Continual popups - Malware?
furneaux
Newbie
21. January 2008 @ 23:54
I get continual popups. AdAware, Spybot and Vet antivirus show nothing. I think it may be called Storage Protector. The main popups are four:

Important - Potential Errors found in system
During a scan of files at system startup, potential errors in the system registry were found.
p-07-0100 irql: 1f SYVER 0xff00024
NT_Kernel error 1256
KMODE_EXCEPTION-NOT_HANDLED

-----------------

Your system could become unstable
A potential problem has been detected and Windows has been [sic] shutdown buggy application to prevent damage to computer. ****WXYZ.SYS -Address F73120AE base at C00000, DateStamp 36b 072A3 Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)

------------------

The application failed to initialize because the window station is shutting down

-----------------------

A Critical error could occur
***STOP: 0x000007B (0xF20184(0x F20184, 0x00000, 0xCC0034***
Inaccessible handler or device
Click this balloon to fix the problem

-------------------------

Any thoughts on what I should do, please. Here is my hijackthis.log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:09 PM, on 22/01/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Arthur\Desktop\HiJackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dc7b1ac7] rundll32.exe "C:\WINDOWS\System32\weasfvxp.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: iinet.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{311D141F-99BA-40BF-A95F-578D1D13582A}: NameServer = 203.0.178.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{D19F3C97-2978-44D9-A160-E522F386940E}: NameServer = 192.168.3.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
Member
22. January 2008 @ 17:24
hi,

Download combofix from one of these links and save it to Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

as a precaution, before using combofix:
Close any open windows
Close/disable antivirus and any antimalware programs that might have real-time protection running. Usually this can be done by clicking on the icons by the clock and selecting exit etc. This is done to prevent any possible interference while Combofix is running. After combofix is done you can restart them.


Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply


Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.

furneaux
Newbie
22. January 2008 @ 23:28
Very many thanks for that. All now seems better. Here's hoping. I have been trying to send you all 550 pages of the report that combofix produced but I have twice been unsuccessful. I have therefore cut out over 540 pages of .tmp file references in the middle of it and am sending just the beginning and ending parts of the report. Here they are:


ComboFix 08-01-23.1 - Arthur 2008-01-23 9:55:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.454 [GMT 11:00]
Running from: C:\Documents and Settings\Arthur\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\storageprotector
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\ac
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\em
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\oid
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\user
C:\Documents and Settings\Arthur\Application Data\storageprotector
C:\Documents and Settings\Arthur\Application Data\storageprotector\Logs\update.log
C:\Documents and Settings\Arthur\My Documents\pos1000.tmp
C:\Documents and Settings\Arthur\My Documents\pos1001.tmp
C:\Documents and Settings\Arthur\My Documents\pos1002.tmp

