First google redirect virus symptoms then Symantec gets owned


This topic is locked
63 replies to this topic

#1 7heRollzRoyce

Posted 04 August 2009 - 06:01 PM

Where to begin.

Last night while playing FFXI my internet began to slow, then stopped. After closing FFXI and restarting the wireless adapter I tried to click on a Google search link and started going to random sites. Found out about the Google redirect virus by using the internet on my phone. I then ran a virus scan from Symantec Endpoint Protection. It was able to clean/quarantine everything except this file.

SecurityRisk.Downldr.

Tried to find the file and delete it manually. Couldn't find it. Right after this Symantec proactive threat was disabled and the Anti-virus says WARNING beside it. Because I couldn't even connect to the internet at that point I reset my modem and router. Google Redirect symptoms were gone. Symantec was still owned so I knew something was still wrong. I tried to do a System Restore and Windows wouldn't let me. I had just downloaded Advanced System Optimizer a few days ago so I tried it. Still couldn't restore.

Heard a lot about MBAM. Downloaded MBAM, got the setup.exe error. Then I downloaded Spyware Doctor. It set up fine but didn't find anything. After this I tried rebooting the system in "safe mode with networking" and downloaded Trojan Remover. I finally thought I had it. Trojan Remover found two pieces of malware at the beginning of the scan. Then it closed. Tried the scan again. Closed again, right in the middle of the scan. So then in safe mode I downloaded the XoftspySE scan. It found 60 items, all moderate risk, but it found these three severe risks:

Megania Avx Trojan - c:\WINDOWS\system32\remove.exe

Viewpoint - c:\program files\viewpoint\Viewpoint Media Player

Wootbot.ac - software/microsoft/windows/current version/ run/ microsoft update/ active setup (Registry)

I decided I would try a forum like this using HijackThis to see if I could fix the problem before buying the program.

I downloaded HijackThis in "safe mode" but the resolution settings wouldn't let me click the agree button. I ran the program in normal mode and halfway through it got shut down. Now when I try to run the program I get a "Windows cannot access the specified path" error.

I would've posted this in the hijackthis log malware forum but I can't get a log. Any suggestions?
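The XoftSpy hit above on a "microsoft update" Run value, and the Trojan Remover log posted later in this thread (a Winlogon "Taskman" value pointing at a rundll32.exe inside C:\RECYCLER, and an HKCU Run value named "MicrosoftUpdate" pointing at a taskeng.exe under Application Data), show the same persistence pattern: a Windows system binary name launched from a user-writable folder with no publisher information. The Python below is an added example, not code from the thread or from any tool named in it; it parses a constructed excerpt in the Trojan Remover log layout and flags such entries, assuming the Windows directory is C:\WINDOWS as the log shows.

```python
"""Triage autostart entries in a Trojan Remover-style scan log (added example,
not the thread's or Simply Super Software's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt modelled on the log in the thread (size/date lines omitted).
SAMPLE_LOG = r"""
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
C:\WINDOWS\system32\userinit.exe
Company: Microsoft Corporation
----------
This key's "Taskman" value calls the following program:
Key value: [C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe]
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
Company: [no info]
----------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
C:\WINDOWS\system32\NvCpl.dll
Company: NVIDIA Corporation
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: MicrosoftUpdate
Value Data: C:\Documents and Settings\filesmer\Application Data\taskeng.exe
C:\Documents and Settings\filesmer\Application Data\taskeng.exe
Company: [no info]
--------------------
"""

# Binaries that belong only under the Windows directory (assumed C:\WINDOWS, as in the log).
SYSTEM_BINARIES = {"explorer.exe", "userinit.exe", "logonui.exe", "rundll32.exe",
                   "taskeng.exe", "winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
WINDOWS_DIR = "c:\\windows\\"
# Folders an unprivileged user can write to; nothing should autostart from them.
USER_WRITABLE_MARKERS = ("\\recycler\\", "\\application data\\", "\\local settings\\", "\\temp\\")
# Winlogon values that are present on a default Windows XP install.
DEFAULT_WINLOGON_VALUES = {"shell", "userinit", "uihost"}

_PATH_RE = re.compile(r"^[A-Za-z]:\\")                      # bare "C:\..." line
_WINLOGON_RE = re.compile(r'''^This key's "(\w+)" value''')  # Winlogon block header


@dataclass
class AutorunEntry:
    key: str           # registry key the value lives under
    name: str          # value name, e.g. "Taskman" or "MicrosoftUpdate"
    path: str = ""     # file the scanner resolved the value to
    company: str = ""  # publisher string the scanner reported


def parse_log(text: str) -> List[AutorunEntry]:
    """Collect one AutorunEntry per value block that resolved to a file path."""
    entries: List[AutorunEntry] = []
    key, current = "", None
    for raw in text.splitlines():
        line = raw.strip()
        winlogon = _WINLOGON_RE.match(line)
        if winlogon or line.startswith(("Checking ", "Value Name: ", "-----")):
            if current is not None and current.path:  # block boundary: keep finished entry
                entries.append(current)
            current = None
        if line.startswith("Checking "):
            key = line[len("Checking "):]
        elif line.startswith("Value Name: "):
            current = AutorunEntry(key, line[len("Value Name: "):])
        elif winlogon:
            current = AutorunEntry(key, winlogon.group(1))
        elif current is not None and _PATH_RE.match(line):
            current.path = line  # bare path line, not "Key value:" or "Value Data:"
        elif current is not None and line.startswith("Company: "):
            current.company = line[len("Company: "):]
    return entries


def assess(entry: AutorunEntry) -> List[str]:
    """Reasons the entry deserves a look; empty when nothing strong stands out."""
    low = entry.path.lower()
    base = low.rsplit("\\", 1)[-1]
    strong: List[str] = []
    if base in SYSTEM_BINARIES and not low.startswith(WINDOWS_DIR):
        strong.append("system binary name outside the Windows directory")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        strong.append("user-writable location")
    if entry.key.lower().endswith("\\winlogon") and entry.name.lower() not in DEFAULT_WINLOGON_VALUES:
        strong.append("non-default Winlogon value")
    # Missing publisher info is only supporting evidence; it never flags an entry alone.
    weak = ["no publisher information"] if entry.company.strip() in ("", "[no info]") else []
    return strong + weak if strong else []


def triage(text: str) -> Dict[str, List[str]]:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_log(text):
        reasons = assess(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged
```

Run against a full Trojan Remover log, `triage()` leaves the Microsoft, NVIDIA and similar entries alone and returns only the entries worth checking by hand, which in this thread are the two the scanner itself later neutralised.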

#2 Budapest (Moderator)

Posted 04 August 2009 - 06:25 PM

What was the exact error with MBAM?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 7heRollzRoyce (Topic Starter)

Posted 04 August 2009 - 10:52 PM

The error yesterday stated "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item". Then I clicked on Properties and clicked Unblock and received another error message. That was yesterday. I re-downloaded it just now and it installed and updated. I haven't run it yet. HijackThis gives the "Windows cannot access.." error when I try to run it. I also tried to run Trojan Remover but it stated that Norton Anti-Virus was running and would interfere with the search.

#4 Budapest (Moderator)

Posted 05 August 2009 - 12:46 AM

Run a quick-scan with Malwarebytes and post the log.

#5 7heRollzRoyce (Topic Starter)

Posted 05 August 2009 - 01:42 AM

I just tried to run the scan. It ran for a split second and the program terminated. When I tried to run it again I received this error

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

#6 Budapest (Moderator)

Posted 05 August 2009 - 01:45 AM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#7 7heRollzRoyce (Topic Starter)

Posted 05 August 2009 - 02:41 AM

I downloaded Dr.Web and followed your instructions. The first scan reported nothing. After unchecking "Heuristic Analysis" and starting the complete scan the program crashed. I tried it again and it terminated again. When I rebooted my computer in normal I got the blue screen saying

"One of your disks needs to be checked for consistency. You may cancel the disk check, but it's strongly recommended you continue." I finished the ChkDsk with no more errors.

#8 Budapest (Moderator)

Posted 05 August 2009 - 04:24 AM

Rename this file:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

to this:

winlogon.exe

Then double-click the renamed file and see if it will run.

If that doesn't work try renaming it again to this:

abcde.bat

#9 7heRollzRoyce (Topic Starter)

Posted 05 August 2009 - 08:01 AM

"cannot rename mbam: Access is denied. Make sure the disk is not full or write-protected and that the file is not in use."

I checked processes and programs running in the task list. It's not running. Also the logos for MBAM and HijackThis have been changed into a white window with the blue bar at the top. Neither runs.

Also automatic updates is telling me I have three updates to install. Should I go ahead and download them?

Edited by 7heRollzRoyce, 05 August 2009 - 08:03 AM.


#10 7heRollzRoyce (Topic Starter)

Posted 05 August 2009 - 01:32 PM

I had already downloaded the updates and assumed they'd been installed. They hadn't. When I tried to install from IE 8 and from the automated update I received these messages.

"Can't install windows update." "Cumulative Security update for IE 8 Windows XP failed Installation."

#11 Budapest (Moderator)

Posted 05 August 2009 - 04:50 PM

Try the DrWebCureIt scan again.

#12 7heRollzRoyce (Topic Starter)

Posted 05 August 2009 - 06:16 PM

I went to the alternate download link this time. On it, it recommended a driver updating program called Uniblue. I installed it and as soon as the scan started it shut down. After this I went to the original link and downloaded Dr.Web. (Btw these files are downloading to a folder called Downloads. Is that a problem?) When I reboot the computer in safe mode, before Windows loads I get a whole bunch of these taking up the whole computer screen:

"multi(0)disk(0)rdisk(0)partition(1)/windows/system32/drivers/BATTC.SYS"

The names are the same until after "drivers". I then followed the directions you posted above about running Dr.Web. This time the Express Scan found one virus and deleted it:

"Win32.H22LW.Lime.3"

When I ran the complete scan again it terminated during the scan again.

Btw While going through my documents I found a log of the first Trojan Remover scan I did before coming here. Here it is...

======================================
[INCOMPLETE SCAN LOG RECOVERED]
======================================
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.0.2586. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 6:09:13 PM 04 Aug 2009
Using Database v7370
Operating System: Windows XP Professional (SP3) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\filesmer\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\filesmer\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
The following Anti-Malware program(s) are loaded:
Nortons Anti-Virus

************************************************************


************************************************************
6:09:13 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
6:09:13 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 7/28/2008 12:26 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "Taskman" value calls the following program:
Key value: [C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe]
File: C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
128000 bytes
Created: 8/2/2009 3:29 PM
Modified: 8/4/2009 3:30 PM
Company: [no info]
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - this registry value has been removed
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - process is either not running or could not be terminated
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file renamed to: C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe.vir
This file will also be marked for renaming during PC restart, in case it is re-created
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
C:\WINDOWS\system32\NvCpl.dll
7405568 bytes
Created: 5/9/2007 4:58 PM
Modified: 5/9/2007 11:45 AM
Company: NVIDIA Corporation
--------------------
Value Name: NWTRAY
Value Data: NWTRAY.EXE
C:\WINDOWS\system32\NWTRAY.EXE
28672 bytes
Created: 2/21/2008 5:50 PM
Modified: 3/12/2002 11:37 AM
Company: Novell, Inc.
--------------------
Value Name: ccApp
Value Data: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
115560 bytes
Created: 2/23/2009 7:18 PM
Modified: 2/23/2009 7:18 PM
Company: Symantec Corporation
--------------------
Value Name: WD Drive Manager
Value Data: C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
450560 bytes
Created: 10/24/2008 11:09 AM
Modified: 10/24/2008 11:09 AM
Company: WDC
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1067912 bytes
Created: 8/4/2009 3:26 PM
Modified: 8/3/2009 2:36 PM
Company: Simply Super Software
--------------------
Value Name: ISTray
Value Data: "C:\Program Files\Spyware Doctor\pctsTray.exe"
C:\Program Files\Spyware Doctor\pctsTray.exe
1181064 bytes
Created: 8/4/2009 3:40 PM
Modified: 7/22/2009 10:44 PM
Company: PC Tools
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 7/28/2008 12:23 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
Value Name: MicrosoftUpdate
Value Data: C:\Documents and Settings\filesmer\Application Data\taskeng.exe
C:\Documents and Settings\filesmer\Application Data\taskeng.exe
55296 bytes
Created: 8/3/2009 11:06 PM
Modified: 8/4/2009 3:22 PM
Company: [no info]
--------------------
Value Name: Startup Manager
Value Data: "C:\Program Files\Advanced System Optimizer\startUp manager.exe"
C:\Program Files\Advanced System Optimizer\startUp manager.exe
919280 bytes
Created: 8/2/2009 3:42 PM
Modified: 6/22/2007 11:55 AM
Company: Systweak Inc
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

************************************************************
6:09:19 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
ValueName: {763370C4-268E-4308-A60C-D8DA0342BE32}
File: C:\Program Files\Novell\ZENworks\NalShell.dll
C:\Program Files\Novell\ZENworks\NalShell.dll
458752 bytes
Created: 8/8/2007 1:08 PM
Modified: 8/8/2007 1:08 PM
Company: Novell, Inc
----------
ValueName: {56F9679E-7826-4C84-81F3-532071A8BCC5}
File: C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
304128 bytes
Created: 5/26/2008 10:19 PM
Modified: 5/24/2009 10:41 PM
Company: Microsoft Corporation
----------

************************************************************
6:09:19 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
6:09:20 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\system32\UOFD20~1.SCR
C:\WINDOWS\system32\UOFD20~1.SCR
87761295 bytes
Created: 9/4/2008 3:00 PM
Modified: 6/3/2008 9:29 AM
Company: [no info]
--------------------

************************************************************
6:09:20 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: {5945c046-1e7d-11d1-bc44-00c04fd912be}
Path: rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
C:\WINDOWS\INF\msmsgs.inf, - [file not found to scan]
----------

************************************************************
6:09:20 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
6:09:22 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: Ad-Watch Connect Filter
ImagePath: \??\C:\WINDOWS\system32\drivers\NSDriver.sys
C:\WINDOWS\system32\drivers\NSDriver.sys - [file not found to scan]
----------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[INCOMPLETE SCAN LOG RECOVERED]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

======================================
[INCOMPLETE SCAN LOG RECOVERED]
======================================
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.0.2586. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 4:11:00 PM 04 Aug 2009
Using Database v7370
Operating System: Windows XP Professional (SP3) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\filesmer\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\filesmer\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
PC appears to be in SAFE MODE with Network Support.

************************************************************


************************************************************
4:11:00 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
4:11:00 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 7/28/2008 12:26 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "Taskman" value calls the following program:
Key value: [C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe]
File: C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
128000 bytes
Created: 8/2/2009 3:29 PM
Modified: 8/4/2009 3:30 PM
Company: [no info]
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe appears to contain: TRASHED.FILE
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - this registry value has been removed
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - process is either not running or could not be terminated
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file ownership assigned to: FILESMER-WS\filesmer
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - process is either not running or could not be terminated
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file backed up to C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe.vir
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file has been neutralised
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - marked for renaming when the PC is restarted
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
C:\WINDOWS\system32\NvCpl.dll
7405568 bytes
Created: 5/9/2007 4:58 PM
Modified: 5/9/2007 11:45 AM
Company: NVIDIA Corporation
--------------------
Value Name: NWTRAY
Value Data: NWTRAY.EXE
C:\WINDOWS\system32\NWTRAY.EXE
28672 bytes
Created: 2/21/2008 5:50 PM
Modified: 3/12/2002 11:37 AM
Company: Novell, Inc.
--------------------
Value Name: ccApp
Value Data: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
115560 bytes
Created: 2/23/2009 7:18 PM
Modified: 2/23/2009 7:18 PM
Company: Symantec Corporation
--------------------
Value Name: WD Drive Manager
Value Data: C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
450560 bytes
Created: 10/24/2008 11:09 AM
Modified: 10/24/2008 11:09 AM
Company: WDC
--------------------
Value Name: MSConfig
Value Data: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
169984 bytes
Created: 9/3/2008 2:22 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1067912 bytes
Created: 8/4/2009 3:26 PM
Modified: 8/3/2009 2:36 PM
Company: Simply Super Software
--------------------
Value Name: ISTray
Value Data: "C:\Program Files\Spyware Doctor\pctsTray.exe"
C:\Program Files\Spyware Doctor\pctsTray.exe
1181064 bytes
Created: 8/4/2009 3:40 PM
Modified: 7/22/2009 10:44 PM
Company: PC Tools
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: NoIE4StubProcessing
Value Data: C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
C:\WINDOWS\system32\reg.exe
50176 bytes
Created: 7/28/2008 12:25 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 7/28/2008 12:23 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
Value Name: MicrosoftUpdate
Value Data: C:\Documents and Settings\filesmer\Application Data\taskeng.exe
C:\Documents and Settings\filesmer\Application Data\taskeng.exe
55296 bytes
Created: 8/3/2009 11:06 PM
Modified: 8/4/2009 3:22 PM
Company: [no info]
--------------------
Value Name: Startup Manager
Value Data: C:\Program Files\Advanced System Optimizer\startUp manager.exe
C:\Program Files\Advanced System Optimizer\startUp manager.exe
919280 bytes
Created: 8/2/2009 3:42 PM
Modified: 6/22/2007 11:55 AM
Company: Systweak Inc
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

************************************************************
4:11:08 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
ValueName: {763370C4-268E-4308-A60C-D8DA0342BE32}
File: C:\Program Files\Novell\ZENworks\NalShell.dll
C:\Program Files\Novell\ZENworks\NalShell.dll
458752 bytes
Created: 8/8/2007 1:08 PM
Modified: 8/8/2007 1:08 PM
Company: Novell, Inc
----------
ValueName: {56F9679E-7826-4C84-81F3-532071A8BCC5}
File: C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
304128 bytes
Created: 5/26/2008 10:19 PM
Modified: 5/24/2009 10:41 PM
Company: Microsoft Corporation
----------

************************************************************
4:11:08 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
4:11:08 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\system32\UOFD20~1.SCR
C:\WINDOWS\system32\UOFD20~1.SCR
87761295 bytes
Created: 9/4/2008 3:00 PM
Modified: 6/3/2008 9:29 AM
Company: [no info]
--------------------

************************************************************
4:11:08 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: {5945c046-1e7d-11d1-bc44-00c04fd912be}
Path: rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
C:\WINDOWS\INF\msmsgs.inf, - [file not found to scan]
----------

************************************************************
4:11:08 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
4:11:09 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: Ad-Watch Connect Filter
ImagePath: \??\C:\WINDOWS\system32\drivers\NSDriver.sys
C:\WINDOWS\system32\drivers\NSDriver.sys - [file not found to scan]
----------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[INCOMPLETE SCAN LOG RECOVERED]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

======================================
[INCOMPLETE SCAN LOG RECOVERED]
======================================
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.0.2586. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 3:33:19 PM 04 Aug 2009
Using Database v7370
Operating System: Windows XP Professional (SP3) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\filesmer\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\filesmer\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
PC appears to be in SAFE MODE with Network Support.

************************************************************


************************************************************
3:33:19 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
3:33:20 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 7/28/2008 12:26 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "Taskman" value calls the following program:
Key value: [C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe]
File: C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
128000 bytes
Created: 8/2/2009 3:29 PM
Modified: 8/4/2009 3:30 PM
Company: [no info]
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe appears to contain: TRASHED.FILE
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - this registry value has been removed
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - process is either not running or could not be terminated
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file ownership assigned to: FILESMER-WS\filesmer
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - process is either not running or could not be terminated
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file backed up to C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe.vir
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file has been neutralised
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - marked for renaming when the PC is restarted
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
C:\WINDOWS\system32\NvCpl.dll
7405568 bytes
Created: 5/9/2007 4:58 PM
Modified: 5/9/2007 11:45 AM
Company: NVIDIA Corporation
--------------------
Value Name: NWTRAY
Value Data: NWTRAY.EXE
C:\WINDOWS\system32\NWTRAY.EXE
28672 bytes
Created: 2/21/2008 5:50 PM
Modified: 3/12/2002 11:37 AM
Company: Novell, Inc.
--------------------
Value Name: ccApp
Value Data: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
115560 bytes
Created: 2/23/2009 7:18 PM
Modified: 2/23/2009 7:18 PM
Company: Symantec Corporation
--------------------
Value Name: WD Drive Manager
Value Data: C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
450560 bytes
Created: 10/24/2008 11:09 AM
Modified: 10/24/2008 11:09 AM
Company: WDC
--------------------
Value Name: MSConfig
Value Data: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
169984 bytes
Created: 9/3/2008 2:22 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1067912 bytes
Created: 8/4/2009 3:26 PM
Modified: 8/3/2009 2:36 PM
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: NoIE4StubProcessing
Value Data: C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
C:\WINDOWS\system32\reg.exe
50176 bytes
Created: 7/28/2008 12:25 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 7/28/2008 12:23 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
Value Name: MicrosoftUpdate
Value Data: C:\Documents and Settings\filesmer\Application Data\taskeng.exe
C:\Documents and Settings\filesmer\Application Data\taskeng.exe
55296 bytes
Created: 8/3/2009 11:06 PM
Modified: 8/4/2009 3:22 PM
Company: [no info]
--------------------
Value Name: Startup Manager
Value Data: C:\Program Files\Advanced System Optimizer\startUp manager.exe
C:\Program Files\Advanced System Optimizer\startUp manager.exe
919280 bytes
Created: 8/2/2009 3:42 PM
Modified: 6/22/2007 11:55 AM
Company: Systweak Inc
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

************************************************************
3:34:15 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
ValueName: {763370C4-268E-4308-A60C-D8DA0342BE32}
File: C:\Program Files\Novell\ZENworks\NalShell.dll
C:\Program Files\Novell\ZENworks\NalShell.dll
458752 bytes
Created: 8/8/2007 1:08 PM
Modified: 8/8/2007 1:08 PM
Company: Novell, Inc
----------
ValueName: {56F9679E-7826-4C84-81F3-532071A8BCC5}
File: C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
304128 bytes
Created: 5/26/2008 10:19 PM
Modified: 5/24/2009 10:41 PM
Company: Microsoft Corporation
----------

************************************************************
3:34:15 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
3:34:15 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\system32\UOFD20~1.SCR
C:\WINDOWS\system32\UOFD20~1.SCR
87761295 bytes
Created: 9/4/2008 3:00 PM
Modified: 6/3/2008 9:29 AM
Company: [no info]
--------------------

************************************************************
3:34:15 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: {5945c046-1e7d-11d1-bc44-00c04fd912be}
Path: rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
C:\WINDOWS\INF\msmsgs.inf, - [file not found to scan]
----------

************************************************************
3:34:16 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
3:34:16 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: Ad-Watch Connect Filter
ImagePath: \??\C:\WINDOWS\system32\drivers\NSDriver.sys
C:\WINDOWS\system32\drivers\NSDriver.sys - [file not found to scan]
----------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[INCOMPLETE SCAN LOG RECOVERED]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

======================================
[INCOMPLETE SCAN LOG RECOVERED]
======================================
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.0.2586. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 3:31:13 PM 04 Aug 2009
Using Database v7370
Operating System: Windows XP Professional (SP3) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\filesmer\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\filesmer\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
PC appears to be in SAFE MODE with Network Support.

************************************************************


************************************************************
3:31:13 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
3:31:13 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 7/28/2008 12:26 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "Taskman" value calls the following program:
Key value: [C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe]
File: C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
128000 bytes
Created: 8/2/2009 3:29 PM
Modified: 8/4/2009 3:30 PM
Company: [no info]
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe appears to contain: TRASHED.FILE
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - this registry value has been removed
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - process is either not running or could not be terminated
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file ownership assigned to: FILESMER-WS\filesmer
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - process is either not running or could not be terminated
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file backed up to C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe.vir
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file has been neutralised
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - marked for renaming when the PC is restarted
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
C:\WINDOWS\system32\NvCpl.dll
7405568 bytes
Created: 5/9/2007 4:58 PM
Modified: 5/9/2007 11:45 AM
Company: NVIDIA Corporation
--------------------
Value Name: NWTRAY
Value Data: NWTRAY.EXE
C:\WINDOWS\system32\NWTRAY.EXE
28672 bytes
Created: 2/21/2008 5:50 PM
Modified: 3/12/2002 11:37 AM
Company: Novell, Inc.
--------------------
Value Name: ccApp
Value Data: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
115560 bytes
Created: 2/23/2009 7:18 PM
Modified: 2/23/2009 7:18 PM
Company: Symantec Corporation
--------------------
Value Name: WD Drive Manager
Value Data: C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
450560 bytes
Created: 10/24/2008 11:09 AM
Modified: 10/24/2008 11:09 AM
Company: WDC
--------------------
Value Name: MSConfig
Value Data: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
169984 bytes
Created: 9/3/2008 2:22 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1067912 bytes
Created: 8/4/2009 3:26 PM
Modified: 8/3/2009 2:36 PM
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: NoIE4StubProcessing
Value Data: C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
C:\WINDOWS\system32\reg.exe
50176 bytes
Created: 7/28/2008 12:25 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 7/28/2008 12:23 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
Value Name: MicrosoftUpdate
Value Data: C:\Documents and Settings\filesmer\Application Data\taskeng.exe
C:\Documents and Settings\filesmer\Application Data\taskeng.exe
55296 bytes
Created: 8/3/2009 11:06 PM
Modified: 8/4/2009 3:22 PM
Company: [no info]
--------------------
Value Name: Startup Manager
Value Data: C:\Program Files\Advanced System Optimizer\startUp manager.exe
C:\Program Files\Advanced System Optimizer\startUp manager.exe
919280 bytes
Created: 8/2/2009 3:42 PM
Modified: 6/22/2007 11:55 AM
Company: Systweak Inc
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

************************************************************
3:31:27 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
ValueName: {763370C4-268E-4308-A60C-D8DA0342BE32}
File: C:\Program Files\Novell\ZENworks\NalShell.dll
C:\Program Files\Novell\ZENworks\NalShell.dll
458752 bytes
Created: 8/8/2007 1:08 PM
Modified: 8/8/2007 1:08 PM
Company: Novell, Inc
----------
ValueName: {56F9679E-7826-4C84-81F3-532071A8BCC5}
File: C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
304128 bytes
Created: 5/26/2008 10:19 PM
Modified: 5/24/2009 10:41 PM
Company: Microsoft Corporation
----------

************************************************************
3:31:27 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
3:31:27 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\system32\UOFD20~1.SCR
C:\WINDOWS\system32\UOFD20~1.SCR
87761295 bytes
Created: 9/4/2008 3:00 PM
Modified: 6/3/2008 9:29 AM
Company: [no info]
--------------------

************************************************************
3:31:27 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: {5945c046-1e7d-11d1-bc44-00c04fd912be}
Path: rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
C:\WINDOWS\INF\msmsgs.inf, - [file not found to scan]
----------

************************************************************
3:31:27 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
3:31:28 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: Ad-Watch Connect Filter
ImagePath: \??\C:\WINDOWS\system32\drivers\NSDriver.sys
C:\WINDOWS\system32\drivers\NSDriver.sys - [file not found to scan]
----------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[INCOMPLETE SCAN LOG RECOVERED]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

======================================
[INCOMPLETE SCAN LOG RECOVERED]
======================================
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.0.2586. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 3:26:35 PM 04 Aug 2009
Using Database v7370
Operating System: Windows XP Professional (SP3) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\filesmer\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\filesmer\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
PC appears to be in SAFE MODE with Network Support.

************************************************************


************************************************************
3:26:35 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
3:26:35 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 7/28/2008 12:26 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
This key's "System" value calls the following program:
Key value: [ziswin.exe]
File: ziswin.exe
C:\WINDOWS\system32\ziswin.exe
192512 bytes
Created: 11/13/2006 4:23 PM
Modified: 11/13/2006 4:23 PM
Company: Novell
C:\WINDOWS\system32\ziswin.exe - this registry value has been removed
C:\WINDOWS\system32\ziswin.exe - process is either not running or could not be terminated
C:\WINDOWS\system32\ziswin.exe - file renamed to: C:\WINDOWS\system32\ziswin.exe.vir
This file will also be marked for renaming during PC restart, in case it is re-created
----------
This key's "Taskman" value calls the following program:
Key value: [C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe]
File: C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe
-RHS- 128000 bytes
Created: 8/2/2009 3:29 PM
Modified: 8/2/2009 3:29 PM
Company: [no info]
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - this registry value has been removed
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - process is either not running or could not be terminated
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - READ-ONLY, HIDDEN and SYSTEM file attributes removed
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file ownership assigned to: FILESMER-WS\filesmer
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - process is either not running or could not be terminated
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file backed up to C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe.vir
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - file has been neutralised
C:\RECYCLER\S-1-5-21-9000209774-1572713274-788418603-2046\rundll32.exe - marked for renaming when the PC is restarted
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 7/28/2008 12:24 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
C:\WINDOWS\system32\NvCpl.dll
7405568 bytes
Created: 5/9/2007 4:58 PM
Modified: 5/9/2007 11:45 AM
Company: NVIDIA Corporation
--------------------
Value Name: NWTRAY
Value Data: NWTRAY.EXE
C:\WINDOWS\system32\NWTRAY.EXE
28672 bytes
Created: 2/21/2008 5:50 PM
Modified: 3/12/2002 11:37 AM
Company: Novell, Inc.
--------------------
Value Name: ccApp
Value Data: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
115560 bytes
Created: 2/23/2009 7:18 PM
Modified: 2/23/2009 7:18 PM
Company: Symantec Corporation
--------------------
Value Name: WD Drive Manager
Value Data: C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
450560 bytes
Created: 10/24/2008 11:09 AM
Modified: 10/24/2008 11:09 AM
Company: WDC
--------------------
Value Name: MSConfig
Value Data: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
169984 bytes
Created: 9/3/2008 2:22 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1067912 bytes
Created: 8/4/2009 3:26 PM
Modified: 8/3/2009 2:36 PM
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: NoIE4StubProcessing
Value Data: C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
C:\WINDOWS\system32\reg.exe
50176 bytes
Created: 7/28/2008 12:25 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 7/28/2008 12:23 PM
Modified: 4/14/2008 8:00 AM
Company: Microsoft Corporation
--------------------
Value Name: MicrosoftUpdate
Value Data: C:\Documents and Settings\filesmer\Application Data\taskeng.exe
C:\Documents and Settings\filesmer\Application Data\taskeng.exe
55296 bytes
Created: 8/3/2009 11:06 PM
Modified: 8/4/2009 3:22 PM
Company: [no info]
--------------------
Value Name: Startup Manager
Value Data: C:\Program Files\Advanced System Optimizer\startUp manager.exe
C:\Program Files\Advanced System Optimizer\startUp manager.exe
919280 bytes
Created: 8/2/2009 3:42 PM
Modified: 6/22/2007 11:55 AM
Company: Systweak Inc
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

************************************************************
3:30:41 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
ValueName: {763370C4-268E-4308-A60C-D8DA0342BE32}
File: C:\Program Files\Novell\ZENworks\NalShell.dll
C:\Program Files\Novell\ZENworks\NalShell.dll
458752 bytes
Created: 8/8/2007 1:08 PM
Modified: 8/8/2007 1:08 PM
Company: Novell, Inc
----------
ValueName: {56F9679E-7826-4C84-81F3-532071A8BCC5}
File: C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
304128 bytes
Created: 5/26/2008 10:19 PM
Modified: 5/24/2009 10:41 PM
Company: Microsoft Corporation
----------

************************************************************
3:30:41 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
3:30:41 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\system32\UOFD20~1.SCR
C:\WINDOWS\system32\UOFD20~1.SCR
87761295 bytes
Created: 9/4/2008 3:00 PM
Modified: 6/3/2008 9:29 AM
Company: [no info]
--------------------

************************************************************
3:30:42 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: {5945c046-1e7d-11d1-bc44-00c04fd912be}
Path: rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
C:\WINDOWS\INF\msmsgs.inf, - [file not found to scan]
----------

************************************************************
3:30:42 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
3:30:44 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: Ad-Watch Connect Filter
ImagePath: \??\C:\WINDOWS\system32\drivers\NSDriver.sys
C:\WINDOWS\system32\drivers\NSDriver.sys - [file not found to scan]
----------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[INCOMPLETE SCAN LOG RECOVERED]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#13 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 05 August 2009 - 06:20 PM

Let's try a different scan altogether.

Please download ATF Cleaner by Atribune (alternate download link) and save it to your desktop. DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#14 7heRollzRoyce (Topic Starter, Members, 38 posts)

Posted 05 August 2009 - 06:55 PM

ATF ran fine. When I found the SAS program on my desktop it had been changed to a shortcut. I tried to run it anyway and got the "Windows cannot access..." error.

#15 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 05 August 2009 - 07:00 PM

Try the fix at Kelly's Korner.

EXE (lnk and regfile) Fix for Windows XP - #12 on the left.

Right click on it and save the .reg file to your desktop. Then, double click on the file icon (on your desktop) to merge it into your registry.


Then try Malwarebytes and SUPERAntiSpyware again. If neither work reboot your computer and try again.