Cannot start Book Collector due to "Themida"

gschizas · **Joined:** Thu Mar 11, 2004 11:31 am **Posts:** 11

I'm trying to start Book Collector, but a program (obviously some kind of anti-crack protection) called "Themida" complains that I'm running a "monitor program", when in fact I am not.

Attachment:

Themida.png [ 19.79 KiB | Viewed 206 times ]

I've tried stopping almost everything, but no result. I'm running Windows 7 64-bit, my antivirus is Avast Home. Also, Movie Collector 6.4 build 1 (the latest version at this moment) doesn't complain at all. Also, I am using the latest version of Book Collector (6.3 build 1). Please help me!

The task list when I gave up has the following programs running:

Code:

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0     24.972 K
smss.exe                       280 Services                   0        528 K
csrss.exe                      384 Services                   0      3.832 K
wininit.exe                    472 Services                   0      1.920 K
csrss.exe                      504 Console                    1      9.040 K
winlogon.exe                   536 Console                    1      5.376 K
services.exe                   580 Services                   0      8.692 K
lsass.exe                      596 Services                   0     11.452 K
lsm.exe                        604 Services                   0      4.984 K
svchost.exe                    732 Services                   0      7.100 K
nvvsvc.exe                     812 Services                   0      1.884 K
svchost.exe                    852 Services                   0      8.016 K
svchost.exe                    920 Services                   0     17.084 K
svchost.exe                    112 Services                   0    141.156 K
svchost.exe                    312 Services                   0     39.840 K
svchost.exe                   1048 Services                   0     11.372 K
nvvsvc.exe                    1120 Console                    1      4.872 K
svchost.exe                   1184 Services                   0     22.212 K
aswUpdSv.exe                  1244 Services                   0        876 K
ashServ.exe                   1340 Services                   0     56.656 K
spoolsv.exe                   1548 Services                   0      8.732 K
svchost.exe                   1576 Services                   0     13.592 K
svchost.exe                   1656 Services                   0      3.700 K
svchost.exe                   1720 Services                   0     12.132 K
SMSvcHost.exe                 1976 Services                   0      5.620 K
SeaPort.exe                   1324 Services                   0      6.540 K
svchost.exe                   1288 Services                   0      5.420 K
svchost.exe                   2132 Services                   0      3.992 K
WLIDSVC.EXE                   2228 Services                   0     14.404 K
taskhost.exe                  2468 Console                    1      9.920 K
WLIDSVCM.EXE                  2908 Services                   0      1.208 K
dwm.exe                       3036 Console                    1     33.860 K
explorer.exe                  3048 Console                    1     68.788 K
ipoint.exe                    2304 Console                    1     12.708 K
ashDisp.exe                   3452 Console                    1     18.516 K
svchost.exe                   3592 Services                   0      4.300 K
wmpnetwk.exe                  4160 Services                   0     16.000 K
svchost.exe                   4604 Services                   0     10.192 K
dllhost.exe                   4840 Services                   0      3.024 K
svchost.exe                    860 Services                   0     32.192 K
svchost.exe                   6684 Services                   0      1.880 K
taskhost.exe                  6532 Console                    1     15.772 K
SearchIndexer.exe             3124 Services                   0     36.740 K
notepad.exe                   2700 Console                    1      6.440 K
iexplore.exe                  3372 Console                    1     34.528 K
iexplore.exe                  7112 Console                    1     73.176 K
audiodg.exe                    680 Services                   0     15.856 K
taskmgr.exe                   5872 Console                    1     13.036 K
wlcrasvc.exe                  6440 Services                   0     16.412 K
iexplore.exe                  6236 Console                    1     32.832 K
FlashUtil10c.exe              7560 Console                    1      5.452 K
iexplore.exe                  5580 Console                    1     28.976 K
mspaint.exe                   5456 Console                    1     44.040 K
TSVNCache.exe                 8012 Console                    1      8.588 K
MovieCollector.exe            5844 Console                    1     38.452 K
explorer.exe                  5776 Console                    1     40.688 K
taskeng.exe                   3444 Console                    1      5.888 K
tcc.exe                       8168 Console                    1     17.508 K
conhost.exe                   7688 Console                    1      6.072 K
WmiPrvSE.exe                  7188 Services                   0      6.668 K
tasklist.exe                  8088 Console                    1      5.444 K

gschizas · **Joined:** Thu Mar 11, 2004 11:31 am **Posts:** 11

Never mind - a reboot resolved the problem...

