MSFN Forum: [Help] winresd32.dll - MSFN Forum


[Help] winresd32.dll help me trace this

#1 betamax

  • Member
  • Group: Members
  • Posts: 103
  • Joined: 11-March 05

  Posted 05 February 2006 - 11:26 AM

My virus protection keeps detecting the virus Win32/Saliy.G in C:\windows\system32\winresd32.dll. It deletes the file and says it's gone, which it is. A few hours later, the file is back again and the virus protection pops up and says it found a virus and removed it. This happens every few hours.

I decided to run filemon over night and catch it in the act.

This is what I found:

The file was opened by process 419478232.tmp. 419478232.tmp was created and executed by explorer.exe.

That's the kicker right there. What is making explorer create and execute this process (which is still running in the background)?

I can't post my filemon log file because it's 256MB. I can show the part that I'm looking at though. It's kinda tough to read but here it is.

I also noted via proc exp that the .tmp process was reading some file index.dat in content.ie5. Is it okay to just boot up in safe mode and blow everything away in my Temporary Internet Files folder?

485272 4:00:57 AM explorer.exe:356 CREATE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: OverwriteIf Access: All
485273 4:00:57 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Options: Open Directory Access: 00000000
485274 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 1024
485275 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 1024 Length: 1024
485276 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 2048 Length: 1024
485277 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 3072 Length: 1024
485278 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 4096 Length: 1024
485279 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 5120 Length: 1024
485280 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 6144 Length: 1024
485281 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 7168 Length: 1024
485282 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 8192 Length: 1024
485283 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 9216 Length: 1024
485284 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 10240 Length: 1024
485285 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 11264 Length: 1024
485286 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 12288 Length: 1024
485287 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 13312 Length: 1024
485288 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 14336 Length: 1024
485289 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 15360 Length: 1024
485290 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 16384 Length: 1024
485291 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 17408 Length: 1024
485292 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 18432 Length: 1024
485293 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 19456 Length: 1024
485294 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20480 Length: 1024
485295 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 21504 Length: 1024
485296 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 22528 Length: 1024
485297 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 23552 Length: 1024
485298 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 24576 Length: 1024
485299 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 25600 Length: 1024
485300 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 26624 Length: 1024
485301 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 27648 Length: 1024
485302 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 28672 Length: 1024
485303 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 29696 Length: 1024
485304 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 30720 Length: 1024
485305 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 31744 Length: 1024
485306 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 32768 Length: 1024
485307 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 33792 Length: 1024
485308 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 34816 Length: 1024
485309 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 35840 Length: 1024
485310 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 36864 Length: 1024
485311 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 37888 Length: 1024
485312 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 38912 Length: 1024
485313 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 39936 Length: 1024
485314 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 40960 Length: 1024
485315 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 41984 Length: 1024
485316 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 43008 Length: 1024
485317 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 44032 Length: 1024
485318 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 45056 Length: 1024
485319 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 46080 Length: 1024
485320 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 47104 Length: 1024
485321 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 48128 Length: 1024
485322 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 49152 Length: 1024
485323 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 50176 Length: 1024
485324 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 51200 Length: 51
485325 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485326 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485327 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 51251
485328 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 16384
485329 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 16384 Length: 2048
485330 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 18432 Length: 2048
485331 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20480 Length: 2048
485332 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 22528 Length: 2048
485333 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 24576 Length: 2048
485334 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 26624 Length: 2048
485335 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 28672 Length: 2048
485336 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 30720 Length: 2048
485337 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 32768 Length: 2048
485338 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 34816 Length: 2048
485339 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 36864 Length: 2048
485340 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 38912 Length: 2048
485341 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 40960 Length: 2048
485342 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 43008 Length: 2048
485343 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 45056 Length: 2048
485344 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 46131 Length: 5120
485345 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\CAVTemp\TEMPMON_1652_0 NOT FOUND Options: Open Access: All
485346 4:00:58 AM explorer.exe:356 CREATE C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Options: Create Access: All
485347 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0
485348 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0
485349 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485350 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485351 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 51251
485352 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 16384
485353 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 16384 Length: 2048
485354 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 18432 Length: 2048
485355 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20480 Length: 2048
485356 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 22528 Length: 2048
485357 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 24576 Length: 2048
485358 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 26624 Length: 2048
485359 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 28672 Length: 2048
485360 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 30720 Length: 2048
485361 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 32768 Length: 2048
485362 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 34816 Length: 2048
485363 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 36864 Length: 2048
485364 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 38912 Length: 2048
485365 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 40960 Length: 2048
485366 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 43008 Length: 2048
485367 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 45056 Length: 2048
485368 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 46131 Length: 5120
485369 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\CAVTemp\TEMPMON_1652_0 NOT FOUND Options: Open Access: All
485370 4:00:58 AM explorer.exe:356 CREATE C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Options: Create Access: All
485371 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0
485372 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0
485373 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 51251
485374 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 51251
485375 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485376 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485377 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS FileAttributeTagInformation
485378 4:00:58 AM explorer.exe:356 DELETE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485379 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485380 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: OpenIf Access: All
485381 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 25625
485382 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485383 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485384 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625
485385 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 16384
485386 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20505 Length: 5120
485387 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485388 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Attributes: A
485389 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485390 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485391 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Attributes: A
485392 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485393 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485394 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485395 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625
485396 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 16384
485397 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20505 Length: 5120
485398 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625
485399 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Options: Open Access: All
485400 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Options: Open Access: All
485401 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796
485402 4:00:58 AM explorer.exe:356 READ C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Offset: 0 Length: 16384
485403 4:00:58 AM explorer.exe:356 READ C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Offset: 1185676 Length: 5120
485404 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\CAVTemp\TEMPMON_1652_0 NOT FOUND Options: Open Access: All
485405 4:00:58 AM explorer.exe:356 CREATE C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Options: Create Access: All
485406 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0
485407 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0
485408 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796
485409 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796
485410 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796
485411 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open Access: All
485412 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open Access: All
485413 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Options: Open Directory Access: All
485414 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS FileBothDirectoryInformation: 419478232.tmp
485415 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS
485416 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485417 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Attributes: A
485418 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485419 4:00:58 AM explorer.exe:356 OPEN C:\ SUCCESS Options: Open Directory Access: All
485420 4:00:58 AM explorer.exe:356 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: DOCUME~1
485421 4:00:58 AM explorer.exe:356 CLOSE C:\ SUCCESS
485422 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\ SUCCESS Options: Open Directory Access: All
485423 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\ SUCCESS FileBothDirectoryInformation: betamax
485424 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\ SUCCESS
485425 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\ SUCCESS Options: Open Directory Access: All
485426 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\ SUCCESS FileBothDirectoryInformation: LOCALS~1
485427 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\ SUCCESS
485428 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS Options: Open Directory Access: All
485429 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS FileBothDirectoryInformation: Temp
485430 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS
485431 4:00:58 AM explorer.exe:356 CLOSE C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS
485432 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS FileNameInformation
485433 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All
485434 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Attributes: A
485435 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485436 4:00:58 AM explorer.exe:356 OPEN C:\ SUCCESS Options: Open Directory Access: All
485437 4:00:58 AM explorer.exe:356 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: DOCUME~1
485438 4:00:58 AM explorer.exe:356 CLOSE C:\ SUCCESS
485439 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\ SUCCESS Options: Open Directory Access: All
485440 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\ SUCCESS FileBothDirectoryInformation: betamax
485441 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\ SUCCESS
485442 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\ SUCCESS Options: Open Directory Access: All
485443 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\ SUCCESS FileBothDirectoryInformation: LOCALS~1
485444 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\ SUCCESS
485445 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS Options: Open Directory Access: All
485446 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS FileBothDirectoryInformation: Temp
485447 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS
485448 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625
485449 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625
485450 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp.Manifest NOT FOUND Options: Open Access: All
485451 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp.Manifest NOT FOUND Options: Open Access: All
485452 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Options: Open Access: All
485453 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Attributes: D
485454 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS
485455 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485456 4:00:58 AM 419478232.tmp:2404 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS FileNameInformation
485457 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\Prefetch\419478232.TMP-006197D3.pf NOT FOUND Options: Open Access: All
485458 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\Prefetch\419478232.TMP-006197D3.pf NOT FOUND Options: Open Access: All
485459 4:00:58 AM 419478232.tmp:2404 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Options: Open Directory Access: Traverse
485460 4:00:58 AM 419478232.tmp:2404 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp.Local NOT FOUND Options: Open Access: All
485461 4:00:58 AM 419478232.tmp:2404 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 1024 Length: 1024
485462 4:00:58 AM 419478232.tmp:2404 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 10240 Length: 15360
485463 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\system32\winresd32.dll SUCCESS Options: OpenIf Access: All
485464 4:00:58 AM winlogon.exe:532 DIRECTORY C:\WINDOWS\system32 SUCCESS Change Notify
485465 4:00:58 AM 419478232.tmp:2404 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 2048 Length: 8192
485466 4:00:58 AM 419478232.tmp:2404 WRITE C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 0 Length: 23040
485467 4:00:58 AM 419478232.tmp:2404 CLOSE C:\WINDOWS\system32\winresd32.dll SUCCESS
485468 4:00:58 AM winlogon.exe:532 DIRECTORY C:\WINDOWS\system32 SUCCESS Change Notify
485469 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\system32\winresd32.dll SUCCESS Options: Open Access: All
485470 4:00:58 AM 419478232.tmp:2404 QUERY INFORMATION C:\WINDOWS\system32\winresd32.dll SUCCESS Length: 23040
485471 4:00:58 AM 419478232.tmp:2404 READ C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 0 Length: 16384
485472 4:00:58 AM 419478232.tmp:2404 READ C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 17920 Length: 5120
485473 4:00:58 AM 419478232.tmp:2404 READ C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 13312 Length: 4096
485474 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\system32\winresd32.dll SUCCESS Options: Open Access: All
485475 4:00:58 AM 419478232.tmp:2404 READ C:\$Directory SUCCESS Offset: 16384 Length: 4096
485476 4:00:58 AM svchost.exe:864 DIRECTORY C:\$Extend\$ObjId SUCCESS Change Notify
485477 4:00:58 AM VetMsg.exe:2028 OPEN C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vete.dll

Please NOW, in the Microsoft Windows XP section, use [TAGS] in your topic's title.
See rules.
--Sonic
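As an added example (not code from the thread or from any of the posters), here is a small Python tracer for Filemon output in the layout betamax posted. It answers the "help me trace this" question mechanically: starting from winresd32.dll it finds the process that wrote the file, infers the image that process ran from, finds who wrote that image, and repeats until the chain ends. The sample lines are an abridged subset of the log above; the image-path lookup is an inference from file names (Filemon logs only the image name, not the full path), and the prefetch check assumes XP's behaviour of writing a <NAME>-<hash>.pf file after an image first runs.

```python
import re

# Filemon line layout as it appears in the thread:
#   <seq> <time> <AM|PM> <process>:<pid> <OPERATION> <path> <RESULT> [details]
# The path is matched lazily so paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<proc>.+?):(?P<pid>\d+)\s+"
    r"(?P<op>OPEN|CREATE|WRITE|READ|CLOSE|DELETE|DIRECTORY|"
    r"QUERY INFORMATION|SET INFORMATION)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NOT FOUND|ACCESS DENIED)"
    r"(?:\s+(?P<detail>.*))?$"
)

# Constructed sample: an abridged subset of the Filemon lines posted in the
# thread (the real log is 256 MB). The last line is truncated, as in the post.
SAMPLE_LOG = r"""
485272 4:00:57 AM explorer.exe:356 CREATE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: OverwriteIf Access: All
485274 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 1024
485378 4:00:58 AM explorer.exe:356 DELETE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485381 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 25625
485457 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\Prefetch\419478232.TMP-006197D3.pf NOT FOUND Options: Open Access: All
485466 4:00:58 AM 419478232.tmp:2404 WRITE C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 0 Length: 23040
485477 4:00:58 AM VetMsg.exe:2028 OPEN C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vete.dll
"""


def parse_log(text):
    """Parse Filemon lines into dicts; lines that do not match (e.g. the
    truncated one) are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["seq"], ev["pid"] = int(ev["seq"]), int(ev["pid"])
        ev["detail"] = ev["detail"] or ""
        events.append(ev)
    return events


def _basename(path):
    # Windows paths: split on backslash regardless of the host OS.
    return path.rsplit("\\", 1)[-1]


def last_writer(events, path):
    """(process, pid, seq) of the last process that put bytes into `path`
    (a successful WRITE, or a CREATE which may overwrite it), else None."""
    hit = None
    for ev in events:
        if ev["path"].lower() != path.lower() or ev["result"] != "SUCCESS":
            continue
        if ev["op"] in ("WRITE", "CREATE"):
            hit = (ev["proc"], ev["pid"], ev["seq"])
    return hit


def image_path(events, proc):
    """Best-effort image path for a process name: the first logged path whose
    file name equals it. An inference, since Filemon logs only image names."""
    for ev in events:
        if _basename(ev["path"]).lower() == proc.lower():
            return ev["path"]
    return None


def trace_origin(events, target, max_depth=8):
    """Walk the write chain backwards from `target`. Returns a list of
    (written_path, writer_process, writer_pid) hops, nearest the target
    first. Stops at an unknown writer, an unknown image, or a repeated hop."""
    chain, seen, path = [], set(), target
    for _ in range(max_depth):
        writer = last_writer(events, path)
        if writer is None:
            break
        proc, pid, _seq = writer
        chain.append((path, proc, pid))
        if (proc.lower(), pid) in seen:
            break
        seen.add((proc.lower(), pid))
        path = image_path(events, proc)
        if path is None:
            break
    return chain


def never_run_before(events):
    """Processes whose own Prefetch entry (<NAME>-<hash>.pf) was NOT FOUND at
    start-up: XP writes that file after a first run, so its absence hints that
    the image had not executed on this machine before."""
    names = set()
    for ev in events:
        if ev["op"] != "OPEN" or ev["result"] != "NOT FOUND":
            continue
        base = _basename(ev["path"]).upper()
        if base.endswith(".PF") and base.startswith(ev["proc"].upper() + "-"):
            names.add(ev["proc"])
    return sorted(names)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for written, proc, pid in trace_origin(evs, r"C:\WINDOWS\system32\winresd32.dll"):
        print(f"{written} <- written by {proc}:{pid}")
    print("no prefetch history for:", never_run_before(evs))
```

On the sample the chain ends at explorer.exe because no write to an explorer.exe image appears in the log; on the full 256 MB log the same walk would show whether explorer.exe itself was ever rewritten, which is what LLXX's later suggestion to re-extract it from the CD is aimed at.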



#2 Sonic

  • Group: Patrons
  • Posts: 1,600
  • Joined: 04-December 03

Posted 05 February 2006 - 12:26 PM

Try to rescan your system in Safe mode; if you can't, disable all non-Microsoft services & startup apps using msconfig and reboot to rescan your system.

#3 betamax

  • Member
  • Group: Members
  • Posts: 103
  • Joined: 11-March 05

Posted 05 February 2006 - 03:59 PM

I did rescan but it finds nothing because it already removed it upon it reappearing. What I'm trying to find out is what's causing it to reappear.

#4 LLXX

  • MSFN Junkie
  • Group: Banned
  • Posts: 3,399
  • Joined: 04-December 05

Posted 05 February 2006 - 07:14 PM

Remove all unnecessary items from your startup with the AutoRuns utility from www.sysinternals.com.

Clearing out all the temporary internet files is also a good idea.

#5 betamax

  • Member
  • Group: Members
  • Posts: 103
  • Joined: 11-March 05

Posted 07 February 2006 - 08:44 AM

I don't see any non-Microsoft items that I can remove. I'll post a log of my startup list later when I get home. In the meantime, I have another question about this.

My AV software periodically finds files in C:\system volume information\_restore..... that are infected.

Is it possible these bad files are getting pulled from backup?

Is it safe to blow away all the backup folders from the day I started having problems to present?

Also, is it normal for me to get an access denied message when trying to open C:\system volume information from Windows Explorer?

#6 jftuga

  • Member
  • Group: Members
  • Posts: 283
  • Joined: 27-October 05

Posted 07 February 2006 - 02:55 PM

betamax, on Feb 7 2006, 09:44 AM, said:

I don't see any non-Microsoft items that I can remove. I'll post a log of my startup list later when I get home. In the meantime, I have another question about this.

My AV software periodically finds files in C:\system volume information\_restore..... that are infected.

Is it possible these bad files are getting pulled from backup?

Is it safe to blow away all the backup folders from the day I started having problems to present?

Also, is it normal for me to get an access denied message when trying to open C:\system volume information from Windows Explorer?


I think this is one of your problems. Symantec's website recommends turning off System Restore before trying to clean a virus because it will be automatically restored once deleted.

From their website:

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.


Disabling or Enabling System Restore on Windows XP

-John

#7 LLXX

  • MSFN Junkie
  • Group: Banned
  • Posts: 3,399
  • Joined: 04-December 05

Posted 07 February 2006 - 11:30 PM

Re-extract explorer.exe from your Windows CD; that should get rid of any virus residing within it.

Copyright © 2001 - 2011 msfn.org