ProcessGuard Wiped Out!

Discussion in 'ProcessGuard' started by knowbodynow, Sep 14, 2005.

Thread Status:
Not open for further replies.
  1. knowbodynow

    knowbodynow Guest

    I was trying to check email and I got a message saying Thunderbird couldn't access the server. I tried to upload a file using Dreamweaver to my website but got an error message. I guessed there was a problem with the server, which was why my email wasn't working. I decided to go to the website of the hosting company and contact support. Suddenly I noticed that there were few icons at the bottom right. I thought they were hidden but actually they were disappearing. ProcessGuard, Counterspy, BOClean were wiped out. I actually watched the icons disappear like a stack of vanishing dominoes. Only the Sygate Firewall was left.

    What could have caused this? A rootkit? I decided to reformat the hard-drive and restore using Acronis True Image. Things seem OK now. I'm currently running as administrator. I'm thinking of completely starting again and trying to set up using a limited account. I was shocked.

    Chris (Hunt)
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Chris, this may not have been related to what you were doing at the time.
    If it was the official Thunderbird site I would not worry too much, but it may pay you to download the trial version of PortExplorer and watch for any unknown processes accessing the net.

    Also make sure your Windows is fully patched, and also update and do full AV, AT and AS scans to be on the safe side.

    HTH Pilli :)
     
  3. knowbodynow

    knowbodynow Guest

    Dear Pilli,

    Thanks for the tip about PortExplorer. I'm concerned that both ProcessGuard and BOClean seemed to fail. Of course, I may have some bad settings for ProcessGuard. Can anyone think of any settings I should check that could have allowed ProcessGuard to do nothing?

    Thanks,

    Chris
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Try running PG in learning mode whilst disconnected from the net. Run all your current apps, reboot and then disable learning mode before reconnecting to the net.
    You may have had a driver contention problem.

    HTH Pilli
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Knowbodynow,

    One possibility may have been a Windows Explorer crash (which results in most system tray icons disappearing), but now would certainly be a good time to review your security software settings (e.g. if you used Internet Explorer, did you give it the Access Physical Memory privilege in PG? Programs with this option can disable PG and other security software, and IE has shown enough vulnerabilities to make this a plausible attack vector).
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi knowbodynow,

    My preference would be to first uninstall PG and reinstall it by the book to restore the default settings. If the problem persists, then I would next take a look at BOClean and start troubleshooting by adding commonly running executables to BOClean's Exclusion List. It's been rare, but for me a BOClean incompatibility usually results in an Explorer crash or BSOD.

    Nick
     
  7. knowbodynow

    knowbodynow Guest

    Thanks for the replies. I hardly ever use Internet Explorer. At the time I was using Firefox 1.0.6. Internet Explorer is on my protected list and is allowed to read from protected applications; the four other option choices are all unchecked (Firefox has the same settings).

    I guess it could have been a Windows Explorer crash but it didn't look like one. The processes, including ProcessGuard, were actually terminated. Surely, that shouldn't happen? I tried to relaunch ProcessGuard but got a message that it wouldn't run because another process it relied on wasn't loaded. I should have written the details down but I forgot. I sincerely hope this doesn't happen again.

    Chris
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hmm, OK so the icons and their processes were terminated but in the case of PG that does not mean that the protection was terminated as that would require PG's driver to be stopped. Do you know if that was the case?

    Pilli
     
  9. knowbodynow

    knowbodynow Guest

    Sorry Pilli, I don't really follow your last message. I don't know about the driver, but when I attempted to restart ProcessGuard the message indicated it couldn't offer any protection. Everything was greyed out. It seemed I had no protection. Also, surely the function of ProcessGuard is to prevent processes from being terminated? It didn't do its job. It's possible I made a mistake with the set-up, though it had been running for some time and always gave me alerts, and basically I avoided giving any programs extra privileges - as I mentioned, Firefox and Internet Explorer don't have any. But something went wrong. I did notice when I relaunched AVG that it reported that email wasn't properly protected. I don't know when that went wrong.

    Chris
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    There could be many reasons for the cause; malware is just one of the possibilities. Remember that some of the default Windows services have termination capabilities and that one of these may have been triggered by a system operation.

    I suggest that if ProcessGuard now appears to be running normally, you test it using DCS's Advanced Process Termination utility. Be aware that two of the tests, 7 & 8 if I remember correctly, require that Close message handling is enabled on the app to be tested.

    Ensure that the four global protections are enabled and do not put APT on the protection list :) but do allow it to run once in the security list.

    Link: http://www.diamondcs.com.au/index.php?page=apt

    HTH Pilli
     
  11. Knowbodynow

    Knowbodynow Guest

    Thanks Pilli,

    I downloaded the Advanced Process Termination utility (APT) and tried it out on various processes. ProcessGuard worked every time. Interesting that APT will kill itself - I didn't protect it with ProcessGuard!

    I still wonder what happened. I'm still a little nervous that the problem will repeat. I guess no-one else has experienced anything similar?

    Chris
     
  12. MichelB

    MichelB Guest

    It does sound like explorer.exe crashing and restarting; it can do this very fast, before you notice it. When it restarts sometimes there are no icons? I now use the full version of ProcessGuard, no problems at all, APT tests fail too.
     
  13. Knowbodynow

    Knowbodynow Guest

    If explorer crashes does that actually kill off other processes or just clobber the icons? In my case all the programs except Sygate firewall died.

    Chris
     
  14. Sharysta

    Sharysta Guest

    i had this problem myself with Explorer crashing, and loss of icons of security apps that were running, recently. i had just removed some malware that i had picked up through Firefox, using javascript to hop aboard (i had idiotically been browsing with it enabled) and this malware (a host of trojans and adware type visitors) had completely disabled my NAV, and my Sygate firewall. (i ended up using AVG and Outpost, and uninstalling NAV and Sygate, i never could get them working right again)

    this, all before i had discovered ProcessGuard (i have the paid version and it is WONDERFUL!)

    i do believe my system is clean now. but afterwards, i had a few probs i didn't have before. anytime i tried right clicking a Windows Explorer file, Explorer would crash. i Googled the symptom, and eventually ran across a suggestion to go to Internet Options>Advanced and untick "enable page transitions" and this stopped Explorer from crashing when i right clicked a file (YAY!)

    but every once in a while, my security app icons do begin to play this disappearing trick. but when i check Process Explorer, it shows them each running. i read somewhere that Windows 2000 and XP sometimes has that happen, so in my case i decided not to worry; so long as they are actually running. but, when i had malware, they disappeared and weren't running.

    this post caught my attention because the other day when i logged on, my AVG email scanner wasn't enabled, nor would it enable. i rebooted and it has been fine since. i have no idea what its issue had been! but i'm keeping my fingers crossed.....

    i am still left with an issue in IE though. i can't do online AV scans, nor run PC Pitstop tests, because IE crashes every time! (i only use it for online scans - nothing else!)

    i haven't located my XP CD to do a repair. i'm not missing IE at all. and i have completely lost my ability to feel that AV scans can protect me; a trojan i had (forget name off top of my head) was somehow able to remove itself, or hide itself, from detection.

    it was ProcessGuard that helped me to figure out what was going on. it alerts me to things wanting to run, and if i don't understand what's going on, i deny, and research, and in the case of the stealthy trojan, i tracked it down that way.

    i knew when i downloaded ProcessGuard that i had something bad, but i decided i was going to try it anyway. and promptly decided i wanted the full version :)

    but if your icons are disappearing, and actually being stopped from running, are you sure you don't have malware?
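The distinction this thread keeps circling (a tray icon that vanished, versus a UI process that was terminated, versus the kernel driver that actually enforces the rules being stopped) can be checked from a command prompt rather than guessed at from the system tray. The script below is an added example and is not ProcessGuard's, BOClean's or any forum member's code: it parses the output of `tasklist /fo csv` and `sc query <driver>` and classifies each watched product. The image names and driver service names in `EXPECTED` are placeholders chosen for illustration (an assumption, not the products' documented names), and the embedded `tasklist`/`sc` output is constructed sample data so the script runs offline; on a Windows machine `collect_live()` runs the real commands instead.

```python
"""Added example (not ProcessGuard's or any poster's code): tell "icon gone" apart from
"process terminated" and from "driver stopped", which is what actually ends protection.

Image names and driver service names in EXPECTED are placeholders chosen for
illustration; substitute the names your installed versions use.
"""
import csv
import io
import platform
import re
import subprocess

# Placeholder names (assumption, not the products' documented names).
# driver=None means the product is user-mode only and has no kernel driver to check.
EXPECTED = {
    "ProcessGuard": {"process": "procguard.exe", "driver": "procguard"},
    "BOClean": {"process": "boclean.exe", "driver": None},
    "Sygate Firewall": {"process": "smc.exe", "driver": None},
}

# Constructed sample of `tasklist /fo csv`: both security UIs are gone, the firewall is up.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"explorer.exe","1480","Console","0","18,404 K"
"smc.exe","1712","Console","0","9,212 K"
"firefox.exe","2044","Console","0","31,880 K"
'''

# Constructed sample of `sc query procguard`: the kernel driver is still loaded.
SAMPLE_SC = {
    "procguard": """SERVICE_NAME: procguard
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
""",
}


def parse_tasklist_csv(text):
    """Set of lower-cased image names from `tasklist /fo csv` output."""
    return {row["Image Name"].lower() for row in csv.DictReader(io.StringIO(text))}


def parse_sc_query(text):
    """STATE word ('RUNNING', 'STOPPED', ...) from `sc query <name>` output, or None
    when there is no STATE line (service not installed, or the query failed)."""
    match = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", text, re.MULTILINE)
    return match.group(1) if match else None


def assess(running, sc_outputs):
    """Classify each product in EXPECTED.
    running: set of image names currently in the process list.
    sc_outputs: dict driver-name -> raw `sc query` text for that driver."""
    states = {name: parse_sc_query(out) for name, out in sc_outputs.items()}
    report = {}
    for product, spec in EXPECTED.items():
        proc_up = spec["process"].lower() in running
        driver = spec["driver"]
        if driver is None:
            report[product] = "process running" if proc_up else "process terminated"
            continue
        drv_up = states.get(driver) == "RUNNING"
        if proc_up and drv_up:
            report[product] = "process and driver running"
        elif drv_up:
            # Tray icon and UI are gone, but the driver is still enforcing the rules.
            report[product] = "UI process terminated, driver still running"
        elif proc_up:
            report[product] = "process running but driver not loaded"
        else:
            report[product] = "process terminated and driver not loaded"
    return report


def collect_live():
    """Run the real commands (Windows only) and return (running, sc_outputs)."""
    tasklist = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True).stdout
    sc_outputs = {}
    for spec in EXPECTED.values():
        if spec["driver"]:
            sc_outputs[spec["driver"]] = subprocess.run(
                ["sc", "query", spec["driver"]], capture_output=True, text=True).stdout
    return parse_tasklist_csv(tasklist), sc_outputs


if __name__ == "__main__":
    if platform.system() == "Windows":
        running, sc_outputs = collect_live()
    else:
        running, sc_outputs = parse_tasklist_csv(SAMPLE_TASKLIST), SAMPLE_SC
    for product, status in assess(running, sc_outputs).items():
        print(f"{product:16} {status}")
```

With the constructed sample the report says ProcessGuard's UI process is gone but its driver is still running (Pilli's point that a missing icon does not by itself mean protection stopped), BOClean is terminated, and the firewall is up. Running it periodically, or right after the icons vanish, gives a record of which of the three situations you were actually in, which is the detail the original poster regretted not writing down.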
     
  15. knowbodynow

    knowbodynow Registered Member

    Joined:
    Sep 23, 2005
    Posts:
    48
    Hi, interesting message. I don't know if I had malware or not. After everything appeared to have died I decided to restore my system using True Image. As far as I know my system is clean now. Apart from running Counterspy I check it with Spybot S&D and Ad-Aware and also occasionally check it out with HijackThis. My concern was that something managed to get past ProcessGuard. It wasn't as if a message popped up and I allowed something - the icons disappeared without warning. I think this means either that:

    1. I had ProcessGuard configured incorrectly OR
    2. Something was able to defeat ProcessGuard.

    I think it would be useful if there was a compiled list of Dos and Don'ts, a kind of "check these settings" list. I think ProcessGuard is a very worthwhile application, but if it is configured incorrectly then it may well be useless against a determined attack.

    Chris
     
  16. sharysta

    sharysta Guest

    one thing i have noticed is that in my admin acct, which i only use to do admin tasks, PG doesn't even show up in my systray, but when i check, it is running as it should. if i want to change anything, i click the shortcut to open it, and then it does show in my systray.

    but in my limited account, it always shows up. (aside from the time it disappeared but was running) in my case it might be because my current user limited account, i used to have as my admin acct when i dl'ed PG, and i have changed it since then.

    i don't see any way to configure PG to run in, or not run in, the systray.

    at one point, i was a bit concerned i didn't have things set properly, so i set it back to default, then readded in the security apps i wanted protected. i didn't like learning mode at all. i'd rather give permission as i go. but i found it fairly easy to configure for protection.

    i like very much that PG gives me more control over what is allowed to start up.

    i like seeing it in my systray, tho. i didn't like it when the icon disappeared! but it hasn't happened to me again, yet. but at least it WAS running, in my case! (since i got my machine clean)
     
  17. knowbodynow

    knowbodynow Registered Member

    Joined:
    Sep 23, 2005
    Posts:
    48
    I had the opposite experience - no icon in the task bar when running a limited user account. With an administrator account I have the icon.

    Chris
     