Discussion in 'ProcessGuard' started by controler, Jul 23, 2006.
Last chance DCS
Either reply or you are history
You had more than enough time to reply.
I said 'maybe it is some kind of bug'; nobody except Diamonds can really explain what's going on. One thing for sure: it is not malware of any kind, as it did it with my own pictures.
For the record I have: NOD32 - PG 3.405 - LnS -RegDefend - Ad Muncher - always running.
DS does not give a crap
too bad because now I am dumping PG
They had more than enough time to respond.
Could this http://www.dslreports.com/forum/remark,16596555 maybe be why DiamondCS doesn't seem responsive? How is PG going to be able to run on Vista? (I'm staying with XP even though I have a plenty powerful enough machine for Vista, so I don't care. XP is likely my last MS OS, I think, but if PG won't run on Vista... well, that might explain what has been happening here.) PG already can't run on XP Pro 64-bit, and DCS has said they have no plans to make that possible, and now Vista...
We're busy developing, but we assist where we can. I'm sorry I didn't see this thread earlier, but a simple email to support with the log would have got a lot more attention. No one has posted WHAT tries to install a driver; it depends on associations too? Sure sounds like it... and settings such as thumbnails; I've changed a lot of those settings myself.
As for this sort of thing in general, the file itself is not malicious, nor is the program opening it, and you could allow the program to install the driver.
As for VISTA, that protection may be broken yet; it's early days. I agree with the theory of securing the OS stronger in the first place, and for drivers developers only need to get their code signed.
MALWARE has caused a real mess over the last few years. Imagine if ADMIN wasn't the default user on Windows 2000 and XP: many of the major attacks of the last 5 years would never have happened. If implemented properly, the OS will be able to secure itself against the casual attackers, and even more skilled ones.
PG is suited to Windows 2000 and XP, and for the malware attacks that have been occurring for years. When there is an area that needs protecting, it may fit there in VISTA. Surely there are going to be things PG can do in Vista. Big or small, who knows for sure yet... Vista isn't even finished!
Just to pour a bit more fuel on the fire...
When I tested it quickly the other day, PG was silent. Tonight, on a hunch, I started the Print Spooler service first (which I have normally set to manual), double-clicked the .jpg, and PG alerted:
22:15:48 [EXECUTION] "c:\windows\system32\spoolsv.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" 
[EXECUTION] Commandline - [ c:\windows\system32\spoolsv.exe ]
22:15:52 [DRIVER/SERVICE] c:\windows\explorer.exe  Tried to install a driver/service named
I generated a related alert for rundll32.exe by selecting Open With > Microsoft Picture and Fax Viewer from the .jpg's context menu:
22:16:07 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" 
[EXECUTION] Commandline - [ "rundll32.exe" c:\windows\system32\shimgvw.dll,imageview_fullscreen c:\documents and settings\nick\desktop\melanie1.jpg ]
22:16:09 [DRIVER/SERVICE] c:\windows\system32\rundll32.exe  Tried to install a driver/service named
Anyway, when I stop the Print Spooler service, there are no alerts. Notice that PG does not name the service. Using Regmon, I saw no new services written to the registry (after setting PG to "Allow"). PG, BTW, alerted the same way with and without the latest BOClean installed.
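Reading a PG log like the one above is easier with a small parser. The following is an added example, not code from the thread or from DiamondCS: it parses lines in the shape PG logged above (the sample log is constructed from those lines, with the picture path shortened) and pairs each DRIVER/SERVICE alert with the most recent EXECUTION event for the same image, so the parent process and command line appear next to the alert and an empty service name is recorded as such.

```python
import re
# Constructed sample in the line shapes quoted in the thread above (paths shortened).
SAMPLE_LOG = r'''
22:15:48 [EXECUTION] "c:\windows\system32\spoolsv.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe"
[EXECUTION] Commandline - [ c:\windows\system32\spoolsv.exe ]
22:15:52 [DRIVER/SERVICE] c:\windows\explorer.exe  Tried to install a driver/service named
22:16:07 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe"
[EXECUTION] Commandline - [ "rundll32.exe" c:\windows\system32\shimgvw.dll,imageview_fullscreen c:\pics\test.jpg ]
22:16:09 [DRIVER/SERVICE] c:\windows\system32\rundll32.exe  Tried to install a driver/service named
'''

HEAD = re.compile(r'^(\d\d:\d\d:\d\d) \[([A-Z/]+)\] (.*)$')   # timestamped event line
RUN = re.compile(r'^"([^"]+)" was allowed to run$')
PARENT = re.compile(r'^\[EXECUTION\] Started by "([^"]+)"')    # continuation lines
CMDLINE = re.compile(r'^\[EXECUTION\] Commandline - \[ (.*) \]$')
DRIVER = re.compile(r'^(\S+)\s+Tried to install a driver/service named\s*(.*)$')

def parse_pg_log(text):
    """Return one dict per timestamped event; continuation lines attach to the last EXECUTION."""
    events = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HEAD.match(line)
        if m:
            ts, kind, rest = m.groups()
            ev = {"time": ts, "kind": kind, "image": rest.lower(), "parent": None,
                  "cmdline": None, "service": None}
            if kind == "EXECUTION" and (r := RUN.match(rest)):
                ev["image"] = r.group(1).lower()
            elif kind == "DRIVER/SERVICE" and (d := DRIVER.match(rest)):
                ev["image"] = d.group(1).lower()
                ev["service"] = d.group(2) or None   # PG left the name blank in the thread
            events.append(ev)
        elif events and events[-1]["kind"] == "EXECUTION":
            p, c = PARENT.match(line), CMDLINE.match(line)
            if p: events[-1]["parent"] = p.group(1).lower()
            if c: events[-1]["cmdline"] = c.group(1)
    return events

def driver_install_attempts(events):
    """Pair each DRIVER/SERVICE event with the latest earlier EXECUTION of the same image."""
    report = []
    for i, ev in enumerate(events):
        if ev["kind"] != "DRIVER/SERVICE":
            continue
        launch = next((e for e in reversed(events[:i]) if e["kind"] == "EXECUTION" and e["image"] == ev["image"]), None)
        report.append({"time": ev["time"], "image": ev["image"], "service": ev["service"],
                       "parent": launch["parent"] if launch else None,
                       "cmdline": launch["cmdline"] if launch else None})
    return report
```

In the sample, explorer.exe has no EXECUTION line of its own (it was already running), so its alert is reported without a parent, while the rundll32.exe alert is tied back to explorer.exe and the shimgvw.dll command line.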
Thank you, Gavin, for showing up. You could be right about thumbnails, but
I just verified what nick posted. If you have the spooler running, PG alerts.
What I still don't understand is why it was only those two pics, not regular ones on my HD. I thought I asked how PG tags files to know the difference?
Hmm, maybe I didn't.
Mele? I think you are right on with Vista. They can take their DRM and put it you know where LOL
However, I am an advocate for making people sign their software, but I say it has to be reputable sources agreed upon by big business.
If it's the Print Spooler service, then that explains why I didn't receive the error. I personally have that service deleted/uninstalled from my computer. IMO, it's strange that it tries to (re)install itself from explorer.exe (that's my guess on what's happening, anyway). I know different programs do this, such as Unlocker v1.8.3 and User Profile Hive Cleanup. It may not even exactly be that, but related in a way to installing a driver/service. Again, this is just my guess, as I'm not totally sure what's happening here.
Not sure what you mean by reinstall itself. The service was always running in Task Manager, or are you saying the service was trying to install a driver?
I am confused about it myself, and the fact it doesn't happen on all JPGs.
Maybe I am owned? LOL
Why don't you just go back to 3.15? I have the Print Spooler service running all the time and I didn't get any error when I did those tests. But I went back to 3.15 some time ago.
I would go back, but I think the self-protection features are better in the new version. I just expected more help from DCS, as I am now seeing everyone did.
No need to send logs since it is explained here in detail.
What I mean is that some services install themselves as a driver/service again for some reason. For example, the User Hive Profile Cleanup service needs the install driver/service privilege, as it does this whenever it runs. For some reason, services sometimes double as drivers (usually/always in the Non-Plug and Play section). Really strange is that it pops up with v3.405 and not v3.150, unless there's some other thing causing this.
I guess it is a good thing I am still using 3.15, since I use User Hive Profile Cleanup, and you're saying that if I were using 3.405 it would be reinstalling itself via Explorer every time it runs and I would get a PG alert because of this?
I also use the hive cleanup along with shared toolkit which is off at the time.
PG logs a bunch of find.exe and cmd.exe on boot, but doesn't alert on that stuff.
No, that's not what I mean. UHPC needs to have driver/service privileges by itself. It doesn't try to install through Explorer. It's just that it will complain if it doesn't have the driver/service installation privilege. At least, that's how it is for me since v3.15.
Brand new install of 3.410 on XP Home on a Dell.
Same results on the pictures. I did notice, while updating Windows, there was a print spooler update. Should have tried it without and with that update to see a difference.
This clean install only has PG & BOClean on so far.
Those of you that have spoolsv.exe disabled don't count. The problem happens with that running.