need help on PG fullver > 100% working protections?

We just buy PG2 full version for home uses. After playing around and reading stuff about it, there are some concerns to have help from xp'user and xperts.

1- On a win2k pro (uptodate), regsvc.exe could start even it was "quanrantined" into PG's "blacklist" if let it enabled (automatical start setting in services section of MMC.exe window.) - that made us worried and poped up a concern that whether PG2 starts most early and provides most protections during windows booting? In fact, regsvc.exe could start at bootup.

2- It seems that SpySweeper (webroot.com) & PG2 having compatible issues?
Times by times, everytime installed SpS, and at almost every boot of windows then, there are appearances of PG Secure desktop GUI with non-specific executable request to run (ofcourse, it was intercepted by PG).
I have pix of the "issues" and I dont know what on this page provides option to upload images.

Thx.
:roll:

 

The issue with #1 will never really be 100% solved. There is just no way you can guarantee when your service/driver will load with Windows. However, some program must still execute and install a driver/service which Process Guard would alert on. So it is more an inconveniance issue rather than a security problem.

#2 will probably be fixed in the next version which will be in BETA in a few days. There have been some fixes regarding this issue .

 

I am running Spy Sweeper, V3.0, Build 129 with PG V2.0 and am not seeing any conflicts. My OS is XP-SP2-Build 2162 Home Edition.

I have Spy Sweeper in my program list with the normal 4 block flags and then Allow Flags of Write, SetInfo, Terminate, Suspend, GetInfo, Read. I also have Close Message Handling set as an Option.

HTHs

 

Hi newbuyer,

If you register an account you can attach the images, it will help a lot to understand your problem

It could be possible you simply have old video card drivers

 

I am using opera7.x internet browser and seems having difficulties uploading images to the server (done uploading but close windows not worked to go back to reply writing windows - it has gone away). I will try it with firefox.
I have a video card using nvidia chipset Geforce2-MX400 with the laster nvidia driver installed.
I have 10 images for problems happened to my pc. I dont know which one would show most close to the "problem"? What I can do to upload all images? If you dont mind, can I have one of your email address (can be a temporary email address) which I can submit all images to for you to take a glance at it if any image provides a fact to the problem on my pc?

Thx so much.
PS: win2k pro sp4.
* programs installed:
PG2 (licensed), TDS3/PE/CS (trials), Norton AV 2003, ZoneAlarmSuite 5.1.011 (with av disabled); Acronis TrueImage & DiskDirector.
* hardwares:
soyo-k7vmp2 mobo, adm-xp1700+, 768mb ddr266, video card nvidia geforce-MX400 (seems WinFast), Netgear FA312 NIC, Hauppaug (not sure spelling) TV-tuner PCI card...
------------------------------------------------------------------------

 

Thx for the info.
First, I did not give spysweeper3 full "power"; later on, I gave it full and such issues still happened to my box until I removed spysweeper3. It seems that at booting up, spysweep tried to install some driver "mchInjDrv" and PG caught it and asked user for approval (if disable new program exe) and auto locked it and showed entries in log (if enable new program exe); learning mode : I did not dare to try yet to see what will be going on.
Later on, I also gave spysweeper3 right to install driver, the log entry on spysware tried to install "mchInjDrv" gone, but other misterious unspecific name of .exe shown. If I removed spysweeper3, such things are gone.
Any ideas? Thx for help.

 

Hi for spysweeper I have the following flags set

First four block flags
Allow flage are: Write, Setinfo ,Getinfo and Read
And in Options, Allow Driver / server install

This works perfectly on my machine with no Red log entries.

HTH Pilli

 

MchInjdrv looks highly suspicious. I cannot find it anywhere on my system (registry included) with my Spy Sweeper V3.0 Build 129.

It is also referred to in the following link

http://computercops.biz/print-1-59714.html

where the user with a problem was instructed to delete it.

You might use WebRoot support on their website and ask them if it is valid. Of course you may or may not get a reply from them...or it might take a couple of weeks.

 

Thx for the information which someone had the same :
mchInjDrv: \??\C:\DOCUME~1\SCOTTM~1\LOCALS~1\Temp\mc22.tmp
If other spysweeper3 users have not had this "mchInjDrv" on their machine then probably that my box had already some bugs implanted on it before I installed PG2 (trial, full) and SpySweeper3 -> caused strange behaviors.

