Protection is not enabled

Discussion in 'WormGuard' started by TouchuvGrey, Jul 8, 2005.

Thread Status:
Not open for further replies.
  1. TouchuvGrey

    TouchuvGrey Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    441
    Location:
    South Mississippi USA ( ya'll )
    Just now checking stuff, i opened up Wormguard and it says " UNREGISTERED TRIAL VERSION" which it is not because i paid for it. and i click on "install" to install protection, then on "Test" and i get "Protection is not enabled" i'm puzzled here ( though that is nothing new, sigh ) any suggestions ?



    Mike
     
  2. dog

    dog Guest

    Hi Mike, ;)

    Re-copy your keyfile (wormguard.kf) to the Wormguard directory, which by default is C/Wormguard - it may have become corrupt or removed.

    Steve
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, few questions:
    - did you reboot after installation?

    - did you make changes to your system, change location or name of the WormGuard directory since its install,

    - did you press the "install" button and which result does that one give you?
    The unregistered message is a glitch which some systems see but the protection should be working correctly.

    - has it ever been different after the install?

    If still not working you can close all protection and all scanners and install WormGuard one more time over itself,
    if that is still not ok uninstall it, reboot, and with all other applications and resident protection and scanners closed install wormguard, reboot and see if all is ok now.

    Keep us informed please.
     
  4. TouchuvGrey

    TouchuvGrey Registered Member

    Hello Jooske:

    First, my thanks to you and everyone else here for helping me so much over the past few years.


    Hi there, few questions:
    - did you reboot after installation?


    this was not a new install, i was looking around on my computer and just found this out

    - did you make changes to your system, change location or name of the WormGuard directory since its install,

    Very likely, i'm always changing things around, i probably did change the location but not the name.

    - did you press the "install" button and which result does that one give you?
    The unregistered message is a glitch which some systems see but the protection should be working correctly.


    Yes i did and i get a message "WormGuard core components have been installed". And i found my keyfile and WG admits that it is registered to me now.

    If still not working you can close all protection and all scanners and install WormGuard one more time over itself,
    if that is still not ok uninstall it, reboot, and with all other applications and resident protection and scanners closed install wormguard, reboot and see if all is ok now.


    I have now tried all of the above, i still get a " Protection is not enabled " message. I'm now waiting on a new Keyfile from Diamond CS on the possibility that my current one is corrupt.

    Thanks again

    Mike
     
  5. Jooske

    Jooske Registered Member

    I don't expect the keyfile to be the problem.
    Maybe something is blocking your correct installation of the protection. The "unregistered" is not the main thing, it's the protection installation.
    Are you really sure there was not any protective application active? Have you tried in safe mode?
    When the last time you uninstalled did you make sure the whole directory was removed as well, registry clean and rebooted before the new install?

    If it's not all this, nor safe mode, we might need to have a look at your Autostartviewer log to see if anything is blocking or a HJT log. But wait if the new keyfile or safe mode operation might help wonders.
     
  6. TouchuvGrey

    TouchuvGrey Registered Member

    I don't expect the keyfile to be the problem.
    Maybe something is blocking your correct installation of the protection. The "unregistered" is not the main thing, it's the protection installation.
    Are you really sure there was not any protective application active? Have you tried in safe mode?


    i shut down all my protection, anti virus, TDS-3, BHO Demon, WinPatrol, MSAntiSpy, same result, tried to install in safe mode, same result.

    When the last time you uninstalled did you make sure the whole directory was removed as well, registry clean and rebooted before the new install?

    Yes, i searched and removed every trace of the old install i could find

    If it's not all this, nor safe mode, we might need to have a look at your Autostartviewer log to see if anything is blocking or a HJT log. But wait if the new keyfile or safe mode operation might help wonders.

    on the last uninstall of WormGuard i received an error message

    16 Bit MS-Dos Subsystem
    C:\Windows\System32Command.com
    C:\Program1\Symantec\S32EVNT1.Dll an installable virtual device driver failed Dll initialization.

    Choose Close to terminate the application


    Mike
     
  7. Jooske

    Jooske Registered Member

    I hope you first uninstalled before cleaning out the registry. :)
    I see descriptions to solve this error message in every language and for many programs and each time pointing to different files to get rid of. Most of the time it is after an uninstall some parts are left pointing to the original program, like in the msconfig startup, and in the registry.

    http://castlecops.com/postt88954.html
    "We also recommend reading the following support document from Microsoft. There have been reports of some spyware removing this file to prevent programs like WinPatrol from deleting it on reboot.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;324767
    This link will instruct you on how to recover this file and others that might be missing if that's the case. "



    Programs like WormGuard should not be moved around once installed, as i guess it was all running ok originally and most probably showing "registered" as well.

    That S32EVNT1.Dll sounds like a Symantec event component; did you do anything with your Norton too?


    Maybe after re-installing WormGuard again you get at least rid of that error message and then please leave it in that spot where you installed it, default.

    Can you go back to an old system restore point before all this happened and rebuild from there?
     
    Last edited: Jul 10, 2005
  8. TouchuvGrey

    TouchuvGrey Registered Member

    i can try that, but consider it to be a last resort, i'm willing to keep trying other stuff for a while yet.


    Mike
     
  9. FanJ

    FanJ Guest

    Slightly off-topic (maybe already mentioned):

    The protection from WormGuard has to be removed before uninstalling WormGuard (removing the protection in WG itself).

    BTW:
    Have you perhaps an entry in Add/Remove:
    DiamondCS WormGuard Hook ?
     
  10. TouchuvGrey

    TouchuvGrey Registered Member

    one of the probably 10 times i have installed/uninstalled WG by now i did, i used add/remove to remove it too
     
  11. TouchuvGrey

    TouchuvGrey Registered Member

    I just received the keyfile from DCS, re downloaded WormGuard, reinstalled, put keyfile in WG directory, still " Protection not enabled"



    Mike
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    that's because You've been already infected Touch...

    You've been infected with the 2late2bworm2B.exe trojan...

    ...:D


    ps: have you tried to install the protection? it's something you have to do first to let it work ;)

    press: "Install Prot." and you'll be protected.

    have fun

    Inf
     
  13. TouchuvGrey

    TouchuvGrey Registered Member

    Just now checking stuff, i opened up Wormguard and it says " UNREGISTERED TRIAL VERSION" which it is not because i paid for it. and i click on "install" to install protection, then on "Test" and i get "Protection is not enabled" i'm puzzled here ( though that is nothing new, sigh ) any suggestions ?



    Mike

    this was my original post on the matter several days ago, been there, tried that, still "Protection not enabled"


    still puzzled Mike
     
  14. Infinity

    Infinity Registered Member

    just let's start over again. probably in the beginning you did a few steps after each other while not being registered that caused this situation...hope I am clear?

    1. uninstall WG and reboot.
    2. delete any leftovers in program files and registry (use eg. CCleaner: http://www.filehippo.com/download_ccleaner.html)

    3. Install WormGuard again, without anything else doing: paste the Keyfile (*.kf) into C:\Wormguard folder.

    then install the protection. In the meantime your copy should be registered...

    Hope this helps.
     
  15. TouchuvGrey

    TouchuvGrey Registered Member

    Pasting the Keyfile over and getting it to admit that is registered to me worked fine. As per your suggestion i then installed protection and clicked "Test" the same old box pops up and tells me "Protection is not enabled". grrrrrrrr, mumble mumble. If i was still a drinking man i'd have a few right now.



    Mike
     
  16. Infinity

    Infinity Registered Member

    lol, probably I would too ;)

    when I copy paste the keyfile, I *first* click "done" and so WG closes.

    *Then* I open WG again and I click protect and it does it.

    I wouldn't understand why it would not protect you. that happened never here...
     
  17. TouchuvGrey

    TouchuvGrey Registered Member

    I don't understand it either. It seems to me very likely that Jooske's suggestion of several posts ago that something is blocking a correct install is likely the case. Unfortunately i have no idea at all what might be blocking it.


    Mike
     
  18. Jooske

    Jooske Registered Member

    post your HJT log and the autostartviewer log with all options showing from the latter.
     
  19. TouchuvGrey

    TouchuvGrey Registered Member

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Owner@PUTER, 07-13-2005
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    c:\aaws\software\Commdlg.dll=c:\aaws\software\Commdlg.1
    NUL=C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\ginstall.dll
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\boinc.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\boinc.scr
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TDS3
    C:\Program Files\TDS3\TDS-3.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
    C:\Program Files\Eset\nod32kui.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Look 'n' Stop
    C:\Program Files\Soft4Ever\looknstop\looknstop.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ
    E:\Program Files\MSAnti\gcasServ.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinPatrol
    e:\PROGRA~1\WinPatrol.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\!1_pgaccount
    E:\Program Files\ProcessGuard\pgaccount.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\!1_ProcessGuard_Startup
    E:\Program Files\ProcessGuard\procguard.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\1-Click Maintenance.job
    C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
    C:\WINDOWS\Tasks\Scheduled Checkpoint.job
    C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE
    C:\Documents and Settings\Owner.YOUR-6JNHHU0520\Start Menu\Programs\Startup\BHODemon 2.0.lnk
    C:\Program Files\BHODemon 2\BHODemon.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BOINC.lnk
    C:\Program Files\BOINC\boinc_gui.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\imon.dll
    C:\WINDOWS\system32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\
    C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
    HKLM\Software\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AMON\
    \??\C:\WINDOWS\System32\drivers\amon.sys
    HKLM\System\CurrentControlSet\Services\AppMgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\aspnet_admin\
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\DcomLaunch\
    C:\WINDOWS\system32\svchost -k DcomLaunch
    HKLM\System\CurrentControlSet\Services\DCSPGSRV\
    E:\Program Files\ProcessGuard\dcsuserprot.exe
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\Fax\
    C:\WINDOWS\system32\fxssvc.exe
    HKLM\System\CurrentControlSet\Services\Fix-It Task Manager\
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe -Service
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\NOD32krn\
    C:\Program Files\Eset\nod32krn.exe
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\procguard\
    \??\C:\WINDOWS\system32\drivers\procguard.sys
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RasAuto\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Speed Disk service\
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TUWinStylerThemeSvc\
    C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
    HKLM\System\CurrentControlSet\Services\UMWdf\
    C:\WINDOWS\system32\wdfmgr.exe
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wscsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs





    Logfile of HijackThis v1.99.1
    Scan saved at 9:42:33 AM, on 7/13/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
    E:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\TDS3\TDS-3.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Soft4Ever\looknstop\looknstop.exe
    E:\Program Files\MSAnti\gcasServ.exe
    E:\PROGRA~1\WinPatrol.exe
    E:\Program Files\ProcessGuard\pgaccount.exe
    C:\WINDOWS\system32\wdfmgr.exe
    E:\Program Files\ProcessGuard\procguard.exe
    E:\Program Files\MSAnti\gcasDtServ.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\BOINC\boinc_gui.exe
    C:\Program Files\BHODemon 2\BHODemon.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_4.18_windows_intelx86.exe
    C:\WINDOWS\Explorer.EXE
    C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
    O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\MSAnti\gcasServ.exe"
    O4 - HKLM\..\Run: [WinPatrol] "e:\PROGRA~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [!1_pgaccount] "E:\Program Files\ProcessGuard\pgaccount.exe"
    O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "E:\Program Files\ProcessGuard\procguard.exe" -minimize
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: BOINC.lnk = C:\Program Files\BOINC\boinc_gui.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120500481453
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - E:\Program Files\ProcessGuard\dcsuserprot.exe
    O23 - Service: Fix-It Task Manager - Unknown owner - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe (file missing)
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (file missing)
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
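
As an added example (not posted by anyone in this thread and not part of HijackThis), the Python below parses O4 and O23 lines in the format shown in the log above and lists the entries HijackThis marked "(file missing)", which is where leftovers of removed programs show up. The sample lines are copied from that log; the class and function names are made up for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - E:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Fix-It Task Manager - Unknown owner - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (file missing)
"""

ENTRY_RE = re.compile(r"^\s*([OR]\d+) - (.*)$")            # "O23 - rest of line"
RUN_RE = re.compile(r"^.*?: \[(.+?)\] (.*)$")              # "HKLM\..\Run: [name] command"
LNK_RE = re.compile(r"^(?:Global )?Startup: (.+?) = (.*)$")  # "Startup: x.lnk = target"
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|scr))', re.IGNORECASE)
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str        # HijackThis section code, e.g. "O4" or "O23"
    label: str          # Run value name, shortcut name or service display name
    owner: str          # vendor field, present on O23 lines only
    path: str           # first executable path found in the entry
    file_missing: bool  # True when the line ends with "(file missing)"


def parse_line(line):
    """Return an Entry for one log line, or None for headers and process names."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, rest = m.group(1), m.group(2).strip()
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    label, owner = rest, ""
    if section == "O23" and rest.startswith("Service: "):
        # Split from the right so a display name with " - " in it stays whole.
        parts = rest[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            label, owner, rest = parts
    elif section == "O4":
        hit = LNK_RE.match(rest) or RUN_RE.match(rest)
        if hit:
            label, rest = hit.groups()
    found = PATH_RE.search(rest)
    return Entry(section, label, owner, found.group(1) if found else "", missing)


def parse_log(text):
    """Parse every recognisable entry line of a HijackThis log."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def orphaned(entries):
    """Entries whose target file no longer exists on disk."""
    return [e for e in entries if e.file_missing]


def by_drive(entries):
    """Group entry labels by the drive letter of their executable."""
    groups = defaultdict(list)
    for e in entries:
        if e.path:
            groups[e.path[:2].upper()].append(e.label)
    return dict(groups)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in orphaned(entries):
        print(f"{e.section} orphaned: {e.label!r} ({e.owner}) -> {e.path}")
    for drive, labels in sorted(by_drive(entries).items()):
        print(drive, labels)
```
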
     
  20. Jooske

    Jooske Registered Member

    Did you have WormGuard on C:\ or E:\ ?
    Did you have ProcessGuard temporarily closed at installing and enabling protection in WormGuard and exclude (or allow permanently) the WormGuard exe in ProcessGuard?
     
  21. TouchuvGrey

    TouchuvGrey Registered Member


    I currently have WormGuard installed in C:\ though i had it in E:\ previously, as a matter of habit i do not generally install security programs in the default location. Process Guard was not installed until the day before yesterday and so i would think can be discounted as a possible source of the issue.


    Mike
     
  22. Robert Reed

    Robert Reed Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    1
    Drag the wguard.kf registration file and drop it on wguard.exe and dig it!
     