Thread ID: 104811 2009-11-09 04:50:00 Hard Drives not displaying content when try to open them gza (13233) Press F1
Post ID Timestamp Content User
828734 2009-11-17 01:52:00 Speedy, I'll do the best that I can to remove the programs from startup. Not having much luck though, as the C drive (the 80GB one) simply refuses to open normally now. Constant BSOD, same technical data as before. The only way that I can get into Safe Mode is to press Esc to stop SPTD from running.
Alcohol is not on the computer anymore, nor is DT Pro. Alcohol wasn't listed as installed in either Add/Remove Programs or CCleaner Tools. It was/is virtually impossible to remove because when I try to do so from the Start\All Programs menu I receive a message that the installation of it cannot be validated. So I went into the Programs folder on C and manually removed it, then I ran CCleaner's 'Cleaner' and Registry tools to remove all traces, as best as can be done.

Easeus Partition Master is installed to C drive. Has been for 6-8 weeks now. I'll uninstall it.

All uninstallations are done with the computer in Safe Mode. Can't be done otherwise.
I have done full scans with TR and Avast and MBAM in Safe Mode, but with out-of-date virus databases.
This weekend I will bring my computer to town (Invercargill) and update all databases.
However, as the computer will not Start Windows Normally, I think that it's time to bite the bullet and wipe all the drives clean.
Hope that'll get rid of the nasties; it didn't seem to do so when they had manifested themselves on the formatted flash drive I use.

I have just checked the people's computer that my external HDD was connected to for a week and they have the same nasties, i.e. nds0q.exe and the Restricted Policies in the "SHOWALL" registry entry. Plus there was autorun.inf and one that isn't on my computer, namely:
Win32:Patched-HN[Trj] C:\DOCUME~i\....\cvasds.dll

I installed TR and Avast 4.8 Home and updated them to the latest versions as of today: TR 6.8.1, database 7424, and Avast (can't find the version, but it's all fresh and up to date).
The nasties found on their computer were fixed by TR and on reboot the full scans flowed without there being a mention of them. This does not happen on my computer; they are always being brought to the surface again.
So, perhaps I wipe the lot, eh, considering that I can't get into Windows normally.

No offence, but earlier today when I went to a computer repair shop to enquire about the cost of a new DVD-RW (mine having bit the dust when an optical disc disintegrated inside it from a hairline crack in the hub of the disc), I mentioned the BSODs and the SPTD showing in the Safe Mode driver load-up, and the tech there said that SPTD is a part of the Windows XP OS.
Ha ha!! Maybe it's not booting into Windows because I (in BOLD letters) did delete it along with nds0q.exe from the Prefetch folder.
Just a thought... why are there entries in the Prefetch folder for programs, games, whatever, when I have done a full uninstall of them??
That's another story.

Thanks for your help; I suppose a fresh install won't go wanting. Been a year almost since I did the one between Xmas and New Year. Off to an early start this time.
Ta...gza
gza (13233)
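The autorun.inf plus nds0q.exe pairing mentioned in this post (and reported further down the thread by Trojan Remover as "C:\autorun.inf open entry: [nds0q.exe]") is the standard autorun-worm footprint: the worm copies itself to the root of every drive and writes an autorun.inf whose open= or shell\<verb>\command= entries point at it, so that inserting the drive, or double-clicking it in My Computer, runs the worm instead of opening the drive. The script below is an added example, not code from this thread or from Trojan Remover, Avast or any other tool named here. It parses an autorun.inf tolerantly (worms pad the file with binary junk that configparser rejects), lists every entry able to launch a program, and names the context-menu verbs whose command has been replaced. Both sample files are constructed for the example; only the file name nds0q.exe is taken from the thread, and `check_drive` is a convenience for running it against a mounted drive root from a rescue system.

```python
"""Tolerant autorun.inf inspector (added example; not from the thread or any tool it names).

Reproduces the one check a cleanup tool performs when it reports
"autorun.inf open entry: [...]": parse the file in the drive root and list
every entry that can launch a program.  Usage against a mounted drive:
    python3 autorun_check.py /mnt/drive
"""
import os
import re
import sys

# Keys under [autorun] that launch a program automatically (AutoRun/AutoPlay).
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... replaces what the drive's context-menu verb runs.
# Replacing "open" or "explore" means double-clicking the drive in My Computer
# runs the listed program instead of opening the drive.
SHELL_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Parse INI-style text into {section: [(key, value), ...]}.

    Deliberately more tolerant than configparser: section and key names are
    lower-cased, and lines without '=' are skipped rather than raising,
    because autorun worms often pad the file with binary junk."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_entries(text):
    """Return [(key, value)] for every [autorun] entry able to run a program."""
    entries = parse_autorun(text).get("autorun", [])
    return [(k, v) for k, v in entries if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def hijacked_verbs(text):
    """Context-menu verbs (open, explore, ...) whose command has been replaced."""
    verbs = []
    for key, _ in launch_entries(text):
        m = SHELL_COMMAND.match(key)
        if m:
            verbs.append(m.group(1))
    return verbs


def report(text):
    """Human-readable findings, one string per launch entry."""
    lines = []
    for key, value in launch_entries(text):
        m = SHELL_COMMAND.match(key)
        if m:
            lines.append(f"{key}={value}: replaces the '{m.group(1)}' verb (double-click runs it)")
        else:
            lines.append(f"{key}={value}: runs automatically on insert/AutoPlay")
    return lines


def check_drive(root):
    """Read <root>/autorun.inf if present and return report() for it."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.exists(path):
        return []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return report(fh.read())


# Constructed samples (not the real file from the thread): the first mirrors
# the worm pattern the scan log reports, the second a legitimate product CD.
SAMPLE_WORM = """[AutoRun]
open=nds0q.exe
\x01\x02 junk padding without an equals sign
shell\\open\\Command=nds0q.exe
shell\\explore\\command=nds0q.exe
"""
SAMPLE_CLEAN = """[autorun]
open=setup.exe /autorun
icon=setup.exe,0
label=Product CD
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for line in check_drive(sys.argv[1]):
            print(line)
    else:
        for name, sample in (("worm-like", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
            print(name, report(sample) or ["no launch entries"])
```

A legitimate CD may also carry an open= entry, so the result to act on is not "launch entry present" but "launch entry on a hard disk or USB stick, pointing at an executable sitting in the drive root, with open/explore verbs replaced". Deleting only autorun.inf is not a cleanup: the copy of the executable it points at, and whatever re-creates both files at boot, have to go as well, which is why the log's "file is excluded from scanning" line against C:\nds0q.exe matters.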
828735 2009-11-17 02:03:00 If you want me to check it out, get teamviewer. Install it, and run it, then send the ID and password to me in a PM. I can check it out from here. Boot into safe mode / networking Speedy Gonzales (78)
828736 2009-11-17 21:25:00 I will bring my com to town at the weekend and connect to the net through a friend's ISP. Get TR, Avast and MalwareBytes updated, do scans and post them. I have TeamViewer already installed on the computer so will PM you the password etc. when I'm online at the weekend.
Just thought I'd get into the netcafe to mention that I managed to get the 80GB HDD to open into Windows, well, to be seen by my computer's BIOS. It's been not showing either as a master or secondary drive. The 80GB drive has always not started if a slave drive is not connected to the IDE connector cable. Ridiculous really, it only needs the IDE ribbon cable to be inserted to the slave drive, leave the Y connector unplugged and the master drive will open to Windows. The message is "Wrong disk inserted. Insert System disk and press enter", so I connect a slave HDD or an optical drive and Windows opens.
With both the 80GB and the 4GB connected to the IDE connector, even with the 4GB connected as secondary slave drive, jumper pin set to slave, only the 4GB will open into Windows. Ha ha... even without the Y connector plugged in??? No power and it still opens?
This is probably happening because both drives are running XP Pro SP2 and the MBR of the 80GB drive was messed up. I don't know really, just guessing.
Anyway, on the bus back to Bluff I thought I'd try to repair the 80GB drive using the XP Pro OS disc. Eventually managed to get the drive to run and be accessible to the Boot from CD setup in BIOS, and managed to get the repair done. Object was to replace the necessary files for XP that I may have removed.
I had to go into BIOS to switch the 4GB slave HDD from 'Auto' to 'None' to get the 80GB to be seen as master.
It worked.
80GB repaired and seems to be running ok. Allows me to get at it to remove programs and update AV's and other security measures and to further remove/contain viruses etc.
The nds0q.exe thing is still causing Comodo Firewall to raise alerts about the nds0q.exe file trying to gain elevated privileges and access the Service Control Manager. I thought these nasties had been deactivated by TR... however, I used the 'Block' and 'Remember this instruction' facilities of CFP.
I may be back online later today about 3pm and will come visit.
I might even go get connected to Woosh wireless.
Back later with a list of programs, games and drivers installed to com in the past 4-6 weeks.
I thought about what you said about the Easeus Partition Master 4 Home Edition that I installed on my com and the reference to it in the TR scan as a possible trojan. I haven't as yet removed the program but will do later today. I downloaded Easeus and the two GParted programs/apps on the neighbours' computer and net connection. Took them home on my USB stick. As their com shows the same bugs as mine it's possible that I picked the bug up from their com... or infected their com.
Anyway, I digress... the nds0q.exe started showing up on my computer shortly after I installed Easeus PMaster 4.
Just a thought I had last night.
gza (13233)
828737 2009-11-17 23:44:00 Run this (www.microsoft.com). You may have to run it more than once. Then reboot. See what happens Speedy Gonzales (78)
828738 2009-11-22 23:45:00 Latest development is that after having removed Easeus Partition Master 4 and about 30 other programs/games the computer worked faultlessly. I think that you were right about the Easeus PM, which is strange, that it was faulty. However, once all that was done I had to remove Avast because it was red X'd in the task bar and attempts to open it brought up an on-screen notice that said "AAV... RPC Error". It wouldn't open. Uninstalled it and loaded a 30-day trial of NOD32 that I had downloaded a year ago and never used. Did a full scan, 3 viruses found, deleted/quarantined. Com was in great shape. I even managed to use F.A.S.TWIZ to do a backup of 'WINDOWS'. Attempts before to use it to send the backup to internal or external drives resulted in the messages "Backup cannot be sent to an external drive" and "CATASTROPHIC FAILURE".
I was playing a game on it two days ago and the computer froze; had to turn it off at the power button. When it rebooted I had trouble again finding the 80GB master HDD. When it was found, I got another BSOD... UNMOUNTABLE_BOOT_VOLUME. The technical information I don't have on me at the moment; left it at home.
Tried the repair again with the OS CD but it won't do it. Boot from CD is set in BIOS and the HDD is found there also.
Tried GParted to view the HDD details; the drive is flagged with a problem: boot error. Also the drive shows no coloured section of data on it.
This has got me beat now. I will buy another battery for the CMOS and try that out. Maybe the one I bought 2 months ago is faulty.
Never had this glut of errors before; seems to be never-ending.
The 80GB HDD is uninstalled 'til a solution is thought up or advised. I'm currently using the 4GB, which is virtually devoid of space to add anything to... 185MB free space.
Oh well, I can play the game of "Fate" on it while i think and stew : (

That's it, I'll be back on Wednesday about midday (NZT) and I will get your above suggestion onto my USB stick, because I left the thing at home today... I'm losing it... hmmmmm... did I have 'it' to lose? Hahahah.
Cheers, gza
gza (13233)
828739 2009-12-09 19:07:00 Well, the good news is that I'm online again. Wireless BB a bit slow but better than none.
Bad news is that my 80GB HDD is kaput. It is found in Boot diagnostic and in Setup. When set to boot from it, it won't. Also I cannot format or install WXP to it. Can't even access it if installed as a primary slave. I think it's stuffed. One thing left to try is to install it into another computer and see if access to it can be obtained. Got me beat; it was as good as, 100% reliability was the diagnosis given by the HDD Inspector program I had on the computer.

I have just updated Avast 4.8 Home and Trojan Remover. MalwareBytes isn't installed at the moment. Running the computer on a massive 4GB HDD and it's almost chokka.

When Avast updated, an infection, Win32:Amvo[Trj], was found. It recommended a reboot and a boot scan; 52 infections were found, all of them Win32:Amvo[Trj]. The nds0q.exe showed as well and it also was infected with Win32:Amvo[Trj]. A lot were found in System Restore; all of them are put in the Chest. I have tried to open the Avast! Log Viewer so I can submit it here, but the Log Viewer won't open up.

Here are the TR scan logs. There aren't any bugs in them, I think, because Avast! had locked them away before TR was run.



***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.1.2592. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 5:39:51 AM 10 Dec 2009
Using Database v7435
Operating System: Windows XP Professional (SP2) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\gza\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\gza\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************** **********
The following Anti-Malware program(s) are loaded:
Avast! Antivirus

************************************************** **********


************************************************** **********
5:39:51 AM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************** **********
5:39:52 AM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1032192 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
24576 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1070984 bytes
Created: 11/13/2009 8:54 PM
Modified: 12/10/2009 4:43 AM
Company: Simply Super Software
--------------------
Value Name: avast!
Value Data: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
81000 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:51 PM
Company: ALWIL Software
--------------------
Value Name: YSearchProtection
Value Data: "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
111856 bytes
Created: 2/24/2009 2:05 AM
Modified: 2/24/2009 2:05 AM
Company: Yahoo! Inc
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: Messenger ( Yahoo! )
Value Data: "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe
5244216 bytes
Created: 12/10/2009 4:19 AM
Modified: 11/10/2009 3:39 PM
Company: Yahoo! Inc.
--------------------
Value Name: Search Protection
Value Data: C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
111856 bytes
Created: 2/24/2009 2:05 AM
Modified: 2/24/2009 2:05 AM
Company: Yahoo! Inc
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty

************************************************** **********
5:40:00 AM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************** **********
5:40:00 AM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************** **********
5:40:00 AM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\logon.scr
C:\WINDOWS\System32\logon.scr
220672 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------

************************************************** **********
5:40:00 AM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************** **********
5:40:01 AM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************** **********
5:40:03 AM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: aswFsBlk
ImagePath: system32\DRIVERS\aswFsBlk.sys
C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
20560 bytes
Created: 12/10/2009 3:30 AM
Modified: 11/25/2009 12:50 PM
Company: ALWIL Software
----------
Key: aswUpdSv
ImagePath: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
18752 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:43 PM
Company: ALWIL Software
----------
Key: avast! Antivirus
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
C:\Program Files\Alwil Software\Avast4\ashServ.exe
138680 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:51 PM
Company: ALWIL Software
----------
Key: avast! Mail Scanner
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
254040 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:51 PM
Company: ALWIL Software
----------
Key: avast! Web Scanner
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
352920 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:48 PM
Company: ALWIL Software
----------
Key: ipw_mdfl
ImagePath: system32\DRIVERS\ipw_mdfl.sys
C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys
15312 bytes
Created: 12/9/2009 4:51 PM
Modified: 2/12/2003 6:21 PM
Company: MCCI
----------
Key: ipw_mdm
ImagePath: system32\DRIVERS\ipw_mdm.sys
C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys
269696 bytes
Created: 12/9/2009 4:51 PM
Modified: 2/12/2003 6:21 PM
Company: MCCI
----------
Key: sptd
ImagePath: System32\Drivers\sptd.sys - this file is globally excluded
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{17F82220-0999-4311-B9DA-EECE2EC7B0DC}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
Key: YahooAUService
ImagePath: "C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe"
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
602392 bytes
Created: 11/10/2008 9:48 AM
Modified: 11/10/2008 9:48 AM
Company: Yahoo! Inc.
----------

************************************************** **********
5:40:14 AM: Scanning -----VXD ENTRIES-----

************************************************** **********
5:40:14 AM: Scanning ----- WINLOGON\NOTIFY DLLS -----

************************************************** **********
5:40:14 AM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: avast
CLSID: {472083B0-C522-11CF-8763-00608CC02F24}
Path: C:\Program Files\Alwil Software\Avast4\ashShell.dll
C:\Program Files\Alwil Software\Avast4\ashShell.dll
76880 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:47 PM
Company: ALWIL Software
----------

************************************************** **********
5:40:15 AM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************** **********
5:40:15 AM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {02478D38-C3F9-4efb-9B51-7695ECA05670}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
1172280 bytes
Created: 9/20/2009 2:26 PM
Modified: 9/20/2009 2:26 PM
Company: Yahoo! Inc.
----------
Key: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
158008 bytes
Created: 9/20/2009 2:26 PM
Modified: 9/20/2009 2:26 PM
Company: Yahoo! Inc
----------

************************************************** **********
5:40:16 AM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************** **********
5:40:16 AM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************** **********
5:40:16 AM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************** **********
5:40:16 AM: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************** **********
5:40:17 AM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************** **********
5:40:17 AM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 11/11/2009 4:02 PM
Modified: 11/11/2009 3:37 AM
Company: [no info]
--------------------

************************************************** **********
5:40:17 AM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: gza
[C:\Documents and Settings\gza\START MENU\PROGRAMS\STARTUP]
The Startup Group for gza attempts to load the following file(s):
C:\Documents and Settings\gza\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 11/11/2009 3:46 AM
Modified: 11/11/2009 3:37 AM
Company: [no info]
----------
Seagate Product Registration.lnk - links to C:\DOCUME~1\gza\APPLIC~1\LEADER~1\POWERR~1\SEAGAT~1.EXE
C:\DOCUME~1\gza\APPLIC~1\LEADER~1\POWERR~1\SEAGAT~1.EXE
1731736 bytes
Created: 11/16/2009 12:14 PM
Modified: 1/16/2009 8:19 PM
Company: Leader Technologies/Seagate
----------

************************************************** **********
5:40:19 AM: Scanning ----- SCHEDULED TASKS -----
Taskname: GoogleUpdateTaskMachineCore
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 12/10/2009 3:30 AM
Modified: 12/10/2009 3:30 AM
Company: Google Inc.
Parameters: /c
Schedule: Multiple schedule times
Next Run Time: 12/11/2009 3:41:00 AM
Status: Ready
Status: gza
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------
Taskname: GoogleUpdateTaskMachineUA
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 12/10/2009 3:30 AM
Modified: 12/10/2009 3:30 AM
Company: Google Inc.
Parameters: /ua /installsource scheduler
Schedule: Every 1 hour(s) from 3:41 AM for 24 hour(s) every day, starting 12/10/2009
Next Run Time: 12/10/2009 5:41:00 AM
Status: Ready
Status: gza
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------

************************************************** **********
5:40:20 AM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************** **********
5:40:20 AM: Scanning ----- DEVICE DRIVER ENTRIES -----

************************************************** **********
5:40:21 AM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Checking autorun.inf in C:\
C:\autorun.inf
-RHS- 57 bytes
Created: 11/22/2009 8:55 AM
Modified: 12/10/2009 3:34 AM
Company: [no info]
C:\autorun.inf open entry: [nds0q.exe]
C:\nds0q.exe - file is excluded from scanning
----------
--------------------
Desktop Wallpaper: C:\WINDOWS\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 11/11/2009 3:33 AM
Modified: 11/11/2009 3:33 AM
Company: [no info]
----------
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 11/11/2009 3:33 AM
Modified: 11/11/2009 3:33 AM
Company: [no info]
----------
DNS Server information:
Interface:
NameServers: 202.74.207.253 202.74.207.254
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************** **********
5:40:24 AM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\csrss.exe
6144 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\winlogon.exe
502272 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\services.exe
108032 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast4\ashServ.exe - file already scanned
--------------------
C:\WINDOWS\system32\spoolsv.exe
57856 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe - file already scanned
--------------------
C:\WINDOWS\System32\alg.exe
44544 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
--------------------
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - file already scanned
--------------------
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe - file already scanned
--------------------
C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe - file already scanned
--------------------
C:\WINDOWS\system32\wbem\wmiprvse.exe
218112 bytes
Created: 11/11/2009 3:19 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\IPWireless Inc\IPWireless PC Software\UEStatus.exe
2486272 bytes
Created: 12/9/2009 4:51 PM
Modified: 4/15/2004 6:29 PM
Company: IPWireless Inc.
--------------------
C:\WINDOWS\system32\wuauclt.exe
111104 bytes
Created: 11/11/2009 3:28 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\Mozilla Firefox\firefox.exe
908248 bytes
Created: 12/10/2009 4:12 AM
Modified: 11/3/2009 4:23 PM
Company: Mozilla Corporation
--------------------
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
50184 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:45 PM
Company: ALWIL Software
--------------------
C:\Program Files\Internet Explorer\iexplore.exe
93184 bytes
Created: 11/11/2009 3:27 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Documents and Settings\gza\Application Data\Simply Super Software\Trojan Remover\ddp1B.exe
FileSize: 3101560
[This is a Trojan Remover component]
--------------------
C:\WINDOWS\system32\wscntfy.exe
13824 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------

************************************************** **********
5:40:40 AM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************** **********
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
www.microsoft.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
www.microsoft.com
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
ie.search.msn.com
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
ie.search.msn.com
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
us.rd.yahoo.com

************************************************** **********
=== NO CHANGES HAVE BEEN MADE TO YOUR SYSTEM FILES ===
Scan completed at: 5:40:40 AM 10 Dec 2009
Total Scan time: 00:00:49
************************************************** **********


***** DRIVE/DIRECTORY SCAN *****
Trojan Remover Ver 6.8.1.2592. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 5:07:02 AM 10 Dec 2009
Using Database v7435
Operating System: Windows XP Professional (SP2) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\gza\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory: C:\Documents and Settings\gza\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************** **********
The following Anti-Malware program(s) are loaded:
Avast! Antivirus

************************************************** **********

Carrying out scan on E:\
(including subdirectories)
Archive files will be EXCLUDED.
------------------------------
------------------------------
9333 files scanned
Directory scan complete - no Malware files detected
Scan completed at: 5:17:36 AM 10 Dec 2009
Total Scan time: 00:10:33
************************************************** **********


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.1.2592. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 4:49:15 AM 10 Dec 2009
Using Database v7435
Operating System: Windows XP Professional (SP2) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\gza\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory: C:\Documents and Settings\gza\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************** **********
The following Anti-Malware program(s) are loaded:
Avast! Antivirus

************************************************** **********


************************************************** **********
4:49:16 AM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************** **********
4:49:16 AM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1032192 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
24576 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1070984 bytes
Created: 11/13/2009 8:54 PM
Modified: 12/10/2009 4:43 AM
Company: Simply Super Software
--------------------
Value Name: avast!
Value Data: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
81000 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:51 PM
Company: ALWIL Software
--------------------
Value Name: YSearchProtection
Value Data: "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
111856 bytes
Created: 2/24/2009 2:05 AM
Modified: 2/24/2009 2:05 AM
Company: Yahoo! Inc
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: Messenger (Yahoo!)
Value Data: "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe
5244216 bytes
Created: 12/10/2009 4:19 AM
Modified: 11/10/2009 3:39 PM
Company: Yahoo! Inc.
--------------------
Value Name: Search Protection
Value Data: C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
111856 bytes
Created: 2/24/2009 2:05 AM
Modified: 2/24/2009 2:05 AM
Company: Yahoo! Inc
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty

************************************************************
4:49:19 AM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************************
4:49:19 AM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
4:49:19 AM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\logon.scr
C:\WINDOWS\System32\logon.scr
220672 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------

************************************************************
4:49:19 AM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
4:49:20 AM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
4:49:22 AM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: aswFsBlk
ImagePath: system32\DRIVERS\aswFsBlk.sys
C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
20560 bytes
Created: 12/10/2009 3:30 AM
Modified: 11/25/2009 12:50 PM
Company: ALWIL Software
----------
Key: aswUpdSv
ImagePath: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
18752 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:43 PM
Company: ALWIL Software
----------
Key: avast! Antivirus
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
C:\Program Files\Alwil Software\Avast4\ashServ.exe
138680 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:51 PM
Company: ALWIL Software
----------
Key: avast! Mail Scanner
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
254040 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:51 PM
Company: ALWIL Software
----------
Key: avast! Web Scanner
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
352920 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:48 PM
Company: ALWIL Software
----------
Key: ipw_mdfl
ImagePath: system32\DRIVERS\ipw_mdfl.sys
C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys
15312 bytes
Created: 12/9/2009 4:51 PM
Modified: 2/12/2003 6:21 PM
Company: MCCI
----------
Key: ipw_mdm
ImagePath: system32\DRIVERS\ipw_mdm.sys
C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys
269696 bytes
Created: 12/9/2009 4:51 PM
Modified: 2/12/2003 6:21 PM
Company: MCCI
----------
Key: sptd
ImagePath: System32\Drivers\sptd.sys - this file is globally excluded
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{17F82220-0999-4311-B9DA-EECE2EC7B0DC}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
Key: YahooAUService
ImagePath: "C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe"
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
602392 bytes
Created: 11/10/2008 9:48 AM
Modified: 11/10/2008 9:48 AM
Company: Yahoo! Inc.
----------

************************************************************
4:49:29 AM: Scanning -----VXD ENTRIES-----

************************************************************
4:49:29 AM: Scanning ----- WINLOGON\NOTIFY DLLS -----

************************************************************
4:49:29 AM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: avast
CLSID: {472083B0-C522-11CF-8763-00608CC02F24}
Path: C:\Program Files\Alwil Software\Avast4\ashShell.dll
C:\Program Files\Alwil Software\Avast4\ashShell.dll
76880 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:47 PM
Company: ALWIL Software
----------

************************************************************
4:49:29 AM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************************
4:49:29 AM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {02478D38-C3F9-4efb-9B51-7695ECA05670}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
1172280 bytes
Created: 9/20/2009 2:26 PM
Modified: 9/20/2009 2:26 PM
Company: Yahoo! Inc.
----------
Key: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
158008 bytes
Created: 9/20/2009 2:26 PM
Modified: 9/20/2009 2:26 PM
Company: Yahoo! Inc
----------

************************************************************
4:49:31 AM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
4:49:31 AM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
4:49:31 AM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
4:49:31 AM: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************************
4:49:31 AM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
4:49:31 AM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 11/11/2009 4:02 PM
Modified: 11/11/2009 3:37 AM
Company: [no info]
--------------------

************************************************************
4:49:32 AM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: gza
[C:\Documents and Settings\gza\START MENU\PROGRAMS\STARTUP]
The Startup Group for gza attempts to load the following file(s):
C:\Documents and Settings\gza\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 11/11/2009 3:46 AM
Modified: 11/11/2009 3:37 AM
Company: [no info]
----------
Seagate Product Registration.lnk - links to C:\DOCUME~1\gza\APPLIC~1\LEADER~1\POWERR~1\SEAGAT~1.EXE
C:\DOCUME~1\gza\APPLIC~1\LEADER~1\POWERR~1\SEAGAT~1.EXE
1731736 bytes
Created: 11/16/2009 12:14 PM
Modified: 1/16/2009 8:19 PM
Company: Leader Technologies/Seagate
----------

************************************************************
4:49:32 AM: Scanning ----- SCHEDULED TASKS -----
Taskname: GoogleUpdateTaskMachineCore
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 12/10/2009 3:30 AM
Modified: 12/10/2009 3:30 AM
Company: Google Inc.
Parameters: /c
Schedule: Multiple schedule times
Next Run Time: 12/11/2009 3:41:00 AM
Status: Ready
Status: gza
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------
Taskname: GoogleUpdateTaskMachineUA
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 12/10/2009 3:30 AM
Modified: 12/10/2009 3:30 AM
Company: Google Inc.
Parameters: /ua /installsource scheduler
Schedule: Every 1 hour(s) from 3:41 AM for 24 hour(s) every day, starting 12/10/2009
Next Run Time: 12/10/2009 5:41:00 AM
Status: Ready
Status: gza
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------

************************************************************
4:49:33 AM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
4:49:33 AM: Scanning ----- DEVICE DRIVER ENTRIES -----

************************************************************
4:49:34 AM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
==============================
Restrictive Windows Explorer Policies found in force on this computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: SHOWALL\"CheckedValue"
All Policy Values listed have been removed or reset
==============================
Windows Explorer Policies checks completed
----------
Checking autorun.inf in C:\
C:\autorun.inf
-RHS- 57 bytes
Created: 11/22/2009 8:55 AM
Modified: 12/10/2009 3:34 AM
Company: [no info]
C:\autorun.inf open entry: [nds0q.exe]
C:\nds0q.exe - file is excluded from scanning
----------
--------------------
Desktop Wallpaper: C:\WINDOWS\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 11/11/2009 3:33 AM
Modified: 11/11/2009 3:33 AM
Company: [no info]
----------
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 11/11/2009 3:33 AM
Modified: 11/11/2009 3:33 AM
Company: [no info]
----------
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
4:49:41 AM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\csrss.exe
6144 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\winlogon.exe
502272 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\services.exe
108032 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast4\ashServ.exe - file already scanned
--------------------
C:\WINDOWS\system32\spoolsv.exe
57856 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe - file already scanned
--------------------
C:\WINDOWS\System32\alg.exe
44544 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
--------------------
C:\Program Files\Trojan Remover\Trjscan.exe - file already scanned
--------------------
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - file already scanned
--------------------
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe - file already scanned
--------------------
C:\WINDOWS\system32\wbem\wmiprvse.exe
218112 bytes
Created: 11/11/2009 3:19 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\wuauclt.exe
111104 bytes
Created: 11/11/2009 3:28 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Documents and Settings\gza\Application Data\Simply Super Software\Trojan Remover\hlm6.exe
FileSize: 3101560
[This is a Trojan Remover component]
--------------------
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
79160 bytes
Created: 12/10/2009 4:19 AM
Modified: 11/10/2009 3:39 PM
Company: Yahoo! Inc.
--------------------

************************************************************
4:49:46 AM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
www.microsoft.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
www.microsoft.com
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
ie.search.msn.com
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
ie.search.msn.com
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
us.rd.yahoo.com

************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
Scan completed at: 4:49:46 AM 10 Dec 2009
Total Scan time: 00:00:30
************************************************************

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.1.2592. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 5:39:51 AM 10 Dec 2009
Using Database v7435
Operating System: Windows XP Professional (SP2) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\gza\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\gza\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
The following Anti-Malware program(s) are loaded:
Avast! Antivirus

************************************************************


************************************************************
5:39:51 AM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
5:39:52 AM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1032192 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
24576 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1070984 bytes
Created: 11/13/2009 8:54 PM
Modified: 12/10/2009 4:43 AM
Company: Simply Super Software
--------------------
Value Name: avast!
Value Data: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
81000 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:51 PM
Company: ALWIL Software
--------------------
Value Name: YSearchProtection
Value Data: "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
111856 bytes
Created: 2/24/2009 2:05 AM
Modified: 2/24/2009 2:05 AM
Company: Yahoo! Inc
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: Messenger (Yahoo!)
Value Data: "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe
5244216 bytes
Created: 12/10/2009 4:19 AM
Modified: 11/10/2009 3:39 PM
Company: Yahoo! Inc.
--------------------
Value Name: Search Protection
Value Data: C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
111856 bytes
Created: 2/24/2009 2:05 AM
Modified: 2/24/2009 2:05 AM
Company: Yahoo! Inc
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty

************************************************************
5:40:00 AM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************************
5:40:00 AM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
5:40:00 AM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\logon.scr
C:\WINDOWS\System32\logon.scr
220672 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------

************************************************************
5:40:00 AM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
5:40:01 AM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
5:40:03 AM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: aswFsBlk
ImagePath: system32\DRIVERS\aswFsBlk.sys
C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
20560 bytes
Created: 12/10/2009 3:30 AM
Modified: 11/25/2009 12:50 PM
Company: ALWIL Software
----------
Key: aswUpdSv
ImagePath: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
18752 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:43 PM
Company: ALWIL Software
----------
Key: avast! Antivirus
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
C:\Program Files\Alwil Software\Avast4\ashServ.exe
138680 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:51 PM
Company: ALWIL Software
----------
Key: avast! Mail Scanner
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
254040 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:51 PM
Company: ALWIL Software
----------
Key: avast! Web Scanner
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
352920 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:48 PM
Company: ALWIL Software
----------
Key: ipw_mdfl
ImagePath: system32\DRIVERS\ipw_mdfl.sys
C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys
15312 bytes
Created: 12/9/2009 4:51 PM
Modified: 2/12/2003 6:21 PM
Company: MCCI
----------
Key: ipw_mdm
ImagePath: system32\DRIVERS\ipw_mdm.sys
C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys
269696 bytes
Created: 12/9/2009 4:51 PM
Modified: 2/12/2003 6:21 PM
Company: MCCI
----------
Key: sptd
ImagePath: System32\Drivers\sptd.sys - this file is globally excluded
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{17F82220-0999-4311-B9DA-EECE2EC7B0DC}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
Key: YahooAUService
ImagePath: "C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe"
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
602392 bytes
Created: 11/10/2008 9:48 AM
Modified: 11/10/2008 9:48 AM
Company: Yahoo! Inc.
----------

************************************************************
5:40:14 AM: Scanning -----VXD ENTRIES-----

************************************************************
5:40:14 AM: Scanning ----- WINLOGON\NOTIFY DLLS -----

************************************************************
5:40:14 AM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: avast
CLSID: {472083B0-C522-11CF-8763-00608CC02F24}
Path: C:\Program Files\Alwil Software\Avast4\ashShell.dll
C:\Program Files\Alwil Software\Avast4\ashShell.dll
76880 bytes
Created: 12/10/2009 3:29 AM
Modified: 11/25/2009 12:47 PM
Company: ALWIL Software
----------

************************************************************
5:40:15 AM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************************
5:40:15 AM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {02478D38-C3F9-4efb-9B51-7695ECA05670}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
1172280 bytes
Created: 9/20/2009 2:26 PM
Modified: 9/20/2009 2:26 PM
Company: Yahoo! Inc.
----------
Key: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
158008 bytes
Created: 9/20/2009 2:26 PM
Modified: 9/20/2009 2:26 PM
Company: Yahoo! Inc
----------

************************************************************
5:40:16 AM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
5:40:16 AM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
5:40:16 AM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
5:40:16 AM: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************************
5:40:17 AM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
5:40:17 AM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 11/11/2009 4:02 PM
Modified: 11/11/2009 3:37 AM
Company: [no info]
--------------------

************************************************************
5:40:17 AM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: gza
[C:\Documents and Settings\gza\START MENU\PROGRAMS\STARTUP]
The Startup Group for gza attempts to load the following file(s):
C:\Documents and Settings\gza\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 11/11/2009 3:46 AM
Modified: 11/11/2009 3:37 AM
Company: [no info]
----------
Seagate Product Registration.lnk - links to C:\DOCUME~1\gza\APPLIC~1\LEADER~1\POWERR~1\SEAGAT~1.EXE
C:\DOCUME~1\gza\APPLIC~1\LEADER~1\POWERR~1\SEAGAT~1.EXE
1731736 bytes
Created: 11/16/2009 12:14 PM
Modified: 1/16/2009 8:19 PM
Company: Leader Technologies/Seagate
----------

************************************************************
5:40:19 AM: Scanning ----- SCHEDULED TASKS -----
Taskname: GoogleUpdateTaskMachineCore
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 12/10/2009 3:30 AM
Modified: 12/10/2009 3:30 AM
Company: Google Inc.
Parameters: /c
Schedule: Multiple schedule times
Next Run Time: 12/11/2009 3:41:00 AM
Status: Ready
Status: gza
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------
Taskname: GoogleUpdateTaskMachineUA
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 12/10/2009 3:30 AM
Modified: 12/10/2009 3:30 AM
Company: Google Inc.
Parameters: /ua /installsource scheduler
Schedule: Every 1 hour(s) from 3:41 AM for 24 hour(s) every day, starting 12/10/2009
Next Run Time: 12/10/2009 5:41:00 AM
Status: Ready
Status: gza
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------

************************************************************
5:40:20 AM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
5:40:20 AM: Scanning ----- DEVICE DRIVER ENTRIES -----

************************************************************
5:40:21 AM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Checking autorun.inf in C:\
C:\autorun.inf
-RHS- 57 bytes
Created: 11/22/2009 8:55 AM
Modified: 12/10/2009 3:34 AM
Company: [no info]
C:\autorun.inf open entry: [nds0q.exe]
C:\nds0q.exe - file is excluded from scanning
----------
--------------------
Desktop Wallpaper: C:\WINDOWS\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 11/11/2009 3:33 AM
Modified: 11/11/2009 3:33 AM
Company: [no info]
----------
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 11/11/2009 3:33 AM
Modified: 11/11/2009 3:33 AM
Company: [no info]
----------
DNS Server information:
Interface:
NameServers: 202.74.207.253 202.74.207.254
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
5:40:24 AM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\csrss.exe
6144 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\winlogon.exe
502272 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\services.exe
108032 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast4\ashServ.exe - file already scanned
--------------------
C:\WINDOWS\system32\spoolsv.exe
57856 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe - file already scanned
--------------------
C:\WINDOWS\System32\alg.exe
44544 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
--------------------
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - file already scanned
--------------------
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe - file already scanned
--------------------
C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe - file already scanned
--------------------
C:\WINDOWS\system32\wbem\wmiprvse.exe
218112 bytes
Created: 11/11/2009 3:19 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\IPWireless Inc\IPWireless PC Software\UEStatus.exe
2486272 bytes
Created: 12/9/2009 4:51 PM
Modified: 4/15/2004 6:29 PM
Company: IPWireless Inc.
--------------------
C:\WINDOWS\system32\wuauclt.exe
111104 bytes
Created: 11/11/2009 3:28 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\Mozilla Firefox\firefox.exe
908248 bytes
Created: 12/10/2009 4:12 AM
Modified: 11/3/2009 4:23 PM
Comp
gza (13233)
828740 2009-12-09 19:49:00 If autorun.inf is still on C (if this is the HDD), delete it. I don't know why it's excluded from scanning. Empty the chest. Is System Restore still disabled? If it isn't, disable it. Speedy Gonzales (78)
828741 2009-12-10 10:11:00 Hi. I think that the autorun.inf entries were excluded from scanning because they had been stopped from running and had been renamed to autorun.inf.vir. The same had been done with the nds0q.exe files, renamed to nds0q.exe.vir. Even though they had been renamed and prevented from running, they were still there on the 4GB HDD.
TR now runs without finding any reference to them because they have now been deleted. System Restore is now turned off (did that 5 minutes ago after reading your reply).
Also, I have installed NOD32 2.7, fully updated it and run a full scan with it. I thought I would do this because I noticed when I had it installed before that it unearthed viruses and other malware that were tucked away in System Restore.
NOD32 deleted these infected files. It also named them differently to nds0q.exe and Win32 Amvo, but I will include the NOD32 scan log for your consideration, please.

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.1.2587. For information, email support@simplysup.com
[Registered to: gza]
Scan started at: 10:37:11 PM 10 Dec 2009
Using Database v7435
Operating System: Windows XP Professional (SP2) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\gza\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\gza\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************

************************************************************
10:37:11 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
10:37:11 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1032192 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
24576 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: YSearchProtection
Value Data: "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
111856 bytes
Created: 2/24/2009 2:05 AM
Modified: 2/24/2009 2:05 AM
Company: Yahoo! Inc
--------------------
Value Name: mouseElf
Value Data: C:\PROGRA~1\ERGOMO~1\MouseElf.EXE
C:\PROGRA~1\ERGOMO~1\MouseElf.EXE
208896 bytes
Created: 12/10/2009 3:47 PM
Modified: 7/15/2005 8:25 AM
Company:
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1068424 bytes
Created: 11/13/2009 8:54 PM
Modified: 8/4/2009 4:49 PM
Company: Simply Super Software
--------------------
Value Name: nod32kui
Value Data: "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
C:\Program Files\Eset\nod32kui.exe
949376 bytes
Created: 12/10/2009 9:09 PM
Modified: 12/10/2009 9:06 PM
Company: Eset
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: Search Protection
Value Data: C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
111856 bytes
Created: 2/24/2009 2:05 AM
Modified: 2/24/2009 2:05 AM
Company: Yahoo! Inc
--------------------
Value Name: uTorrent
Value Data: "C:\Program Files\uTorrent\uTorrent.exe"
C:\Program Files\uTorrent\uTorrent.exe
289584 bytes
Created: 12/10/2009 8:26 AM
Modified: 12/10/2009 8:26 AM
Company: BitTorrent, Inc.
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once
This Registry Key appears to be empty

************************************************************
10:37:13 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************************
10:37:13 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
10:37:13 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\logon.scr
C:\WINDOWS\System32\logon.scr
220672 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------

************************************************************
10:37:13 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
10:37:13 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
10:37:13 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: AMON
ImagePath: \SystemRoot\system32\drivers\amon.sys
C:\WINDOWS\system32\drivers\amon.sys
512096 bytes
Created: 12/10/2009 9:09 PM
Modified: 12/10/2009 9:06 PM
Company: Eset
----------
Key: genmcmnUSB
ImagePath: system32\DRIVERS\gflmouhid.sys
C:\WINDOWS\system32\DRIVERS\gflmouhid.sys
7808 bytes
Created: 12/10/2009 3:47 PM
Modified: 7/12/2005 10:53 AM
Company:
----------
Key: ipw_mdfl
ImagePath: system32\DRIVERS\ipw_mdfl.sys
C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys
15312 bytes
Created: 12/9/2009 4:51 PM
Modified: 2/12/2003 6:21 PM
Company: MCCI
----------
Key: ipw_mdm
ImagePath: system32\DRIVERS\ipw_mdm.sys
C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys
269696 bytes
Created: 12/9/2009 4:51 PM
Modified: 2/12/2003 6:21 PM
Company: MCCI
----------
Key: nod32drv
ImagePath: \SystemRoot\system32\drivers\nod32drv.sys
C:\WINDOWS\system32\drivers\nod32drv.sys
15424 bytes
Created: 12/10/2009 9:09 PM
Modified: 12/10/2009 9:06 PM
Company: [no info]
----------
Key: NOD32krn
ImagePath: "C:\Program Files\Eset\nod32krn.exe"
C:\Program Files\Eset\nod32krn.exe
552064 bytes
Created: 12/10/2009 9:09 PM
Modified: 12/10/2009 9:06 PM
Company: Eset
----------
Key: sptd
ImagePath: System32\Drivers\sptd.sys - this file is globally excluded
----------
Key: sr
ImagePath: \SystemRoot\system32\DRIVERS\sr.sys
C:\WINDOWS\system32\DRIVERS\sr.sys
73472 bytes
Created: 11/11/2009 3:27 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{17F82220-0999-4311-B9DA-EECE2EC7B0DC}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
----------
Key: viaagp1
ImagePath: system32\DRIVERS\viaagp1.sys
C:\WINDOWS\system32\DRIVERS\viaagp1.sys
27904 bytes
Created: 7/2/2003 4:42 AM
Modified: 7/2/2003 4:42 AM
Company: VIA Technologies, Inc.
----------
Key: YahooAUService
ImagePath: "C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe"
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
602392 bytes
Created: 11/10/2008 9:48 AM
Modified: 11/10/2008 9:48 AM
Company: Yahoo! Inc.
----------

************************************************************
10:37:18 PM: Scanning -----VXD ENTRIES-----

************************************************************
10:37:18 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----

************************************************************
10:37:18 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: NOD32 Context Menu Shell Extension
CLSID: {B089FE88-FB52-11D3-BDF1-0050DA34150D}
Path: C:\Program Files\Eset\nodshex.dll
C:\Program Files\Eset\nodshex.dll
60544 bytes
Created: 12/10/2009 9:09 PM
Modified: 12/10/2009 9:06 PM
Company: [no info]
----------

************************************************************
10:37:18 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************************
10:37:18 PM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {02478D38-C3F9-4efb-9B51-7695ECA05670}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
1172280 bytes
Created: 9/20/2009 2:26 PM
Modified: 9/20/2009 2:26 PM
Company: Yahoo! Inc.
----------
Key: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
158008 bytes
Created: 9/20/2009 2:26 PM
Modified: 9/20/2009 2:26 PM
Company: Yahoo! Inc
----------

************************************************************
10:37:18 PM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
10:37:18 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
10:37:18 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
10:37:18 PM: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************************
10:37:19 PM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
10:37:19 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 11/11/2009 4:02 PM
Modified: 11/11/2009 3:37 AM
Company: [no info]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - no action taken on this file
--------------------

************************************************************
10:37:19 PM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: gza
[C:\Documents and Settings\gza\START MENU\PROGRAMS\STARTUP]
The Startup Group for gza attempts to load the following file(s):
C:\Documents and Settings\gza\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 11/11/2009 3:46 AM
Modified: 11/11/2009 3:37 AM
Company: [no info]
C:\Documents and Settings\gza\START MENU\PROGRAMS\STARTUP\desktop.ini - no action taken on this file
----------

************************************************************
10:37:19 PM: Scanning ----- SCHEDULED TASKS -----
Taskname: GoogleUpdateTaskMachineCore
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 12/10/2009 3:30 AM
Modified: 12/10/2009 3:30 AM
Company: Google Inc.
Parameters: /c
Schedule: Multiple schedule times
Next Run Time: 12/11/2009 3:41:00 AM
Status: Ready
Status: gza
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------
Taskname: GoogleUpdateTaskMachineUA
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 12/10/2009 3:30 AM
Modified: 12/10/2009 3:30 AM
Company: Google Inc.
Parameters: /ua /installsource scheduler
Schedule: Every 1 hour(s) from 3:41 AM for 24 hour(s) every day, starting 12/10/2009
Next Run Time: 12/10/2009 10:41:00 PM
Status: Ready
Status: gza
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------

************************************************************
10:37:19 PM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
10:37:19 PM: Scanning ----- DEVICE DRIVER ENTRIES -----

************************************************************
10:37:20 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper: C:\WINDOWS\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 11/11/2009 3:33 AM
Modified: 11/11/2009 3:33 AM
Company: [no info]
----------
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 11/11/2009 3:33 AM
Modified: 11/11/2009 3:33 AM
Company: [no info]
----------
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
10:37:21 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\csrss.exe
6144 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\winlogon.exe
502272 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\services.exe
108032 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\Ati2evxx.exe
413696 bytes
Created: 5/4/2006 5:43 AM
Modified: 5/4/2006 5:43 AM
Company: ATI Technologies Inc.
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\spoolsv.exe
57856 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\Ati2evxx.exe - file already scanned
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
--------------------
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe - file already scanned
--------------------
C:\PROGRA~1\ERGOMO~1\MouseElf.EXE - file already scanned
--------------------
C:\Program Files\Eset\nod32krn.exe - file already scanned
--------------------
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe - file already scanned
--------------------
C:\WINDOWS\System32\alg.exe
44544 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\wscntfy.exe
13824 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\Google\Chrome\Application\chrome.exe
921072 bytes
Created: 12/10/2009 3:32 AM
Modified: 11/12/2009 12:11 PM
Company: Google Inc.
--------------------
C:\Program Files\Google\Chrome\Application\chrome.exe - file already scanned
--------------------
C:\Program Files\Google\Chrome\Application\chrome.exe - file already scanned
--------------------
C:\Program Files\CCleaner\CCleaner.exe
1451248 bytes
Created: 1/21/2009 5:00 AM
Modified: 1/21/2009 5:00 AM
Company: Piriform Ltd
--------------------
C:\WINDOWS\system32\msiexec.exe
77312 bytes
Created: 8/5/2004 1:00 AM
Modified: 8/5/2004 1:00 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\Trojan Remover\Rmvtrjan.exe
FileSize: 3036024
[This is a Trojan Remover component]
--------------------

************************************************************
10:37:27 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
=== NO CHANGES HAVE BEEN MADE TO YOUR SYSTEM FILES ===
Scan completed at: 10:37:27 PM 10 Dec 2009
Total Scan time: 00:00:16
************************************************************

Scan performed at: 12/10/2009 21:21:50 PM
Scanning Log
NOD32 version 4674 (20091209) NT
Operating memory - is OK

Date: 10.12.2009 Time: 21:21:53
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:
C:\autorun.inf.vir - Win32/PSW.OnLineGames.NNU trojan - deleted
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\gza\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\gza\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\gza\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\gza\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\gza\Local Settings\Temp\autorun.inf.trtmp - Win32/PSW.OnLineGames.NNU trojan - deleted
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\System Volume Information\_restore{0DDE563A-BB7B-4D34-871C-5839A36426CF}\RP1\A0000036.inf - Win32/PSW.OnLineGames.NNU trojan - deleted
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\sptd.sys - error opening (File locked) [4]
Number of scanned files: 15705
Number of threats found: 3
Number of files cleaned: 3
Time of completion: 21:31:26 Total scanning time: 573 sec (00:09:33)

Notes:
[4] File cannot be opened. It may be in use by another application or operating system.

That's about it, I guess. However, I would like to read your views, thanks.
gza
gza (13233)
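The Trojan Remover log above records, for every autostart entry, the resolved file path, its size, its Created and Modified timestamps and the Company string. Reading a few hundred such lines by eye is slow, so here is an added example (not part of the original post, and not a feature of Trojan Remover or NOD32) in Python that parses a short excerpt in that format and ranks the entries an analyst should check first. The excerpt is constructed for the demo: the Yahoo! and MouseElf entries reuse the values from the posted log, while the nds0q.exe entry (its path, size and timestamps) is made up to stand in for the dropper gza mentions and is not taken from any scan output on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in Trojan Remover's log format. The Yahoo! and MouseElf
# entries carry the values from the posted log; the nds0q.exe entry (path,
# size, timestamps) is made up for this demo and is NOT from any scan on the page.
SAMPLE_LOG = r"""
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: YSearchProtection
Value Data: "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
111856 bytes
Created: 2/24/2009 2:05 AM
Modified: 2/24/2009 2:05 AM
Company: Yahoo! Inc
--------------------
Value Name: mouseElf
Value Data: C:\PROGRA~1\ERGOMO~1\MouseElf.EXE
C:\PROGRA~1\ERGOMO~1\MouseElf.EXE
208896 bytes
Created: 12/10/2009 3:47 PM
Modified: 7/15/2005 8:25 AM
Company:
--------------------
Value Name: nds0q
Value Data: C:\WINDOWS\system32\nds0q.exe
C:\WINDOWS\system32\nds0q.exe
57344 bytes
Created: 11/11/2009 3:19 AM
Modified: 11/11/2009 3:19 AM
Company: [no info]
--------------------
"""

# Start time of the posted Trojan Remover scan (10:37 PM, 10 Dec 2009).
SCAN_TIME = datetime(2009, 12, 10, 22, 37)

ENTRY_SEP = "--------------------"
TS_FMT = "%m/%d/%Y %I:%M %p"          # Trojan Remover's timestamp format
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_entries(log_text):
    """Split a Run-key section of a Trojan Remover log into one dict per entry."""
    entries = []
    for chunk in log_text.split(ENTRY_SEP):
        entry = {}
        for raw in chunk.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.startswith("Value Name:"):
                entry["name"] = line[len("Value Name:"):].strip()
            elif line.startswith("Value Data:"):
                entry["data"] = line[len("Value Data:"):].strip()
            elif line.endswith(" bytes") and line[:-len(" bytes")].isdigit():
                entry["size"] = int(line[:-len(" bytes")])
            elif line.startswith("Created:"):
                entry["created"] = datetime.strptime(line[len("Created:"):].strip(), TS_FMT)
            elif line.startswith("Modified:"):
                entry["modified"] = datetime.strptime(line[len("Modified:"):].strip(), TS_FMT)
            elif line.startswith("Company:"):
                entry["company"] = line[len("Company:"):].strip()
            elif _DRIVE_PATH.match(line) and "path" not in entry:
                entry["path"] = line           # resolved file path printed under Value Data
        if "path" in entry:
            entries.append(entry)
    return entries


def triage(entry, scan_time, recent_days=30):
    """Reasons an autostart entry deserves a closer look; more reasons = look sooner."""
    reasons = []
    if entry.get("company", "") in ("", "[no info]"):
        reasons.append("no publisher information")
    created, modified = entry.get("created"), entry.get("modified")
    if created and scan_time - created <= timedelta(days=recent_days):
        reasons.append("created within %d days of the scan" % recent_days)
    if created and modified and created > modified + timedelta(days=1):
        # NTFS keeps the source's last-write time on copy but stamps a new
        # creation time, so this marks a copied/installed file, not proof of malice.
        reasons.append("creation time long after last-write time (copied file)")
    return reasons


def rank_autostarts(log_text, scan_time=SCAN_TIME):
    """Return (score, path, reasons) tuples, most suspicious first."""
    ranked = []
    for entry in parse_entries(log_text):
        reasons = triage(entry, scan_time)
        ranked.append((len(reasons), entry["path"], reasons))
    ranked.sort(key=lambda t: (-t[0], t[1].lower()))
    return ranked


if __name__ == "__main__":
    for score, path, reasons in rank_autostarts(SAMPLE_LOG):
        print("%d  %s" % (score, path))
        for reason in reasons:
            print("      - " + reason)
```

The ranking is a prioritisation aid, not a verdict: a hardware utility shipped without version information (MouseElf here) scores as high as the constructed dropper, and the "creation time long after last-write time" rule fires on any file installed or copied after it was built. The posted log shows exactly that benign pattern on wmiprvse.exe and wuauclt.exe (Created 11/11/2009, Modified 8/5/2004), which fits the XP repair install gza describes. Confirm the top candidates by hashing the files and checking them against a reputation source before deleting anything.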
828742 2009-12-10 10:21:00 So will / does the HDD open now by double-clicking on it? If you haven't rebooted since that last TR log, reboot. I would get rid of uTorrent / any P2P programs; that's probably how you got infected in the first place. It looks OK now. Install SP3 and the rest of the updates (you may have to update to SP3 sooner or later; support for XP SP2 will run out July 13th next year). It should be safe to turn System Restore back on. Speedy Gonzales (78)
828743 2009-12-10 10:52:00 OK, will do.
Yes, the HDD does open as it should. I will be going into town Saturday and purchasing a new IDE HDD, probably 320GB; this 4GB one is out of space, I can't get SP3 to fit on it, let alone much else. I did have XP Pro SP3 running on the computer before the problems started, but in the course of running the OS disc to do the repair to the XP installation, SP3 was lost and SP2 installed in its place. I downloaded SP3 from MS and saved it to disc; I will install it along with XP Pro on the new HDD.
I don't know how that Win32/PSW.OnLineGames.NNU trojan got onto my computer when it was running the 80GB HDD. I've never played a game online or downloaded a game from the net. Beats me, that one.
Thanks for your help, Speedy; this one has been a real mixed bag of problems, culminating in a dead HDD and my gaining a lot of experience.
Cheers.
gza
gza (13233)