Suspicious logon/logoff entries in event viewer


13 replies to this topic

#1 mjt27


Posted 22 May 2012 - 09:44 AM

Hi there,


I have dozens of logon/logoff entries in my event viewer
most of which are supposedly done by NT AUTHORITY
or NETWORK SERVICE. Running WINXP HOME SP3 IE8



5/21/2012 1:58:01 PM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 1:57:58 PM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 9:43:51 AM Security Success Audit Privilege Use
576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

5/21/2012 9:43:51 AM Security Success Audit Logon/Logoff
528 NT AUTHORITY\NETWORK SERVICE PAS "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -"

5/21/2012 7:17:49 AM Security Success Audit Privilege Use
576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

5/21/2012 7:17:49 AM Security Success Audit Logon/Logoff
528 NT AUTHORITY\NETWORK SERVICE PAS "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -"

5/21/2012 3:03:02 AM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 3:03:02 AM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 3:02:58 AM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 2:46:21 AM Security Success Audit Privilege Use
576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

5/21/2012 2:46:21 AM Security Success Audit Logon/Logoff
528 NT AUTHORITY\NETWORK SERVICE PAS "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -"

5/21/2012 2:42:09 AM Security Success Audit Privilege Use
576 PAS\PAS PAS "Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x1D23690)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege"

5/21/2012 2:42:09 AM Security Success Audit Logon/Logoff
528 PAS\PAS PAS "Successful Logon:
User Name: PAS
Domain: PAS
Logon ID: (0x0,0x1D23690)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: PAS
Logon GUID: -"

5/21/2012 2:42:08 AM Security Success Audit Account Logon
680 NT AUTHORITY\SYSTEM PAS Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: PAS
Source Workstation: PAS
Error Code: 0x0

5/21/2012 2:41:45 AM Security Success Audit Logon/Logoff
538 PAS\PAS PAS "User Logoff:
User Name: PAS
Domain: PAS
Logon ID: (0x0,0x1C7A2FA)
Logon Type: 2
"
5/21/2012 2:40:27 AM Security Success Audit Logon/Logoff
551 PAS\PAS PAS "User initiated logoff:
User Name: PAS
Domain: PAS
Logon ID: (0x0,0x1c7a2fa)
"

5/21/2012 2:14:58 AM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 2:14:58 AM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 2:14:55 AM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 2:14:53 AM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 2:13:26 AM Security Success Audit Privilege Use
576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

5/21/2012 2:13:26 AM Security Success Audit Logon/Logoff
528 NT AUTHORITY\NETWORK SERVICE PAS "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -"



These are just a few of the ones listed....this seems to
happen almost every day. I have attached my security log
file for the complete list.....

There are also a lot of Event ID 849 and 850 Policy Changes
listed further down the list 5/8 5/9 5/11 not sure if this
is when it all started

I'm not sure what all these mean.....should I be
concerned about any malicious activity?

Please advise

Thank you

Edited by mjt27, 22 May 2012 - 09:46 AM.




#2 cryptodan


Posted 22 May 2012 - 10:25 AM

First what alerted you of these "warnings"?

#3 mjt27


Posted 22 May 2012 - 05:31 PM

Well I periodically check my event viewer app and security logs and
when they get really big I save them then delete the entries...that
is what alerted me...and as I scrolled further down the log 5/7 I saw
all these security audits and policy changes made...some of these
programs I don't even have on my pc....so I was a little concerned
as to why they were listed ie. flashget limewire AVG8

Edited by mjt27, 22 May 2012 - 05:46 PM.


#4 noknojon


Posted 22 May 2012 - 05:52 PM

"...some of these programs I don't even have on my pc"

Are you 100% sure of this statement ?

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:

•Flush DNS
•Report IE Proxy Settings
•Reset IE Proxy Settings
•Report FF Proxy Settings
•Reset FF Proxy Settings
•List content of Hosts
•List IP configuration
•List last 10 Event Viewer log
•List Installed Programs
•List Users, Partitions and Memory size.
•List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Publish a Snapshot using Speccy =<< Directions

These will help us to check some of your errors and programs -

Thank You -

Edited by noknojon, 22 May 2012 - 05:55 PM.


#5 mjt27


Posted 23 May 2012 - 05:01 AM

Well let's just say I'm about 98% sure I don't have them
I did at one time...but they have since been removed
quite some time ago....getting on this now

Thanks so much for your help....be back soon

#6 mjt27


Posted 23 May 2012 - 05:10 AM

http://speccy.piriform.com/results/Kr1euHyyi6hiC55H10KaJch

#7 mjt27


Posted 23 May 2012 - 05:18 AM

I have attached the MiniToolBox result log as requested

#8 cryptodan


Posted 23 May 2012 - 07:22 AM

Can you post the LimeWire, AVG, and FlashGet event logs that you noticed?

#9 mjt27


Posted 23 May 2012 - 09:14 PM

Sure I can post them...but you should have them in my seclog attachment
they were posted on 5/7 5/8 5/9 but this is what I was referring to
there were entries like this........



5/7/2012 1:34:04 AM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
5/7/2012 1:34:04 AM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE PAS "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -"
5/7/2012 1:33:42 AM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
5/7/2012 1:33:42 AM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE PAS "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -"
5/7/2012 1:33:11 AM Security Success Audit Policy Change 858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: Windows Remote Management
Port number: 5985
Protocol: TCP
State: Disabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: Remote Desktop
Port number: 3389
Protocol: TCP
State: Disabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: UPnP Framework over TCP
Port number: 2869
Protocol: TCP
State: Disabled
Scope: Local subnet only
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: SSDP Component of UPnP Framework
Port number: 1900
Protocol: UDP
State: Disabled
Scope: Local subnet only
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: Incoming Connection VPN (PPTP)
Port number: 1723
Protocol: TCP
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: Incoming Connection VPN (L2TP)
Port number: 1701
Protocol: UDP
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: IP Security (IPsec - IKE)
Port number: 500
Protocol: UDP
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: SMB over TCP
Port number: 445
Protocol: TCP
State: Disabled
Scope: Local subnet only
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: NetBIOS Session Service
Port number: 139
Protocol: TCP
State: Disabled
Scope: Local subnet only
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: NetBIOS Datagram Service
Port number: 138
Protocol: UDP
State: Disabled
Scope: Local subnet only
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: NetBIOS Name Service
Port number: 137
Protocol: UDP
State: Disabled
Scope: Local subnet only
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: Windows Remote Management - Compatibility Mode (HTTP-In)
Port number: 80
Protocol: TCP
State: Disabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Remote Assistance
Path: %windir%\system32\sessmgr.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Network Diagnostics for Windows XP
Path: %windir%\Network Diagnostic\xpnetdiag.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Windows Live Messenger 8.1
Path: C:\Program Files\MSN Messenger\msnmsgr.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Windows Live Messenger 8.1 (Phone)
Path: C:\Program Files\MSN Messenger\livecall.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Windows Messenger
Path: C:\Program Files\Messenger\msmsgs.exe
State: Enabled
Scope: All subnets



HERE'S THE LIMEWIRE ENTRY


5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: LimeWire
Path: C:\Program Files\LimeWire\LimeWire.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Internet Explorer
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: GamingPeak
Path: C:\Program Files\GamingPeak\GamingPeak.exe
State: Enabled
Scope: All subnets




HERE'S THE FLASHGET ENTRY


5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Flashget
Path: C:\Program Files\FlashGet\flashget.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Nero ProductSetup
Path: C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe
State: Enabled
Scope: All subnets






HERE'S THE AVG8 ENTRY



5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: avgupd.exe
Path: C:\Program Files\AVG\AVG8\avgupd.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: avgnsx.exe
Path: C:\Program Files\AVG\AVG8\avgnsx.exe
State: Enabled
Scope: All subnets



AVG8 AGAIN



5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: avgemc.exe
Path: C:\Program Files\AVG\AVG8\avgemc.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: avgam.exe
Path: C:\Program Files\AVG\AVG8\avgam.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: windows media player streaming service
Path: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
State: Enabled
Scope: All subnets
5/7/2012 1:33:11 AM Security Success Audit Policy Change 848 NT AUTHORITY\SYSTEM PAS The following policy was active when the Windows Firewall started.

Group Policy applied: Yes
Profile used: Standard
Interface: All interfaces
Operational mode: On
Services:
File and Printer Sharing: Disabled
Remote Desktop: Disabled
UPnP Framework: Disabled
Allow remote administration: Disabled
Allow unicast responses to multicast/broadcast traffic: Disabled
Security Logging:
Log dropped packets: Enabled
Log successful connections Disabled
ICMP:
Allow incoming echo request: Disabled
Allow incoming timestamp request: Disabled
Allow incoming mask request: Disabled
Allow incoming router request: Disabled
Allow outgoing destination unreachable: Disabled
Allow outgoing source quench: Disabled
Allow outgoing parameter problem: Disabled
Allow outgoing time exceeded: Disabled
Allow redirect: Disabled
Allow outgoing packet too big: Disabled




No idea what these policy changes are especially for
programs I don't have installed


Thanks!

#10 cryptodan


Posted 23 May 2012 - 09:19 PM

They are changes in the firewall rules to allow access. Please do the following:

Bring up a command prompt via Start > Run > cmd.exe

In the black box navigate to c:\program files


you will do a

cd "C:\Program Files\" hit enter

then do a dir >> c:\dir_listing.txt

copy the contents from that file into your next post.

#11 mjt27


Posted 23 May 2012 - 09:23 PM

OK I will be right back with that for you




here it is




Volume in drive C has no label.
Volume Serial Number is C0D8-4433

Directory of C:\Program Files

05/23/2012 10:49 AM <DIR> .
05/23/2012 10:49 AM <DIR> ..
07/14/2010 09:11 PM <DIR> ! 69
08/07/2011 01:10 AM <DIR> Adobe
07/06/2011 03:26 AM <DIR> Ashampoo
05/07/2012 02:08 AM <DIR> AVAST Software
05/26/2010 11:28 AM <DIR> Belarc
03/02/2010 06:36 PM <DIR> BroadJump
07/31/2011 10:14 AM <DIR> Canon
05/03/2012 04:26 AM <DIR> CCleaner
09/23/2011 10:48 PM <DIR> Citrix
05/20/2012 09:06 AM <DIR> Clue Buddy Pogo
05/04/2012 03:07 AM <DIR> Common Files
02/25/2012 07:03 AM <DIR> ComPlus Applications
02/25/2012 08:59 AM <DIR> Creative
07/16/2010 01:11 PM <DIR> Dell
11/07/2008 03:11 AM <DIR> Dell Support Center
05/07/2012 10:17 PM <DIR> Desktop Icon Toy
08/12/2011 12:29 AM <DIR> DivX
05/26/2009 03:29 AM <DIR> Elecard
06/27/2009 12:32 AM <DIR> ffdshow
05/23/2012 05:40 PM <DIR> GamingSafari
07/16/2010 04:36 PM <DIR> Intel
04/24/2012 12:19 AM <DIR> Internet Explorer
08/19/2008 05:01 AM <DIR> Jasc Software Inc
04/22/2012 11:49 AM <DIR> Java
04/19/2012 02:45 PM <DIR> keyexp
04/21/2012 10:32 PM <DIR> Loader
04/18/2012 09:21 AM <DIR> Malwarebytes' Anti-Malware
05/07/2012 06:27 PM <DIR> Microsoft
02/28/2012 04:50 PM <DIR> Microsoft Baseline Security Analyzer 2
03/12/2012 05:01 AM <DIR> Microsoft Fix it Center
12/07/2007 07:19 AM <DIR> microsoft frontpage
12/30/2007 01:39 AM <DIR> Microsoft Plus! Digital Media Edition
06/14/2010 03:51 AM <DIR> Microsoft SQL Server
05/24/2010 03:54 AM <DIR> Microsoft SQL Server Compact Edition
05/24/2010 03:54 AM <DIR> Microsoft Synchronization Services
08/12/2011 01:04 PM <DIR> Microsoft.NET
02/25/2012 02:16 PM <DIR> Movie Maker
05/08/2012 03:39 AM <DIR> Mozilla Firefox
08/12/2011 12:29 PM <DIR> MSBuild
07/31/2011 08:08 AM <DIR> msn gaming zone
09/29/2011 09:55 PM <DIR> Musicmatch
02/25/2012 10:06 PM <DIR> Nero
02/25/2012 12:06 PM <DIR> NetMeeting
01/31/2012 02:58 PM <DIR> Oberon Media
02/25/2012 09:55 PM <DIR> Online Services
02/25/2012 02:22 PM <DIR> Outlook Express
02/06/2012 02:42 AM <DIR> PrintFolders
05/14/2010 01:19 AM <DIR> PSP Thumbnail Handler
08/12/2011 12:29 PM <DIR> Reference Assemblies
05/07/2012 12:43 PM <DIR> SafeHarborGames
05/22/2012 12:52 AM <DIR> SpywareBlaster
05/08/2012 12:34 PM <DIR> SUPERAntiSpyware
12/07/2011 05:14 AM <DIR> SystemRequirementsLab
05/09/2012 04:09 AM <DIR> Trend Micro
08/12/2011 12:46 AM <DIR> Unlocker
12/12/2010 09:02 PM <DIR> wgcenter
01/29/2011 12:43 AM <DIR> Windows Installer Clean Up
05/07/2012 06:27 PM <DIR> Windows Live
05/07/2012 06:26 PM <DIR> Windows Live SkyDrive
07/01/2010 01:09 AM <DIR> Windows Media Connect 2
02/28/2012 04:22 PM <DIR> Windows Media Player
02/25/2012 12:06 PM <DIR> Windows NT
02/25/2012 09:50 AM <DIR> WinRAR
09/07/2010 05:10 AM <DIR> xerox
05/26/2009 03:33 AM <DIR> Xiph.Org
02/09/2011 02:38 PM <DIR> Xvid
0 File(s) 0 bytes
68 Dir(s) 56,121,786,368 bytes free

Edited by mjt27, 23 May 2012 - 09:25 PM.
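The cross-check this thread carries out by hand (event 849 firewall exception paths compared against the `dir` listing of C:\Program Files), as an added example that is not part of any poster's message. The function names and verdict labels are hypothetical; the sample records are trimmed from entries posted in #9, and the folder set is a subset of the listing in #11.

```python
import re
from ntpath import normpath  # Windows path rules, usable on any OS

# Sample input: records from post #9, trimmed to the fields the parser reads.
SAMPLE_LOG = r"""
5/7/2012 1:33:11 AM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM PAS A port was listed as an exception when the Windows Firewall started.
Name: Remote Desktop
Port number: 3389
State: Disabled
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.
Name: Remote Assistance
Path: %windir%\system32\sessmgr.exe
State: Enabled
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.
Name: LimeWire
Path: C:\Program Files\LimeWire\LimeWire.exe
State: Enabled
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.
Name: Internet Explorer
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
State: Enabled
5/7/2012 1:33:11 AM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM PAS An application was listed as an exception when the Windows Firewall started.
Name: windows media player streaming service
Path: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
State: Enabled
"""

# Subset of the folder names in the post #11 directory listing.
INSTALLED_DIRS = {"Internet Explorer", "Nero", "Windows Media Player",
                  "Mozilla Firefox", "AVAST Software"}

# Record header: timestamp, then the first standalone 3-digit number is the event ID.
HEADER = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s.*?\s(\d{3})\s", re.M)
FIELD = re.compile(r"^(Name|Path|State|Scope):[ \t]*(.*)$", re.M)


def parse_app_exceptions(log_text):
    """Return one dict per event 849 (application exception) record."""
    headers = list(HEADER.finditer(log_text))
    records = []
    for i, hdr in enumerate(headers):
        if hdr.group(2) != "849":          # 850 = port exception, 858 = policy applied
            continue
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        fields = {k.lower(): v.strip()
                  for k, v in FIELD.findall(log_text[hdr.end():end])}
        if "path" in fields:
            fields["time"] = hdr.group(1)
            records.append(fields)
    return records


def classify(record, installed_dirs, program_files=r"C:\Program Files"):
    """Compare an exception's path with the folders that exist on disk."""
    path = normpath(record["path"]).lower()   # also collapses any ".." segments
    if path.startswith("%windir%\\"):
        return "os-component"
    root = program_files.lower() + "\\"
    if not path.startswith(root):
        return "outside-program-files"        # unusual location: review by hand
    top_folder = path[len(root):].split("\\", 1)[0]
    if top_folder in {d.lower() for d in installed_dirs}:
        return "folder-present"               # folder exists; the file may still not
    return "stale-folder-missing"             # leftover rule from a removed program


def review(log_text, installed_dirs):
    """Map each exception name to its verdict."""
    return {r["name"]: classify(r, installed_dirs)
            for r in parse_app_exceptions(log_text)}


if __name__ == "__main__":
    for name, verdict in review(SAMPLE_LOG, INSTALLED_DIRS).items():
        print(f"{verdict:24} {name}")
```
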


#12 cryptodan


Posted 24 May 2012 - 04:41 AM

I will have more instructions later on.

Edited by cryptodan, 24 May 2012 - 04:42 AM.


#13 cryptodan


Posted 24 May 2012 - 12:44 PM

Let's look for some files:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :filefind
    avgam.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#14 mjt27


Posted 24 May 2012 - 02:37 PM

OK I will be back with that info



SystemLook 30.07.11 by jpshortstuff
Log created at 12:42 on 24/05/2012 by PAS
Administrator - Elevation successful

========== filefind ==========

Searching for "avgam.exe"
No files found.

-= EOF =-

Edited by mjt27, 24 May 2012 - 05:22 PM.




