yeka Posted January 21, 2009
My computer caught something called Nimda. It appeared as its own administrator account where I log in with my own account, so I scanned the computer and your program found infections and told me to restart so it could remove the infections. Then when I was going to log in again my account had disappeared and there was only "nimda". Then I found a way to log in with my own account: I pressed Ctrl+Alt+Del and could log in the other way. However, I then did a new scan and this time the scanner couldn't find any infections. But the nimda is obviously still in my computer. I'm sending you the Anti-Malware and HijackThis logs. This is the latest log from Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.33
Database version: 1674
Windows 5.1.2600 Service Pack 3
2009-01-21 19:37:14
mbam-log-2009-01-21 (19-37-14).txt
Scan type: Quick scan
Objects scanned: 60342
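The thread never establishes why the poster's own account vanished from the XP welcome screen while the classic Ctrl+Alt+Del logon still worked. One check a responder would run before reimaging is to compare the local account list with the Winlogon SpecialAccounts\UserList key, which is the supported way to keep an account off the welcome screen on XP (a DWORD value of 0 named after the account hides it; the account can still log on from the classic dialog). XP also omits the built-in Administrator from the welcome screen whenever any other account exists, which is independent of this key. The script below is an added example, not code from the thread or from Malwarebytes; the `net user` and `reg query` text it parses is constructed for the example and was not captured from the poster's machine.

```python
import re

# Real XP registry key; a DWORD 0 value named after an account keeps that account
# off the welcome screen. Assumed to be captured with `reg query` on the box.
USERLIST_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")

# Constructed sample of `net user` output; not captured from the machine in the thread.
NET_USER_SAMPLE = """
User accounts for \\\\LAPTOP

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
nimda                    SUPPORT_388945a0
The command completed successfully.
"""

# Constructed sample of `reg query "<USERLIST_KEY>"` output; also not from the thread.
REG_QUERY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    Administrator    REG_DWORD    0x0
    HelpAssistant    REG_DWORD    0x0
    SUPPORT_388945a0    REG_DWORD    0x0
    nimda    REG_DWORD    0x1
"""

# Accounts XP creates itself and hides by default; anything else hidden deserves a look.
BUILTIN_HIDDEN = {"helpassistant", "support_388945a0", "aspnet"}


def parse_net_user(text):
    """Account names from `net user` output (names containing spaces are not handled)."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
        elif line.startswith("The command completed"):
            break
        elif in_table and line.strip():
            names.extend(line.split())
    return names


def parse_userlist(text):
    """Map lower-cased value name -> DWORD from `reg query` output of the UserList key."""
    pattern = re.compile(r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+0x([0-9a-fA-F]+)[ \t]*$", re.M)
    return {m.group(1).lower(): int(m.group(2), 16) for m in pattern.finditer(text)}


def welcome_screen_report(net_user_text, reg_text):
    """Split local accounts into hidden / shown and single out hidden non-builtin ones.

    'shown' ignores whether an account is disabled and the XP rule that hides the
    built-in Administrator whenever another account exists; it is a registry view only.
    """
    accounts = parse_net_user(net_user_text)
    userlist = parse_userlist(reg_text)
    hidden = sorted(n for n in accounts if userlist.get(n.lower()) == 0)
    shown = sorted(n for n in accounts if n not in hidden)
    unexpected = sorted(n for n in hidden if n.lower() not in BUILTIN_HIDDEN)
    return {"hidden": hidden, "shown": shown, "hidden_not_builtin": unexpected}


if __name__ == "__main__":
    for key, value in welcome_screen_report(NET_USER_SAMPLE, REG_QUERY_SAMPLE).items():
        print(f"{key:20s} {', '.join(value) or '-'}")
```

On a live machine the two strings would come from `net user` and `reg query "<key>"` run from an elevated prompt; any name in `hidden_not_builtin` was deliberately hidden by someone or something and should be explained before the box is trusted again.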
Root Admin AdvancedSetup Posted January 22, 2009
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.
Additional links to download the tool: ComboFix.exe, ComboFix.exe, ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says: "The Recovery Console was successfully installed."
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Please download Lop S&D
Double-click on Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created (%SystemDrive%\lopR.txt), typically C:\lopR.txt
yeka Posted January 22, 2009
I'm going to send 3 logs to you: one is the log where MBAM found infections (after that time no infections have been found), and I'm also posting the logs you asked for, the ones from ComboFix and Lop S&D. I've been getting help from a Swedish forum as well; I'll post the link to the thread so you can see what I've done so far if you like. http://eforum.idg.se/viewmsg.asp?EntriesId=1116881

Malwarebytes' Anti-Malware 1.33
Database version: 1674
Windows 5.1.2600 Service Pack 3
2009-01-21 16:58:27
mbam-log-2009-01-21 (16-58-27).txt
Scan type: Quick scan
Objects scanned: 60797
Root Admin AdvancedSetup Posted January 23, 2009
Hi Yeka,
We're sorry, but since you have evidence of cracked or pirated software you're using on the system we have to close this thread now.
If you feel this is inaccurate information please send any Moderator a private message explaining in detail and they will review your information in private.
HiJack This! Forum Policy
We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.
This file is from a Torrent download of a pirated game:
C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack
C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack\DDDPool.exe
For future reference you should also only post and seek assistance from one forum at a time, as it wastes the helpers' time and causes issues by duplicating work.
Root Admin AdvancedSetup Posted January 23, 2009
I have opened this post again at the request of a Helper at another forum to assist you.
You must delete this folder and any and all other similar illegal files: C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\
If ANY other illegal files are found during this scanning and cleaning then the post will be permanently closed.
You must also remove ALL Peer 2 Peer sharing software while I'm assisting you with cleaning the system.
Thank you.
yeka Posted January 23, 2009
Thank you for giving me another try. I think the log should be OK now, I hope so. I did my best; I'm not an expert in this area.

--------------------\\ Lop S&D 4.2.5-0 XP/Vista
Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : AMD Turion 64 Mobile Technology MK-36 )
BIOS : PhoenixBIOS 4.0 Release 6.1
USER : Administrator ( Administrator )
BOOT : Normal boot
Antivirus : Norman Security Suite ver. 7.00 7.00 (Activated)
C:\ (Local Disk) - NTFS - Total:101 Go (Free:9 Go)
D:\ (Local Disk) - FAT32 - Total:9 Go (Free:1 Go)
E:\ (CD or DVD)
F:\ (CD or DVD) - UDF - Total:0 Go (Free:0 Go)
"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 2009-01-23|19:50 )

--------------------\\ Listing folders in APPLIC~1
[2008-01-28|02:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
[2006-12-03|15:04] C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
[2007-05-13|20:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
[2007-08-09|15:37] C:\DOCUME~1\ADMINI~1\APPLIC~1\ArcSoft
[2009-01-11|17:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\Canon
[2007-08-09|15:06] C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
[2007-01-31|22:38] C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
[2008-12-14|04:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss
[2007-04-21|22:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
[2006-12-07|16:40] C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
[2006-12-01|02:44] C:\DOCUME~1\ADMINI~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities
[2007-01-18|21:33] C:\DOCUME~1\ADMINI~1\APPLIC~1\Leadertech
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Macromedia
[2008-09-18|13:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Malwarebytes
[2008-03-23|17:24] C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
[2008-11-21|23:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft
[2008-05-24|19:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Mozilla
[2007-02-05|17:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\ScanSoft
[2007-01-18|21:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
[2006-12-01|00:15] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun
[2006-12-03|22:08] C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
[0|file(s)] C:\DOCUME~1\ADMINI~1\APPLIC~1\byte
[24|folder(s)] C:\DOCUME~1\ADMINI~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[2007-03-07|22:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[2007-02-05|17:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[2009-01-22|19:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
[2008-09-18|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[2008-09-28|12:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[2009-01-23|12:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[2009-01-22|00:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NortonInstaller
[2008-11-07|08:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[2007-02-05|17:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
[2008-10-21|11:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[2007-10-25|09:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Winamp Toolbar
[2007-10-24|10:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[2007-11-20|20:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[0|file(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\byte
[21|folder(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\byte
[3|folder(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes free

[2008-02-01|14:56] C:\DOCUME~1\Guest\APPLIC~1\Adobe
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Google
[2008-02-01|14:29] C:\DOCUME~1\Guest\APPLIC~1\Identities
[2008-02-01|14:35] C:\DOCUME~1\Guest\APPLIC~1\Macromedia
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\Guest\APPLIC~1\byte
[7|folder(s)] C:\DOCUME~1\Guest\APPLIC~1\bytes free

[2008-08-22|08:26] C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
[2008-08-21|07:38] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\byte
[4|folder(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\byte
[3|folder(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes free

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks
[2009-01-18 17:48][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009-01-23 13:15][--ah-----] C:\WINDOWS\tasks\SA.DAT
[2006-03-16 05:00][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files
[2006-12-01|08:16] C:\Program Files\Adobe
[2007-03-07|22:06] C:\Program Files\Apple Software Update
[2007-08-09|14:58] C:\Program Files\ArcSoft
[2007-02-05|17:48] C:\Program Files\Canon
[2007-02-05|17:37] C:\Program Files\CanonBJ
[2009-01-22|20:38] C:\Program Files\Common Files
[2006-12-01|08:16] C:\Program Files\ComPlus Applications
[2006-12-01|08:16] C:\Program Files\CONEXANT
[2007-08-09|15:01] C:\Program Files\Creative
[2007-01-18|21:39] C:\Program Files\DAEMON Tools
[2009-01-22|20:35] C:\Program Files\Google
[2006-12-01|08:16] C:\Program Files\Hewlett-Packard
[2006-12-01|08:16] C:\Program Files\HP
[2006-11-30|23:42] C:\Program Files\HPQ
[2008-03-10|22:12] C:\Program Files\InstallShield Installation Information
[2008-12-12|15:56] C:\Program Files\Internet Explorer
[2008-12-15|20:40] C:\Program Files\Java
[2006-12-25|21:34] C:\Program Files\JoWood
[2008-06-07|18:06] C:\Program Files\K-Lite Codec Pack
[2009-01-21|16:48] C:\Program Files\Malwarebytes' Anti-Malware
[2008-03-01|00:21] C:\Program Files\Maxis
[2008-08-31|09:16] C:\Program Files\Messenger
[2007-05-11|23:46] C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2006-12-01|08:16] C:\Program Files\microsoft frontpage
[2009-01-23|12:59] C:\Program Files\Microsoft Office
[2009-01-23|12:59] C:\Program Files\Microsoft Works
[2008-08-31|09:06] C:\Program Files\Movie Maker
[2008-02-06|20:06] C:\Program Files\Mozilla Firefox
[2006-12-01|08:16] C:\Program Files\MSN
[2006-12-01|08:16] C:\Program Files\MSN Gaming Zone
[2006-12-02|03:15] C:\Program Files\MSXML 4.0
[2008-08-31|08:59] C:\Program Files\NetMeeting
[2006-12-01|08:16] C:\Program Files\NetWaiting
[2008-10-31|10:48] C:\Program Files\Norton Security Scan
[2008-11-07|08:38] C:\Program Files\NOS
[2008-05-26|22:22] C:\Program Files\Octoshape Streaming Services
[2006-12-01|08:16] C:\Program Files\Online Services
[2008-08-31|08:59] C:\Program Files\Outlook Express
[2007-03-08|10:54] C:\Program Files\QuickTime
[2007-02-05|17:44] C:\Program Files\ScanSoft
[2006-12-01|08:16] C:\Program Files\Sonic
[2006-12-01|08:16] C:\Program Files\Synaptics
[2009-01-21|18:59] C:\Program Files\Trend Micro
[2006-12-01|08:16] C:\Program Files\Uninstall Information
[2006-12-03|21:27] C:\Program Files\VideoLAN
[2007-10-25|19:27] C:\Program Files\Winamp
[2007-11-20|20:36] C:\Program Files\Windows Live
[2006-12-01|08:16] C:\Program Files\Windows Media Connect 2
[2006-12-16|03:01] C:\Program Files\Windows Media Player
[2008-08-31|08:59] C:\Program Files\Windows NT
[2006-12-01|08:16] C:\Program Files\Windows Plus
[2006-12-01|08:16] C:\Program Files\Windows XP MUI Pack
[2006-12-01|08:16] C:\Program Files\WindowsUpdate
[2006-12-01|08:16] C:\Program Files\xerox
[0|file(s)] C:\Program Files\byte
[56|folder(s)] C:\Program Files\bytes free

--------------------\\ Listing Folders in C:\Program Files\Common Files
[2006-12-01|08:16] C:\Program Files\Common Files\Adobe
[2006-12-01|08:16] C:\Program Files\Common Files\HP
[2006-12-01|08:16] C:\Program Files\Common Files\InstallShield
[2006-12-01|08:16] C:\Program Files\Common Files\Java
[2006-12-01|08:16] C:\Program Files\Common Files\LightScribe
[2009-01-23|12:59] C:\Program Files\Common Files\Microsoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\MSSoap
[2006-12-01|08:16] C:\Program Files\Common Files\ODBC
[2007-02-05|17:45] C:\Program Files\Common Files\ScanSoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\Services
[2006-12-01|08:16] C:\Program Files\Common Files\Sonic Shared
[2006-12-01|08:16] C:\Program Files\Common Files\SpeechEngines
[2006-12-01|08:16] C:\Program Files\Common Files\SureThing Shared
[2009-01-22|00:38] C:\Program Files\Common Files\Symantec Shared
[2009-01-23|12:55] C:\Program Files\Common Files\System
[2006-12-01|08:16] C:\Program Files\Common Files\TiVo Shared
[2007-11-20|20:36] C:\Program Files\Common Files\WindowsLiveInstaller
[0|file(s)] C:\Program Files\Common Files\byte
[19|folder(s)] C:\Program Files\Common Files\bytes free

--------------------\\ Process ( 62 Processes )
iexplore.exe ~ [PID:860]

--------------------\\ Searching with S_Lop
No Lop folder found !

--------------------\\ Searching for Lop Files - Folders
C:\DOCUME~1\ADMINI~1\Cookies\administrator@advertising[2].txt
C:\DOCUME~1\ADMINI~1\Cookies\administrator@adopt.euroclick[1].txt

--------------------\\ Searching within the Registry
..... OK !

--------------------\\ Checking the Hosts file
Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 19:52:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections
No other infections found !
[F:10][D:2]-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
[F:67][D:0]-> C:\DOCUME~1\ADMINI~1\Cookies
[F:1479][D:6]-> C:\DOCUME~1\ADMINI~1\TEMPOR~1\content.IE5
1 - "C:\Lop SD\LopR_1.txt" - 2009-01-22|21:02 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - 2009-01-23|13:46 - Option : [1]
3 - "C:\Lop SD\LopR_3.txt" - 2009-01-23|19:53 - Option : [1]

--------------------\\ Scan completed at 19:53:25
Root Admin AdvancedSetup Posted January 24, 2009
Update and Scan with Malwarebytes' Anti-Malware
Start Malwarebytes Anti-Malware (Vista users must right-click and choose Run As Admin).
Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
Update Malwarebytes' Anti-Malware:
1. Select the Update tab and click Update.
2. When the update is complete, select the Scanner tab.
3. Select Perform quick scan, then click Scan.
4. When the scan is complete, click OK, then Show Results to view the results.
5. Be sure that everything is checked, and click Remove Selected.
6. When completed, a log will open in Notepad. Please copy and paste the log into your next reply. If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer.
AFTER the reboot run HJT. Do a system scan and save a logfile.
Then post back NEW MBAM and HJT logs in that order please.

Please download the following scanning tool: GMER
Open the zip file and copy the file gmer.exe to your Desktop.
Double-click on gmer.exe and run it.
It may take a minute to load and become available.
Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button. DO NOT click on the SCAN button.
This will place the scan in your clipboard. Paste that into Notepad or into your next reply post please.
Click OK and quit the GMER program.
yeka Posted January 24, 2009
I'm not sure how to send the logs. Do you want me to put them in a code box or something else? MBAM didn't find anything.

Malwarebytes' Anti-Malware 1.33
Database version: 1688
Windows 5.1.2600 Service Pack 3
2009-01-24 13:38:51
mbam-log-2009-01-24 (13-38-51).txt
Scan type: Quick scan
Objects scanned: 53795
yeka Posted January 26, 2009
Any further help?
Root Admin AdvancedSetup Posted January 27, 2009
Sorry for the delay, but I've been quite busy at work.
Please delete your current copy of ComboFix and download a new version and run it. You still show something on the box.
Also, remove ALL versions of JAVA from Control Panel, Add/Remove until we're done cleaning the system.
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.
Additional links to download the tool: ComboFix.exe, ComboFix.exe, ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says: "The Recovery Console was successfully installed."
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
yeka Posted January 27, 2009
ComboFix 09-01-21.04 - Administrator 2009-01-27 16:55:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.489 [GMT 1:00]
Root Admin AdvancedSetup Posted January 28, 2009
I'll be out of town tonight and will look at this for you tomorrow.
Thanks
Root Admin AdvancedSetup Posted January 28, 2009
You need to uninstall Adobe Acrobat Reader 7 and upgrade to version 9 if you want the Reader.
Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Please download the following scanning tool: GMER
Open the zip file and copy the file gmer.exe to your Desktop.
Double-click on gmer.exe and run it.
It may take a minute to load and become available.
Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG.
Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
Click OK and quit the GMER program.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
yeka Posted January 28, 2009
I'm not sure what I'm doing. Hope it's right.
Attachment: gmerlog.zip.zip
Root Admin AdvancedSetup Posted January 29, 2009
Okay, that looks okay. That hidden driver appears to be from the copy of Daemon Tools you have running on the system.
Please run the following one more time.
Update and Scan with Malwarebytes' Anti-Malware
Start Malwarebytes Anti-Malware (Vista users must right-click and choose Run As Admin).
Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
Update Malwarebytes' Anti-Malware:
1. Select the Update tab and click Update.
2. When the update is complete, select the Scanner tab.
3. Select Perform quick scan, then click Scan.
4. When the scan is complete, click OK, then Show Results to view the results.
5. Be sure that everything is checked, and click Remove Selected.
6. When completed, a log will open in Notepad. Please copy and paste the log into your next reply. If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer.
AFTER the reboot run HJT. Do a system scan and save a logfile.
Then post back NEW MBAM and HJT logs in that order please.
Then let me know if you're still having any signs of an infection or not.
yeka Posted January 29, 2009
The problem is still there; there's only "nimda" as a user account on the welcome screen. And about a day ago Norman caught A0066131.sys W32/Agent.HHSF and put it in quarantine, but I think MBAM couldn't see it. Here are the logs:

Malwarebytes' Anti-Malware 1.33
Database version: 1705
Windows 5.1.2600 Service Pack 3
2009-01-29 15:57:00
mbam-log-2009-01-29 (15-57-00).txt
Scan type: Quick scan
Objects scanned: 54592
Root Admin AdvancedSetup Posted January 30, 2009
Please do not use the Quote or CODE tags when posting. Just post directly, thank you.
Please try the following. Download it, double-click on it with a blank CD-R in the CD burner and it will automatically burn a bootable CD for you to boot with and run and scan.
Requires access to a working computer with a CD/DVD burner to create a bootable CD.
Avira AntiVir Rescue System - download
Avira AntiVir Rescue System
Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to: repair a damaged system, rescue data, scan the system for virus infections.
Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.
yeka Posted February 2, 2009
I have to get a CD-R; I'll be back when I have one.
Root Admin AdvancedSetup Posted February 3, 2009
Okay, let me know when you're ready please.
Root Admin AdvancedSetup Posted February 4, 2009
Please post a status update on this.
yeka Posted February 6, 2009
Hi, I did burn a CD and I started the scan with Avira, but in the middle of the scanning process the computer shut down. Is that supposed to happen? I don't understand if I did anything wrong, if the process was completed or not, or what to do after the scanning. When the computer shut down I started it with the scan again and the same thing happened. Then I took out the CD and started without it and everything is the same as before as far as I can see. The situation is still the same; the nimda account is still there. I did an MBAM scan but it couldn't find anything. I'm sending you a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59:16, on 2009-02-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemal
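The HijackThis log above is the kind of artifact a helper reads by hand, entry by entry. The first thing to separate is which autostart binaries live under Program Files or system32 and which live somewhere an unprivileged user can write (profile, Application Data, Temp), since that is where a persistence entry that could not get into system32 usually ends up. The triage script below is an added example, not part of the thread and not HijackThis code; its sample input copies a few lines from the log above and adds two made-up entries (marked in the source) so the user-writable rule has something to fire on. The path rules are heuristics chosen for the example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section label path verdict")

# Constructed sample. The first eight lines are copied from the HijackThis log
# posted in the thread; the last two are made up for this example.
SAMPLE_LOG = [
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll",
    r'O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect",
    r'O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033',
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
    r"O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe",
    r"O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe",
    # constructed, not from the thread:
    r"O4 - HKCU\..\Run: [updater] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\updater.exe",
    # constructed, not from the thread:
    r"O4 - HKLM\..\Run: [svc] C:\Documents and Settings\Administrator\Application Data\svc.exe /q",
]

# Lower-cased path fragments that mark locations an ordinary XP user can write to.
USER_WRITABLE = (
    "\\documents and settings\\", "\\docume~1\\", "\\application data\\",
    "\\applic~1\\", "\\local settings\\", "\\locals~1\\", "\\temp\\", "%temp%",
)
IMAGE_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")


def command_image(cmd):
    """Pull the executable (or the DLL for rundll32) out of an O4 command line."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd.strip())  # HJT's "(User 'X')" suffix
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]  # rundll32 <dll>,<export>
    # Unquoted path with spaces: keep joining tokens until one ends in an image extension.
    acc = []
    for tok in tokens:
        acc.append(tok)
        if tok.lower().endswith(IMAGE_EXTS):
            return " ".join(acc)
    return tokens[0]


def image_path(section, body):
    """The on-disk image an entry points at, or None for sections without one."""
    if section in ("O2", "O3", "O23"):
        return body.rsplit(" - ", 1)[-1].strip()  # "... - {CLSID} - <path>" / "... - <vendor> - <path>"
    if section == "O4":
        m = re.search(r"\[[^\]]*\]\s*(.*)$", body)  # "[name] <command>"
        if m:
            return command_image(m.group(1))
        if " = " in body:  # Startup-folder .lnk entries
            return body.split(" = ", 1)[1].strip()
    return None


def verdict_for(path):
    if not path:
        return "unparsed"
    p = path.lower()
    if any(marker in p for marker in USER_WRITABLE):
        return "user_writable"
    if "\\" not in p:
        return "unqualified"  # resolved through PATH at logon; check which copy wins
    return "other"


def parse_entry(line):
    m = re.match(r"^(O\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O4":
        lm = re.search(r"\[([^\]]*)\]", body)
        label = lm.group(1) if lm else body.split(" = ", 1)[0].split(": ", 1)[-1]
    else:
        label = body.split(" - ", 1)[0]
    path = image_path(section, body)
    return Entry(section, label, path, verdict_for(path))


def triage(lines):
    return [e for e in map(parse_entry, lines) if e is not None]


def flagged(lines):
    """Labels of entries whose image sits in a user-writable location."""
    return [e.label for e in triage(lines) if e.verdict == "user_writable"]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4s} {e.verdict:14s} {e.label:30s} {e.path}")
```

A "user_writable" verdict is a prompt to look, not a conviction: legitimate updaters also run from Application Data. The value of the script is that it turns a 150-line log into a handful of entries whose hashes and signatures are worth checking first, and the `unqualified` bucket (bare names such as `nwiz.exe`) is worth a second look because the loader resolves them through PATH.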
Root Admin AdvancedSetup Posted February 7, 2009
Hi yeka,
Well, that isn't too good. I really try to help users get back control of their system, but yours is not looking good.
Do you have the Windows XP CD that came with the system? We might have to just back up the system and re-install Windows.
Do you have any other accessories attached to the computer like printers or cameras, etc.? You could try removing ALL external devices and try to run the CD again. I've never heard of anyone complaining of the computer shutting down before while using that CD.
yeka Posted February 7, 2009
Hi, I don't have any Windows XP CD; I think I have to create recovery discs? If re-installing is the only solution left I would like to return to the Swedish forum so I can be guided in Swedish. I'll be waiting for an answer from you before I do anything else. Thank you for your help.
Root Admin AdvancedSetup Posted February 8, 2009
Okay, let's make one more try first with ComboFix again.
Please delete your current copy of Combofix.exe and download a NEW fresh copy and run that and post back that log.
Additional links to download the tool: ComboFix.exe, ComboFix.exe, ComboFix.exe
yeka Posted February 8, 2009
ComboFix 09-02-07.01 - Administrator 2009-02-08 20:52:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.519 [GMT 1:00]