Security Screen Blank

Discussion in 'ProcessGuard' started by WilliamP, Sep 25, 2004.

Thread Status:
Not open for further replies.
  1. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi WilliamP. That is only a list of your most recent searches. You can ignore it. Can you post a shot of the process list in Task Manager. It might help others to see what is running on your system.

    Nick
     
  2. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Here is Task Manager.
     

    Attached Files:

  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Here is some more.
     

    Attached Files:

  4. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    The last. Can't get it to take the last attachment.
     

    Attached Files:

    Last edited: Sep 30, 2004
  5. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Pilli this is the popup.
     

    Attached Files:

  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I cleaned a system the other day where I had to remove a protected "winn.dll" (part of BackDoor-CFB). I could not delete it under the Owner's user account in either Safe or Normal mode. Kept getting the same error as you in both Safe and Normal modes. I had to boot into the Administrator's account in Safe Mode to finally delete it. It seems like you have a similar file-permissions problem. I would try deleting the file using the Recovery Console. Unless you have set an Administrator's password, just hit Enter when prompted. At the command prompt, type del C:\Windows\System32\procguard.dll and hit Enter. Type exit and reboot. Might work.

    Nick
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Nick, what was protecting the file? Was it open or locked, or was it just ownership, privileges, etc.? I had a mess like this because of BounceBack, and I had to go into Properties and dig down in the security settings and reset the ownership stuff, but I was able to get there and finally delete everything.

    William. Does the above window mean you can actually see the Procguard.dll when you view all the hidden files?
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Further to Peter's request, can you please follow the instructions for HijackThis; please run it from an administrator's account.
    Go here: http://www.thespykiller.co.uk/ for the HijackThis file.
    Put the file into a new folder like c:\hijackthis and run the program - do not take any actions, but cut and paste the results into your next post.
    I do not suspect spyware, but this log will show us a lot more about what is going on in your system.

    Thanks. Pilli
     
  9. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    And, William, could you again tell us *when* this popup appears - while trying to install PG, or just like that (on reboot, maybe)? I'm asking because the information on which thing is trying to execute the renaming may also be helpful - maybe it's the PG installer, or maybe it's one of Windows' own file-renaming/removal routines (you know, those routines that rename or copy files upon the next restart when they currently can't because they're in use).

    Peter, Pilli, or anyone else: does maybe someone know where these "do this on the next reboot" values are stored, so William can check it directly?

    Andreas
     
    Last edited: Oct 1, 2004
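Where Windows keeps those "do this on the next reboot" entries, as an added example that is not part of the thread, of ProcessGuard, or of any poster's reply: deferred renames and deletes (what MoveFileEx records when called with MOVEFILE_DELAY_UNTIL_REBOOT) live in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The strings come in source/destination pairs; an empty destination means delete, a destination starting with "!" means replace an existing file, and paths carry the NT prefix \??\. The decoder below reads the live value on Windows and otherwise falls back to a constructed sample whose paths only mirror the ProcessGuard files discussed above; the sample is not taken from anyone's machine.

```python
"""Decode the "do this on the next reboot" file operations Windows keeps.

Added example; not from the thread, from ProcessGuard, or from any poster.
Windows stores deferred renames and deletes in the REG_MULTI_SZ value
PendingFileRenameOperations under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager. Strings come in
pairs, source then destination: an empty destination means "delete source",
a destination beginning with "!" means "replace an existing file", and
paths carry the NT prefix \\??\\.
"""
import sys
from typing import Iterable, List, Optional, Tuple

NT_PREFIX = "\\??\\"
REG_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
REG_VALUE = "PendingFileRenameOperations"

# Constructed sample of what the value can hold (not read from a real PC).
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\System32\\procguard.dll", "",                     # delete
    "\\??\\C:\\Temp\\pgaccount.exe.new",
    "!\\??\\C:\\Program Files\\ProcessGuard\\pgaccount.exe",              # replace
    "\\??\\C:\\Temp\\install.log", "\\??\\C:\\Temp\\install.bak",         # rename
    "",  # Windows sometimes leaves a trailing empty string
]

Op = Tuple[str, Optional[str], bool]  # (source, destination or None, replace_existing)


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(entries: Iterable[str]) -> List[Op]:
    """Turn the raw multi-string into (source, destination, replace) tuples."""
    items = list(entries)
    if len(items) % 2:          # odd count: last source has no destination
        items.append("")
    ops: List[Op] = []
    for src, dst in zip(items[0::2], items[1::2]):
        if not src:             # padding, not an operation
            continue
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append((strip_nt_prefix(src),
                    strip_nt_prefix(dst) if dst else None,
                    replace))
    return ops


def describe(op: Op) -> str:
    src, dst, replace = op
    if dst is None:
        return f"DELETE  {src}"
    return f"{'REPLACE' if replace else 'RENAME '} {src} -> {dst}"


def read_live_value() -> Optional[List[str]]:
    """Read the real value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the late import
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
            value, kind = winreg.QueryValueEx(key, REG_VALUE)
    except FileNotFoundError:   # value absent: nothing is pending
        return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


if __name__ == "__main__":
    live = read_live_value()
    source = live if live is not None else SAMPLE_VALUE
    print("pending operations (%s):" % ("live registry" if live is not None else "constructed sample"))
    for op in parse_pending_renames(source):
        print("  " + describe(op))
```

A delete pending for a file that the installer also wants to create, or a pending replace of the very file it is copying, is exactly the kind of entry worth looking for before reinstalling; a stray entry can be cleared with regedit, but only after confirming nothing else (an AV or firewall update, say) put it there.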
  10. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I'm home from work, so I will answer your posts. Nick and Peter I cannot find procguard.dll anywhere in Safe Mode or not. Andreas the popup comes up when I try to install PG.
     
  11. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Logfile of HijackThis v1.98.0
    Scan saved at 5:11:28 PM, on 10/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\BellSouth\Client Foundation\CFD.exe
    C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
    C:\Program Files\CPal\CPal.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
    C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\PREVX\Prevx Home\PXAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\Program Files\Norton Personal Firewall\ATRACK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Documents and Settings\Lou Preto\My Documents\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BellSouth\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [hpsjbmgr] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpsjbmgr.exe"
    O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: Cookie Pal.lnk = C:\Program Files\CPal\CPal.exe
    O4 - Startup: ProcessGuard.lnk = C:\Program Files\ProcessGuard\procguard.exe
    O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
    O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Expressit Card Creator - http://expressit.broderbund.com/300_Business_Center/380_Card_Creator/dd.cab
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {4C470CD2-7394-11D4-9691-00D0B707528C} (Upload Class) - http://www.expressit.com/plugin/UpldPlug.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4025.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab

    I know I see ProcessGuard. What do I do? Can I remove it with HijackThis?
     
  12. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I just did a Start > Search for pgaccount.exe and nothing came up, but it shows in the HJT scan.
     
  13. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I didn't read all the posts, but if you get the popup saying procguard.dll cannot be copied/moved during the setup, there is no need to search further for why PG is malfunctioning afterwards.
    Something apparently prevents PG from installing correctly.

    Did you try to uninstall PG in Safe Mode, reboot, install it again in Safe Mode (and see if the popup is still there), and then reboot into Normal Mode?
    (Sorry if you have already done this; as I said, I didn't read every post.)

    regards,

    gkweb.
     
  14. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Gkweb I have gone into safe mode and removed everything I could find. I didn't try to install in the safe mode.
     
  15. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Praise The Lord. I did another HijackThis scan and did away with the two entries for PG. I downloaded and INSTALLED PG and so far so good. I am going to load it. I'll let you know.
     
  16. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I want to thank all of you who helped. This has been an ordeal, but it looks like it is over. I believe that it may have all started because Ver 2 wasn't removed properly, which was my fault. Believe me, that won't happen again.
     
  17. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Good to hear you have it up and running now William.....have fun mate :).

    Regards,
    Jade.
     
  18. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Thank you my friend.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi William. Glad you whooped it. Ain't it fun o_O Anyway glad to help, and even gladder you got it going.


    Pete
     
  20. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Thank you, Peter. Now I am going to have to figure out what to do about backing up my system. Will shutting down PG protect it from BounceBack?
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well done, William. HJT has many uses and I am glad it helped sort out your problem :D

    I notice that you have Prevx on your PC; many programs that run at a low level, such as Prevx, BounceBack, your AV, etc., can interfere with installs and, more importantly in your case, uninstalls. So it may not have been your fault.

    Now where's my coffee, I have a bit of a hangover this morning :eek:

    Cheers. Pilli
     
  22. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Glad it works now :)

    When something goes wrong at the installation, it is rare that you can ignore it and that the program works flawlessly afterwards.
    To install in safe mode is also a good trick sometimes because the other programs are disabled.

    regards,

    gkweb.
     
  23. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Pilli, I am glad that you mentioned HJT. I still don't understand how something can NOT show up in searches or in the registry and then show up in HJT. For a long time TDS3 wouldn't show up in HJT, but it does now. Still, my question: how can I do a backup and keep the same thing from happening again? Or at least try.
     
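Why a file can be missing from Start > Search yet still appear in a HijackThis log, as an added example that is not part of the thread and is not how HijackThis itself is implemented: HJT's O4 lines are read from the Run keys and the Startup-folder shortcuts, so an entry outlives the program it launches, while Search only reports files that are still on disk. An orphaned autorun is therefore visible in one and invisible in the other. The script below pulls the executable out of each O4 line and checks whether it exists. The log lines are copied from the HijackThis log posted above; the set of "present" files is constructed to mimic a machine where ProcessGuard's files were deleted by hand but its autorun entries were left behind, and the `exists` callback is there so the check runs offline.

```python
"""Find autorun entries whose target file is gone.

Added example; not from the thread and not HijackThis's own logic.
HijackThis lists Run keys and Startup-folder shortcuts (its "O4" lines)
from the registry and the .lnk files, so the entry outlives the program it
launches, while Start > Search only reports files still on disk.
"""
import os
import re
from typing import Callable, Iterable, List, Optional, Tuple

O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
# Either a quoted program, or an unquoted one that ends at the first
# .exe/.com/.scr/.bat followed by whitespace or end of line; unquoted paths
# with spaces and trailing arguments both occur in real Run keys.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat))(?=\s|$)', re.IGNORECASE)

# Lines copied from the HijackThis log in the thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize",
    r"O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup",
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r'O4 - HKLM\..\Run: [pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"',
    r"O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe",
    r"O4 - Startup: ProcessGuard.lnk = C:\Program Files\ProcessGuard\procguard.exe",
    r"O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
]

# Constructed: the files assumed to still exist on the machine being audited.
PRESENT = {
    r"C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE",
    r"C:\Program Files\Eset\nod32kui.exe",
    r"C:\PROGRA~1\SYMNET~1\SNDMon.exe",
    r"C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe",
}


def parse_o4(line: str) -> Optional[Tuple[str, str]]:
    """Return (entry name, command) for an O4 line, else None."""
    m = O4_RUN.match(line) or O4_LNK.match(line)
    return (m.group("name"), m.group("cmd")) if m else None


def executable_of(cmd: str) -> Optional[str]:
    """Extract the program a Run command or shortcut launches."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group(1) or m.group(2)


def audit(lines: Iterable[str],
          exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, Optional[str], str]]:
    """Classify each O4 entry as present, ORPHANED, path-lookup or unparsed."""
    rows = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        name, cmd = parsed
        exe = executable_of(cmd)
        if exe is None:
            status = "unparsed"
        elif ":\\" not in exe and not exe.startswith("\\\\"):
            # Bare name such as RUNDLL32.EXE: resolved through PATH, not checked here.
            status = "path-lookup"
        else:
            status = "present" if exists(exe) else "ORPHANED"
        rows.append((name, exe, status))
    return rows


if __name__ == "__main__":
    for name, exe, status in audit(SAMPLE_LOG, exists=lambda p: p in PRESENT):
        print(f"{status:<11} [{name}] {exe}")
```

Run against a real log with the default `exists`, the two ProcessGuard entries come out ORPHANED while everything else is present or resolved via PATH, which is the same conclusion HJT led to here: the leftover Run key and Startup shortcut, not a hidden file, were what kept showing up.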
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    The best way to back up is to use a program like Acronis (forum here on Wilders); you can back up to CD, DVD, or to another partition or drive by creating an image of your Windows drive.
    A simple solution is to use Windows' System Restore option: you can create a restore point before making changes to your system. This does sometimes fail to restore, though; System Restore is really just a quick fix. Fortunately it does not affect any work that you may have saved in My Documents etc., whereas a restored image replaces everything, so any work you have done since creating such an image will be lost.
    Acronis and other backup software usually have the ability to create scheduled incremental backups, which can be very handy.

    HTH Pilli
     
  25. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    With the system I have now, I have a bootable copy of my entire system on the CMS external hard drive, so if my drive dies I can pull it out and replace it. Does the Acronis program do the same?
     