Alwin Hoogerdijk · **Posted:** Tue Nov 03, 2009 4:03 am

Thanks for letting me know.
Any hints on what might have been the problem ? Which program I mean?

gschizas · **Joined:** Thu Mar 11, 2004 11:31 am **Posts:** 11

No idea - I was killing processes left and right, but with no result. The last thing I installed was Live Mesh, but I had killed it during this problem.

My PC is freshly (more or less - September 18 in fact) installed (to put Windows 7 obviously), so there isn't much software installed. I do use Sysinternals utilities from time to time (mostly in my work PC though), but of course there wasn't anything running at that time. The only program I could think of that was remotely monitor-like was indeed procmon, but as you can see, it was not running. I probably had started it during that session (I had closed it a long time ago), but again, why wasn't Movie Collector affected?

While writing these I thought of another experiment. I opened procmon, let it run for a while, and closed it. After closing it, I started Book Collector again. And lo and behold: The "Themis" message came up again! Again, Book Collector only, Movie Collector didn't even blink!

(Yes, it helps being a developer

)

Alwin Hoogerdijk · **Posted:** Wed Nov 04, 2009 4:06 am

Thanks for the extra info, that must be it then.
Movie Collector is not protected with Themida (yet).

gschizas · **Joined:** Thu Mar 11, 2004 11:31 am **Posts:** 11

I'd like to point out though that it doesn't seem right that Themida/Book Collector should complain after a program has been closed.

Alwin Hoogerdijk · **Posted:** Wed Nov 04, 2009 4:57 am

Maybe that program does not close correctly and after closing it is still in the Windows processlist.

gschizas · **Joined:** Thu Mar 11, 2004 11:31 am **Posts:** 11

A program made by Mark Russinovich? The man that knows more about Windows Kernel than Microsoft itself? (ok, now that he *is* in Microsoft, that's recursion, but you know what I mean). Hardly likely

PTA3487 · **Joined:** Sat Nov 07, 2009 8:05 am **Posts:** 2

I can confirm gschizas' observations. As soon as "Process Monitor" from SysInternals has been run on a system BookCollector refuses to start due to "Themida". (On Windows 7 Ultimate x64 Eng)
As I have to use ProcMon quite frequently on my machine, this "improvement" is pretty annoying.

I would appreciate if you could find a way to protect your product in a less intrusive way and would dispense with using Themida in other products.

Alwin Hoogerdijk · **Posted:** Sat Nov 07, 2009 11:15 am

We've been using other protection systems in the past and Themida is proving to be the least intrusive of all.
So I am afraid the only alternative would be no protection at all...

PTA3487 · **Joined:** Sat Nov 07, 2009 8:05 am **Posts:** 2

Alwin Hoogerdijk wrote:

So I am afraid the only alternative would be no protection at all...

I could live with that...

gschizas · **Joined:** Thu Mar 11, 2004 11:31 am **Posts:** 11

PTA3487 wrote:

Alwin Hoogerdijk wrote:

So I am afraid the only alternative would be no protection at all...

I could live with that...

Perhaps Alwin couldn't though...

I'm not saying "remove protection", I'm just suggesting to raise a bug to Oreans (maker of "Themida") to correct their false positive detection of procmon.exe after it has indeed been removed from memory.

Collectorz.com Forum

Cannot start Book Collector due to "Themida"

Who is online