Process Guard finding unknown system process on startup

Discussion in 'ProcessGuard' started by Tarran, Oct 3, 2004.

  1. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Bit of a weird one. I installed SpySweeper on Thursday and it found lots of keyloggers in the registry that Adaware did not pick up. Anyway, I let it quarantine them. Now, however, on startup I keep getting this system process that keeps trying to run that I keep denying with PG. It usually has no description, no command line, is 0kb, and says that it was created on 01 Jan 1601(!!). Has anyone come across this? I have run registry checker on systweak to remove spurious registry entries, but still it keeps coming up. It sometimes comes up with an "e" on the command line or another letter, but most of the time is blank.

    Any ideas?? o_O

    Tarran
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
  3. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Thanks Ronjor.

    I'll check them out.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Tarran, can you post your Autostart Viewer log, available from here, please.
    http://www.diamondcs.com.au/index.php?page=products
    In the Main menu select all of the first three choices if they are not already selected.
    Save and say yes to view the file now.
    Cut and paste into your next post.

    Thanks. Pilli
     
  5. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Hi Pilli,

    Done as below. I've highlighted the ones that look strange to me (but I am a novice, so they could be valid!): -

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for craig1@CRAIG, 10-04-2004
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    C:\WINNT\dosstart.bat
    C:\PROGRA~1\MICROS~2\Mouse\mouse.exe
    c:\winnt\wininit.ini [rename]
    NUL=C:\DOCUME~1\craig1\LOCALS~1\Temp\ginstall.dll
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    c:\winnt\system.ini [boot]\scrnsave.exe
    C:\WINNT\system32\MATRIX~1.SCR
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINNT\system32\MATRIX~1.SCR
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTSysVol
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTHelper
    C:\WINNT\system32\CTHELPER.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Share-to-Web Namespace Daemon
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
    C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\REGSHAVE
    C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\POINTER
    c:\point32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegProt
    d:\regprot\regprot.exe /start
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
    D:\nod32\antivirus\nod32kui.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
    RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ThrustTSR
    D:\thrustmaster\TMTMTSR.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    D:\ZoneAlarm\ZoneAlarm\zlclient.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iTunesHelper
    E:\itunes\iTunesHelper.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
    C:\WINNT\system32\internat.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RemoteCenter
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vTunerStartUp
    C:\PROGRA~1\VTUNER\vTuner.exe WinStart=Yes
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SpySweeper
    Q:\SpySweeper\Spy Sweeper\SpySweeper.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Handy Backup Pro 1.1
    E:\backup\HANDYB~1\hbagent.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
    C:\WINNT\system32\internat.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\System32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\NAVW32.exe
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1061124013.job
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
    C:\WINNT\Tasks\WebReg 20030927140100.job
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
    C:\Documents and Settings\craig1\Start Menu\Programs\Startup\Process Guard.lnk
    D:\pguard\ProcessGuard\procguard.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    D:\winzip\WZQKPICK.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\imon.dll
    C:\WINNT\system32\dcsws2.dll
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINNT\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINNT\System32\shmgrate.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINNT\System32\shmgrate.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6A5110B5-E14B-4268-A065-EF89FF33C325}\
    regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINNT\System32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
    C:\WINNT\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINNT\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AMON\
    \??\C:\WINNT\system32\drivers\amon.sys
    HKLM\System\CurrentControlSet\Services\ASEService\
    Q:\ALURIA~1\ASE\ASEServ.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\ccPxySvc\
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    HKLM\System\CurrentControlSet\Services\Creative Service for CDROM Access\
    C:\WINNT\System32\CTsvcCDA.exe
    HKLM\System\CurrentControlSet\Services\DCSUserProt\
    D:\pguard\ProcessGuard\dcsuserprot.exe
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\enodpl\
    C:\WINNT\System32\drivers\enodpl.sys
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\hidusb\
    C:\WINNT\System32\DRIVERS\hidusb.sys
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\NISUM\
    C:\Program Files\Norton Internet Security\NISUM.EXE
    HKLM\System\CurrentControlSet\Services\NOD32krn\
    D:\nod32\antivirus\nod32krn.exe
    HKLM\System\CurrentControlSet\Services\NtmsSvc\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINNT\system32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PfModNT\
    \??\C:\WINNT\System32\PfModNT.sys

    HKLM\System\CurrentControlSet\Services\PGMsgProt\
    D:\pguard\ProcessGuard\pg_msgprot.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINNT\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\procguard\
    \??\C:\WINNT\system32\drivers\procguard.sy

    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINNT\system32\regsvc.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINNT\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVRTPEL\
    \??\C:\WINNT\System32\Drivers\SAVRTPEL.SYS
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINNT\system32\MSTask.exe
    HKLM\System\CurrentControlSet\Services\SecDrv\
    \??\C:\WINNT\system32\drivers\SECDRV.SYS

    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINNT\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\StiSvc\
    C:\WINNT\system32\stisvc.exe
    HKLM\System\CurrentControlSet\Services\tandpl\
    C:\WINNT\System32\drivers\tandpl.sys
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINNT\system32\ZONELABS\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\WinMgmt\
    C:\WINNT\System32\WBEM\WinMgmt.exe
    HKLM\System\CurrentControlSet\Services\WMDM PMSP Service\
    C:\WINNT\System32\MsPMSPSv.exe
    HKLM\System\CurrentControlSet\Services\WS2IFSL\
    C:\WINNT\System32\drivers\ws2ifsl.sys
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINNT\system32\svchost.exe -k wugroup

    Any help you can offer will be greatly appreciated!

    Tar
     
  6. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Autoruns also shows the below: -

    I think the highlighted one might be the problem. Before I remove it, please can you confirm that I am barking up the right tree!

    Ta,

    Tar : -

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    + C:\WINNT\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\winnt\system32\userinit.exe
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    + Explorer.exe Windows Explorer Microsoft Corporation c:\winnt\explorer.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + ccApp Common Client CC App Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
    + ccRegVfy Common Client Registry Integrity Verifier Symantec Corporation c:\program files\common files\symantec shared\ccregvfy.exe
    + CTHelper CtHelper MFC Application (Not verified) Creative Technology Ltd c:\winnt\system32\cthelper.exe
    + CTSysVol CTSysVol.exe (Not verified) Creative Technology Ltd c:\program files\creative\sbaudigy2\surround mixer\ctsysvol.exe
    + iTunesHelper iTunesHelper Module (Not verified) Apple Computer, Inc. e:\itunes\ituneshelper.exe
    + nod32kui d:\nod32\antivirus\nod32kui.exe
    + NvCplDaemon NVIDIA Display Properties Extension (Not verified) NVIDIA Corporation c:\winnt\system32\nvcpl.dll
    + NvMediaCenter NVIDIA Media Center Library (Not verified) NVIDIA Corporation c:\winnt\system32\nvmctray.dll
    + nwiz NVIDIA nView Wizard, Version 61.77 (Not verified) NVIDIA Corporation c:\winnt\system32\nwiz.exe
    + POINTER Cursor features application file (Not verified) Microsoft Corporation C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    + QuickTime Task (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe
    + RegProt DiamondCS RegistryProt (Not verified) Diamond Computer Systems Pty. Ltd. d:\regprot\regprot.exe
    + REGSHAVE Shaving Registry (Not verified) FUJI PHOTO FILM CO., LTD. c:\program files\regshave\regshave.exe
    + Share-to-Web Namespace Daemon hpgs2wnd (Not verified) Hewlett-Packard c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
    + Synchronization Manager Microsoft Synchronization Manager Microsoft Corporation c:\winnt\system32\mobsync.exe
    + ThrustTSR Thrustmapper 3 Taskbar Utility (Not verified) Guillemot Corporation d:\thrustmaster\tmtmtsr.exe
    + TkBellExe RealNetworks Scheduler (Not verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe
    + Zone Labs Client Zone Labs Client Zone Labs, Inc d:\zonealarm\zonealarm\zlclient.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    + Flags File not found: €
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    + Exif Launcher.lnk Exif Launcher (Not verified) FUJI PHOTO FILM CO., LTD. c:\program files\finepixviewer\quickdcf.exe
    + hp psc 2000 Series.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
    + Microsoft Office.lnk Microsoft Office 2000 component (Not verified) Microsoft Corporation c:\program files\microsoft office\office\osa9.exe
    + Microsoft Works Calendar Reminders.lnk Microsoft® Works Calendar Reminder Service (Not verified) Microsoft® Corporation c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
    + officejet 6100.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
    + WinZip Quick Pick.lnk WinZip Executable (Not verified) WinZip Computing, Inc. d:\winzip\wzqkpick.exe
    C:\Documents and Settings\craig1\Start Menu\Programs\Startup
    + Process Guard.lnk Defends your system from malware (Not verified) DiamondCS d:\pguard\processguard\procguard.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    + Handy Backup Pro 1.1 Handy Backup Pro 1.1 Agent (Not verified) Novosoft e:\backup\handy backup pro\hbagent.exe
    + internat.exe Keyboard Language Indicator Applet Microsoft Corporation c:\winnt\system32\internat.exe
    + RemoteCenter Remote Control Manager (Not verified) Creative Technology Ltd. c:\program files\creative\mediasource\remotecontrol\rcman.exe
    + SpySweeper Spy Sweeper (Not verified) Webroot Software, Inc. q:\spysweeper\spy sweeper\spysweeper.exe
    + vTunerStartUp File not found: C:\PROGRA~1\VTUNER\vTuner.exe WinStart=Yes
    Task Scheduler
    + Symantec NetDetect.job Symantec NetDetect Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe
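    Working through the two listings above by eye is what the thread does; the Python below is an added example (not code from the thread, Process Guard or Autoruns) that parses Autoruns-style lines into entries and flags the ones a reviewer should look at (dead "File not found" references, values with no image path, images under Temp or a user profile), and decodes why a zero FILETIME renders as 01 Jan 1601. The sample lines are copied from this thread's Autoruns listings plus one constructed entry; the `tempdemo` name and the flag rules are assumptions.

```python
"""Triage an Autoruns-style autostart listing and decode the 01 Jan 1601 timestamp."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in the "+ name description publisher path" layout of the
# listings posted in this thread. All lines but 'tempdemo' are copied from the
# thread; 'tempdemo' is a constructed entry (hypothetical name) that exercises
# the user-writable-location rule.
AUTORUNS_SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
+ Flags File not found: €
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ SpySweeper Spy Sweeper (Not verified) Webroot Software, Inc. q:\spysweeper\spy sweeper\spysweeper.exe
+ vTunerStartUp File not found: C:\PROGRA~1\VTUNER\vTuner.exe WinStart=Yes
+ tempdemo Constructed entry for this example c:\docume~1\craig1\locals~1\temp\ginstall.dll
HKLM\System\CurrentControlSet\Services
+ Dnscache Resolves and caches Domain Name System (DNS) names. Microsoft Corporation c:\winnt\system32\services.exe
+ PGMsgProt Used in Process Guard to monitor messages sent between windows File not found: D:\pguard\ProcessGuard\pg_msgprot.exe
"""

# Start of a Win32 drive-letter path or an NT object path such as \??\C:\...
PATH_START_RE = re.compile(r"[A-Za-z]:\\|\\\?\?\\")

# Directories an autostart image should normally not live in: user-writable
# and Temp locations (short 8.3 forms included, as they appear in the thread).
USER_WRITABLE_DIRS = ("\\temp\\", "\\documents and settings\\",
                      "\\docume~1\\", "\\locals~1\\")


@dataclass
class Entry:
    section: str      # registry key or folder the entry was found under
    name: str         # first token of the entry line (value name / file name)
    image: str        # command or image path, "" when none could be found
    not_found: bool   # Autoruns marked the target as missing
    unverified: bool  # Autoruns could not verify a code signature


def parse_autoruns(text):
    """Split the listing into Entry records; lines without '+ ' are section headers."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+ "):
            section = line
            continue
        body = line[2:]
        # The image path is the last drive-letter / NT path on the line; the
        # free-text description before it may contain spaces and punctuation.
        starts = [m.start() for m in PATH_START_RE.finditer(body)]
        image = body[starts[-1]:].strip() if starts else ""
        head = body[:starts[-1]] if starts else body
        entries.append(Entry(section=section,
                             name=head.split()[0] if head.split() else "",
                             image=image,
                             not_found="File not found:" in body,
                             unverified="(Not verified)" in body))
    return entries


def triage(entries):
    """Return (section, name, reasons) for entries a reviewer should look at."""
    findings = []
    for e in entries:
        reasons = []
        if e.not_found:
            reasons.append("dead reference: target file is missing")
        if not e.image:
            reasons.append("no image path: value is not a file reference")
        if any(d in e.image.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("image lives in a user-writable or Temp directory")
        if reasons:
            findings.append((e.section, e.name, reasons))
    return findings


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Decode a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).

    Zero ticks render as 01 Jan 1601, the date Process Guard showed for the
    unknown process in this thread: the creation time was zero or unavailable
    to the tool, which is a missing timestamp rather than a genuinely old file.
    """
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


if __name__ == "__main__":
    for section, name, reasons in triage(parse_autoruns(AUTORUNS_SAMPLE)):
        print(f"{section}\n  {name}: {'; '.join(reasons)}")
    print("FILETIME 0 ->", filetime_to_datetime(0).date())
```

    A "dead reference" is not itself a running process, but stale RunOnceEx, Run and service entries are exactly the remnants a quarantine leaves behind and are the first thing to clear before hunting further.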
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Tarran, I'm no expert at these either, but Gavin is and he should be around tomorrow; if there are any other experts around I'm sure they will respond.

    This one is OK though:
    HKLM\System\CurrentControlSet\Services\procguard\
    \??\C:\WINNT\system32\drivers\procguard.sy
    Except that the end .sy should be .sys, but that might just be in the viewer copy :)

    Looks like initpki.dll is ok too. http://www.ezgoal.com/channels/developer/c.asp?cid=197759&p=109&o=&s=&l=&t=&Developer software

    PfModNT.sys could be a Creative Labs file?

    HTH Pilli
     
  8. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Ok, thanks Pilli, I do wonder about this: -

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    + Flags File not found: €


    that Autoruns found, but I'll wait till I get a response from Gavin or another expert in that field.

    Thanks for the help so far guys, those programs you directed me to are really useful!

    Tarran
     
  9. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Hi guys,

    I tried removing what I thought was the path that was causing the problem. It wasn't that. I have rechecked Autoruns, and I think it might be one of the paths highlighted. The Process Guard one could be the one, because I can't find that particular file; the PG detection occurs after PG starts.

    Any advice you can give will be really helpful.

    Thanks a lot for the help so far. :D

    Tarran


    HKLM\System\CurrentControlSet\Services
    + ASEService Removes spyware during reboot that cannot be removed while Windows is running q:\aluria software\ase\aseserv.exe
    + Browser Maintains an up-to-date list of computers on your network and supplies the list to programs that request it. Microsoft Corporation c:\winnt\system32\services.exe
    + ccEvtMgr Symantec Event Manager Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe
    + ccPxySvc Symantec Proxy Service Symantec Corporation c:\program files\norton internet security\ccpxysvc.exe
    + Creative Service for CDROM Access Creative Service for CDROM Access (Not verified) Creative Technology Ltd c:\winnt\system32\ctsvccda.exe
    + DCSUserProt Used in DiamondCS products for various security purposes (Not verified) DiamondCS d:\pguard\processguard\dcsuserprot.exe
    + Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\winnt\system32\services.exe
    + dmserver Logical Disk Manager Watchdog Service Microsoft Corporation c:\winnt\system32\services.exe
    + Dnscache Resolves and caches Domain Name System (DNS) names. Microsoft Corporation c:\winnt\system32\services.exe
    + Eventlog Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer. Microsoft Corporation c:\winnt\system32\services.exe
    + lanmanserver Provides RPC support and file, print, and named pipe sharing. Microsoft Corporation c:\winnt\system32\services.exe
    + lanmanworkstation Provides network connections and communications. Microsoft Corporation c:\winnt\system32\services.exe
    + LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\winnt\system32\services.exe
    + NISUM Handles Norton Internet Security Account Management Symantec Corporation c:\program files\norton internet security\nisum.exe
    + NOD32krn d:\nod32\antivirus\nod32krn.exe
    + NtmsSvc Manages removable media, drives, and libraries. Microsoft Corporation c:\winnt\system32\svchost.exe
    + NVSvc Provides system and desktop level support to the NVIDIA display driver (Not verified) NVIDIA Corporation c:\winnt\system32\nvsvc32.exe
    + PGMsgProt Used in Process Guard to monitor messages sent between windows File not found: D:\pguard\ProcessGuard\pg_msgprot.exe
    + PlugPlay Manages device installation and configuration and notifies programs of device changes. Microsoft Corporation c:\winnt\system32\services.exe
    + PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\winnt\system32\lsass.exe
    + ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\winnt\system32\services.exe
    + RemoteRegistry Allows remote registry manipulation. Microsoft Corporation c:\winnt\system32\regsvc.exe
    + RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\winnt\system32\svchost.exe
    + SamSs Stores security information for local user accounts. Microsoft Corporation c:\winnt\system32\lsass.exe
    + SBService ScriptBlocking registration Symantec Corporation c:\program files\common files\symantec shared\script blocking\sbserv.exe
    + Schedule Enables a program to run at a designated time. Microsoft Corporation c:\winnt\system32\mstask.exe
    + seclogon Enables starting processes under alternate credentials Microsoft Corporation c:\winnt\system32\services.exe
    + SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\winnt\system32\svchost.exe
    + Spooler Loads files to memory for later printing. Microsoft Corporation c:\winnt\system32\spoolsv.exe
    + StiSvc Still Image Devices Monitor Microsoft Corporation c:\winnt\system32\stisvc.exe
    + TrkWks Sends notifications of files moving between NTFS volumes in a network domain. Microsoft Corporation c:\winnt\system32\services.exe
    + vsmon Monitors internet traffic and generates alerts for disallowed access. Zone Labs, Inc c:\winnt\system32\zonelabs\vsmon.exe
    + WinMgmt Provides system management information. Microsoft Corporation c:\winnt\system32\wbem\winmgmt.exe
    + WMDM PMSP Service WMDM PMSP Service (Not verified) Microsoft Corporation c:\winnt\system32\mspmspsv.exe
    + wuauserv Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. Microsoft Corporation c:\winnt\system32\svchost.exe
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    + cscdll Offline Network Agent Microsoft Corporation c:\winnt\system32\cscdll.dll
    + SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\winnt\system32\wlnotify.dll
    + wzcnotif Wireless Zero Configuration Service UI Microsoft Corporation c:\winnt\system32\wzcdlg.dll
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    + C:\WINNT\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\winnt\system32\userinit.exe
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    + Explorer.exe Windows Explorer Microsoft Corporation c:\winnt\explorer.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + ccApp Common Client CC App Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
    + ccRegVfy Common Client Registry Integrity Verifier Symantec Corporation c:\program files\common files\symantec shared\ccregvfy.exe
    + CTHelper CtHelper MFC Application (Not verified) Creative Technology Ltd c:\winnt\system32\cthelper.exe
    + CTSysVol CTSysVol.exe (Not verified) Creative Technology Ltd c:\program files\creative\sbaudigy2\surround mixer\ctsysvol.exe
    + iTunesHelper iTunesHelper Module (Not verified) Apple Computer, Inc. e:\itunes\ituneshelper.exe
    + nod32kui d:\nod32\antivirus\nod32kui.exe
    + NvCplDaemon NVIDIA Display Properties Extension (Not verified) NVIDIA Corporation c:\winnt\system32\nvcpl.dll
    + NvMediaCenter NVIDIA Media Center Library (Not verified) NVIDIA Corporation c:\winnt\system32\nvmctray.dll
    + nwiz NVIDIA nView Wizard, Version 61.77 (Not verified) NVIDIA Corporation c:\winnt\system32\nwiz.exe
    + POINTER Cursor features application file (Not verified) Microsoft Corporation C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    + QuickTime Task (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe
    + RegProt DiamondCS RegistryProt (Not verified) Diamond Computer Systems Pty. Ltd. d:\regprot\regprot.exe
    + REGSHAVE Shaving Registry (Not verified) FUJI PHOTO FILM CO., LTD. c:\program files\regshave\regshave.exe
    + Share-to-Web Namespace Daemon hpgs2wnd (Not verified) Hewlett-Packard c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
    + Synchronization Manager Microsoft Synchronization Manager Microsoft Corporation c:\winnt\system32\mobsync.exe
    + ThrustTSR Thrustmapper 3 Taskbar Utility (Not verified) Guillemot Corporation d:\thrustmaster\tmtmtsr.exe
    + TkBellExe RealNetworks Scheduler (Not verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe
    + Zone Labs Client Zone Labs Client Zone Labs, Inc d:\zonealarm\zonealarm\zlclient.exe
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
    + Address Book 5 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
    + Browser Customizations Microsoft Internet Explorer Customization DLL Microsoft Corporation c:\winnt\system32\iedkcs32.dll
    + CRLUpdate UPDCRL (Not verified) Microsoft Corporation c:\winnt\system32\updcrl.exe
    + EnableRevocation Microsoft(C) Register Server Microsoft Corporation c:\winnt\system32\regsvr32.exe
    + Internet Explorer 6 IE 5.0 Per-User Install Utility Microsoft Corporation c:\winnt\system32\ie4uinit.exe
    + Internet Explorer Access Windows NT User Data Migration Tool Microsoft Corporation c:\winnt\system32\shmgrate.exe
    + Microsoft Outlook Express 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
    + Microsoft Windows Media Player ADVPACK Microsoft Corporation c:\winnt\system32\advpack.dll
    + NetMeeting 3.01 ADVPACK Microsoft Corporation c:\winnt\system32\advpack.dll
    + Outlook Express Access Windows NT User Data Migration Tool Microsoft Corporation c:\winnt\system32\shmgrate.exe
    + Windows Desktop Update Microsoft(C) Register Server Microsoft Corporation c:\winnt\system32\regsvr32.exe
    + Windows Media Player Microsoft Windows Media Player Setup Utility Microsoft Corporation c:\winnt\inf\unregmp2.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    + Exif Launcher.lnk Exif Launcher (Not verified) FUJI PHOTO FILM CO., LTD. c:\program files\finepixviewer\quickdcf.exe
    + hp psc 2000 Series.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
    + Microsoft Office.lnk Microsoft Office 2000 component (Not verified) Microsoft Corporation c:\program files\microsoft office\office\osa9.exe
    + Microsoft Works Calendar Reminders.lnk Microsoft® Works Calendar Reminder Service (Not verified) Microsoft® Corporation c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
    + officejet 6100.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
    + WinZip Quick Pick.lnk WinZip Executable (Not verified) WinZip Computing, Inc. d:\winzip\wzqkpick.exe
    C:\Documents and Settings\craig1\Start Menu\Programs\Startup
    + Process Guard.lnk Defends your system from malware (Not verified) DiamondCS d:\pguard\processguard\procguard.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    + Browseui preloader Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Component Categories cache daemon Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    + Network.ConnectionTray Network Connections Shell Microsoft Corporation c:\winnt\system32\netshell.dll
    + SysTray Systray shell service object Microsoft Corporation c:\winnt\system32\stobject.dll
    + WebCheck Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    + Handy Backup Pro 1.1 Handy Backup Pro 1.1 Agent (Not verified) Novosoft e:\backup\handy backup pro\hbagent.exe
    + internat.exe Keyboard Language Indicator Applet Microsoft Corporation c:\winnt\system32\internat.exe
    + RemoteCenter Remote Control Manager (Not verified) Creative Technology Ltd. c:\program files\creative\mediasource\remotecontrol\rcman.exe
    + SpySweeper Spy Sweeper (Not verified) Webroot Software, Inc. q:\spysweeper\spy sweeper\spysweeper.exe
    + vTunerStartUp File not found: C:\PROGRA~1\VTUNER\vTuner.exe WinStart=Yes
    Task Scheduler
    + Symantec NetDetect.job Symantec NetDetect Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    + AcroIEHlprObj Class Adobe Acrobat IE Helper Version 6.0 for ActivieX Adobe Systems, Incorporated d:\adobe\reader6\reader\activex\acroiehelper.dll
    + CNavExtBho Class Norton AntiVirusNAVShellExt Module Symantec Corporation c:\program files\norton antivirus\navshext.dll
    + Google Toolbar Helper Google IE Client Toolbar (Not verified) Google Inc. c:\program files\google\googletoolbar1.dll
    + IEPlugin Class Systweak Ad and Popup Blocker - Helper Module (Not verified) Systweak Inc q:\registry\advanced system optimizer\iehelper.dll
    + Yahoo! Companion BHO Yahoo! Companion 5.0 for Internet Explorer (Not verified) Yahoo! Inc. e:\yahoo!\messenger\ycomp.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    + DiamondCS WormGuard Hook DiamondCS WormGuard Core Module (Not verified) Diamond Computer Systems Pty. Ltd. d:\guards\wguard.dll
    + shell32.dll Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    + &Address Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + &Links Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + .CAB file viewer Cabinet File Viewer Shell Extension Microsoft Corporation c:\winnt\system32\cabview.dll
    + Accessible Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + ActiveDesktop Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + ActiveX Cache Folder Object Control Viewer Microsoft Corporation c:\winnt\system32\occache.dll
    + Add encryption item to context menus in explorer Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Address Bar Parser Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Address EditBox Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Augmented Shell Folder Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Augmented Shell Folder 2 Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + BandProxy Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Briefcase Windows Briefcase Microsoft Corporation c:\winnt\system32\syncui.dll
    + Briefcase Folder Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + CDF Extension Copy Hook Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + Channel File Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
    + Channel Handler Object Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
    + Channel Menu Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
    + Channel Properties Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
    + Channel Shortcut Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
    + CmdFileIcon Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Code Download Agent Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
    + ConnectionAgent Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
    + Crypto PKO Extension Crypto Shell Extensions Microsoft Corporation c:\winnt\system32\cryptext.dll
    + Crypto Sign Extension Crypto Shell Extensions Microsoft Corporation c:\winnt\system32\cryptext.dll
    + Custom MRU AutoCompleted List Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Darwin App Publisher Shell Application Manager (Not verified) Microsoft Corporation c:\winnt\system32\appwiz.cpl
    + Desktop Explorer NVIDIA Desktop Explorer, Version 61.77 (Not verified) NVIDIA Corporation c:\winnt\system32\nvshell.dll
    + Desktop Explorer Menu NVIDIA Desktop Explorer, Version 61.77 (Not verified) NVIDIA Corporation c:\winnt\system32\nvshell.dll
    + DiamondCS WormGuard Hook DiamondCS WormGuard Core Module (Not verified) Diamond Computer Systems Pty. Ltd. d:\guards\wguard.dll
    + Directory Context Menu Verbs Directory Service Common UI Microsoft Corporation c:\winnt\system32\dsuiext.dll
    + Directory Namespace Directory Service UI Microsoft Corporation c:\winnt\system32\dsfolder.dll
    + Directory Object Find Directory Service Find Microsoft Corporation c:\winnt\system32\dsquery.dll
    + Directory Property UI Directory Service Common UI Microsoft Corporation c:\winnt\system32\dsuiext.dll
    + Directory Query UI Directory Service Find Microsoft Corporation c:\winnt\system32\dsquery.dll
    + Directory Start/Search Find Directory Service Find Microsoft Corporation c:\winnt\system32\dsquery.dll
    + Disk Copy Extension Windows DiskCopy Microsoft Corporation c:\winnt\system32\diskcopy.dll
    + Disk Quota UI Windows Shell Disk Quota UI DLL Microsoft Corporation c:\winnt\system32\dskquoui.dll
    + Display Adapter CPL Extension Advanced display adapter properties Microsoft Corporation c:\winnt\system32\deskadp.dll
    + Display Control Panel HTML Extensions Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Display Monitor CPL Extension Advanced display monitor properties Microsoft Corporation c:\winnt\system32\deskmon.dll
    + Display Panning CPL Extension File not found: deskpan.dll
    + Display TroubleShoot CPL Extension Advanced display performance properties Microsoft Corporation c:\winnt\system32\deskperf.dll
    + Download Status Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + DS Security Page Directory Service Security UI Microsoft Corporation c:\winnt\system32\dssec.dll
    + Explorer Band Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + Favorites Band Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + File Property Page Extension Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + File Types Page Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Folder Options Property Page Extension Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Folder Shortcut Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Fonts Windows Font Folder Microsoft Corporation c:\winnt\system32\fontext.dll
    + For &People... Find People Microsoft Corporation c:\program files\outlook express\wabfind.dll
    + Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\winnt\system32\mscoree.dll
    + Global Folder Settings Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Handy Backup Handy Backup Pro Shell Extension DLL (Not verified) Novosoft e:\backup\handy backup pro\hbshell.dll
    + History Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + HTML Thumbnail Extractor Thumbnail View Extension Microsoft Corporation c:\winnt\system32\thumbvw.dll
    + HyperTerminal Icon Ext HyperTerminal Applet Library (Not verified) Hilgraeve, Inc. c:\winnt\system32\hticons.dll
    + ICC Profile Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\winnt\system32\icmui.dll
    + ICM Monitor Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\winnt\system32\icmui.dll
    + ICM Printer Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\winnt\system32\icmui.dll
    + ICM Scanner Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\winnt\system32\icmui.dll
    + IE4 Suite Splash Screen Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + In-pane search Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Installed Apps Enumerator Shell Application Manager (Not verified) Microsoft Corporation c:\winnt\system32\appwiz.cpl
    + Internet Name Space Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + InternetShortcut Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + ISFBand OC Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + IShellFolderBand Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + LNK file thumbnail interface delegator Thumbnail View Extension Microsoft Corporation c:\winnt\system32\thumbvw.dll
    + Media Band Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Menu Band Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Menu Desk Bar Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Menu Shell Folder Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Menu Site Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Microsoft AutoComplete Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Microsoft Browser Architecture Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + Microsoft BrowserBand Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Microsoft CopyTo Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Microsoft History AutoComplete List Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Microsoft Internet Toolbar Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Microsoft MoveTo Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Microsoft Multiple AutoComplete List Container Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Microsoft New Object Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Microsoft Outlook Custom Icon Handler Microsoft Outlook Shell Hook for Start/Find (Not verified) Microsoft Corporation c:\program files\microsoft office\office\olkfstub.dll
    + Microsoft SendTo Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Microsoft Shell Folder AutoComplete List Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Microsoft Url History Service Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + Microsoft Url Search Hook Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + MIME File Types Hook Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + MMC Icon Handler MMC Shell Extension DLL Microsoft Corporation c:\winnt\system32\mmcshext.dll
    + Mounted Volume Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + MRU AutoComplete List Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Multimedia File Property Sheet Control Panel Drivers Applet (Not verified) Microsoft Corporation c:\winnt\system32\mmsys.cpl
    + My Computer Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + MyDocs Copy Hook My Documents Folder UI Microsoft Corporation c:\winnt\system32\mydocs.dll
    + MyDocs Drop Target My Documents Folder UI Microsoft Corporation c:\winnt\system32\mydocs.dll
    + MyDocs Folder My Documents Folder UI Microsoft Corporation c:\winnt\system32\mydocs.dll
    + MyDocs Properties My Documents Folder UI Microsoft Corporation c:\winnt\system32\mydocs.dll
    + Network and Dial-up Connections Network Connections Shell Microsoft Corporation c:\winnt\system32\netshell.dll
    + NOD32 Context Menu Shell Extension d:\nod32\antivirus\nodshex.dll
    + NTFS Security Page Security Shell Extension Microsoft Corporation c:\winnt\system32\rshx32.dll
    + nView Desktop Context Menu NVIDIA Desktop Explorer, Version 61.77 (Not verified) NVIDIA Corporation c:\winnt\system32\nvshell.dll
    + Office Graphics Filters Thumbnail Extractor Thumbnail View Extension Microsoft Corporation c:\winnt\system32\thumbvw.dll
    + Offline Files Folder Client Side Caching UI Microsoft Corporation c:\winnt\system32\cscui.dll
    + Offline Files Folder Options Client Side Caching UI Microsoft Corporation c:\winnt\system32\cscui.dll
    + Offline Files Menu Client Side Caching UI Microsoft Corporation c:\winnt\system32\cscui.dll
    + OLE Docfile Property Page OLE DocFile Property Page Microsoft Corporation c:\winnt\system32\docprop.dll
    + Open With Context Menu Handler Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + PlusPack CPL Extension Effects Control Panel extension Microsoft Corporation c:\winnt\system32\plustab.dll
    + PostAgent Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
    + Printers Security Page Security Shell Extension Microsoft Corporation c:\winnt\system32\rshx32.dll
    + Registry Tree Options Utility Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Scheduled Tasks Task Scheduler interface DLL Microsoft Corporation c:\winnt\system32\mstask.dll
    + Search Assistant OC Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + Search Band Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Sendmail service Send Mail Microsoft Corporation c:\winnt\system32\sendmail.dll
    + Sendmail service Send Mail Microsoft Corporation c:\winnt\system32\sendmail.dll
    + Share-to-Web Upload Folder S2WNSRES (Not verified) Hewlett-Packard c:\program files\hewlett-packard\hp share-to-web\hpgs2wns.dll
    + Shell Application Manager Shell Application Manager (Not verified) Microsoft Corporation c:\winnt\system32\appwiz.cpl
    + Shell Automation Folder View Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Shell Automation Inproc Service Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    + Shell Automation Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
    + Shell Band Site Menu Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Shell DeskBar Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Shell DeskBarApp Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
    + Shell DocObject Viewer Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
    +
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Tarran, That message relates to a ProcessGuard file that is no longer used and was replaced by DCSuserprot from Version 2 onwards, and it can safely be deleted if it still exists. Check your Start - Programs - Startup folder to see if a shortcut is still there that may be causing the entry in your log.
    I guess the tuner start entry is the same, or maybe a one-time occurrence when the program was installed.

    HTH Pilli
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This is a problem

    NUL=C:\DOCUME~1\craig1\LOCALS~1\Temp\ginstall.dll
    it's a trojan and drops other files normally

    post a hjt log please as I can understand them better
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for looking derek & your help. :)
     
  13. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Hi Derek,

    Sorry for being dense, but how do I get a HJT log!! Pretty new to this!! (Strange that TDS didn't pick up on this)

    Also, Pilli, for the PGMsgProt issue, in the startup Processguard appears, but the path is processguard.exe - minimise. I can see PGMsgProt in the registry, but can't delete it.

    Thanks again for your time

    Tar.
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Tarran, Go here: http://www.thespykiller.co.uk/ on the right there is a box "Downloads", click that and then click on the HiJackThis : Version 1.98.2 at 01.08.2004
    Save to your desktop, create a new folder called something like: C:\HJT move the downloaded file to the new folder then run it. Copy and paste the findings into your next post.

    Thanks. Pilli :)
     
  15. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Hi guys

    Results as below: -

    thanks Tar.

    Logfile of HijackThis v1.98.2
    Scan saved at 16:45:39, on 06/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINNT\System32\CTsvcCDA.exe
    D:\pguard\ProcessGuard\dcsuserprot.exe
    C:\WINNT\System32\svchost.exe
    D:\nod32\antivirus\nod32krn.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINNT\system32\CTHELPER.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    D:\regprot\regprot.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\nod32\antivirus\nod32kui.exe
    C:\WINNT\system32\RUNDLL32.EXE
    D:\thrustmaster\TMTMTSR.exe
    D:\ZoneAlarm\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\qttask.exe
    E:\itunes\iTunesHelper.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    Q:\SpySweeper\Spy Sweeper\SpySweeper.exe
    E:\backup\HANDYB~1\hbagent.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    D:\winzip\WZQKPICK.EXE
    D:\pguard\ProcessGuard\procguard.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    Q:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Yahoo!\Messenger\ycomp.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe\Reader6\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - Q:\Registry\Advanced System Optimizer\IEHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Yahoo!\Messenger\ycomp.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [RegProt] d:\regprot\regprot.exe /start
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nod32kui] "D:\nod32\antivirus\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ThrustTSR] D:\thrustmaster\TMTMTSR.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "D:\ZoneAlarm\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] E:\itunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [SpySweeper] "Q:\SpySweeper\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [Handy Backup Pro 1.1] "E:\backup\HANDYB~1\hbagent.exe" -logon
    O4 - Startup: Process Guard.lnk = D:\pguard\ProcessGuard\procguard.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\winzip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\YAHOO!\MESSEN~1\YPAGER.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/signup/en/wowbeta/Si.cab
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
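    An added triage example (not part of the thread, and not code from HijackThis or DiamondCS): a small Python script that reads lines in the HijackThis 1.98 format shown above and applies the checks a helper does by eye. It resolves the real target of each O4 entry (a rundll32 host is looked through to the DLL it loads), flags targets that live in a temp directory, flags bare file names such as CTHELPER.EXE and MIDIDef.exe (they are resolved through the search path, so which copy runs must be confirmed), and notes O16 ActiveX controls fetched over plain http. The sample lines are taken from the log posted above except for the final ginstall entry, which is constructed to show what the temp-directory rule catches; the regexes and rule names are this example's own.

```python
import re
from typing import Dict, List

# Line shapes from HijackThis 1.98 logs (the format of the log posted above).
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O4_LNK_RE = re.compile(r'^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?\.lnk) = (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]+)\) - (?P<url>\S+)$')
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|bat|cmd|dll|cpl))"?(?:[\s,]|$)', re.IGNORECASE)

# Substrings that mean "this lives in a scratch directory" on a Windows 2000/XP box.
TEMP_MARKERS = ('\\temp\\', 'locals~1\\temp', '%temp%', 'temporary internet files')

SAMPLE_LOG = [
    # Lines taken from the HijackThis log posted in the thread
    r'O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe\Reader6\Reader\ActiveX\AcroIEHelper.dll',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE',
    r'O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe',
    r'O4 - Global Startup: WinZip Quick Pick.lnk = D:\winzip\WZQKPICK.EXE',
    r'O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/signup/en/wowbeta/Si.cab',
    # Constructed line (NOT in the posted log): a Run entry that hosts the Temp-directory
    # DLL dvk01 called out through rundll32, to show what the temp-path rule catches.
    r'O4 - HKCU\..\Run: [ginstall] RUNDLL32.EXE C:\DOCUME~1\craig1\LOCALS~1\Temp\ginstall.dll,Install',
]


def target_of(cmd: str) -> str:
    """Return the file that actually runs for a Run-key command line.

    Quotes and arguments are stripped; when rundll32 is the host, the DLL it loads
    is returned instead, because that is the code worth looking at.
    """
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd
    exe = m.group('exe')
    if exe.lower().rsplit('\\', 1)[-1] == 'rundll32.exe':
        m2 = EXE_RE.match(cmd[m.end():].strip())
        if m2:
            return m2.group('exe')
    return exe


def assess(line: str) -> Dict[str, object]:
    """Classify one log line: which section it is, what it loads, and any findings."""
    section = line.split(' ', 1)[0]
    target = ''
    findings: List[str] = []
    m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
    if m:
        target = target_of(m.group('cmd'))
    elif O2_RE.match(line):
        target = O2_RE.match(line).group('path').strip()
    elif O16_RE.match(line):
        target = O16_RE.match(line).group('url')
        if target.lower().startswith('http://'):
            findings.append('ActiveX control fetched over plain http, no transport integrity')
    if target and section != 'O16':
        low = target.lower()
        if any(marker in low for marker in TEMP_MARKERS):
            findings.append('autostart target lives in a temp directory')
        elif '\\' not in target:
            findings.append('bare file name, resolved through the search path; confirm which copy runs')
    return {'section': section, 'line': line, 'target': target, 'findings': findings}


def suspicious(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the records that carry at least one finding."""
    return [r for r in (assess(l.rstrip()) for l in lines if l.strip()) if r['findings']]


if __name__ == '__main__':
    for rec in suspicious(SAMPLE_LOG):
        print(f"{rec['section']:<4} {rec['target']}")
        for f in rec['findings']:
            print(f"     - {f}")
```

    Run against the posted log this only raises the two bare file names and the plain-http O16 entries, which agrees with dvk01's "nothing showing" reading; the constructed ginstall line is there to show that a Temp-directory autostart, the thing dvk01 was looking for, would be caught even when it hides behind rundll32.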
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    nothing showing in the hjt log so

    as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it (repeat for every user name/account )

    and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well and everything in C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
     
  17. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Hi dvk01

    Thanks for the reply. I have done as you have said and rebooted the pc.

    PG now picks up the message on startup as

    0c91ec756}\treatas.

    No command line still, but maybe that is more helpful.

    Also, you said earlier that: -

    NUL=C:\DOCUME~1\craig1\LOCALS~1\Temp\ginstall.dll

    is a trojan. TDS is not picking it up. How can I remove it, or was removing the file from temp enough?

    Many thanks.

    T.
     
    Last edited: Oct 7, 2004
  18. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Still getting the process guard problem on startup. It has also started to get worse. For the last couple of days, the same problem has been detected by process guard during normal operation of the pc, and has twice caused the pc to hang. The most common system process is still blank, but it does come up with spurious characters, and a couple of times with process guard/DCSuserprot.exe appearing, but all without command lines and all have the 1601 date.

    Are there any other programs I can run to remove the problem?

    I have run all the ones suggested on this post, as well as TDS. The only other thing I can think of is that process guard has become corrupted somehow, so I will try uninstalling and reinstalling it.

    Apart from that, anyone got any other suggestions?

    Tar.
     
  19. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    If you are using ProcessGuard v2.0 not being able to show file information for some files (files which are encrypted using EFS or on a network) is already a known problem. v3.000 of ProcessGuard fixes this problem.
     
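    The "0 KB, created 01 Jan 1601" combination Jason is describing is worth recognising on sight: a Windows FILETIME counts 100-nanosecond ticks from 1 January 1601 UTC, so a metadata record that was never filled in (all zero, as happens when the file cannot be opened for reading, EFS and network paths being the cases Jason names) decodes to exactly that date and size. The following Python is an added example, not code from ProcessGuard or DiamondCS: it converts FILETIME both ways and shows how a zeroed record should be reported as "metadata not read" rather than as an ancient file. The record layout and the `describe` wording are this example's assumptions.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1 January 1601 UTC, stored unsigned 64-bit.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a FILETIME into an aware UTC datetime (sub-microsecond ticks are dropped)."""
    if ft < 0:
        raise ValueError('FILETIME is an unsigned 64-bit value')
    return FILETIME_EPOCH + timedelta(microseconds=ft // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as a FILETIME using exact integer arithmetic."""
    if dt.tzinfo is None:
        raise ValueError('use an aware datetime; FILETIME is UTC')
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def metadata_looks_unread(size_bytes: int, created_ft: int) -> bool:
    """True when the record is what an unfilled (all-zero) metadata struct decodes to."""
    return size_bytes == 0 and created_ft == 0


def describe(path: str, size_bytes: int, created_ft: int) -> str:
    """Render a process record the way a monitor should: call out zeroed metadata explicitly."""
    created = filetime_to_datetime(created_ft)
    stamp = created.strftime('%d %b %Y')
    if metadata_looks_unread(size_bytes, created_ft):
        return (f'{path or "<no path>"}: size 0, created {stamp}: '
                f'file metadata was not read (zeroed record), not a real timestamp')
    return f'{path}: {size_bytes} bytes, created {stamp} {created:%H:%M:%S} UTC'


if __name__ == '__main__':
    # Constructed records: one zeroed (the symptom in the thread), one real-looking.
    print(describe('', 0, 0))
    print(describe(r'D:\pguard\ProcessGuard\dcsuserprot.exe', 12288, 116444736000000000))
```

    The constant 116444736000000000 is the well-known FILETIME of the Unix epoch (1 January 1970), which makes a convenient round-trip check for the two conversion functions. When a host-protection tool shows a zeroed record, the actionable question is why the file could not be read (encryption, network path, a handle the tool was denied), not what was created in 1601.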
  20. Tarran

    Tarran Registered Member

    Joined:
    Feb 2, 2004
    Posts:
    12
    Thanks mate

    I'll give that a try

    :)
     