adaware terminates spybot and process guard is helpless to stop it

Adaware se 1.05 Using definitions file:SE1R30 08.03.2005

declares that spybot search and destroy 1.3 is spyware (180solutions) and then terminates spybot. Process guard flashes it's warning saying that adaware has tried but was blocked from terminating spybot. Adaware does indeed terminate spybot.

I tried to terminate spybot from within taskmanager but was blocked by process guard.

adaware is authorized to read and modify. spybot is protected from termination and modification (except from this killer version of adaware).

These adaware definitions make it the first time that adaware called spybot 108solution spyware and then proceeded to kill it outright.

Just in case spybot was spyware I installed a new copy of spybot and adaware called this copy spyware and killed it off as well.

Am I to make from this that process guard is unable to protect from termination? Has adaware sold it soul to the devil?

 

Don't recall what it was but I saw a complaint recently about new ad-aware versions allowing previously declared (by ad-aware) spyware. ie I believe it was removed from def.'s

 

Hi Vam, AdAware defs: Reference Number : SE1R28 16.02.2005
Hmm, not sure what is wrong there: AdAwrae and Spybot with default PG settings.
Here is my PG log.
Tue 08 - 05:51:59 [EXECUTION] "c:\program files\lavasoft\ad-aware se professional\ad-aware.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
[EXECUTION] Commandline - [ "c:\program files\lavasoft\ad-aware se professional\ad-aware.exe" ]
Tue 08 - 05:53:57 [EXECUTION] "c:\tds3\ext.sys\execprot.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
[EXECUTION] Commandline - [ c:\tds3\ext.sys\execprot.exe tds|tdsdll-test:c:\program files\spybot - search & destroy\spybotsd.exe ]
Tue 08 - 05:53:59 [EXECUTION] "c:\program files\spybot - search & destroy\spybotsd.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
[EXECUTION] Commandline - [ "c:\program files\spybot - search & destroy\spybotsd.exe" ]
Tue 08 - 05:55:12 [TERMINATE] c:\program files\lavasoft\ad-aware se professional\ad-aware.exe [3844] was blocked from terminating c:\program files\spybot - search & destroy\spybotsd.exe [4080]

 

Pilli, your log indicates termination was prevented by ProcessGuard. Did Ad-Aware succeed in termination anyway? It looks like new definitions came out yesterday for Ad-Aware.

I would try this out myself, but I recently removed paid Ad-Aware SE Plus 1.05 from my system since it's Ad-Watch protection was no longer functioning as it did under the older non-SE versions and not protecting start up entries. Ad-Watch would flash red, but not indicate anything in it's logs and I found that I could delete start up entries normally protected by the non-SE versions without a deny/allow prompt, including Ad-Watch's own start up registry entry. Since Ad-Watch was the only reason I paid for their program, it was uninstalled.

I have always been a fan of Ad-Aware, but I am starting to ponder the same question Vam mentioned last.

 

Hi Rick, No spybot was not terminated Wth the last definitions or the latest ones

Pilli

 

WhenU removed from defs according to these guys.
http://www.broadbandreports.com/forum/remark,12665642~mode=flat

 

Well I took the ad-aware/spybot s&d challege since I backed up my partition yesterday and could put it all back quickly.

I reinstalled Ad-Aware SE Plus 1.05 and loaded Ad-Watch. I gave it all the same rights I did before in my firewall and in ProcessGuard and updated to the current definition. Upon launch of Spybot S&D, Ad-Watch indeed popped up touting the process as 180solutions and prompted for allow/deny. I allowed. Upon reboot Ad-Watch crashed saying something about a corrupted process list and to close and restart Ad-watch. It appeared to function normally after that. Ad-Watch was even protecting start up entries from deletion like it was supposed to, for a change. But upon relaunch of Spybot, Ad-Watch again promted to disallow Spybot from starting touting it as a 180solutions dataminer. But running a full Ad-Aware scan yeilded nothing.

