Valhalla Legends Forums Archive | Visual Basic Programming | Killing A Protected Service

Clan CDH
I am writing another removal tool using Visual Basic, and this virus loads as a service and protects itself. It cannot be shut down via safe mode, nor can it be via services.msc. So I need to make something that can kill this service. Does anyone know how I would go about writing it to kill a PROTECTED service? And no, setting the process token to SeDebugPrivilege does not help.
January 1, 2007, 7:05 AM
MyStiCaL
I don't think anyone here will help you with a virus..
January 1, 2007, 7:15 PM
Yegg
[quote author=Mystical link=topic=16160.msg162913#msg162913 date=1167678912]
I don't think anyone here will help you with a virus..
[/quote]

Why not? He is trying to remove one. AFAIK... removing viruses is a positive thing.
January 1, 2007, 7:51 PM
MyStiCaL
[quote author=Yegg link=topic=16160.msg162915#msg162915 date=1167681097]
[quote author=Mystical link=topic=16160.msg162913#msg162913 date=1167678912]
I don't think anyone here will help you with a virus..
[/quote]

Why not? He is trying to remove one. AFAIK... removing viruses is a positive thing.
[/quote]

My bad, I misread the post; New Year's night got to me.
January 1, 2007, 9:56 PM
Myndfyr
Have you considered setting its .exe NTFS permissions?  Set permissions for "Everyone" to "Deny - Read and Execute".  Restart.

The event viewer should indicate that the process failed to start.  You should then be able to remove the executable.
January 1, 2007, 10:06 PM
Grok
[quote author=MyndFyre[vL] link=topic=16160.msg162917#msg162917 date=1167689174]
Have you considered setting its .exe NTFS permissions?  Set permissions for "Everyone" to "Deny - Read and Execute".  Restart.

The event viewer should indicate that the process failed to start.  You should then be able to remove the executable.
[/quote]

Additionally, go to the registry key for the service entry and using regedt32, modify the security so the SYSTEM cannot read the key.  Or just modify the entry so the entry points to the wrong executable.
January 1, 2007, 10:43 PM
Clan CDH
How would I go about changing the permissions on this?
January 10, 2007, 7:23 AM
Myndfyr
To edit the file permissions, ensure that you can do this through the Windows UI by going into Folder Options (Control Panel), and under the "View" tab, un-check "Use Simple File Sharing (Recommended)".  Then, navigate to the file, right-click and choose "Properties."  Select the "Security" tab.  Select the "Everyone" group - if "Everyone" is not a list option in the top list, click "Add" and type "Everyone" (without the quotes) and click OK.  Then, select the "Everyone" entry, and check the box in the column labeled "Deny" for the permission "Read and Execute". 

In the Registry Editor, select the key or keys related to the service.  Right-click and select "Permissions...".  Select "SYSTEM" and choose "Deny" for the "Full Control" permission set.
January 10, 2007, 8:04 AM
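The same two steps from the post above (Deny Everyone Read and Execute on the executable, Deny SYSTEM Full Control on the service key), done from PowerShell instead of the Windows UI. This is an added example, not code from any poster in this thread; the executable path and service key name are placeholders, and the script must run from an elevated prompt.

```powershell
# Added example: scripted version of the GUI steps described in the thread.
# Both values below are placeholders; substitute the real service's path and key.
$exePath    = 'C:\Windows\System32\PLACEHOLDER-service.exe'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PLACEHOLDER-Svc'

# Step 1: add a Deny ACE for Everyone on the executable so it cannot be
# read or executed at the next boot. Deny entries take precedence over Allow.
$fileAcl  = Get-Acl -Path $exePath
$fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'ReadAndExecute', 'Deny')
$fileAcl.AddAccessRule($fileRule)
Set-Acl -Path $exePath -AclObject $fileAcl

# Step 2: add a Deny ACE for SYSTEM on the service's registry key so the
# Service Control Manager (which runs as SYSTEM) cannot read the entry.
$keyAcl  = Get-Acl -Path $serviceKey
$keyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', 'Deny')
$keyAcl.AddAccessRule($keyRule)
Set-Acl -Path $serviceKey -AclObject $keyAcl

# Verification: list the Deny entries now present on both objects.
Get-Acl -Path $exePath    | Select-Object -ExpandProperty Access |
    Where-Object { $_.AccessControlType -eq 'Deny' }
Get-Acl -Path $serviceKey | Select-Object -ExpandProperty Access |
    Where-Object { $_.AccessControlType -eq 'Deny' }

# After a reboot, confirm the start failure in the System event log before
# deleting the file; the Deny ACE does not block deletion, which is governed
# by the parent directory's permissions.
Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 20 |
    Where-Object { $_.EntryType -eq 'Error' }
```

The Deny entries are what make this safe to reverse: removing the two ACEs with RemoveAccessRule restores the original behaviour if the wrong file or key was targeted.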
Clan CDH
[quote author=MyndFyre[vL] link=topic=16160.msg163068#msg163068 date=1168416297]
To edit the file permissions, ensure that you can do this through the Windows UI by going into Folder Options (Control Panel), and under the "View" tab, un-check "Use Simple File Sharing (Recommended)".  Then, navigate to the file, right-click and choose "Properties."  Select the "Security" tab.  Select the "Everyone" group - if "Everyone" is not a list option in the top list, click "Add" and type "Everyone" (without the quotes) and click OK.  Then, select the "Everyone" entry, and check the box in the column labeled "Deny" for the permission "Read and Execute". 

In the Registry Editor, select the key or keys related to the service.  Right-click and select "Permissions...".  Select "SYSTEM" and choose "Deny" for the "Full Control" permission set.
[/quote]

I know this, but how would I go about doing this programatically?
January 10, 2007, 9:43 PM
Topaz
[quote author=Clan CDH link=topic=16160.msg163073#msg163073 date=1168465388]
I know this, but how would I go about doing this programatically?
[/quote]

loles, "programatically"
January 10, 2007, 11:39 PM
Clan CDH
[quote author=topaz link=topic=16160.msg163077#msg163077 date=1168472365]
[quote author=Clan CDH link=topic=16160.msg163073#msg163073 date=1168465388]
I know this, but how would I go about doing this programatically?
[/quote]

loles, "programatically"
[/quote]

prick
January 11, 2007, 12:03 AM
Topaz
[quote author=Clan CDH link=topic=16160.msg163079#msg163079 date=1168473786]
[quote author=topaz link=topic=16160.msg163077#msg163077 date=1168472365]
[quote author=Clan CDH link=topic=16160.msg163073#msg163073 date=1168465388]
I know this, but how would I go about doing this programatically?
[/quote]

loles, "programatically"
[/quote]

prick
[/quote]

Look, don't get angry at me because you're trying too hard to impress members of this forum. It sure isn't my fault, k?
January 11, 2007, 3:22 AM
MyStiCaL
[quote author=topaz link=topic=16160.msg163082#msg163082 date=1168485724]
[quote author=Clan CDH link=topic=16160.msg163079#msg163079 date=1168473786]
[quote author=topaz link=topic=16160.msg163077#msg163077 date=1168472365]
[quote author=Clan CDH link=topic=16160.msg163073#msg163073 date=1168465388]
I know this, but how would I go about doing this programatically?
[/quote]

loles, "programatically"
[/quote]

prick
[/quote]

Look, don't get angry at me because you're trying too hard to impress members of this forum. It sure isn't my fault, k?
[/quote]

If he was trying to impress members on the forum, I think he would've figured it out and said something like "HAHA I GOT IT NEWBS". But anyways, programming topics should remain on topic, not just for the people replying but for people that search and are in need of help without posting a new topic, to keep these forums free from spam.
January 11, 2007, 4:05 AM
St0rm.iD
hm way to be a dick topaz
January 14, 2007, 6:27 PM
A2
It might not be in a dictionary, but I've seen it in printed text, and even MS uses the term.

'How to programmatically test for canonicalization issues with ASP.NET'
http://support.microsoft.com/kb/887459
February 13, 2007, 2:52 AM