vettray'n'process kill demo

when i run the "process-kill demo", it shuts down vettray.exe. i would like some help to try to set things so that it cannot be killed. also, i would like some help with the settings in pg: should either of the two options in "pg/protection/general protection options" be checked?.. i don't know much about how to gather and post whatever information could be used for diagnosis.. here is the log from asviewer: DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Tom@TOMS-PC, 12-09-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\htafile\shell\open\command\
C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
HKCR\vbsfile\shell\open\command\
C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
HKCR\vbefile\shell\open\command\
C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
HKCR\jsfile\shell\open\command\
C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
HKCR\jsefile\shell\open\command\
C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
HKCR\wshfile\shell\open\command\
C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
HKCR\wsffile\shell\open\command\
C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\POINTER
point32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IntelliType
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VetTray
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\THGuard
C:\Program Files\TrojanHunter 3.7\THGuard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegProt
c:\program files\regprot\regprot.exe /start
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
thanks, (p.s. something seems peculiar about the point32.exe entry. spybot flags it, but when it "fixes" it, point32.exe no longer runs) also note the "dos" attributes in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VetTray
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe"

 

Hi Redwolf_98,
Can you download Advanced Process Termination from here: http://diamondcs.com.au/processguard/
You will need both General protection option enabled. Also "Close message Handling" enabled on the app you wish to protect

Ensure that th programme you wish to protect is restarted for the PG protection to be enabled.

If the problem persists can you please post your ASviewer log here: https://www.wilderssecurity.com/showthread.php?t=17322 Please ensure that "Main - Show drivers" is ticked before you post - Thanks

HTH Pilli

 

Check both the Options in General Protection.

If you require Task Manager to have Terminate privileges, see Privileges (in the Help program), especially the "Allowed v Block" paragraph.

 

Yes, If you have Task Manager in your PG protected list and give it Allow terminate it can terminate protected programmes as I believe "allowed" always overrides "block"

HTH Pilli

 

Hi,

I too have Ez Antivirus (vettray.exe) and I can kill the process with either "Kill Process Demo" or APT. In Process Guard 1.150, I have the vettray.exe set up to be blocked by the 4 default values of Process Guard and also the "Close Message Handling". Any way that vettray.exe can be blocked? Although, once I go to the vettray.exe folder and re-activate it, then it is protected by Process Guard and cannot be terminated by either "Kill Process Demo" or APT. How can I have it protected the first time around?

Also, the icon in the system tray is sometimes there and at other times it's not when I boot (even though I'm still protected because I can't kill any processes), is this a bug or by design?

Thanks for all your help.

 

Without ticking the 1st General Protection option, programs can be closed by the same method Task Manager uses in some cases called EndTask. So ensure that is ticked, that the 4 default BLOCKS are on the program you are protecting and that the program doing the termination does not have ALLOW access.

Also posting the Window log of the kill (if there is one) would be handy.

-Jason-

 

i started this thread after reading another thread about "aol 9" where jason suggested modifying the regkey(s) with the "dos" attributes.. so.. i tried modifying the regkey at hklm/software/microsoft/windows/current version/run/vettray, replacing the "path" which had the dos attributes with "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe". after that, the "process kill demo" could not kill vettray.exe. p.s. i also removed regprot (and my firewall) from protection, for testing, and the "process kill demo" reported that it could not kill regprot (removed from protection) while it actually did kill it.. (it killed my firewall too, which, again, i had also removed from protection). i have all of those processes back in protecton now, and the process kill demo can not kill them (nor can Advance Process Termination). one way or another, after doing that, i also found that THGuard.exe was nolonger "logging" in PG (which is good), not that i didn't have it set so that it would not cause logging anyway, but i found that no "allow" settings were needed after that to keep THGuard.exe from logging in PG. (and i did test to make sure that it was still functioning)

 

(jooske, another cookie?)

 

Congrats on figuring it out, the DOS path issue should be fixed in the next version. One KARMA cookie for you.

-Jason-

 

Just a note on THGuard, I was helping someone last night and suggested it would be CONSIDERABLY more compatible if you rename that THSec.dll to stop it being used for protection, and protect TH with PG instead. Changes wont take effect until you reboot. If you have no problems leave it, but removing it from the equation helps a lot

 

That works for me as well, the Dos path was changed and vettray.exe could not be killed anymore, either by "Process Kill Demo" or by APT. Thanks redwolfe_98 for the tip, much appreciated.

 

Hi!
Also tried to change the DOS-style path of my AV-Monitor (Gdata AVK 2004 Pro) to "real" path, but to no avail... under Win2k I still can kill the Service with APT#5

Greetz

Storm

 

Next version please ? Jason has sorted out a solution which will handle any path so it wont matter soon. In your hands as soon as we can sir

 

No offense Gavin!

Was just testing if that "path-stuff" would solve the APT #5 problem!

I for sure trust in you guys finding a solution!

Keep up the good work!

Storm

 

No offense taken

If that is the only kill method that takes down VET though, thats encouraging and good to know that only very specific trojans might get at it. Someone would have to really make an effort there and the truth is script kiddies wont (cant) bother attacking a hard target.

Now wheres that drink Enjoy the weekend