[Metallica]

Yes. That's a nice dilemma.

When you allow the Command Prompt more malware gets downloaded.
A firewall would be nice

Let's see if we can get a batch to do the job.

Please try this:
Copy the code below into notepad and save it as tasks.bat
Set Filetype to "All files"

TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running" >tasks.txt
start notepad tasks.txt

Start the file by doubleclicking tasks.bat
That will open a file called tasks.txt. Post the content of that file.

If this doesn't work I'll ask someone more knowledgeable to write us one.

Regards,

Pieter

[Advertisements]

hi there
you wouldnt believe it it carried out the actions but the tasklist is blank not a secric of information to be had
Cheers

[duglartis]

hi there
you wouldnt believe it it carried out the actions but the tasklist is blank not a secric of information to be had
Cheers

[Metallica]

Can you repeat the action, but for this batfile:

Tasklist /FI "PID eq 652" >tasks.txt
start notepad tasks.txt

[duglartis]

hello again you wont believe this but another blank txt file is created sorry i am not being much help

[Metallica]

Not your fault. Don't worry about that.

It's just me stabbing at the problem from different angles, trying to make it go away.

Using tasklist will not do us much good it seems.

Can you see if this new program tells us something new:
http://www.resplende...om/hookanalyzer

Don't act on the results please. Just let me know what files are found.
To give you an example, ProcessGuard will also show up in that list.

Regards,

[duglartis]

hi there it found 19 kernal hooks all linking back to process guard did you want me to post them all, and how to i copy and paste out of rootkit hook analyzer
thanks for your help

[Metallica]

No. All I needed was the names of the Files listed in the Module column.

If they all pointed to procguard.sys then that is OK.

Not sure if I asked this before but are you using a firewall of any kind?

Regards,

[duglartis]

Hello yes all the 19 files in module link to process guard i am running standard xp firewall
cheers

[Metallica]

How do you feel about installing a more easy to configure firewall?

There are free options like Sygate, Kerio and ZoneAlarm if you do not want to spend any money on one.

The Windows firewall can be disabled once we have ionstalled one.
In your case I think it would be handy to have a application based firewall rather then a portblocker (like the Windows firewall) since it will give us more control over what we let go in and out.

Some background information:
http://www.dslreport.....onal Firewall
http://www.wilders.org/firewalls.htm

Regards,

[duglartis]

will do when i am back at the computer late tommorow
Cheers

[duglartis]

hello i had a copy of zone alarm have installed it and have it up and running where to from here
thanks for your help

[Metallica]

Hi Doug,

Sorry it took me so long to get back to you.
Have had some problems lately.

Now in your ZoneAlarm Control Panel, see if you can find "program control". Click on it
Now you would see list of programs displayed . In that check if you trust each and every one of the programs listed there.

Please post a new ProcessGuard log and any programs you have questions about.

Regards,

[duglartis]

hello i have been away too here is the pg log ---Process Guard Log Started---
Thu 15 - 19:05:13 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Thu 15 - 19:05:13 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgcheckdb ]
Thu 15 - 19:05:13 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\services.exe" [492]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Thu 15 - 19:05:13 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1572]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Thu 15 - 19:05:14 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Thu 15 - 19:05:14 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgautocheck ]
Thu 15 - 19:05:15 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [492]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Thu 15 - 19:05:15 [EXECUTION] "c:\program files\zone labs\zonealarm\zlclient.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\program files\zone labs\zonealarm\zlclient.exe" ]
Thu 15 - 19:05:16 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\upgr3270.dll" autoupdateevent ]
Thu 15 - 19:05:16 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Thu 15 - 19:05:17 [EXECUTION] "c:\windows\system32\zonelabs\vsmon.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [492]
[EXECUTION] Commandline - [ c:\windows\system32\zonelabs\vsmon.exe -service ]
Thu 15 - 19:05:19 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1220]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" /sched=5 ]
Thu 15 - 19:05:19 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Thu 15 - 19:05:19 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1852]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Thu 15 - 19:05:19 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Thu 15 - 19:05:23 [EXECUTION] "c:\windows\system32\imapi.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\services.exe" [492]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Thu 15 - 19:05:45 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [1808]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\faus3270.dll" rnathshutdown ]
Thu 15 - 19:05:46 [EXECUTION] "c:\program files\common files\real\update_ob\realsched.exe" was blocked from running
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [1808]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realsched.exe" ]
Thu 15 - 19:06:00 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Thu 15 - 19:06:19 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgdialupobserver ]
Thu 15 - 19:06:19 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\upgr3270.dll" upgradedialupobserver ]
Thu 15 - 19:06:20 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [556]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\faus3270.dll" rnathshutdown ]
Thu 15 - 19:06:25 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [556]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgaureport ]
Thu 15 - 19:09:09 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [556]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgaureport ]
Thu 15 - 19:15:45 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgautocheck ]
Thu 15 - 19:15:46 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\upgr3270.dll" autoupdateevent ]
Thu 15 - 19:19:07 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_12_2005.txt ]
not to sure what i am doing in zone alarm yet will keep looking
cheers

[Metallica]

Looks good sofar. The main thing is to keep an eye out for untrusted apps first.

We can concentrate on limiting other applications to what is needed later on.

If you see one of our old "friends" active, please post a PG log for the relevant period.

Regards,

[Metallica]

I found another method to look inside the suspected instance of svchost.exe

Download http://www.diamondcs...onsoletools.zip

Unzip the content of that file into this folder: C:\console (you will probably need to create it)

Then click Start > Run > cmd > OK

In the command prompt use these commands:

cd\
cd console
procs -m:652


Now there should be a list of modules in your command prompt.

Copy that list into your next post.

Regards,