Nimda

yeka

My computer caught something called Nimda. It appeared like an own administration account where I log in with my own account, so I scanned the computer and your program found infections and told me to restart so it could remove the infections. Then when I was going to log in again my account had disappeared and there was only nimda. Then I found a way to log in with my own account: I pressed Ctrl+Alt+Del and could log in the other way. However, then I did a new scan and this time the scanner couldn't find any infections. But the nimda is obviously still in my computer. I'm sending you the Anti-Malware and HijackThis logs.

this is the latest log from Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.33

Database version: 1674

Windows 5.1.2600 Service Pack 3

2009-01-21 19:37:14

mbam-log-2009-01-21 (19-37-14).txt

Scan type: Quick scan

Objects scanned: 60342

F

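The symptom in the post above (an extra account on the welcome screen, the user's own account no longer listed) is something to verify by hand rather than leave to a scanner. The PowerShell below is an added example, not from the thread and not Malwarebytes code: it lists every local account with its SID and Administrators membership, then reads the two Winlogon registry locations that decide which accounts the XP welcome screen shows and what is launched at logon. It assumes PowerShell 2.0 or later is installed (XP did not ship with it), an elevated prompt, and English-language `net localgroup` output; the registry paths are the documented Winlogon ones. It only reads, nothing is changed.

```powershell
# Added example, not from the thread or from Malwarebytes. Assumes PowerShell 2.0+
# (not preinstalled on XP) and an elevated prompt. Read-only.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userList = "$winlogon\SpecialAccounts\UserList"

function Get-LocalAdminMembers {
    # Parses `net localgroup Administrators`. The heading lines are English;
    # on a Swedish install the regex has to be adjusted.
    net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command completed)' } |
        ForEach-Object { $_.Trim() }
}

function Get-LocalAccountReport {
    $admins = @(Get-LocalAdminMembers)
    Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | ForEach-Object {
        New-Object PSObject -Property @{
            Name           = $_.Name
            SID            = $_.SID
            Disabled       = $_.Disabled
            IsAdmin        = ($admins -contains $_.Name)
            # RID 500 is the built-in Administrator, whatever it has been renamed to
            IsBuiltinAdmin = ($_.SID -like '*-500')
        }
    }
}

function Get-HiddenAccounts {
    # A DWORD named after an account with value 0 under SpecialAccounts\UserList
    # hides that account from the welcome screen. The key does not exist on a
    # default install, so its mere presence deserves a look.
    if (-not (Test-Path $userList)) { return @() }
    (Get-ItemProperty $userList).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { New-Object PSObject -Property @{ Account = $_.Name; Value = $_.Value } }
}

function Get-WinlogonValues {
    # XP defaults: Shell = Explorer.exe and Userinit = C:\WINDOWS\system32\userinit.exe,
    # (trailing comma included). Anything appended to either runs at every logon.
    $wl = Get-ItemProperty $winlogon
    New-Object PSObject -Property @{ Shell = $wl.Shell; Userinit = $wl.Userinit }
}

Get-LocalAccountReport | Format-Table Name, SID, Disabled, IsAdmin, IsBuiltinAdmin -AutoSize
'--- SpecialAccounts\UserList (an account is hidden when Value = 0) ---'
Get-HiddenAccounts | Format-Table Account, Value -AutoSize
'--- Winlogon ---'
Get-WinlogonValues | Format-List
```

Compare the account list with what the welcome screen offers: an account that exists and is enabled but does not appear is either hidden through UserList or is a built-in account the welcome screen never lists. The classic logon dialog reached by pressing Ctrl+Alt+Del twice at the welcome screen (the trick the poster found) accepts any enabled account by name, which is why it worked where the welcome screen did not.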

  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Please download Lop S&D

Double-click on Lop S&D.exe

Choose the language, then choose Option 1 (Search)

Wait till the end of the scan

Post the log which is created (%SystemDrive%\lopR.txt), typically C:\lopR.txt


I'm going to send 3 logs to you: one is the log where MBAM found infections (after that time no infections have been found), and I'm also posting the logs you asked for, the ones from ComboFix and Lop S&D. I've been getting help from a Swedish forum also; I'll post the link to the thread so you can see what I've done so far if you like. http://eforum.idg.se/viewmsg.asp?EntriesId=1116881

Malwarebytes' Anti-Malware 1.33

Database version: 1674

Windows 5.1.2600 Service Pack 3

2009-01-21 16:58:27

mbam-log-2009-01-21 (16-58-27).txt

Scan type: Quick scan

Objects scanned: 60797

F


  • Root Admin

Hi Yeka,

We're sorry but since you have evidence of cracked or pirated software you're using on the system we have to close this thread now.

If you feel this is inaccurate information please send any Moderator a private message explaining in detail and they will review your information in private.

HiJack This! Forum Policy

We will not be party to obvious use of keygens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

This file is from a Torrent download of a pirated game:

C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack

C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack\DDDPool.exe

For future reference, you should also only post and seek assistance from one forum at a time, as it wastes the helpers' time and causes issues by duplicating work.


  • Root Admin

I have opened this post again at the request of a Helper at another forum to assist you.

You must delete this folder and any and all other similar illegal files C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\

If ANY other illegal files are found during this scanning and cleaning then the post will be permanently closed.

You must also remove ALL Peer 2 Peer sharing software while I'm assisting you with cleaning the system.

Thank you.


Thank you for giving me another try. I think the log should be OK now, I hope so. I did my best; I'm not an expert in this area :) ..

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3

X86-based PC ( Multiprocessor Free : AMD Turion 64 Mobile Technology MK-36 )

BIOS : PhoenixBIOS 4.0 Release 6.1

USER : Administrator ( Administrator )

BOOT : Normal boot

Antivirus : Norman Security Suite ver. 7.00 7.00 (Activated)

C:\ (Local Disk) - NTFS - Total:101 Go (Free:9 Go)

D:\ (Local Disk) - FAT32 - Total:9 Go (Free:1 Go)

E:\ (CD or DVD)

F:\ (CD or DVD) - UDF - Total:0 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [1] ( 2009-01-23|19:50 )

--------------------\\ Listing folders in APPLIC~1

[2008-01-28|02:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe

[2006-12-03|15:04] C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM

[2007-05-13|20:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer

[2007-08-09|15:37] C:\DOCUME~1\ADMINI~1\APPLIC~1\ArcSoft

[2009-01-11|17:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\Canon

[2007-08-09|15:06] C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative

[2007-01-31|22:38] C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink

[2008-12-14|04:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss

[2007-04-21|22:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Google

[2006-12-07|16:40] C:\DOCUME~1\ADMINI~1\APPLIC~1\Help

[2006-12-01|02:44] C:\DOCUME~1\ADMINI~1\APPLIC~1\HP

[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities

[2007-01-18|21:33] C:\DOCUME~1\ADMINI~1\APPLIC~1\Leadertech

[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Macromedia

[2008-09-18|13:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Malwarebytes

[2008-03-23|17:24] C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic

[2008-11-21|23:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft

[2008-05-24|19:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Mozilla

[2007-02-05|17:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\ScanSoft

[2007-01-18|21:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic

[2006-12-01|00:15] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun

[2006-12-03|22:08] C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc

[0|file(s)] C:\DOCUME~1\ADMINI~1\APPLIC~1\bytes

[24|folder(s)] C:\DOCUME~1\ADMINI~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe

[2007-03-07|22:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

[2007-02-05|17:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink

[2009-01-22|19:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield

[2008-09-18|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes

[2008-09-28|12:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft

[2009-01-23|12:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help

[2009-01-22|00:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NortonInstaller

[2008-11-07|08:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles

[2007-02-05|17:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic

[2008-10-21|11:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

[2007-10-25|09:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Winamp Toolbar

[2007-10-24|10:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage

[2007-11-20|20:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller

[0|file(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes

[21|folder(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft

[0|file(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes

[3|folder(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes free

[2008-02-01|14:56] C:\DOCUME~1\Guest\APPLIC~1\Adobe

[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Google

[2008-02-01|14:29] C:\DOCUME~1\Guest\APPLIC~1\Identities

[2008-02-01|14:35] C:\DOCUME~1\Guest\APPLIC~1\Macromedia

[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Microsoft

[0|file(s)] C:\DOCUME~1\Guest\APPLIC~1\bytes

[7|folder(s)] C:\DOCUME~1\Guest\APPLIC~1\bytes free

[2008-08-22|08:26] C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe

[2008-08-21|07:38] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft

[0|file(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes

[4|folder(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft

[0|file(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes

[3|folder(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes free

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[2009-01-18 17:48][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2009-01-23 13:15][--ah-----] C:\WINDOWS\tasks\SA.DAT

[2006-03-16 05:00][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[2006-12-01|08:16] C:\Program Files\Adobe

[2007-03-07|22:06] C:\Program Files\Apple Software Update

[2007-08-09|14:58] C:\Program Files\ArcSoft

[2007-02-05|17:48] C:\Program Files\Canon

[2007-02-05|17:37] C:\Program Files\CanonBJ

[2009-01-22|20:38] C:\Program Files\Common Files

[2006-12-01|08:16] C:\Program Files\ComPlus Applications

[2006-12-01|08:16] C:\Program Files\CONEXANT

[2007-08-09|15:01] C:\Program Files\Creative

[2007-01-18|21:39] C:\Program Files\DAEMON Tools

[2009-01-22|20:35] C:\Program Files\Google

[2006-12-01|08:16] C:\Program Files\Hewlett-Packard

[2006-12-01|08:16] C:\Program Files\HP

[2006-11-30|23:42] C:\Program Files\HPQ

[2008-03-10|22:12] C:\Program Files\InstallShield Installation Information

[2008-12-12|15:56] C:\Program Files\Internet Explorer

[2008-12-15|20:40] C:\Program Files\Java

[2006-12-25|21:34] C:\Program Files\JoWood

[2008-06-07|18:06] C:\Program Files\K-Lite Codec Pack

[2009-01-21|16:48] C:\Program Files\Malwarebytes' Anti-Malware

[2008-03-01|00:21] C:\Program Files\Maxis

[2008-08-31|09:16] C:\Program Files\Messenger

[2007-05-11|23:46] C:\Program Files\Microsoft CAPICOM 2.1.0.2

[2006-12-01|08:16] C:\Program Files\microsoft frontpage

[2009-01-23|12:59] C:\Program Files\Microsoft Office

[2009-01-23|12:59] C:\Program Files\Microsoft Works

[2008-08-31|09:06] C:\Program Files\Movie Maker

[2008-02-06|20:06] C:\Program Files\Mozilla Firefox

[2006-12-01|08:16] C:\Program Files\MSN

[2006-12-01|08:16] C:\Program Files\MSN Gaming Zone

[2006-12-02|03:15] C:\Program Files\MSXML 4.0

[2008-08-31|08:59] C:\Program Files\NetMeeting

[2006-12-01|08:16] C:\Program Files\NetWaiting

[2008-10-31|10:48] C:\Program Files\Norton Security Scan

[2008-11-07|08:38] C:\Program Files\NOS

[2008-05-26|22:22] C:\Program Files\Octoshape Streaming Services

[2006-12-01|08:16] C:\Program Files\Online Services

[2008-08-31|08:59] C:\Program Files\Outlook Express

[2007-03-08|10:54] C:\Program Files\QuickTime

[2007-02-05|17:44] C:\Program Files\ScanSoft

[2006-12-01|08:16] C:\Program Files\Sonic

[2006-12-01|08:16] C:\Program Files\Synaptics

[2009-01-21|18:59] C:\Program Files\Trend Micro

[2006-12-01|08:16] C:\Program Files\Uninstall Information

[2006-12-03|21:27] C:\Program Files\VideoLAN

[2007-10-25|19:27] C:\Program Files\Winamp

[2007-11-20|20:36] C:\Program Files\Windows Live

[2006-12-01|08:16] C:\Program Files\Windows Media Connect 2

[2006-12-16|03:01] C:\Program Files\Windows Media Player

[2008-08-31|08:59] C:\Program Files\Windows NT

[2006-12-01|08:16] C:\Program Files\Windows Plus

[2006-12-01|08:16] C:\Program Files\Windows XP MUI Pack

[2006-12-01|08:16] C:\Program Files\WindowsUpdate

[2006-12-01|08:16] C:\Program Files\xerox

[0|file(s)] C:\Program Files\bytes

[56|folder(s)] C:\Program Files\bytes free

--------------------\\ Listing Folders in C:\Program Files\Common Files

[2006-12-01|08:16] C:\Program Files\Common Files\Adobe

[2006-12-01|08:16] C:\Program Files\Common Files\HP

[2006-12-01|08:16] C:\Program Files\Common Files\InstallShield

[2006-12-01|08:16] C:\Program Files\Common Files\Java

[2006-12-01|08:16] C:\Program Files\Common Files\LightScribe

[2009-01-23|12:59] C:\Program Files\Common Files\Microsoft Shared

[2006-12-01|08:16] C:\Program Files\Common Files\MSSoap

[2006-12-01|08:16] C:\Program Files\Common Files\ODBC

[2007-02-05|17:45] C:\Program Files\Common Files\ScanSoft Shared

[2006-12-01|08:16] C:\Program Files\Common Files\Services

[2006-12-01|08:16] C:\Program Files\Common Files\Sonic Shared

[2006-12-01|08:16] C:\Program Files\Common Files\SpeechEngines

[2006-12-01|08:16] C:\Program Files\Common Files\SureThing Shared

[2009-01-22|00:38] C:\Program Files\Common Files\Symantec Shared

[2009-01-23|12:55] C:\Program Files\Common Files\System

[2006-12-01|08:16] C:\Program Files\Common Files\TiVo Shared

[2007-11-20|20:36] C:\Program Files\Common Files\WindowsLiveInstaller

[0|file(s)] C:\Program Files\Common Files\bytes

[19|folder(s)] C:\Program Files\Common Files\bytes free

--------------------\\ Process

( 62 Processes )

iexplore.exe ~ [PID:860]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\ADMINI~1\Cookies\administrator@advertising[2].txt

C:\DOCUME~1\ADMINI~1\Cookies\administrator@adopt.euroclick[1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-23 19:52:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden files: 0

--------------------\\ Searching for other infections

No other infections found !

[F:10][D:2]-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

[F:67][D:0]-> C:\DOCUME~1\ADMINI~1\Cookies

[F:1479][D:6]-> C:\DOCUME~1\ADMINI~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 2009-01-22|21:02 - Option : [1]

2 - "C:\Lop SD\LopR_2.txt" - 2009-01-23|13:46 - Option : [1]

3 - "C:\Lop SD\LopR_3.txt" - 2009-01-23|19:53 - Option : [1]

--------------------\\ Scan completed at 19:53:25


  • Root Admin

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer.

AFTER the reboot, run HJT, do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.

Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. As soon as it's done and the COPY button is available, click on the COPY button.
  • DO NOT click on the SCAN button.
  • This will place the scan in your clipboard. Paste that into Notepad or into your next reply post please.
  • Click OK and quit the GMER program.


I'm not sure how to send the logs; do you want me to put them in a codebox or something else?

MBAM didn't find anything..

Malwarebytes' Anti-Malware 1.33

Database version: 1688

Windows 5.1.2600 Service Pack 3

2009-01-24 13:38:51

mbam-log-2009-01-24 (13-38-51).txt

Scan type: Quick scan

Objects scanned: 53795

F


  • Root Admin

Sorry for the delay but I've been quite busy at work.

Please delete your current copy of Combofix and download a new version and run it. You still show something on the box.

Also, remove ALL versions of JAVA from Control Panel, Add/Remove until we're done cleaning the system.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


  • Root Admin

You need to uninstall Adobe Acrobat Reader 7 and upgrade to version 9 if you want the Reader.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done, click on the SAVE button, browse to your Desktop and save the file as GMER.LOG.
  • Zip up the GMER.LOG file, save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


  • Root Admin

Okay that looks okay. That hidden driver appears to be from the copy of Daemon Tools you have running on the system.

Please run the following one more time.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer.

AFTER the reboot, run HJT, do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.

Then let me know if you're still having any signs of an infection or not.


The problem is still there; there's only "nimda" as a user account on the welcome screen. And about a day ago Norman caught A0066131.sys W32/Agent.HHSF and put it in quarantine, but I think MBAM couldn't see it. Here are the logs:

Malwarebytes' Anti-Malware 1.33

Database version: 1705

Windows 5.1.2600 Service Pack 3

2009-01-29 15:57:00

mbam-log-2009-01-29 (15-57-00).txt

Scan type: Quick scan

Objects scanned: 54592

F


  • Root Admin

Please do not use the Quote or CODE tags when posting. Just post directly, thank you.

Please try the following. Download it, double-click on it with a blank CD-R in the CD Burner and it will automatically burn a bootable CD for you to boot with and run and scan.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

Avira AntiVir Rescue System
Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:
  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.

Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.


Hi, I did burn a CD and I started the scan with Avira, but in the middle of the scanning process the computer shut down. Is it supposed to happen? I don't understand if I did anything wrong, if the process is fulfilled or not, or what to do after the scanning. When the computer shut down I started it with the scan again and the same thing happened; then I took out the CD and started without it, and everything is the same as before as far as I can see..

The situation is still the same, the nimda account is still there. I did an MBAM scan but it couldn't find anything. I'm sending you a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:59:16, on 2009-02-06

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Norman\Npm\bin\ELOGSVC.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Norman\Npm\Bin\Zanda.exe

C:\Norman\npm\bin\nvoy.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Norman\Npm\Bin\ZLH.EXE

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\msdtc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\Norman\Npm\Bin\Nvcsched.exe

C:\Norman\Npm\Bin\Njeeves.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Norman\nse\bin\NSESVC.EXE

C:\WINDOWS\System32\alg.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\System32\svchost.exe

C:\Norman\Nvc\bin\nvcoas.exe

C:\Norman\Nvc\Bin\Nip.exe

C:\Norman\Nvc\Bin\cclaw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop

O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe

O23 - Service: Automatisk LiveUpdate-schemal

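The HijackThis log above was read by eye. As an added example that is not from the thread and not HijackThis code, the PowerShell below parses the O4 (autorun) entries of such a log, works out which file each one actually launches (expanding %ProgramFiles%, unwrapping rundll32 targets, growing unquoted paths that contain spaces, and locating bare file names in the Windows directories), and reports whether the file exists and whether its Authenticode signature verifies. The sample lines are copied from the posted log; the function names and the search order are assumptions of this example. An unsigned result is a prompt for a closer look, not a verdict: plenty of XP-era vendor software was never signed.

```powershell
# Added example, not from the thread or from HijackThis. Assumes PowerShell 2.0+.
# The sample O4 lines are copied from the log posted above.
$sample = @'
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
'@

function Get-AutorunTarget {
    param([string]$Line)
    # Line shape: O4 - <hive>\..\Run: [<value name>] <command line>
    if ($Line -notmatch '^O4 - (?<hive>.+?): \[(?<name>[^\]]*)\] (?<cmd>.*)$') { return $null }
    $hive = $Matches['hive']; $name = $Matches['name']
    $cmd  = [Environment]::ExpandEnvironmentVariables($Matches['cmd'])

    # rundll32 is only a host; the DLL it loads is the thing to inspect.
    if ($cmd -match '^rundll32(\.exe)?\s+(?<dll>[^,]+),') { $cmd = $Matches['dll'].Trim() }

    if ($cmd -match '^"(?<p>[^"]+)"') {
        $path = $Matches['p']
    } else {
        # Unquoted: grow the prefix token by token until it names an existing
        # file, because an unquoted path with spaces is legal in a Run value.
        $tokens = $cmd -split ' '
        $path = $tokens[0]
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            if (Test-Path -LiteralPath $path -PathType Leaf) { break }
            $path = $path + ' ' + $tokens[$i]
        }
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $path = $tokens[0] }
    }

    # A bare file name is resolved through the search path; System32 then
    # the Windows directory covers the usual cases.
    if ($path -notmatch '[\\/]') {
        foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
            $candidate = Join-Path $dir $path
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { $path = $candidate; break }
        }
    }
    New-Object PSObject -Property @{ Hive = $hive; Name = $name; Path = $path }
}

function Test-AutorunEntry {
    param($Entry)
    $exists = Test-Path -LiteralPath $Entry.Path -PathType Leaf
    $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $Entry.Path).Status } else { 'FileMissing' }
    $Entry | Add-Member -MemberType NoteProperty -Name Exists -Value $exists -PassThru |
             Add-Member -MemberType NoteProperty -Name Signature -Value $status -PassThru
}

$sample -split "`r?`n" |
    ForEach-Object { Get-AutorunTarget $_ } |
    Where-Object { $_ } |
    ForEach-Object { Test-AutorunEntry $_ } |
    Sort-Object Signature |
    Format-Table Hive, Name, Path, Exists, Signature -AutoSize
```

Replace `$sample` with `Get-Content hijackthis.log` to run it over a whole log. The entries worth time are the ones where the file is missing (a leftover Run value whose payload was already removed, or a name that only resolves somewhere unexpected) and the unsigned binaries living outside Program Files and the Windows directory; a bare name such as CHDAudPropShortcut.exe that does not resolve to System32 or the Windows directory deserves a second look because Windows will search the path for it at logon.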

  • Root Admin

Hi yeka,

Well that isn't too good. I really try to help users get back control of their system, but yours is not looking good.

Do you have the Windows XP CD that came with the system? We might have to just backup the system and re-install Windows.

Do you have any other accessories attached to the computer like printers or cameras, etc.? You could try removing ALL external devices and try to run the CD again. I've never heard of anyone complaining of the computer shutting down before while using that CD.


Hi, I don't have any Windows XP CD; I think I have to create recovery discs? If re-installing is the only solution left I would like to return to the Swedish forum so I can be guided in Swedish. I'll be waiting for an answer from you before I do anything else. Thank you for your help :D:D


This topic is now closed to further replies.