AdvancedSetup (Root Admin) Posted February 9, 2009, ID:54921

Please download Avenger 2.0 from here.
Open and copy the program file avenger.exe to your Desktop, then double click to start it.
Copy and paste the following text from the code box below into the main window of Avenger.

Files to delete:
c:\documents and settings\Administrator\Application Data\nonesono.com
c:\program files\Common Files\sytivyp.bat
c:\program files\Common Files\byquciqo.vbs
c:\program files\Common Files\dylikiwo.com
c:\documents and settings\Administrator\Application Data\vebaxe.dat
c:\program files\Common Files\melonyp.inf

Do not check any other boxes; uncheck Scan for Rootkits if it's checked.
Close all other running applications.
After pasting the text into the main window, click on Execute.
Once Avenger is done, run MBAM, go to the UPDATE tab and update the program again, and do a Quick Scan.
Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.

Disable and Enable System Restore - WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Reboot.

Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Since the Avira did not work out well, please try this one.
Download to the desktop: Dr.Web CureIt
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, click Options > Change settings.
Choose the "Scan" tab and remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found.
If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image.
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, with a new HijackThis log.
yeka (Author) Posted February 9, 2009, ID:54959

Avenger + MBAM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File "c:\documents and settings\Administrator\Application Data\nonesono.com" deleted successfully.
File "c:\program files\Common Files\sytivyp.bat" deleted successfully.
File "c:\program files\Common Files\byquciqo.vbs" deleted successfully.
File "c:\program files\Common Files\dylikiwo.com" deleted successfully.
File "c:\documents and settings\Administrator\Application Data\vebaxe.dat" deleted successfully.
File "c:\program files\Common Files\melonyp.inf" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.33
Databasversion: 1740
Windows 5.1.2600 Service Pack 3

2009-02-09 14:25:38
mbam-log-2009-02-09 (14-25-38).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 55030F
yeka (Author) Posted February 9, 2009, ID:54961

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:32:05, on 2009-02-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemal
yeka (Author) Posted February 9, 2009, ID:54999

Everything is still the same. Another thing I noticed is that the little icons (that are shown where you type the www-address) for specific pages are not correct, e.g. YouTube - sometimes there is no icon and sometimes there is another icon that belongs to another site instead of its own logo. I don't know if I managed to explain it; ask again if you didn't understand and if it is relevant.

DrWeb + HijackThis

A0000001.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{15CB993F-554A-4EB6-86A2-9337A03CDEC3}\RP1\A0000001.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{15CB993F-554A-4EB6-86A2-9337A03CDEC3}\RP1;Archive contains infected objects;;
A0000001.exe;C:\System Volume Information\_restore{15CB993F-554A-4EB6-86A2-9337A03CDEC3}\RP1;Container contains infected objects;Moved.;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Skrivbord\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Administrator\Skrivbord;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Administrator\Skrivbord;Container contains infected objects;Moved.;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:56, on 2009-02-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemal
AdvancedSetup (Root Admin) Posted February 10, 2009, ID:55086

Please explain in more detail the current issues you're seeing or having.
In general, now you have MBAM and Dr.Web both saying that nothing was found that should be an issue.

As a side note, this entry RecGuard.exe indicates that you probably have a Recovery Partition on another drive, probably D:. So a recovery back to the way the box was when you got it might be quite simple. You would want to back up all of your data first (as you should have done by now already) before running it, but that should be a good option and easy if you have to. So please let me know with more detail the current issues you see.

RecGuard.exe
On HP computers, Recguard prevents the deletion or corruption of the WinXP Recovery Partition.
yeka (Author) Posted February 10, 2009, ID:55228

I don't know how to explain it in another way.. I'm not so good at "computer-words" hehe.. but I'll try again.

The main issue is that my own user account doesn't show up in the welcome screen. When I start the computer and the welcome screen comes up there is only nimda as the user account and it wants a password. I tried to log in once with my own password to nimda to see if it works, but it didn't. Then the Swedish forum said that the password is probably "nimda" but I never tried it, since I found another way to log in with my own account and because I don't feel comfortable logging in with the nimda account. When I'm on the welcome screen and press ctrl+alt+delete twice, a "classic" log in version shows up and there is my own user account already typed, so I just have to type my password and log in.

And the other issue is the one I told you yesterday; I've been having this issue for a couple of days now as far as I have noticed it: the little icons that are the websites' own logos, shown beside the www-address, are not right. E.g. instead of Google's logotype my school's logotype takes its place, instead of YouTube there is a logotype that I'm not familiar with, same thing for this site MBAM and so on... And sometimes there's no logo at all, when I know there should be.

Another issue that I had after this nimda thing (but it seems to be gone now) is that when I didn't touch the computer for a couple of minutes the account logged out and the welcome screen appeared. This time both nimda and my own account were there, so I could log in with my own account directly from the welcome screen. There were two strange things about this: one was that usually it takes a longer time for the account to log itself out, and the other thing was that when the account logs out usually MSN also logs out, but when the account logs out in this way everything is like I never had logged out; the MSN is still on when it should have logged out, for example.

I was thinking of maybe trying to log in to the nimda account and trying to remove it myself, but I don't know if I dare and if it is safe to do it? Or if it even is an actual account...? Maybe it is better to just restore or something.. As I said before, if I'm going to do some re-installing actions I would like to return to the Swedish forum and get the guidance in Swedish, if it is ok.
AdvancedSetup (Root Admin) Posted February 11, 2009, ID:55354

Yes, you certainly may go back to a Swedish forum for that, but from what you describe I don't think you need to re-install.
Let me research some fixes for this first and I'll get back to you on it. For the most part, unless it's something really hidden or deeply rooted, I don't think you're currently infected with malware anymore. Now we just need to see if we can restore some of the broken functionality of Windows for you.
AdvancedSetup (Root Admin) Posted February 11, 2009, ID:55358

Try this. Click on START - RUN and type in control userpasswords2 and change your password, or look on the Advanced tab and make sure that "Require users to press CTRL+ALT+Delete" is not checked.
Try creating a new account and giving it a password.

Take a look here and see if one of these fixes applies to your issue.
http://www.kellys-korner-xp.com/xp_wel_screen.htm

The Default Windows Logon Interface May Not Appear After Installing Third-Party Program
http://support.microsoft.com/kb/302346/EN-US/

A discussion about the availability of the Fast User Switching feature
http://support.microsoft.com/kb/294739

How to recover the damaged user profile in Windows XP
http://support.microsoft.com/kb/555473
AdvancedSetup (Root Admin) Posted February 11, 2009, ID:55360

You can also try this program. I would select ALL check boxes and run it by clicking on the GO button.
Please download and run this program: Dial-a-fix
yeka (Author) Posted February 12, 2009, ID:55690

I had no time to try these things today, I'll try tomorrow! Thank you!
AdvancedSetup (Root Admin) Posted February 12, 2009, ID:55802

Okay, let me know how it goes. Thanks.
yeka (Author) Posted February 12, 2009, ID:55994

Hi, I didn't manage to do all the things you told me. I tried to give this a try: http://www.kellys-korner-xp.com/xp_wel_screen.htm "Show Administrator on the Welcome Screen" but I didn't understand how to do it.
I also wanted to try this http://support.microsoft.com/kb/302346/, am I supposed to remove this --> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL ? I couldn't find this, maybe I searched wrong. And I also do not have any backup, so I was afraid of doing it wrong.

What I did was the Dial-a-fix thing. And this: "Try this. Click on START - RUN and type in control userpasswords2 and change your password, or look on the Advanced tab and make sure that is not checked. Try creating a new account and giving it a password." I couldn't find where to change my password doing it your way, so I did it through Control Panel --> User Accounts (I don't know the English words..?) And the "Require users to press CTRL+ALT+Delete" was not checked. I did create a new account with a password and then rebooted. Now there is nimda and that new account but not my own account.

While I was changing my password in my own account I saw this: The administrator account is visible only on the welcome screen when no other user account is created (except the guest account), or when you start the computer in safe mode. (I translated this from Swedish.) Is this interesting? The nimda account is also an administrator account.. it says so anyway..
AdvancedSetup (Root Admin) Posted February 13, 2009, ID:56120

Hold on - you hit it right on the nail (so to speak).
Is YOUR account name ADMINISTRATOR?
If so, that is the issue. The Windows XP Welcome screen does not show that account, sort of on purpose, unless as you say it is the ONLY account on the box. (Not a good thing; it is always better to have another account in case something happens to your account.)
AdvancedSetup (Root Admin) Posted February 13, 2009, ID:56121

Just went and looked at one of your first posts with CF and it shows that ADMINISTRATOR is your account.
c:\documents and settings\Administrator
So, that is why it does not show (and as said, should not show now). Since you did not create the Nimda account yourself, I would remove that account and profile and the NEW one you just created, and you should then see the Administrator account on the screen. BUT I don't recommend that. You should have another account with Admin rights as well, in case of trouble and where you might need that account. I would put a password on both accounts; even if they're simple, it's better than being blank.
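The two facts this post turns on, that the owner's account is the built-in Administrator (RID 500, the account the XP Welcome screen hides once any other account exists) and that an account with admin rights appeared which the owner never created, can be checked from PowerShell instead of by eye. This is an added example, not code from the thread or from Malwarebytes; it uses the WinNT ADSI provider so it runs on PowerShell 2.0-era systems as well as current ones, and the allow-list names are assumptions.

```powershell
# Added example (not from the thread): list local Administrators group members,
# mark the built-in Administrator by its RID rather than its name (the name can
# be renamed, the RID cannot), and flag any member not on an allow-list.

# Assumption: the admin accounts you know you created. Edit before running.
$expectedAdmins = @('Administrator', 'Yeka')   # hypothetical names

$computer = $env:COMPUTERNAME
$group = [ADSI]"WinNT://$computer/Administrators,group"

foreach ($member in @($group.Invoke('Members'))) {
    # Members are COM objects; read Name and the raw objectSid bytes via reflection.
    $name = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $rid = [int]($sid.Value.Split('-')[-1])    # last sub-authority is the RID

    $note = 'expected'
    if ($rid -eq 500) {
        $note = 'built-in Administrator (RID 500): hidden from the XP Welcome screen while other accounts exist'
    }
    if ($expectedAdmins -notcontains $name) {
        $note = 'NOT on allow-list: find out who created it before trusting it'
    }

    '{0,-20} {1,-46} {2}' -f $name, $sid.Value, $note
}
```

An account such as the "nimda" one in this thread would show up with the NOT on allow-list note even if it had been renamed to look familiar, because the comparison is against the allow-list and the RID, not against what the Welcome screen displays.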
yeka (Author) Posted February 13, 2009, ID:56222

YES!!!!!! It's gone! Thank you for your help! Everything is back to the way it was as far as I can see. Thank you.
AdvancedSetup (Root Admin) Posted February 13, 2009, ID:56306

If you need it: Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.
Go to http://java.sun.com/javase/downloads/index.jsp
Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
In the Platform box choose Windows.
Check the box to Accept License Agreement and click Continue.
Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
Install the new version by running the newly-downloaded file with the Java icon which will be on your desktop, and follow the on-screen instructions.
Uncheck the Toolbar button (unless you want the toolbar).
Reboot your computer.

Great, all looks good now.
I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore - WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Reboot.

Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-Secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3. The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor Free.

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org