Hi guys,
I have 2 machines set up: one is running BackTrack and the other is running XP.
I have installed AVG Free on the XP machine and I want to try to disable it using meterpreter.
I have a meterpreter session running; I run getcountermeasure and I run killav, but it does not kill AVG.
Any ideas?
Thanks in advance
Antivirus Bypass
ps to list processes in meterpreter, kill AVG and any daemons that might be monitoring it (they can be sneaky).
Get a GUI with VNC, then go to Add and Remove Programs and remove the offender (AVG). Or you can follow CKing's suggestion if you want to be a little bit more stealthy, although killing some of these processes might be more difficult than you think.
Thanks for the replies.
I tried killing the processes for AVG but they keep coming back.
I got my meterpreter session to connect back to me without AVG knowing by using msfencode with shikata_ga_nai to encode it.
My problem is when I run the metsvc script in meterpreter AVG picks this up. I don't know if there is some way to use msfencode on these scripts?
You wouldn't want to encode the script itself; it only runs on your machine. You would want to encode the executable the script is uploading and running. I'm going to say right now that I have zero experience with metsvc, but from looking at the script at https://www.metasploit.com/r...eter/metsvc.rb it looks like you could just encode the metsvc.exe (or whatever AVG is detecting) file before it's uploaded.
The process keeps coming back because there is a daemon (or daemons) monitoring it. After reading "How do you stop AVG? - Page 4" (http://www.velocityreviews.com/forums/t622945-p4-how-do-you-stop-avg.html) I concluded the daemon was called avgwdsvc.exe. You need to kill the daemon(s) and then the process itself immediately after; it is possible that the daemons will be faster than your connection, making this approach impossible.
Next I would try renaming (or removing) the AVG executable and then killing it, so the daemon can't find it when it tries to restart it.
This community typically encourages (strongly) a help-yourself attitude, so in the future try your favourite search engine first. All the same, I hope that helps, and post back if it works.
You can try to add an "exception" for the offending executables in AVG. Go within AVG's settings to do so.