SERVICE] c:\programas\wizet\sea\gameguard\gamemon.des [2872] Tried to install a driver/service named dump_wmimmc
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\csrss.exe [1044]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\winlogon.exe [1152]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\services.exe [1196]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\lsass.exe [1208]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1352]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1408]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1456]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1496]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1600]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\explorer.exe [2024]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\spoolsv.exe [120]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgamsvr.exe [224]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgupsvc.exe [240]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgemc.exe [256]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [332]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\dcsuserprot.exe [396]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zapp turbo\client\ventc.exe [564]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\rundll32.exe [652]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\igfxtray.exe [848]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\hkcmd.exe [868]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\synaptics\syntp\syntplpr.exe [972]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\wscntfy.exe [1384]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\synaptics\syntp\syntpenh.exe [1476]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\alg.exe [1652]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\rthdcpl.exe [1756]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\alcmtr.exe [1852]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgcc.exe [1924]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\msnshell\msnshell.exe [820]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zango\zango.exe [1252]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\java\j2re1.4.2_12\bin\jusched.exe [904]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\pgaccount.exe [1556]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\ctfmon.exe [1632]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\messenger\msmsgs.exe [1664]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\lg_swupdate\gilautouc.exe [1484]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zapp\z010 connect\z010.exe [2496]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\procguard.exe [616]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\csrss.exe [1044]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\winlogon.exe [1152]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\services.exe [1196]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\lsass.exe [1208]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1352]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1408]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1456]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1496]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1600]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\explorer.exe [2024]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\spoolsv.exe [120]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgamsvr.exe [224]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgupsvc.exe [240]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgemc.exe [256]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [332]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\dcsuserprot.exe [396]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zapp turbo\client\ventc.exe [564]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\rundll32.exe [652]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\igfxtray.exe [848]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\hkcmd.exe [868]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\synaptics\syntp\syntplpr.exe [972]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\wscntfy.exe [1384]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\synaptics\syntp\syntpenh.exe [1476]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\alg.exe [1652]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\rthdcpl.exe [1756]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\alcmtr.exe [1852]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgcc.exe [1924]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\msnshell\msnshell.exe [820]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zango\zango.exe [1252]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\java\j2re1.4.2_12\bin\jusched.exe [904]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\pgaccount.exe [1556]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\ctfmon.exe [1632]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\messenger\msmsgs.exe [1664]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\lg_swupdate\gilautouc.exe [1484]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\zapp\z010 connect\z010.exe [2496]
    06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\procguard.exe [616]
    Last edited by a moderator: Jul 16, 2006
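Added example, not part of the original posts: a triage script for a ProcessGuard log in the format jafaron posted, collapsing the repeated `[MODIFY]` lines into one summary per source process. The sample lines are abridged from the log above; the function name, the list of session-critical process names and the fan-out threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules, usable on any OS

# Abridged from the ProcessGuard log quoted in post 22.
SAMPLE_LOG = r"""
06:37:41 [DRIVER/SERVICE] c:\programas\wizet\sea\gameguard\gamemon.des [2872] Tried to install a driver/service named dump_wmimmc
06:37:41 [DRIVER/SERVICE] c:\programas\wizet\sea\gameguard\gamemon.des [2872] Tried to install a driver/service named dump_wmimmc
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\csrss.exe [1044]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\winlogon.exe [1152]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\lsass.exe [1208]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\svchost.exe [1352]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\explorer.exe [2024]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\grisoft\avg free\avgamsvr.exe [224]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\programas\processguard\procguard.exe [616]
06:37:41 [MODIFY] c:\programas\wizet\sea\gameguard\gamemon.des [2872] was blocked from modifying c:\windows\system32\csrss.exe [1044]
"""

MODIFY_RE = re.compile(
    r"^\d\d:\d\d:\d\d \[MODIFY\] (?P<actor>.+?) \[(?P<apid>\d+)\] "
    r"was blocked from modifying (?P<target>.+) \[(?P<tpid>\d+)\]$")
DRIVER_RE = re.compile(
    r"^\d\d:\d\d:\d\d \[DRIVER/SERVICE\] (?P<actor>.+?) \[(?P<apid>\d+)\] "
    r"Tried to install a driver/service named (?P<name>\S+)$")

# Assumption: processes whose tampering can take the whole session down.
SESSION_CRITICAL = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Assumption: one process touching this many distinct others is worth a look.
FANOUT_THRESHOLD = 5


def summarize(log_text):
    """Group log events by (source image, source PID) and score the fan-out."""
    actors = defaultdict(lambda: {"attempts": 0, "targets": set(), "drivers": set()})
    for raw in log_text.splitlines():
        line = raw.strip()
        mod = MODIFY_RE.match(line)
        if mod:
            info = actors[(mod["actor"], int(mod["apid"]))]
            info["attempts"] += 1
            # Key on path and PID: several svchost.exe instances are distinct targets.
            info["targets"].add((mod["target"].lower(), int(mod["tpid"])))
            continue
        drv = DRIVER_RE.match(line)
        if drv:
            actors[(drv["actor"], int(drv["apid"]))]["drivers"].add(drv["name"])

    report = []
    for (actor, pid), info in actors.items():
        names = {basename(path) for path, _ in info["targets"]}
        report.append({
            "actor": actor,
            "pid": pid,
            "attempts": info["attempts"],
            "distinct_targets": len(info["targets"]),
            "critical_targets": sorted(names & SESSION_CRITICAL),
            "drivers": sorted(info["drivers"]),
            "fanout_alert": len(info["targets"]) >= FANOUT_THRESHOLD,
        })
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```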
  23. mrhero
    mrhero Registered Member

    Why does gameguard want to modify all running processes?
  24. nadirah
    nadirah Registered Member

    As mentioned earlier in this thread, ProcessGuard can stop gameguard from modifying, terminating or reading some processes on your computer.

    I want to say something more about this program. nProtect Gameguard may be legitimate or not, I'm not so sure myself.
    But as with the issue with smss.exe, I honestly believe any person who reads this thread now or in the future will realise that it's simply not worth the while having such programs on their systems at all. Simply because its developers are very selfish people, especially those game developers who have partnerships with INCA. And it seems that INCA's employees are not good in English but that's not important at all, what's important here is what the heck do their programs do.

    If gameguard is so pathetic and stupid as to just terminate smss.exe or any other legitimate process without checking just because its considered suspicious by the game author and inca, it just goes to show what a lousy program they've chosen to implement in their game products. The fact that it can be stopped by other quality security products means that it is useless and ruptured.

    And just to add on more important details, using a disassembly program like IDA Pro from www.datarescue.com shows something about gameguard and the game client.
    The imports segment of this/the file is destroyed. This means that it may have been packed in such a way that makes it more difficult to analyse.....it may contain malware......
    The verdict: Don't use it.


    Gameguard operates in a selfish manner, just like the people who made it
  25. DownWithGameGuard
    DownWithGameGuard Registered Member

    Well, ProcessGuard can stop gameguard from modifying, terminating or reading some processes... 50 times if you take their "free for home use" version, apparently. A restriction which doesn't seem to be documented anywhere. Kinda shoddy IMO.
    Is there any other similar program? Or did I miss something?
    Last edited: Jul 24, 2006