help i have trojan horse collected.5.L [RESOLVED]


#151
duglartis - Member, Topic Starter, 159 posts
hello
here is the notepad info
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Updata"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Updata"=-
and here are the scan results

File: lsass.exe
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 b2b6ba905d0e3f8a32a0eb3b4051807b
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing
thanks for your help
  • 0

#152
Metallica - Spyware Veteran, GeekU Moderator, 33,101 posts
I still don't think we are getting to the nucleus of the problem. We're just keeping the symptoms under control. :tazz:

Can you try this please.

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CleanUp
Install the program, don't run it yet, we will later.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally, restart your computer back into Normal Mode and please post the ewido report log from the Ewido scan.

Regards,
  • 0

#153
duglartis - Member, Topic Starter, 159 posts
Hi Pieter
here is the ewido scan file
--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:22:40 p.m., 26/08/2005
+ Report-Checksum: 19DCD1B8

+ Scan result:

HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CLSID -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CurVer -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF} -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026} -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{6E0ED53C-9908-49ED-B055-7CB31B162577} -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{830D3AED-2FA9-454F-B266-D931862BBF34} -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{8C53BD8E-B12D-4C8F-AD0E-C9DDC39D1273} -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{9BCDD51B-4A7B-446C-8452-D32D38004582} -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{A986F4DB-792E-4571-8974-0BB6E024766F} -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{BCCAB53D-0895-40C3-A942-A03538CE227A} -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\ISTbar.BarObj -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\ISTbar.BarObj\CLSID -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder\CLSID -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder\CurVer -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\SWRT01.RT -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Spyware.SecondThought : Cleaned without backup
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CLSID -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CurVer -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\TypeLib\{5E594162-60A9-487D-84B8-DBDD716CB862} -> Spyware.VirtualBouncer : Cleaned without backup
HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned without backup
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned without backup
HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned without backup
C:\WINDOWS\SYSTEM32\TFTP1732 -> Backdoor.Rbot : Cleaned without backup
C:\WINDOWS\SYSTEM32\winssh.exe -> Trojan.Crypt.d : Cleaned without backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned without backup
:mozilla.55:C:\Documents and Settings\Dug And Tania\Application Data\Mozilla\Firefox\Profiles\qeo39pma.default\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned without backup
:mozilla.56:C:\Documents and Settings\Dug And Tania\Application Data\Mozilla\Firefox\Profiles\qeo39pma.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned without backup
:mozilla.16:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned without backup
:mozilla.18:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
:mozilla.21:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned without backup
:mozilla.22:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.23:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.25:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned without backup
:mozilla.38:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.39:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.40:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.41:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.43:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.44:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned without backup
:mozilla.47:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.49:D:\WINDOWS\Application Data\Mozilla\Profiles\default\d0uetbks.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@trafficmp[3].txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania'[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@pointroll[3].txt -> Spyware.Cookie.Pointroll : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@paycounter[3].txt -> Spyware.Cookie.Paycounter : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@dbbsrv[1].txt -> Spyware.Cookie.Dbbsrv : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@questionmarket[3].txt -> Spyware.Cookie.Questionmarket : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@paycounter[2].txt -> Spyware.Cookie.Paycounter : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania's@ad-logics[1].txt -> Spyware.Cookie.Ad-logics : Cleaned without backup
D:\WINDOWS\Cookies\dug&tania'[email protected][1].txt -> Spyware.Cookie.Ad-logics : Cleaned without backup


::Report End
cheers
  • 0

#154
Metallica - Spyware Veteran, GeekU Moderator, 33,101 posts
OK this might be something. Although I would have liked to see some unremovable files show up.
But maybe getting rid of the stubborn registry keys will help too.

Copy the part in bold below into Notepad and save it as cleanist.reg.
Set "Save as type" to "All files".

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ISTbar.BarObj]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SideFind.Finder]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag]

[-HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar]


Reboot into safe mode, double-click that file and confirm you want to merge it with the registry.

Repeat the ewido scan after doing so.
Post the new log please.

Regards,
  • 0
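As an added example that is not code from this thread, from ewido or from the moderator, here is a small Python script that does what the reply above did by hand: it parses the ewido "Scan report" layout quoted in this thread (one `path -> detection : status` line per finding), keeps the registry keys marked "Error during cleaning", collapses them to their topmost key (deleting a parent with `[-KEY]` removes its subkeys as well) and writes a REGEDIT4 removal file. It also emits the `"name"=-` value-deletion form used in the Notepad file in post #151, and compares two reports so you can see which entries vanished after a rerun. The sample report is constructed, the hive-abbreviation table and all function names are my own, and merging such a file is a destructive change, so export the affected keys from regedit first so it can be reverted.

```python
"""Parse ewido-style scan reports and turn stubborn registry detections into
a REGEDIT4 removal file. Added example; not from the thread or from ewido."""
import re

# Constructed sample in the ewido "Scan report" layout quoted in this thread
# (paths shortened; real reports list far more entries).
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:22:40 p.m., 26/08/2005
+ Report-Checksum: 19DCD1B8

+ Scan result:

HKLM\SOFTWARE\Classes\ISTbar.BarObj -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\ISTbar.BarObj\CLSID -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned without backup
C:\WINDOWS\SYSTEM32\winssh.exe -> Trojan.Crypt.d : Cleaned without backup
:mozilla.55:C:\Documents and Settings\User\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned without backup


::Report End
"""

# One finding per line: "<path> -> <detection name> : <status>".
# The path is matched non-greedily because cookie paths contain ':' themselves.
FINDING_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<status>.+?)\s*$")

# Short hive names as ewido prints them -> long names a .reg file requires (my own table).
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}


def parse_report(text):
    """Return a list of (path, detection, status) tuples from a scan report."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append((m["path"], m["name"], m["status"]))
    return findings


def is_registry_path(path):
    """True for registry findings, False for files and cookie entries."""
    return path.split("\\", 1)[0].upper() in HIVES


def stubborn_keys(findings):
    """Registry keys the scanner could not delete, collapsed to their topmost
    key: removing a parent with [-KEY] removes every subkey under it anyway."""
    errs = {p for p, _, s in findings
            if is_registry_path(p) and s == "Error during cleaning"}
    tops = []
    for key in sorted(errs, key=str.lower):
        if not any(key.lower().startswith(other.lower() + "\\") for other in errs):
            tops.append(key)
    return tops


def full_hive(path):
    """Expand HKLM\\... to HKEY_LOCAL_MACHINE\\... for use in a .reg file."""
    hive, _, rest = path.partition("\\")
    return HIVES.get(hive.upper(), hive) + "\\" + rest


def to_regedit4(keys_to_delete, values_to_delete=()):
    """Build a REGEDIT4 file: [-KEY] deletes a whole key, "name"=- deletes one
    value under [KEY] (the two forms posted in this thread)."""
    out = ["REGEDIT4", ""]
    for key in keys_to_delete:
        out += ["[-" + full_hive(key) + "]", ""]
    for key, value in values_to_delete:
        out += ["[" + full_hive(key) + "]", '"' + value + '"=-', ""]
    return "\n".join(out)


def compare_reports(before, after):
    """(paths that disappeared between two scans, paths still reported)."""
    old = {p for p, _, _ in parse_report(before)}
    new = {p for p, _, _ in parse_report(after)}
    return sorted(old - new), sorted(new)


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    # Key deletions for the stubborn ISTbar keys plus the Run value from post #151.
    print(to_regedit4(stubborn_keys(findings),
                      [(r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
                        "Microsoft Windows Updata")]))
```

Run it as a script to see the generated .reg text; in practice you would feed it the saved ewido report with `parse_report(open("report.txt").read())` and diff the report taken before and after the merge with `compare_reports` to confirm the keys are actually gone rather than merely renamed.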

#155
duglartis - Member, Topic Starter, 159 posts
hello
here is the log as follows
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:46:24 a.m., 28/08/2005
+ Report-Checksum: B754B03

+ Scan result:

HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CLSID -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CurVer -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ISTbar.BarObj -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\ISTbar.BarObj\CLSID -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder\CLSID -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder\CurVer -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CLSID -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CurVer -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Error during cleaning


::Report End
Cheers
  • 0

#156
Metallica - Spyware Veteran, GeekU Moderator, 33,101 posts
You performed that in safe mode, right?

Can you make a HijackThis log in safe mode and post that please.
Also a new WinPFind log might be handy.

Regards,
  • 0

#157
duglartis - Member, Topic Starter, 159 posts
Hi there
Yes, the scan was performed in safe mode. Here is the HijackThis log and the ewido log; I will do the WinPFind log and post it shortly.
Logfile of HijackThis v1.99.1
Scan saved at 8:21:41 p.m., on 30/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dug And Tania\My Documents\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netaccess.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RegProt] c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Linked ima&ges - C:\Program Files\IEimage\IEimage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O15 - Trusted Zone: http://www.giftedonl...edusearch.co.nz
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098860877234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:30:43 p.m., 30/08/2005
+ Report-Checksum: D8A1BAFC

+ Scan result:

HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CLSID -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CurVer -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\ISTbar.BarObj -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\ISTbar.BarObj\CLSID -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder\CLSID -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder\CurVer -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CLSID -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CurVer -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Error during cleaning


::Report End
thanks for your help
  • 0

#158
duglartis - Member, Topic Starter, 159 posts
Hello again, here is the WinPFind log.
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 1/07/2005 20:08:38 5548 C:\pfind.txt
FSG! 1/07/2005 20:08:38 5548 C:\pfind.txt
aspack 1/07/2005 20:08:38 5548 C:\pfind.txt
PTech 1/07/2005 20:08:38 5548 C:\pfind.txt
UPX! 2/06/2004 08:00:34 50176 C:\VCLEANER.EXE

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 19/07/1995 22:00:00 1371436 C:\WINDOWS\system32\VBAR2132.DLL
PEC2 31/03/2003 12:00:00 41397 C:\WINDOWS\system32\dfrg.msc
winsync 31/03/2003 12:00:00 1309184 C:\WINDOWS\system32\wbdbase.deu
UPX! 29/10/2002 13:56:18 128000 C:\WINDOWS\system32\fmod.dll
Umonitor 31/03/2003 12:00:00 631808 C:\WINDOWS\system32\rasdlg.dll
aspack 20/02/2005 20:46:22 197120 C:\WINDOWS\system32\K2_SS_ver1.scr

Checking %System%\Drivers folder and sub-folders...
UPX! 27/08/2005 15:18:46 726016 C:\WINDOWS\system32\drivers\avg7core.sys
FSG! 27/08/2005 15:18:46 726016 C:\WINDOWS\system32\drivers\avg7core.sys
PEC2 27/08/2005 15:18:46 726016 C:\WINDOWS\system32\drivers\avg7core.sys
aspack 27/08/2005 15:18:46 726016 C:\WINDOWS\system32\drivers\avg7core.sys

Checking the Windows folder for system and hidden files within the last 60 days...
23/08/2005 21:25:06 54156 QTFont.qfn
31/07/2005 09:56:44 749 WindowsShell.Manifest
31/07/2005 09:57:52 864256 ntuser.dat
31/07/2005 09:56:44 749 cdplayer.exe.manifest
31/07/2005 09:56:48 488 WindowsLogon.manifest
31/07/2005 09:56:44 749 ncpa.cpl.manifest
31/07/2005 09:56:44 749 nwc.cpl.manifest
31/07/2005 09:56:44 749 sapi.cpl.manifest
31/07/2005 09:56:44 749 wuaucpl.cpl.manifest
31/07/2005 09:56:48 488 logonui.exe.manifest
24/08/2005 19:41:00 0 .exe
31/08/2005 17:42:00 1024 system.LOG
31/08/2005 19:09:02 1024 software.LOG
31/08/2005 17:25:14 1024 default.LOG
31/07/2005 09:57:56 1024 userdiff.LOG
31/07/2005 09:49:44 1024 TempKey.LOG
31/08/2005 17:21:30 1024 SAM.LOG
31/08/2005 17:23:12 1024 SECURITY.LOG
31/07/2005 09:57:56 1024 userdifr.LOG
31/07/2005 10:21:04 67 desktop.ini
31/07/2005 10:21:04 67 desktop.ini
31/07/2005 10:21:04 67 desktop.ini
31/07/2005 10:21:04 67 desktop.ini
31/07/2005 10:21:04 67 desktop.ini
20/07/2005 21:41:26 24 Preferred
20/07/2005 21:41:26 388 e61fb5b9-5597-4ce6-a6d0-06bc2571b417
31/07/2005 11:36:00 13698 filelist.xml
31/07/2005 09:57:18 67 desktop.ini
14/08/2005 10:46:48 331776 drmstore.hds
14/08/2005 10:46:48 35790 migration.log
31/07/2005 09:56:48 65 desktop.ini
31/07/2005 09:56:48 65 desktop.ini
31/08/2005 17:21:30 6 SA.DAT
3/07/2005 17:46:52 0 oem15.inf
3/07/2005 17:46:52 0 oem15.PNF
18/07/2005 20:03:40 0 oem16.inf
18/07/2005 20:03:40 0 oem16.PNF

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
19/10/2004 20:01:14 1493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
16/11/2004 22:42:20 13 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameG.txt

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
17/09/2004 16:33:28 1441 C:\Documents and Settings\Dug And Tania\Application Data\DW.LOG
31/05/2005 19:33:02 91864 C:\Documents and Settings\Dug And Tania\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
AdaptecDirectCD C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
NeroCheck C:\WINDOWS\System32\\NeroCheck.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
RegProt c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
nwiz nwiz.exe /install
!1_pgaccount "C:\Program Files\ProcessGuard\pgaccount.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVIEW rundll32.exe nview.dll,nViewLoadHook
!1_ProcessGuard_Startup "C:\Program Files\ProcessGuard\procguard.exe" -minimize
Yahoo! Pager D:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
CDRAutoRun
LinkResolveIgnoreLinkInfo 1
NoStartBanner 1
NoWindowsUpdate 0
NoActiveDesktop 1
NoActiveDesktopChanges 1
NoCustomizeWebView 1
NoFavoritesMenu 1
NoInternetIcon 1
NoSetActiveDesktop 1
NoSettingsWizards 1
NoWebMenu 1
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
SpecifyDefaultButtons 0
Btn_Search 0
NoBandCustomize 0
NoToolbarCustomize 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\UPnPMonitor
{e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.15 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Thanks for your help.
  • 0

#159
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • e61fb5b9-5597-4ce6-a6d0-06bc2571b417
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,
  • 0

#160
duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hi there,
"There were no instances of this found" was the message I got back from the search.
Thanks for the help.
Cheers, Dug
  • 0

#161
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
That is strange.

Can you check in your Windows folder if there is a file/subfolder called e61fb5b9-5597-4ce6-a6d0-06bc2571b417

Let me know.

Regards,
  • 0

#162
duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hello again. I did not find a folder, but found a file of the same name here:
C:\windows\system32\microsoft\protect\S-1-5-18\user called system file 1KB
Hope this helps.
Cheers
  • 0

#163
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you upload that file at TheSpykiller forum?

I'd like to have a look.

Regards,
  • 0

#164
duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hi there,
I have uploaded the file to the site as requested, and while I was online a couple of little nasties were stopped by PG. I have posted the whole log.
---Process Guard Log Started---
Sun 04 - 10:26:43 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Sun 04 - 10:26:43 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1348]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Sun 04 - 10:26:44 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Sun 04 - 10:26:44 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Sun 04 - 10:26:44 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Sun 04 - 10:26:44 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Sun 04 - 10:26:44 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Sun 04 - 10:26:45 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Sun 04 - 10:26:45 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1692]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Sun 04 - 10:26:46 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Sun 04 - 10:26:46 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Sun 04 - 10:26:46 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Sun 04 - 10:26:47 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Sun 04 - 10:26:47 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Sun 04 - 10:26:48 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Sun 04 - 10:26:48 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Sun 04 - 10:26:48 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Sun 04 - 10:26:49 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1884]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Sun 04 - 10:26:50 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Sun 04 - 10:26:56 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sun 04 - 10:27:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds4a18b0adfc8e4548aa19a1f203163a9e ]
Sun 04 - 10:27:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds008d02a042612745bb190c0cc19e2e3c ]
Sun 04 - 10:27:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds08b197db6599b148b4e5ca7353032eb3 ]
Sun 04 - 10:27:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds4173be42a2d6224baae1bb4caa7b2663 ]
Sun 04 - 10:28:18 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_09_2005.txt ]
  • 0
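A Process Guard log like the one above is three lines per event (a header with the verdict, a "Started by" line with the parent and its PID, and a "Commandline" line), so eyeballing it for the blocked entries is slow. As an added example that is not part of this thread and not code from Process Guard, here is a small Python parser that groups the lines into events and pulls out the ones that were blocked or that had an "Unknown Process" parent; it runs over a constructed excerpt in the same format, with the susds id replaced by a placeholder.

```python
import re

# Constructed excerpt in the Process Guard log format quoted in this thread:
# three lines per event (header, "Started by", "Commandline"). The susds id
# on the wuauclt line is a placeholder, not a real value.
SAMPLE_LOG = r"""---Process Guard Log Started---
Sun 04 - 10:26:43 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Sun 04 - 10:26:45 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1692]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Sun 04 - 10:27:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsPLACEHOLDERID ]
"""

HEADER_RE = re.compile(r'^(?P<when>\w{3} \d{2} - \d{2}:\d{2}:\d{2}) \[EXECUTION\] '
                       r'"(?P<image>[^"]+)" was (?P<verdict>allowed to run|blocked from running)$')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')


def parse_pg_log(text):
    """Group the three-line entries into one dict per execution event."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a new event starts; the next two lines describe it
            current = {"when": m["when"], "image": m["image"],
                       "blocked": m["verdict"].startswith("blocked"),
                       "parent": None, "parent_pid": None, "cmdline": None}
            events.append(current)
        elif current is not None:  # detail lines belong to the last header seen
            m = PARENT_RE.match(line)
            if m:
                current["parent"], current["parent_pid"] = m["parent"], int(m["pid"])
            m = CMD_RE.match(line)
            if m:
                current["cmdline"] = m["cmd"]
    return events


def blocked_events(events):
    """Events Process Guard stopped: the first thing to review in a log."""
    return [e for e in events if e["blocked"]]


def unknown_parent_events(events):
    """Events whose parent PG could not name; worth a closer look."""
    return [e for e in events if e["parent"] == "Unknown Process"]
```

On the excerpt the only blocked image is wuauclt.exe launched by svchost.exe, which is what the moderator's reply below points out: nothing blocked in that part of the log looks like malware.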

#165
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I don't see any blocked nasties in that part of the log. :tazz:

Did you post the part you intended to?

Regards,
  • 0
