a sad tale; rise to the challenge geeks!

  • This topic is locked

#1
blirger

dear geeks, here is my sad tale. I most sincerely hope that you can make it so that my tale gets a happy ending.

my computer had been running extraordinarily slow the last few days. I thought that I'd try to run ad-aware so I found the homepage and clicked download and...KAZAPP. the computer shut down...scaaaaary...the malicious malefactor almost seemed to know that I was going to do something about him.

after this event the computer was in a weird state of mind. it didn't start norman antivirus and when I tried to start spybot search and destroy it actually nearly started but didn't. I tried rebooting but the problem was still there.

suddenly I couldn't start xp anymore...I came to the point where there is some sort of black loading screen (before the welcome thingy) but then the computer resets. (the tempus is slowly a-changin). this is where I am now. I cannot start xp in safe mode. I have tried to go back to earlier configurations (or whatever it may be called in english...I'm sure you'll understand). when I start in "searching for error"-mode (freely translated) there is a bluescreen where it says something incomprehensible about bios's and something about the file sshdrv79.sys.

however the good news is that I can start windows ME. I tried to search for the file sshdrv79.sys in order to perhaps replace it in case that would work but I couldn't find it.

so...what can I do?

I cannot reach into windows xp so I cannot do anything through there...can I do anything from win ME?
  • 0



#2
Metallica

Hi blirger,

You can scan all the files on the XP partition when you are logged into ME.

One thing I'd like to rule out is that ME is infected as well.
So can you post a HijackThis log for ME?
And go HERE to run Panda's ActiveScan:
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • Make sure all your partitions are selected for the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Regards,
  • 0

#3
blirger

thank you for your kind help!

here's the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 08:34:34, on 2006-09-27
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  • 0

#4
blirger

and here's the pandascan


Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Cookies\skit@zedo[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Cookies\skit@realmedia[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Cookies\skit@apmebf[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\WINDOWS\Cookies\skit@qksrv[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\skit@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\skit@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Cookies\skit@mediaplex[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\WINDOWS\Cookies\skit@statcounter[1].txt
Spyware:Cookie/FastClick Not disinfected C:\WINDOWS\Cookies\skit@fastclick[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\WINDOWS\Cookies\skit@bluestreak[1].txt
Spyware:Cookie/Research-int Not disinfected C:\WINDOWS\Cookies\skit@research-int[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Cookies\skit@247realmedia[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\WINDOWS\Cookies\skit@tradedoubler[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\WINDOWS\Cookies\skit@sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Cookies\skit@advertising[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Virus:Trj/Torpig.DK Disinfected C:\NFFJD.EXE
Virus:JS/Psyme.gen Renamed C:\System Volume Information\_restore{A2E1D37C-3373-4558-92AC-5760510469C2}\RP8\A0009356.VBS
Virus:Trj/Torpig.DK Disinfected C:\System Volume Information\_restore{A2E1D37C-3373-4558-92AC-5760510469C2}\RP8\A0010367.EXE
Virus:Trj/Torpig.DK Disinfected C:\System Volume Information\_restore{A2E1D37C-3373-4558-92AC-5760510469C2}\RP8\A0010400.EXE
Virus:Trj/Torpig.DK Disinfected C:\System Volume Information\_restore{A2E1D37C-3373-4558-92AC-5760510469C2}\RP8\A0011399.EXE
Potentially unwanted tool:Application/KillApp.A Not disinfected D:\Documents and Settings\Henrik Helén\Lokala inställningar\Temporary Internet Files\Content.IE5\QRATCDWF\djgzduldd[1].htm
Potentially unwanted tool:Application/KillApp.A Not disinfected D:\Documents and Settings\Henrik Helén\Lokala inställningar\Temporary Internet Files\Content.IE5\QRATCDWF\akdmeeiun[1].htm
Virus:Trj/Torpig.DK Disinfected D:\Documents and Settings\Henrik Helén\Lokala inställningar\Temporary Internet Files\Content.IE5\C8RJT3ME\wclvjwj[1].txt
Adware:Adware/Secure32 Not disinfected D:\Documents and Settings\Henrik Helén\Lokala inställningar\Temporary Internet Files\Content.IE5\C8RJT3ME\lexhlpg[1].txt
Potentially unwanted tool:Application/KillApp.A Not disinfected D:\Documents and Settings\Henrik Helén\Lokala inställningar\Temporary Internet Files\Content.IE5\C8RJT3ME\jspvmdvmdq[1].htm
Virus:Trj/Clicker.TC Disinfected D:\Documents and Settings\Henrik Helén\Lokala inställningar\Temporary Internet Files\Content.IE5\C8RJT3ME\saquymqhly[1].txt
Virus:Trj/Jupillites.G Disinfected D:\Documents and Settings\Henrik Helén\Lokala inställningar\Temporary Internet Files\Content.IE5\OLQ3CDUJ\nkqnrvmq[1].htm
  • 0

#5
Metallica

OK.
A few things that need attention.

Please check if this file is really gone:
C:\NFFJD.EXE

Follow the instructions here: http://service1.syma...000092513515106
for Windows ME. You can skip step 2

Clear your internet cache:
  • Click Tools > Internet Options.
  • Click the General tab.
  • Click Delete Files.
  • Click OK in the Delete Files dialog box.
  • Click OK.
  • Restart Internet Explorer.
Then let me know if you can boot into safe mode for XP

Regards,
  • 0
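Added example, not part of either poster's messages: the reply above treats findings differently depending on where they sit (a file in the drive root, the restore store, the browser cache), and this sketch parses report rows in the layout posted in #4 and groups them the same way. The sample rows are constructed from that report with the user name shortened, and the bucket names and the location-to-bucket mapping are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: five rows adapted from the report in post #4.
SAMPLE_REPORT = r"""
Incident Status Location
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Cookies\skit@zedo[2].txt
Virus:Trj/Torpig.DK Disinfected C:\NFFJD.EXE
Virus:JS/Psyme.gen Renamed C:\System Volume Information\_restore{A2E1D37C-3373-4558-92AC-5760510469C2}\RP8\A0009356.VBS
Potentially unwanted tool:Application/KillApp.A Not disinfected D:\Documents and Settings\user\Temporary Internet Files\Content.IE5\QRATCDWF\djgzduldd[1].htm
Virus:Trj/Clicker.TC Disinfected D:\Documents and Settings\user\Temporary Internet Files\Content.IE5\C8RJT3ME\saquymqhly[1].txt
"""

# "<category>:<name> <status> <path>"; category and name may contain spaces.
ROW = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+(?: \S+)*?) "
    r"(?P<status>Not disinfected|Disinfected|Renamed) "
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Path marker -> bucket. The mapping is this example's assumption.
BUCKETS = [
    ("\\_restore", "system_restore"),
    ("\\temporary internet files\\", "ie_cache"),
    ("\\cookies\\", "cookies"),
]

def parse_report(text):
    """Return one dict per recognisable row; headers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def bucket_for(path):
    lowered = path.lower()
    for marker, name in BUCKETS:
        if marker in lowered:
            return name
    return "filesystem"  # anything else needs a manual check on disk

def triage(text):
    grouped = defaultdict(list)
    for row in parse_report(text):
        grouped[bucket_for(row["path"])].append(row)
    return dict(grouped)

def unresolved(text):
    """Rows the scanner did not report as Disinfected."""
    return [r for r in parse_report(text) if r["status"] != "Disinfected"]
```
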

#6
blirger

okay, the C:\NFFJD.EXE seems to be gone, I tried to search for it without results and then I explored c: with the option "show hidden and system files" (not sure this is the english name but I guess you'll understand).

then I inactivated the system restore thing. after the restart I cleared the internet cache. then I reactivated the system restore.

I tried to log into xp using safe mode, however I couldn't do that (sad but true). it went black (it didn't fade to black though) and something about partitions was flashing.

there is a possible factor that I have failed to mention, there are two partitions (if partitions are ~parts of the harddrive) that I cannot reach from ME, and thus they were not scanned by the panda activescan. however these partitions are just full of games, mpegs and mp3:s. the system files etc are on the two partitions I CAN reach.

Thank you for your kind help!
  • 0

#7
Metallica

Good job so far. :whistling:

We will probably have to unload the missing driver from the Recovery Console.

Do you have a Windows XP CD you can use to boot from?

Regards.
  • 0

#8
blirger

well actually I don't, my version of xp isn't the kind you buy for money...it was installed by a friend but I don't have the cd. however I can probably borrow an xp cd from someone...but if I do that and use it, will there be any problem with microsoft disabling the cd-key or something like that? basically my question is: if two computers use the same xp will there be any problem with updating xp later?

another q, if I have xp pro, will an xp home do?

btw. will be away for the rest of the day.
  • 0

#9
Metallica

While we understand that you may not have been aware, your copy of Windows is not legitimate. Unfortunately, we are unable to help you any further on this site, as we have a strict policy we adhere to in only helping people who have legitimate copies of Windows. Thank you for understanding.
  • 0