I searched for another post related to this mchInjDrv which is said not bad for it:
[http://216.239.39.104/translate_c?h...=/search?q=mchinjdrv&hl=en&lr=&ie=UTF-8&sa=G]

How to get a clean machine?
thx.

 

Seems that I was wrong.
There is a post on that page which seems to show mchInjDrv to try defeat PG protection:

Hope someone help clearly on this. thx.

 

Maybe you can send the mchinjdrv file to Diamondcs and they can analyze it to determine if it is malicious. If it is trying to compromise PG, I would think it would have the status of a virus or trojan.

 

That was the driver a² installed ? well it would be OK for you to allow that program to install a driver, since you trust it ? Any program which you trust should be given rights in ProcessGuard

MCH = MadCodeHook, used by a².. I cant see the screenshot sorry but I do vaguely remember this was the name a² used for a driver..

Ahh ok can see the screenshot.. seems like Spysweeper also uses that library too. You probably wont find the file because it gets dropped and after the install failed, it gets deleted

 

Re: need help on PG fullver

Thx so much for the confirmation which relieved me from mchInjDrv at the moment. It seemed you forgot to mention that mchInjDrv is good / malicious intention (mostly not malicious since spysweeper3 probably uses it and drops it in place when neccessary?).
There are some PG users posted on this forum that they have not seen any things like mchInjDrv when they have used spysweeper3 also. How that?
Another concern I still should to ask again for your support, I have seen "remote registry service" - regsvc.exe although set blocked to run by PG (licensed), it still could start if it is set to start automatically in MMC setting of windows 2000. If I understand what you provided to help users to understand things better (in your first reply) , no way to be sure 100% order of services being loaded when windows booting up, right? which probably drivers of a security software can start later than some (this case, PG driver vs. regsvc.exe of windows 2000). If it is correct, how about malicious drivers can not take advantages of it to race ahead of security software installed? I am only home users, so if this is idiot concern, please help me out to understand clearly and shape my mind about computer safe/security things.
Thanks so much again.
.PGLover.

 

I forgot another thing I should report so that it can give some info might be useful for me to have help from others:
- For a long time, I had very difficulty to install norton antivirus (2001, 2002, 2003, 2004 - dislike 2004 since activation; all free after rebates) - often got error messages like not found *.cab file - infact, it was on installation cdrom - nav got some changed since something so it was disabled; sometimes, tried removing nav was tough.
- On the same box, after installed PG, I dont have any more weird things above when installed NAV2003 and NAV2004.

I dont really know why the story seemed concident like this. Hope to have others jump in for help.
TIA.

 

Hi PGlover,

PG starts very early in the boot process, providing you have the General option to Block drivers/services from installing you should be OK, also providing that your machine was clean when PG was installed.

Any new or changed drivers will be picked up by the secure desktop. I have even seen this when a trusted Windows service has been changed by a Winupdate when I have forgotten to disable Process Guard during the update's install process. On reboot the Secure desktop jumps in asking if I wish to allow the change or I see blocked log entry in the PG log.

I also know that if such a vulnerability was found DCS would update PG to stop it.

HTH Pilli

 

Thx. That rests "my paranoid"
For a long time of using pc without a security software like PG, how I can say my box has been clean from malicious programs implanted without my knowledge? Hope there is an absolute solution to be able to protect a machine with PG2x/TDS3-4/WG3-4 even onto an unsure clean box. Is this possible?
I have heard there have been malicious programs to be able to exist and alive even with a reformatting, reparttioning? It always come back alive after all? Is it possible or just craps?
TIA.

 

Hi again PG lover, Unfortunately there is no such thing as 100% security, all we can do is protect against what is known or even what may occur so a layered defence, such as yours, is currently the best way. Ensuring you get the latest operating system updates and that of your security apps is the first rule.

Pilli

 

If you wipe a system properly and install from known clean backups, NO, nothing can survive.

Boot sector viruses are those which can survive a format if you dont use fdisk /mbr to wipe the MBR (master boot record) of a disc. Boot viruses are VERY small and can only infect other boot sectors, such as a floppy disc.

All new BIOS'es for many years offer an option to write protect the boot sector, this should be used ! When you install Windows you will get an alert that it is trying to modify the boot sector, you allow it.. you should never see that warning again - if you do then its a boot virus trying to infect your MBR and you could deny it..