I forgot to test if ProcessGuard would protect Spybot from termination while running however. I restored my partition back, removing Ad-Aware. If you go to lavasoftusa.com, go into their support forums and search on Spybot, you'll see there are several reports of this being mentioned with no answers yet from mods or forum volunteers. You'll also see the link in that search result for the very long and heated WhenU removal discussion and Lavasoft's responses.

I guess we'll see some answers over the next few days. I might try a reinstall of Ad-Aware tomorrow if I get time and see if ProcessGuard stops the termination on my machine here.

 

Hi everyone.

I did some more testing.
When using adaware definition se1r30 08.03.2005 adaware kills spybot.

When using adaware definition se1r29 05.03.2005 adaware does not kill spybot.

I suppose this thread has two issues.
1 adaware killing spybot.
2 Process guard is unable to stop adaware from terminating spybot.

Note: adaware doesn't just close spybots window it actually stops it dead (per windows taskmanager)

I can remove adaware, but how do I stop it or other programs that develope this ability terminate a program that Process Guard is supposedly protecting from termination or modification??

 

Hi Vam, As far as I know there is no method of terminating a protected program except by another protected program that has the allow termination flag enabled.
You should try both of the following.
Remove AdAware.exe from the protection list and see if AA can terminate Spybot.
Get the Advanced Process Termination tool from here: http://www.diamondcs.com.au/index.php?page=products and test it against your protected apps. Note that two of the tests 6 & 7 if I remeber correctly, require that Secure message handling is enabled.

It will be interesting to see your results.

Thanks. Pilli

 

Hi,
It's funy because I have the same definition on my system and the same program including PG. I did the same test couple of minutes ago and nothing happend.

 

Hi,

It seems that in order for Ad-Aware to kill SB process, SB has to be open and have it´s process active, otherwise if you scan with Ad-Aware, it detects nothing BUT if you have Ad-Watch running and then you proceed to open SBSD, Ad-Watch detects it and warns you inmediately and yes, this started to happen upon updating the most recet de.files: 08/03/2005. and there are already some threads in both forums Lava´s and SBSD regarding this issue.

Diazruanova

 

Ad-Aware is also targeting Zerospyware and Aluria for removal
both good apps accoriding to Eric Howe's list on www.spywarewarrior.com but with some questionable affiliates (IHMO) recently in the case of Aluria

Vendorossible Browser Hijack attempt
Category:Vulnerability

TAC index:3

Descriptionossible attempt to control/redirect the browser. This object referrs to a "blacklisted" site. If the site listed is the site intended (in other words, it is set to the setting you wish it to be set to), add this listing to your ignorelist. If not, then selecting this item will reset your browser to the default setting for this item.

however going to the "more data" site shows nothing
so how do the determine a TAC?

The do show these:
Commenthttp://www.aluriasoftware.com/support)
Commenthttp://www.zerospyware.com)

why is this not in the "more information" page?

Wyrmrider

 

A new Definition File is in the process of being tested right now.

As soon as the report was provided to R&D this morning, 180Solutions was allowed to be installed in stealth on a test machine and tests were run. Indeed the problem that has been reported was duplicated. Steps were taken immediately to correct the problem. If you use Ad-Aware, please watch for a new Def. File to be released.

Thank you and apologies for the inconvenience.

 

Thanks for the information Corrine.

 

Looks like Ad-Aware fixed the Spybot S&D detection error in an updated definition file. I'm glad they fixed this issue quickly. No mention of what the problem was.

Corrine, just for the record I never had a 180solutions infection. Thanks for the update!

 

Which leaves us with "How was adaware able to shut down SB when it was protected by PG?". I ran the same tests and adaware did, in fact, shut down SB no matter the log saying otherwise. And this is probably an easy one but why does adaware need to modify all running applications?
I uploaded a view of my log, it says I did but, I dont see it in this preview so I hope it took.

