Undecember

This topic has been locked
Roenie Oct 4, 2022 @ 8:48pm
GAME INSTALLS ROOTKIT: "nProtect GameGuard"
As per title.

// UPDATE #1:
I've been receiving too many friend invites because of this thread. I don't accept them because I have enough people to help IRL. Others just want to 'talk tech' and I appreciate it but I don't want to spend more time chatting on the internet. You get more out of spending that time on (finding) local friends and family IRL so I recommend doing that instead.

The devs have responded in this thread in post #213 (page 15-ish) saying they're working on providing an easy removal method. The devs also wrote: "There are cases where the nProtect program can be used for other games than UNDECEMBER. For this reason, this security module is not being automatically deleted." I understand and had already considered that. My stance on that: the uninstall process should ask the user to make the decision and to help them make the decision ideally provide a link to a webpage that the GameGuard developers should maintain that lists all games currently using GameGuard. The uninstall process should at least inform the user that it's leaving it behind and why it's doing that.

There's now a notice on the store page on the right side to inform you that the game incorporates nProtect GameGuard. They didn't mention adding that notice but I'm pretty sure that wasn't there earlier when I installed the demo. So that's two steps in the right direction.

Because the store page makes you aware and the devs are working on hopefully providing a removal tool, I'm happy if a moderator wants to lock this thread so it doesn't keep coming back to page 1.

I would still strongly suggest adding a notice at the time of installation if at all possible because a lot of people will overlook the tiny warning on the store page. Wanting a rootkit on your system or not is everybody's personal choice. So you should always be made aware before the installation so that people who don't want it can opt out. It shouldn't be installed silently as part of the installation process of something else. When I installed the demo I wasn't aware that GameGuard comes with it.

Being unaware that it installs in the first place is a more important problem than the one where it doesn't get uninstalled when you uninstall the game and doesn't tell you, even though that's also bad.
// end UPDATE #1

// UPDATE #2
Link to removal tool
Link to removal tool provided by developer can now be found in this Undecember news post:
https://store.steampowered.com/news/app/1549250/view/6456498378615365698

By sharing this link I am not responsible for whatever the removal tool does. It's probably made by the Korean company that makes GameGuard. I have not used it myself as I have already removed GameGuard using the manual process I described below.
// end UPDATE #2

nProtect GameGuard
Wikipedia: https://en.wikipedia.org/wiki/NProtect_GameGuard
Product page listing its features: https://gameguard.nprotect.com/en/index.html

This 'malware' will not be removed when you uninstall the game. In fact there is no uninstaller available to the public and there is no removal info on the website of the Korean company that creates it.

Notable sections of the Wikipedia page:
GameGuard hides the game application process, monitors the entire memory range, terminates applications defined by the game vendor and INCA Internet to be cheats (QIP for example[citation needed]), blocks certain calls to Direct X functions and Windows APIs, keylogs keyboard input[citation needed], and auto-updates itself to change as new possible threats surface.[1]

Since GameGuard essentially works like a rootkit,[2][6] players may experience unintended and potentially unwanted side effects. If set, GameGuard blocks any installation or activation of hardware and peripherals (e.g., a mouse) while the program is running. Since GameGuard monitors any changes in the computer's memory, it will cause performance issues when the protected game loads multiple or large resources all at once.[7]

Additionally, some versions of GameGuard had an unpatched privilege escalation bug, allowing any program to issue commands as if they were running under an Administrator account.[8]

GameGuard possesses a database on game hacks based on security references from more than 260 game clients. Some editions of GameGuard are now bundled with INCA Internet's Tachyon anti-virus/anti-spyware library, and others with nProtect Key Crypt, an anti-key-logger software that protects the keyboard input information.

Some of the other threads worth reading with additional info about GameGuard (GG):

GG opening browser on its own to download file to reinstall itself:
https://steamcommunity.com/app/1549250/discussions/0/3388420307306147309/

GG causing regular players to be unable to play:
https://steamcommunity.com/app/1549250/discussions/0/3388420307303552350/

Thread similar to the current thread you're reading:
https://steamcommunity.com/app/1549250/discussions/0/3388420307299415010/

Removing nProtect GameGuard
There is now a link to a removal tool more toward the top of this post. Look for the blue header: "Link to removal tool" in a section called UPDATE #2. The following is the manual removal process I described earlier:

Find and delete the main executable
Rootkits sometimes hide their main executable from being seen or deleted from within the operating system it's installed to, so just to be sure to not waste time trying to do it from within Windows I used linux to remove the executable after first trying to do it with a file manager program that crashed when I did. Possibly a coincidence. Reports from other users indicate that this particular rootkit doesn't hide or protect its executable file so you probably don't have to use linux but I'll explain the way I personally did it. I booted into linux (stored on a thumb drive) to find and delete GameMon.des that the game's installation process adds to the C:\Windows\SysWOW64 directory. Again reports from other users indicate you can probably see it and delete it from within Windows, so you can try that first.

If the nProtect GameGuard system service exists (see next paragraph) then the file gamemon.des will of course also exist even if you can't see it in File Explorer from within Windows in which case you can liveboot linux to find and delete the file. I briefly explained that process in this post: https://steamcommunity.com/app/1549250/discussions/0/3388420307302919948/?ctp=5#c3388420307306305282

If you can't find the executable, a useful trick is to go to the properties of the nProtect GameGuard system service to check what executable file path it points to. (WinKey+R --> services.msc) If the redirection between system32 and SysWOW64 causes confusion, read this post: https://steamcommunity.com/app/1549250/discussions/0/3388420307302919948/?ctp=25#c3487500856975883781

System service (optional)
After removing the main executable, the system service that points to it no longer functions. Delete the orphaned nProtect GameGuard service that remains in services.msc. To check if it's there: press WinKey+R and type services.msc. To remove the service, open a command prompt run as administrator, then enter the command: sc delete npggsvc. You may have to refresh the Services window with F5 to see the result.

Registry key (optional)
GameGuard creates a registry key called INCAInternet with various subkeys.
Press Windows-Key + R, then type "regedit".
Search for (Ctrl+F, F3 to repeat) and delete that entire key. It should be here: HKEY_CURRENT_USER\Software\INCAInternet

"gameMonitor" is added to several values in subkeys of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\ (see post #31 to #34 for why I crossed out the latter: these entries were not related to it.)

Learning about rootkit anti-cheat in general
The 1st video also covers the potential for system instability - big reason for me:
https://www.youtube.com/watch?v=aaL7owZmbEA
The 2nd video is more focused on the security risks, and covers what happened when the game Genshin Impact's rootkit anti-cheat was abused by a ransomware actor to disable antivirus software. (Do note that antivirus even when active is often inadequate to protect against ransomware.)
https://www.youtube.com/watch?v=PY41wMvwrLQ
Server side anti-cheat is a thing but it's not perfect either. It does help to write the game's code in a way that the client doesn't receive and send more data than it strictly needs so it can't manipulate it either, but there is no perfect solution and the more is done server side the more expensive it gets for the developer, hardware wise, to get the same server performance. Many multiplayer games employ client side anti-cheat, often a rootkit, in an attempt to protect the developer's profits with the unfortunate side effect of making your PC less secure. I don't really play multiplayer games anymore especially not competitive ones so I can realistically avoid having any client side anti-cheat installed. This time though I was unaware that one was getting installed along with the demo.

General advice if you can't avoid anti-cheat rootkits
If you do important things with your system or store important documents and like to play multiplayer games so can't avoid client side anti-cheats, I recommend using a dedicated gaming/entertainment/web browsing PC (inherently insecure) and a 2nd PC or laptop to do everything else with. The entertainment PC should be in a different IP address range so it's not able to communicate with other devices on your home network, it only gets internet access. Even better for security is to use a managed network switch to create VLANs so you can "physically" leave the gaming PC out of your main VLAN. The 2nd PC typically doesn't have to be fast thus can be cheap but if you can't afford one or don't want one: another solution albeit not as secure, is to "dualboot": install another operating system onto your gaming PC so you can choose which one to boot into: your gaming/entertainment OS or your serious/home office OS. I like Linux for the latter but both can be Windows if you want. On the entertainment OS don't assign a drive letter to the storage where you keep your documents. The technical how-to of all this is beyond the scope of this thread, so Google is your friend.

Clarifying my main concern
The user should always be aware of the installation because it's their computer, freedom of choice and all that. The main issue I personally have with rootkit anti-cheat isn't even that it reduces system security, even though that's very important (people don't care about security until it's too late), for me it's that whenever I have a problem with a PC or game I don't want to have additional variables to exclude in search of a possible cause. Especially programs that don't want you to know they're there so you're likely to not think about them. If an anti-cheat ever DOES cause an issue (even if unlikely) you'll spend way too much time eliminating every other possible cause first. And if a game you have an issue with won't start without the anti-cheat, you can't eliminate it as a possible cause at all. So while you stress test RAM, CPU, disable certain programs or overlays etc etc maybe even reinstall your OS you have this nagging voice in the back of your mind saying "what if it's actually the anti-cheat and I'm just wasting my time?"
Last edited by Roenie; Oct 23, 2022 @ 7:44pm
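
The three manual checks from the opening post (service, executable, registry key) can be run as one read-only audit. This is an added PowerShell example, not part of the original thread and not code from the game's developer; the service name `npggsvc`, the file `GameMon.des` and the `INCAInternet` key are the ones named in the post, and the function name is hypothetical.

```powershell
# Added example: read-only audit for the three GameGuard leftovers the post lists.
# Nothing is deleted. Service name, file name and registry path come from the post.
$ServiceName = 'npggsvc'
$FileName    = 'GameMon.des'
$RegKey      = 'HKCU:\Software\INCAInternet'

function Get-GameGuardLeftover {   # hypothetical helper name
    $found = @()

    # 1. Service entry, plus the executable path it points to (the same value
    #    the post reads from the service's Properties dialog in services.msc).
    $svc = Get-CimInstance -ClassName Win32_Service `
               -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if ($svc) {
        $found += [pscustomobject]@{
            Item     = 'Service'
            Location = $svc.Name
            Detail   = "State=$($svc.State); StartMode=$($svc.StartMode); Path=$($svc.PathName)"
        }
    }

    # 2. Executable. Both directories are checked because a 32-bit process sees
    #    SysWOW64 under the name System32 (the redirection the post mentions),
    #    so one file can show up under either path. -Force includes hidden files.
    foreach ($dir in 'SysWOW64', 'System32') {
        $path = Join-Path (Join-Path $env:windir $dir) $FileName
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($file) {
            $found += [pscustomobject]@{
                Item     = 'Executable'
                Location = $file.FullName
                Detail   = "Size=$($file.Length); Modified=$($file.LastWriteTime.ToString('u'))"
            }
        }
    }

    # 3. Per-user registry key and a count of what sits under it.
    if (Test-Path -LiteralPath $RegKey) {
        $subkeys = @(Get-ChildItem -LiteralPath $RegKey -Recurse -ErrorAction SilentlyContinue)
        $found += [pscustomobject]@{
            Item     = 'RegistryKey'
            Location = $RegKey
            Detail   = "Subkeys=$($subkeys.Count)"
        }
    }

    return $found
}

$result = Get-GameGuardLeftover
if ($result) {
    $result | Format-List
} else {
    'No GameGuard service, executable or INCAInternet key found.'
}

# A registered service whose file cannot be seen from the running OS is the
# case the post handles by inspecting the disk from a live-booted system.
if (($result.Item -contains 'Service') -and -not ($result.Item -contains 'Executable')) {
    "Service '$ServiceName' is registered but $FileName is not visible from Windows; compare the service path above against an offline view of the disk."
}
```

The registry check covers only the account that runs the script, since the key lives under HKEY_CURRENT_USER; run it once per Windows user who launched the game.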
Showing 406-420 of 457 comments
Aria Athena Oct 30, 2022 @ 11:16am 
This discussion has been fascinating.
StemZone Oct 30, 2022 @ 11:17am 
Originally posted by GrandpaTrump:
Originally posted by StemZone:
Software that you do not trust is extremely dangerous in ring-0. Proprietary closed-source malware that cannot be uninstalled definitely fits into that description.

GameGuard is used in many online games.

9Dragons
Atlantica Online
Blackshot
Blade & Soul
Cabal Online
City Racer
Combat Arms: Reloaded
Combat Arms: The Classic
Darkeden
Digimon Masters Online
Dragon Saga
Elsword (no longer used as of March 29, 2017)[11]
Flyff
Grand Chase
Lineage 1 & 2
Legend of Mir 3
Seal Online
Smash Legends
Phantasy Star Online: Blue Burst
Priston Tale
Metin2
Playpark Moxiang
Pangya
PUBG: Battlegrounds
Mu Legend
La Tale
MapleStory
PangYa
Phantasy Star Online 2
Riders of Icarus
Rohan: Blood Feud
RF Online
Rumble Fighter
Ran Online
Rappelz
Royal Crown
Uncharted Waters Online
Undecember
Valkyrie Profiles Silmeria (PS2)
Fleet Mission: NavyField
Star Stable Online (removed at 16.6.2022)
Mir4 Global

i'm waiting for all of us gamers to get wiped, lmk when it happens

Thanks for giving a clear list of unsafe games to avoid. Cheers!
StemZone Oct 30, 2022 @ 11:18am 
Originally posted by Aria Athena:
This discussion has been fascinating.

Oh yes, it certainly has. :steamhappy:
GrandpaTrump Oct 30, 2022 @ 11:19am 
Originally posted by StemZone:
Thanks for giving a clear list of unsafe games to avoid. Cheers!
LOL
Taiji Oct 30, 2022 @ 11:25am 
Originally posted by StemZone:
Originally posted by Taiji:
It owns me? Way to make yourself look insane. I think you need to go outside - Get back in touch with reality. Take up some kind of contact sport, it should help.

You acted as if you didn't understand it before and you've just demonstrated that you don't again. Pearls before swine, I guess. Oh well.

How did they gain 'regular access'? It's your fever dream, remember.

Nothing then? Cheers, bye.

:steamsalty: Nothing you just said has any logic to it.

I realize now that you are just trolling :steamfacepalm: and that I have stupidly been feeding the troll, which you shouldn't do :steammocking:.

So, to stop this stupid discussion, I'm saying goodbye. We all have better things to do.

Says he thinks software can own a person, doesn't correct himself when opportunity arises.

Doesn't know what plausibility is, pretends to anyway.

Accuses others of dreaming while recounting a dream where an attacker gets 'regular access' to our PCs as if by magic.

Doesn't actually have any evidence of nProtect having caused any security issues.

Runs away when called on his BS.
Taiji Oct 30, 2022 @ 11:28am 
Originally posted by GrandpaTrump:
Originally posted by StemZone:
Thanks for giving a clear list of unsafe games to avoid. Cheers!
LOL
He wants an open source anti-cheat. What do you reckon? Must be a cheater, right? :)
Last edited by Taiji; Oct 30, 2022 @ 11:29am
GrandpaTrump Oct 30, 2022 @ 11:44am 
Originally posted by Taiji:
Originally posted by GrandpaTrump:
LOL
He wants an open source anti-cheat. What do you reckon? Must be a cheater, right? :)

is that really what he's advocating? haven't laughed that hard in a while lol
Taiji Oct 30, 2022 @ 12:18pm 
Originally posted by GrandpaTrump:
Originally posted by Taiji:
He wants an open source anti-cheat. What do you reckon? Must be a cheater, right? :)

is that really what he's advocating? haven't laughed that hard in a while lol

Ok, not in so many words but:

Originally posted by StemZone:
Not to mention that many exploits are never public and are either used by hackers in secret (without being discovered) or silently patched by developers in hopes that nobody will find out about their security vulnerability. This is different with open-source software where any new patch or update has a viewable source code change, and these vulnerabilities are therefore publicly disclosed after being patched.

We can see where he's going with that hehe ;)
Whitebleidd Oct 30, 2022 @ 1:08pm 
Originally posted by GrandpaTrump:

GameGuard is used in many online games.

...

How many games use it doesn’t change what it is and how it operates, that said, that list is quite small compared to other anti-cheat systems and to make it worse no game in that list would be worth taking the risk tbh, the fact stuff like Mir4 and PUBG use it, simply instils even less confidence in this anti-cheat.

The fact that this type of anti-cheat is becoming common place, doesn’t change that it operates in a way that places all its users at a potential risk (yes a Plausible risk), if the average user wasn’t so trusting and had a bit of forethought, the issue would be easy to resolve, but on the contrary things will just keep getting worse and more invasive as ppl keep ignoring the escalation. I would rather have to deal with cheaters than with systems like these.

I will never understand why ppl would prefer a “medicine” that imo is worse than the “disease”, especially since the disease is usually caused by developer incompetence and/or them cutting corners. When it’s an online game, the cheat protection can and should be dealt with server side, that is the responsibility of the devs and how they design their game from the ground up, and if it’s a single player game, then the issue simply doesn’t exist anyway, no one reasonable cares if someone cheats there, so this is an issue that the user should not be dealing with in any situation.
tankanidis Oct 30, 2022 @ 2:53pm 
Originally posted by StemZone:
Originally posted by Taiji:
It owns me? Way to make yourself look insane. I think you need to go outside - Get back in touch with reality. Take up some kind of contact sport, it should help.

You acted as if you didn't understand it before and you've just demonstrated that you don't again. Pearls before swine, I guess. Oh well.

How did they gain 'regular access'? It's your fever dream, remember.

Nothing then? Cheers, bye.

:steamsalty: Nothing you just said has any logic to it.

I realize now that you are just trolling :steamfacepalm: and that I have stupidly been feeding the troll, which you shouldn't do :steammocking:.

So, to stop this stupid discussion, I'm saying goodbye. We all have better things to do.

Yeah, unfortunately they are trolls

(or a single troll using both accounts to make it appear there's more people who agree with them? Sounds like twitter style bots... where's Elon when you need him!)

both accounts were created in 2010 on Steam, one of them only has 4 games on their account... in 12 years.

You'd think Steam would work to remove trolls over a series of years when they don't even financially back the platform they are trolling on
Aria Athena Oct 30, 2022 @ 5:31pm 
*cough* Genshin Impact *cough*
Taiji Oct 31, 2022 @ 1:39am 
Originally posted by Whitebleidd:
Originally posted by GrandpaTrump:

GameGuard is used in many online games.

...

How many games use it doesn’t change what it is and how it operates, that said, that list is quite small compared to other anti-cheat systems and to make it worse no game in that list would be worth taking the risk tbh, the fact stuff like Mir4 and PUBG use it, simply instils even less confidence in this anti-cheat.

The fact that this type of anti-cheat is becoming common place, doesn’t change that it operates in a way that places all its users at a potential risk (yes a Plausible risk), if the average user wasn’t so trusting and had a bit of forethought, the issue would be easy to resolve, but on the contrary things will just keep getting worse and more invasive as ppl keep ignoring the escalation. I would rather have to deal with cheaters than with systems like these.

I will never understand why ppl would prefer a “medicine” that imo is worse than the “disease”, especially since the disease is usually caused by developer incompetence and/or them cutting corners. When it’s an online game, the cheat protection can and should be dealt with server side, that is the responsibility of the devs and how they design their game from the ground up, and if it’s a single player game, then the issue simply doesn’t exist anyway, no one reasonable cares if someone cheats there, so this is an issue that the user should not be dealing with in any situation.

In life, for a mentally healthy individual, it is not enough that a thing contains some risk. The risk, not to mention the consequences, needs to be severe enough that our sane person finds it plausible enough that the harm will occur. In this case the harm done is controlled by the user - They decide what they put on a PC that connects to the internet. The risk is measured by looking at how prevalent an activity is and how often it results in harm. And that is all there is to it.

As for why the user has to deal with this risk, it's because the market (people like you and me) has decided that F2P games are a good way forward. In F2P games, where people pay for convenience, cheating is at best theft - Although our boomer legislature hasn't caught up yet. This forces devs to go further than ever to protect themselves from cheaters - And that's why we are seeing invasive technology like this becoming standard.

Originally posted by tankanidis:
Originally posted by StemZone:

:steamsalty: Nothing you just said has any logic to it.

I realize now that you are just trolling :steamfacepalm: and that I have stupidly been feeding the troll, which you shouldn't do :steammocking:.

So, to stop this stupid discussion, I'm saying goodbye. We all have better things to do.

Yeah, unfortunately they are trolls

(or a single troll using both accounts to make it appear there's more people who agree with them? Sounds like twitter style bots... where's Elon when you need him!)

both accounts were created in 2010 on Steam, one of them only has 4 games on their account... in 12 years.

You'd think Steam would work to remove trolls over a series of years when they don't even financially back the platform they are trolling on

So your defence, when accused of being paranoid, is to deliver a new paranoid delusion about the accuser. It's appreciated.
Last edited by Taiji; Oct 31, 2022 @ 1:42am
tankanidis Oct 31, 2022 @ 2:19am 
Originally posted by Taiji:
Originally posted by Whitebleidd:

How many games use it doesn’t change what it is and how it operates, that said, that list is quite small compared to other anti-cheat systems and to make it worse no game in that list would be worth taking the risk tbh, the fact stuff like Mir4 and PUBG use it, simply instils even less confidence in this anti-cheat.

The fact that this type of anti-cheat is becoming common place, doesn’t change that it operates in a way that places all its users at a potential risk (yes a Plausible risk), if the average user wasn’t so trusting and had a bit of forethought, the issue would be easy to resolve, but on the contrary things will just keep getting worse and more invasive as ppl keep ignoring the escalation. I would rather have to deal with cheaters than with systems like these.

I will never understand why ppl would prefer a “medicine” that imo is worse than the “disease”, especially since the disease is usually caused by developer incompetence and/or them cutting corners. When it’s an online game, the cheat protection can and should be dealt with server side, that is the responsibility of the devs and how they design their game from the ground up, and if it’s a single player game, then the issue simply doesn’t exist anyway, no one reasonable cares if someone cheats there, so this is an issue that the user should not be dealing with in any situation.

In life, for a mentally healthy individual, it is not enough that a thing contains some risk. The risk, not to mention the consequences, needs to be severe enough that our sane person finds it plausible enough that the harm will occur. In this case the harm done is controlled by the user - They decide what they put on a PC that connects to the internet. The risk is measured by looking at how prevalent an activity is and how often it results in harm. And that is all there is to it.

As for why the user has to deal with this risk, it's because the market (people like you and me) has decided that F2P games are a good way forward. In F2P games, where people pay for convenience, cheating is at best theft - Although our boomer legislature hasn't caught up yet. This forces devs to go further than ever to protect themselves from cheaters - And that's why we are seeing invasive technology like this becoming standard.

Originally posted by tankanidis:

Yeah, unfortunately they are trolls

(or a single troll using both accounts to make it appear there's more people who agree with them? Sounds like twitter style bots... where's Elon when you need him!)

both accounts were created in 2010 on Steam, one of them only has 4 games on their account... in 12 years.

You'd think Steam would work to remove trolls over a series of years when they don't even financially back the platform they are trolling on

So your defence, when accused of being paranoid, is to deliver a new paranoid delusion about the accuser. It's appreciated.

You used the wrong account to reply to this post
Taiji Oct 31, 2022 @ 3:04am 
Originally posted by tankanidis:
You used the wrong account to reply to this post
It's funny that you still don't see you're arguing my point for me.
Darth Faker Nov 1, 2022 @ 8:44am 
Hey man,
I am unsubscribing from this but I would like to say thank you again. No need to reply or anything. I just wanted to give my gratitude.

Date Posted: Oct 4, 2022 @ 8:48pm
Posts: 457