vettray'n'process kill demo

Discussion in 'ProcessGuard' started by redwolfe_98, Dec 9, 2003.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    When I run the "process-kill demo", it shuts down vettray.exe. I would like some help to try to set things so that it cannot be killed. Also, I would like some help with the settings in PG: should either of the two options in "PG/Protection/General Protection Options" be checked? I don't know much about how to gather and post whatever information could be used for diagnosis. Here is the log from ASviewer:
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Tom@TOMS-PC, 12-09-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\htafile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\vbsfile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\vbefile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\jsfile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\jsefile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\wshfile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\wsffile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\POINTER
    point32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IntelliType
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VetTray
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\THGuard
    C:\Program Files\TrojanHunter 3.7\THGuard.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegProt
    c:\program files\regprot\regprot.exe /start
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    Thanks. :) (P.S. Something seems peculiar about the point32.exe entry. Spybot flags it, but when it "fixes" it, point32.exe no longer runs.) Also note the "DOS" attributes in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VetTray
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe".
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi redwolfe_98,
    Can you download Advanced Process Termination from here: http://diamondcs.com.au/processguard/
    You will need both General Protection options enabled, and also "Close Message Handling" enabled on the app you wish to protect.

    Ensure that the programme you wish to protect is restarted for the PG protection to be enabled.

    If the problem persists can you please post your ASviewer log here: https://www.wilderssecurity.com/showthread.php?t=17322 Please ensure that "Main - Show drivers" is ticked before you post - Thanks

    HTH Pilli
     
  3. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    Check both the Options in General Protection.

    If you require Task Manager to have Terminate privileges, see Privileges (in the Help program), especially the "Allowed v Block" paragraph.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, if you have Task Manager in your PG protected list and give it Allow Terminate, it can terminate protected programmes, as I believe "allowed" always overrides "block".

    HTH Pilli
     
  5. MikeGiann

    MikeGiann Registered Member

    Joined:
    Dec 22, 2002
    Posts:
    12
    Location:
    Montreal, Quebec
    Hi,

    I too have Ez Antivirus (vettray.exe) and I can kill the process with either "Kill Process Demo" or APT. In Process Guard 1.150, I have the vettray.exe set up to be blocked by the 4 default values of Process Guard and also the "Close Message Handling". Any way that vettray.exe can be blocked? Although, once I go to the vettray.exe folder and re-activate it, then it is protected by Process Guard and cannot be terminated by either "Kill Process Demo" or APT. How can I have it protected the first time around?

    Also, when I boot, the icon in the system tray is sometimes there and at other times it's not (even though I'm still protected, because I can't kill any processes). Is this a bug or by design?

    Thanks for all your help.
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Without ticking the 1st General Protection option, programs can in some cases be closed by the same method Task Manager uses, called EndTask. So ensure that is ticked, that the 4 default BLOCKs are on the program you are protecting, and that the program doing the termination does not have ALLOW access.

    Also posting the Window log of the kill (if there is one) would be handy.

    -Jason-
     
  7. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I started this thread after reading another thread about "AOL 9" where Jason suggested modifying the regkey(s) with the "DOS" attributes. So I tried modifying the regkey at HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VetTray, replacing the "path" which had the DOS attributes with "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe". After that, the "process kill demo" could not kill vettray.exe. :)

    P.S. I also removed RegProt (and my firewall) from protection, for testing, and the "process kill demo" reported that it could not kill RegProt (removed from protection) while it actually did kill it. (It killed my firewall too, which, again, I had also removed from protection.) I have all of those processes back in protection now, and the process kill demo cannot kill them (nor can Advanced Process Termination).

    One way or another, after doing that, I also found that THGuard.exe was no longer "logging" in PG (which is good). Not that I didn't have it set so that it would not cause logging anyway, but I found that no "allow" settings were needed after that to keep THGuard.exe from logging in PG. (And I did test to make sure that it was still functioning.) :)
     
  8. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    (jooske, another cookie?) :)
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Congrats on figuring it out; the DOS path issue should be fixed in the next version. One KARMA cookie for you. :)

    -Jason-
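The fix redwolfe_98 describes above, which Jason confirms as a DOS path issue, is a path-matching problem: the Run key launched VetTray through its 8.3 short path, and a protection rule written with the long name does not string-match it. The Python below is an added example, not ProcessGuard code or anything posted in this thread; it scans a constructed list of autostart entries modelled on the ASviewer log, flags image paths in 8.3 form, shows why an exact-string rule misses them, and resolves short names with GetLongPathNameW when run on Windows (LONG_RULE and the entry list are constructed assumptions).

```python
import re
import sys
# Constructed sample modelled on the ASviewer entries posted in this thread:
# (autostart location, command line as reported).
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VetTray",
     r"C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\THGuard",
     r"C:\Program Files\TrojanHunter 3.7\THGuard.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegProt",
     r"c:\program files\regprot\regprot.exe /start"),
]
# The long-name path redwolfe_98 wrote into the Run key in place of the short one.
LONG_RULE = r"C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe"
# One 8.3 path component: up to six characters, a tilde and a number, optionally
# a three-character extension (PROGRA~1, ETRUST~1, VETTRA~1.EXE).
SHORT_COMPONENT = re.compile(
    r"(?:^|\\)[^\\.]{1,6}~\d+(?:\.[^\\.]{1,3})?(?=\\|$)", re.IGNORECASE)

def image_path(command_line: str) -> str:
    """Strip arguments such as '/start' or '%1 %*' from a Run-key command line."""
    cmd = command_line.strip()
    if cmd.startswith('"'):                 # quoted path: take the quoted part only
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def uses_short_name(path: str) -> bool:
    """True if any component of the path is an 8.3 short name."""
    return SHORT_COMPONENT.search(path) is not None

def matches_rule(path: str, rule: str) -> bool:
    """Exact, case-insensitive match, as a string-keyed protection list compares paths."""
    return path.lower() == rule.lower()

def canonical_path(path: str) -> str:
    """Expand 8.3 components via GetLongPathNameW (Windows only, file must exist)."""
    if sys.platform != "win32":
        return path
    import ctypes
    buf = ctypes.create_unicode_buffer(1024)
    n = ctypes.windll.kernel32.GetLongPathNameW(path, buf, 1024)
    return buf.value if 0 < n < 1024 else path

def find_short_path_entries(entries):
    """Entries whose image path is in 8.3 form: the ones a long-name rule misses."""
    return [(loc, image_path(cmd)) for loc, cmd in entries
            if uses_short_name(image_path(cmd))]
```

Compare rules against canonical_path(image_path(cmd)) rather than the raw registry value, so a short-form launch path and a long-form rule refer to the same file.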
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just a note on THGuard: I was helping someone last night and suggested it would be CONSIDERABLY more compatible if you rename that THSec.dll to stop it being used for protection, and protect TH with PG instead. Changes won't take effect until you reboot. If you have no problems, leave it, but removing it from the equation helps a lot. :)
     
  11. MikeGiann

    MikeGiann Registered Member

    Joined:
    Dec 22, 2002
    Posts:
    12
    Location:
    Montreal, Quebec
    That works for me as well: the DOS path was changed and vettray.exe could not be killed anymore, either by "Process Kill Demo" or by APT. Thanks, redwolfe_98, for the tip, much appreciated. :)
     
  12. Storm

    Storm Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    46
    Hi!
    I also tried to change the DOS-style path of my AV monitor (Gdata AVK 2004 Pro) to the "real" path, but to no avail... under Win2k I can still kill the service with APT #5. :'(

    Greetz

    Storm
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Next version, please? :D Jason has sorted out a solution which will handle any path, so it won't matter soon. In your hands as soon as we can, sir. :)
     
  14. Storm

    Storm Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    46
    :D :D :D

    No offense Gavin! ;)

    Was just testing if that "path-stuff" would solve the APT #5 problem!

    I for sure trust in you guys finding a solution!

    Keep up the good work!

    Storm
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    No offense taken :)

    If that is the only kill method that takes down VET, though, that's encouraging, and good to know that only very specific trojans might get at it. Someone would have to really make an effort there, and the truth is script kiddies won't (can't) bother attacking a hard target.

    Now where's that drink? ;) Enjoy the weekend.
     