Zapping f-prot service with process explorer



Hello again all, (well, nearly all)  :)

In yet another failed attempt to install vista sp1 on my dell inspiron
I got sidetracked onto another issue.

I tried killing the process FPAVServer.exe with Process Explorer but
it was immediately restarted and I couldn't kill it. Not a bad trait,
I know, but if F-Prot can avoid being killed then maybe so can some
malware if something slips through.

What actually happened when I killed the "FPAVServer.exe" process was
that "fssf.exe" started up, it was this that appeared to restart
"FPAVServer.exe" and then close itself down. At least it disappeared
from the list of running processes so I couldn't just close down a
process tree. FPAVserver's parent process wasn't visible to do that.

In contrast, on my xp desktop when I zapped FPAVServer.exe with
process explorer, it was gone for good without as much as a complaint.

Incidentally, fssf.exe is located in the main f-prot installation
directory.

So I would like to know what it is that's available to running
processes in vista to stop them being zapped which isn't available in
xp? And also how can I zap something in vista when some invisible
"minder" type process is immediately restarting it?

TIA


Jim


Re: Zapping f-prot service with process explorer



| Hello again all, (well, nearly all)  :)

| In yet another failed attempt to install vista sp1 on my dell inspiron
| I got sidetracked onto another issue.

| I tried killing the process FPAVServer.exe with Process Explorer but
| it was immediately restarted and I couldn't kill it. Not a bad trait,
| I know, but if F-Prot can avoid being killed then maybe so can some
| malware if something slips through.

| What actually happened when I killed the "FPAVServer.exe" process was
| that "fssf.exe" started up, it was this that appeared to restart
| "FPAVServer.exe" and then close itself down. At least it disappeared
| from the list of running processes so I couldn't just close down a
| process tree. FPAVserver's parent process wasn't visible to do that.

| In contrast, on my xp desktop when I zapped FPAVServer.exe with
| process explorer, it was gone for good without as much as a complaint.

| Incidentally, fssf.exe is located in the main f-prot installation
| directory.

| So I would like to know what it is that's available to running
| processes in vista to stop them being zapped which isn't available in
| xp? And also how can I zap something in vista when some invisible
| "minder" type process is immediately restarting it?

| TIA


| Jim


net stop <service_name>
sc stop <service_name>

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
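Dave's `net stop` / `sc stop` advice, worked into a PowerShell example added here (not code from the thread or from F-Prot): starting from the image name Jim saw, it finds the Windows service that hosts that process, prints the Service Control Manager recovery actions that bring a service back when its process is killed rather than stopped, and then stops it through the SCM. It assumes the process really is hosted by a service, that the shell is elevated, and that PowerShell 3 or later is available for `Get-CimInstance`.

```powershell
# Added example, not from the thread: locate the service behind a process,
# inspect its recovery actions, and stop it through the Service Control Manager.
# Run from an elevated PowerShell prompt.
param(
    [string]$ImageName = 'FPAVServer.exe'   # image name taken from Jim's post
)

$baseName = [IO.Path]::GetFileNameWithoutExtension($ImageName)
$procs = Get-Process -Name $baseName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Host "No running process named $ImageName"
    return
}

foreach ($p in $procs) {
    # Win32_Service records the PID of each running service, so match on it.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.Id)"
    if (-not $services) {
        # Not a service: the parent PID is where a restarting "minder" would show up.
        $wp = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
        Write-Host "PID $($p.Id) is not hosted by a service; parent PID $($wp.ParentProcessId)"
        continue
    }
    foreach ($svc in $services) {
        Write-Host "PID $($p.Id) hosts service '$($svc.Name)' ($($svc.DisplayName))"
        Write-Host "  binary    : $($svc.PathName)"
        Write-Host "  start mode: $($svc.StartMode)"
        # Recovery actions run when the service process ends without reporting
        # SERVICE_STOPPED to the SCM: restart the service, run a program, or reboot.
        # Killing the process from Process Explorer counts as such a failure;
        # an orderly stop through the SCM does not.
        Write-Host "  recovery actions (sc qfailure):"
        sc.exe qfailure $svc.Name
        # Stop through the SCM, which is what 'net stop' / 'sc stop' do.
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        Write-Host "  stopped '$($svc.Name)' via the SCM"
        # To keep it from returning on the next boot while investigating:
        # Set-Service -Name $svc.Name -StartupType Disabled
    }
}
```

A "run a program" entry in the `sc qfailure` output is the kind of recovery action that launches a helper after the service process dies, which is one thing to check against the behaviour Jim describes.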



Re: Zapping f-prot service with process explorer


On Sun, 21 Jun 2009 10:57:05 -0400, "David H. Lipman"


Ultimately, it's not the service I want to stop though, Dave, it's the
program which keeps restarting it. My use of F-Prot was just the
example which brought it to my attention. I suspect any malware using
the same technique might not have such an entry in the services list.


Jim.


Re: Zapping f-prot service with process explorer



| On Sun, 21 Jun 2009 10:57:05 -0400, "David H. Lipman"


| Ultimately, it's not the service I want to stop though, Dave, it's the
| program which keeps restarting it. My use of F-Prot was just the
| example which brought it to my attention. I suspect any malware using
| the same technique might not have such an entry in the services list.


| Jim.


Yes, there are hidden services.  The TDSserv RootKit loads as a hidden service.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Zapping f-prot service with process explorer


Did you try disabling UAC before "zapping"?

-jen



Re: Zapping f-prot service with process explorer




Yes. UAC got permanently disabled very early on. I'd rather have the
added risk than the persistent hassle.



Jim.


Re: Zapping f-prot service with process explorer


Then maybe Windows Defender is thwarting your efforts?

-jen


