
Really slow laptop


#91 RKinner (Malware Expert, MVP, 24,598 posts)

Since it seems to be in a rut, just run Process Monitor with the filter in place and make a screenshot. Close Process Monitor as soon as you have a screenshot as it will otherwise eat all of your RAM and crash the system.

#92 BobScott49 (Topic Starter, Member, 61 posts)

[Attached screenshot: Annotation 2020-01-10 103320.jpg]

#93 RKinner (Malware Expert)

That worked better than I thought it would but we still need to do it over.

We need to add a new Filter:

Filter

Result IS Success then Exclude. Add, OK

Then I need you to let it fill the page then stop it (File, uncheck Capture Events or just hit Ctrl + E).

Now find the vertical line on the column header row between Process Name and ID. Click on the line and drag it to the left so that GWProxy.exe gets shrunk down to G. Now find the line between ID and Operation and move it to the left so that just one character is visible. Move the line between Result and Detail to the left so that only 6 characters are visible. Now move the line between Path and Result TO THE RIGHT so that we can see all of the path. Finally move the line between Time of Day and Process Name to the right so that you can see all of the time. Now make your screenshot.

#94 BobScott49 (Topic Starter)

I put that filter on:

[Attached screenshot: Annotation 2020-01-10 152145.jpg]

But when I click OK nothing happens.

#95 RKinner (Malware Expert)

Scroll down in the list of filters. There should be one that looks like this:

[Attached image: filter.jpg]

Did you click on Add first? Then OK?
#96 BobScott49 (Topic Starter)

[Attached screenshot: Annotation 2020-01-10 164802.jpg]

#97 RKinner (Malware Expert)

Put

netapi32.dll

in the FRST Search Box and hit File Search.

Post the log.

#98 BobScott49 (Topic Starter)

Farbar Recovery Scan Tool (x64) Version: 08-01-2020
Ran by Bob Scott (10-01-2020 17:26:47)
Running from C:\Users\Bob Scott\Desktop
Boot Mode: Normal

================== Search Files: "netapi32.dll" =============

C:\Windows\WinSxS\wow64_microsoft-windows-netapi32_31bf3856ad364e35_10.0.18362.1_none_69e63560b3290f0d\netapi32.dll
[2019-03-19 04:45][2019-03-19 04:45] 000068680 _____ (Microsoft Corporation) 6A1994B132643694370EB3B22C55CED6 [File is digitally signed]

C:\Windows\WinSxS\amd64_microsoft-windows-netapi32_31bf3856ad364e35_10.0.18362.1_none_5f918b0e7ec84d12\netapi32.dll
[2019-03-19 04:44][2019-03-19 04:44] 000080600 _____ (Microsoft Corporation) 86A9DF3FA9D5FCAC8EF57601FCCD78F9 [File is digitally signed]

C:\Windows\SysWOW64\netapi32.dll
[2019-03-19 04:45][2019-03-19 04:45] 000068680 _____ (Microsoft Corporation) 6A1994B132643694370EB3B22C55CED6 [File is digitally signed]

C:\Windows\System32\netapi32.dll
[2019-03-19 04:44][2019-03-19 04:44] 000080600 _____ (Microsoft Corporation) 86A9DF3FA9D5FCAC8EF57601FCCD78F9 [File is digitally signed]


====== End of Search ======

#99 RKinner (Malware Expert)

I assume when it couldn't find netapi32.dll in its own directory that it used one of the above, so barking up the wrong tree.

Guess we are going to have to do the big upload. Open Process Monitor, OK the filter.

Let it run for no more than 3 minutes. Make sure it finds some gwproxy stuff. Then File, uncheck Capture Events.

Filter, RESET, OK

File, Save, All Events as Format: Native Process Monitor Format (PML), to your desktop.

That should make a file called logfile.pml on your desktop.

Now go to Firefox and go to

https://send.firefox.com/

Select Files to Upload

Point it at logfile.pml

Upload (will take a while to finish)

Copy

Move to a Reply

Ctrl + V

#100 BobScott49 (Topic Starter)

https://send.firefox...7HYir6rNmgGNmyg

#101 RKinner (Malware Expert)

Got it. Will take some time to go through it.

#102 RKinner (Malware Expert)

Can you find:

C:\Windows\Temp\GuardWareProxyr.log

It spends a lot of time writing to it just before it exits and restarts. Might be a clue in there.

#103 BobScott49 (Topic Starter)

Not sure what's happening here but every time I try and Ctrl + V, Firefox freezes. So I've attached the file instead.

Attached File: GuardWareProxyr.log (1.21MB, 184 downloads)

#104 RKinner (Malware Expert)

Probably the log was too big to paste. It is in a loop. Repeats the same stuff over and over ending with:

 *** Error *** Error openning key keyAppID!

Not sure where the keyAppID is supposed to be or even if that is the correct name but that seems to be the problem. Try searching for keyAppID in both the files and the Registry with FRST.

#105 RKinner (Malware Expert)

There is also a log at:

C:\ProgramData\Guardware\Integrity Management\LOGS\activity_log.log

In Process Monitor it spends a lot of time reading the registry at:

HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name

and

HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path

over and over.
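An added example, not from the thread: a PowerShell check that reads the two CSP registry values named in the post above and verifies that the provider DLL they point to exists and is Authenticode-signed, so a defender can tell whether those repeated reads are hitting a broken or tampered provider registration. The key paths are the ones quoted in the post; the checks built around them are an assumption about what is worth verifying.

```powershell
# Added example (not from this thread): read the two Cryptography\Defaults values that
# Process Monitor showed GWProxy.exe polling, then confirm the provider DLL they point
# to exists and carries a valid Authenticode signature. Key paths are from the post;
# the surrounding checks are an assumption about what a defender would verify.
$base    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults'
$typeKey = Join-Path $base 'Provider Types\Type 001'
$provKey = Join-Path $base 'Provider\Microsoft Strong Cryptographic Provider'

$typeName  = (Get-ItemProperty -Path $typeKey -ErrorAction SilentlyContinue).Name
$imagePath = (Get-ItemProperty -Path $provKey -ErrorAction SilentlyContinue).'Image Path'

if ($typeName) { "Type 001 Name : $typeName" }
else           { Write-Warning "Missing value: $typeKey\Name" }

if (-not $imagePath) { Write-Warning "Missing value: $provKey\Image Path"; return }
"Image Path    : $imagePath"

# The value is normally stored with %SystemRoot%; expand it, and also try the SysWOW64
# copy, since a 32-bit process under WOW64 is redirected there from System32.
$expanded   = [Environment]::ExpandEnvironmentVariables($imagePath)
$candidates = @($expanded, ($expanded -replace '\\System32\\', '\SysWOW64\')) | Select-Object -Unique

foreach ($dll in $candidates) {
    if (-not (Test-Path -LiteralPath $dll)) { Write-Warning "Provider DLL not found: $dll"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $dll
    '{0}' -f $dll
    '  signature: {0}' -f $sig.Status
    if ($sig.SignerCertificate) { '  signer   : {0}' -f $sig.SignerCertificate.Subject }
}
```

Run it from a 64-bit PowerShell so the WOW6432Node path is read literally; a missing value or a signature status other than Valid is what would turn the repeated reads from noise into a finding.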