CigarBoy
July 22nd, 2006, 05:16 PM
I noticed a lot of background downloading going on... checked processes and noticed many, many svchosts running...
Installed ProcessGuard and caught all this crap... what the heck is creating all these in my temp dir, then executing them?
00:42:45 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\33exssd32e.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
[EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exssd32e.exe 777 ]
00:42:46 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\60exmodex2.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
[EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\60exmodex2.exe http://out.catchonlife.com/nw/r2.txt?jeaa-1_2790_1061 ]
00:42:46 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exssd32e.exe" [4060]
[EXECUTION] Commandline - [ svchost.exe ]
00:42:46 [MODIFY] c:\documents and settings\my-name-here\local settings\temp\33exssd32e.exe [4060] was blocked from modifying c:\windows\system32\svchost.exe [2628]
00:42:47 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\33exmhdd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
[EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exmhdd.exe 777 ]
00:42:47 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\my-name-here_p~1.cor\locals~1\temp\60exmodex2.exe" [2204]
[EXECUTION] Commandline - [ svchost.exe ]
00:42:47 [MODIFY] c:\documents and settings\my-name-here\local settings\temp\60exmodex2.exe [2204] was blocked from modifying c:\windows\system32\svchost.exe [3832]
00:42:47 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1528]
[EXECUTION] Commandline - [ svchost.exe
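An added example, not part of the original post: a triage pass over a log in the layout shown above that flags executables run from a Temp directory, svchost.exe instances whose parent is not services.exe (a heuristic assumption about normal Windows behaviour), and blocked attempts to modify files under system32. The sample log lines and the names `triage` and `in_temp` are constructed for illustration.

```python
import re

# Constructed sample in the log layout shown in the post (paths are placeholders).
SAMPLE = r'''
00:10:01 [EXECUTION] "c:\documents and settings\user\local settings\temp\sample1.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
[EXECUTION] Commandline - [ c:\docume~1\user\locals~1\temp\sample1.exe 777 ]
00:10:02 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\user\locals~1\temp\sample1.exe" [4060]
[EXECUTION] Commandline - [ svchost.exe ]
00:10:02 [MODIFY] c:\documents and settings\user\local settings\temp\sample1.exe [4060] was blocked from modifying c:\windows\system32\svchost.exe [2628]
00:10:03 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [700]
[EXECUTION] Commandline - [ svchost.exe -k netsvcs ]
'''

EXEC = re.compile(r'^(\d\d:\d\d:\d\d) \[EXECUTION\] "(.+?)" was allowed to run')
PARENT = re.compile(r'^\[EXECUTION\] Started by "(.+?)" \[(\d+)\]')
MODIFY = re.compile(r'^(\d\d:\d\d:\d\d) \[MODIFY\] (.+?) \[(\d+)\] '
                    r'was blocked from modifying (.+?) \[(\d+)\]')

def in_temp(path):
    """True for long or 8.3 short paths that pass through a Temp directory."""
    return "\\temp\\" in path.lower()

def triage(log_text):
    """Return (time, rule, path) tuples for the suspicious events in the log."""
    findings, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := EXEC.match(line):
            current = {"time": m[1], "image": m[2].lower()}
            if in_temp(current["image"]):
                findings.append((current["time"], "exec-from-temp", current["image"]))
        elif (m := PARENT.match(line)) and current:
            parent = m[1].lower()
            # Assumption: a genuine svchost.exe is launched by services.exe,
            # so any other parent (including "Unknown Process") is reported.
            if current["image"].endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
                findings.append((current["time"], "svchost-odd-parent", parent))
            current = None
        elif m := MODIFY.match(line):
            if m[4].lower().startswith("c:\\windows\\system32\\"):
                findings.append((m[1], "system32-modify-blocked", m[2].lower()))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="  ")
```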