 

Ad-aware has to take on some serious contenters to remove them and knows all the termination tricks in the book. It may well be that ProcessGuard did succeed in blocking some of the attempted termination requests.

Before you update the definition file in Ad-Aware try running the test with Secure Message Handling enabled for Spybot and see if that changes the outcome.

I wish I tested termination and not just launch detection by Ad-Watch. It didn't succeed on Pilli's test. Maybe different variations of protections settings affect the outcome. What are the default settings for these two apps? My system is NEVER default....

 

Hi all.

Adaware has fixed the SB problem with Def SE1R31.

Note: Adaware is authorized to modify and read, Spybot is protected from termination and modification (in PG).

I can't do the test of Adaware Vs Spybot using Secure Message Handling because I'm using the free edition of PG and that's not included.

I still have a copy of Adaware def SE1R30 if anyone wants to test it against Secure Message Handling.

Will the next version of spyware learn Adaware's trick in terminating a protected program?

Is the full edition of Process guard any better at protection than the free edition?

Seeya

 

>

 

Today (3/9/05)

I ran a full update of Ad-Aware Se and did a full update of Spybot S&D and did a full system scan with both. Neither did anything out of the ordinary. I even ran the scans at the same time and Ad-Aware did not list anything. I activated tea timer and scanned again with Ad-Aware...still nothing.

Maybe this is just a glitch with some systems??

 

Windows Privilege Escalation allows the following escalations of privilege :-

ASSIGNPRIMARYTOKEN
AUDIT
BACKUP
CHANGE_NOTIFY
CREATE_PAGEFILE
CREATE_PERMANENT
CREATE_TOKEN
DEBUG
ENABLE_DELEGATION
INC_BAPRIORITY
INCREAQUOTA
LOAD_DRIVER
LOCK_MEMORY
MACHINE_ACCOUNT
PROF_SINGLE_PROCESS
REMOTE_SHUTDOWN <----------- Perhaps AdAware used this one
RESTORE
SECURITY
SHUTDOWN <----------- or this one
SYNC_AGENT
SYSTEM_ENVIRONMENT
SYSTEM_PROFILE
SYSTEMTIME
TAKE_OWNERSHIP <----------- Seems pretty dangerous to me !
TCB
UNDOCK
UNSOLICITED_INPUT <----------- What on earth is this for !?!

I wonder which one Ad-Aware used to terminate Spybot S&D. I also wonder why Windows would have a "privilege escalation" function in its API. I also wonder why Windows has "create thread in another running program's workspace" and "inject code into another running program's workspace" functions in its API.

Sometimes, I think Windows is just far too open to ever be secure.

 

Hi Graphic, I cannot answer your question but there appear to be many undocumented calls, maybe AA has found yet another

 

Rodehard, I completely understand what you are saying and I also agree that secure message handling is not a user friendly experience. But Windows was never built from the ground up with security in mind and there are a ton of ways to terminate a process. Looking at the post by Graphic Equaliser, some possibly undocumented. SMH can stop some termination attempts that's all I was trying to say. I personally don't like using it either though.

I started playing with the apt.exe app Diamond offers to test terminating apps. Curiously if you protect security related apps from being read they do not even appear on the apt.exe list to be terminated and PG shows their prevention from being read as you refresh. That may offer a limited extra measure of protection against some attempts. But of course that's not going to stop another security app from reading the app if it has the rights to read other protected apps or stop all termination attempts.

The more I learn about trying to secure windows, the more I learn it's almost impossible to actually nail it down completely. All these programs are evolving, but so is PG.

 

Hi! All,

Fortunately I did not have "termination" problems. At least that I was made aware of via PG or any other of my security progs. But I was definitely having some problems...and the trail led to Ad-Aware (to the best of my humble non-expert knowledge).

FYI... http://computercops.biz/postt109318.html

 

I'm glad that Lavasoft rectified the false positive with Spybot. But how about the remaining issues with Zerosypware, and other antispyware applications?