[over 540 pages of .tmp file references follow]
--------------------------

((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-23 09:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 09:36 . 2008-01-22 09:37 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-01-18 13:40 . 2008-01-19 22:45 1,076,294 --ahs---- C:\WINDOWS\system32\rfgjlqiq.ini
2008-01-17 13:39 . 2008-01-18 13:39 1,075,942 --ahs---- C:\WINDOWS\system32\qkesjsmf.ini
2008-01-15 21:02 . 2008-01-17 13:27 1,057,036 --ahs---- C:\WINDOWS\system32\hkchpacc.ini
2008-01-14 11:53 . 2008-01-14 11:53 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-14 11:49 . 2008-01-14 11:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 23:06 . 2008-01-21 10:27 477 --a------ C:\WINDOWS\wininit.ini
2008-01-12 22:22 . 2007-12-29 16:42 109,911 --------- C:\WINDOWS\hpoins08.dat.temp
2008-01-12 22:22 . 2006-01-25 10:23 7,577 --------- C:\WINDOWS\hpomdl08.dat.temp
2008-01-12 15:13 . 2008-01-12 15:13 524 --a------ C:\iinet.lnk
2008-01-02 21:20 . 2008-01-02 21:39 <DIR> d-------- C:\QUICKENW
2008-01-02 21:20 . 1996-07-18 13:06 297,472 --a------ C:\WINDOWS\uninst.exe
2008-01-02 21:19 . 1997-04-14 15:09 113 --a------ C:\WINDOWS\QFNAUST.INI
2008-01-02 21:19 . 2008-01-02 21:21 48 --a------ C:\WINDOWS\QFN.INI
2008-01-02 21:04 . 2008-01-02 21:04 <DIR> d-------- C:\WINDOWS\Intuit
2008-01-02 21:04 . 1999-12-12 19:59 40,448 --a------ C:\WINDOWS\Icg32.dll
2008-01-02 21:04 . 1999-12-12 19:59 5,776 --a------ C:\WINDOWS\Icoadb32.dat
2008-01-02 21:04 . 2008-01-02 21:11 12 --a------ C:\WINDOWS\QBWCD.INI
2007-12-29 16:41 . 2007-12-29 16:41 <DIR> d-------- C:\Program Files\Common Files\HP
2007-12-29 16:39 . 2007-12-29 16:39 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-29 16:37 . 2007-12-29 16:37 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-29 16:37 . 2005-10-28 11:24 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-12-29 16:37 . 2005-10-28 11:24 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-12-29 16:36 . 2005-03-14 12:03 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-12-29 16:36 . 2005-03-14 12:05 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-12-29 16:36 . 2005-03-08 11:55 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-12-29 16:36 . 2005-03-22 23:48 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-12-29 16:36 . 2005-03-14 12:05 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-12-29 16:36 . 2005-03-14 13:39 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-12-29 16:36 . 2005-03-08 11:55 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-12-29 16:36 . 2005-10-14 22:42 46,592 --a------ C:\WINDOWS\system32\hpzll43a.dll
2007-12-29 16:36 . 2001-08-17 13:53 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-29 16:36 . 2001-08-17 13:53 13,824 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-29 16:34 . 2007-12-29 16:41 <DIR> d-------- C:\Program Files\HP
2007-12-29 16:32 . 2008-01-12 22:23 108,580 --a------ C:\WINDOWS\hpoins08.dat
2007-12-29 16:32 . 2006-01-25 10:23 7,577 --------- C:\WINDOWS\hpomdl08.dat
2007-12-25 21:21 . 2007-12-25 21:21 60 --a------ C:\WINDOWS\system32\i
2007-12-22 19:44 . 2007-12-22 19:44 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-12-22 17:58 . 2008-01-12 17:31 <DIR> d-------- C:\WINDOWS\nview
2007-12-22 17:58 . 2007-12-22 17:58 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-22 17:58 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-12-22 17:58 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-12-22 17:58 . 2008-01-23 10:32 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2007-12-22 17:58 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2007-12-22 15:34 . 2007-12-22 15:34 <DIR> d-------- C:\Program Files\Nero
2007-12-22 15:34 . 2007-12-22 15:42 <DIR> d-------- C:\Program Files\Common Files\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 22:44 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-15 03:39 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-14 00:55 --------- d-----w C:\Program Files\Lavasoft
2008-01-12 03:53 430,080 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-01-07 00:47 --------- d-----w C:\Program Files\Microsoft Works
2007-12-22 08:43 879,832 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-12-22 08:43 108,360 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-12-22 07:05 75,304 ----a-w C:\WINDOWS\system32\VetRedir.dll
2007-12-22 07:05 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-12-22 07:05 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-12-22 07:05 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-12-22 07:05 116,264 ----a-w C:\WINDOWS\UnVet32.exe
2007-12-22 07:05 112,168 ----a-w C:\WINDOWS\AVShlExt.dll
2007-12-21 07:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-20 23:52 879,832 ----a-w C:\WINDOWS\system32\drivers\VetEFile.1
2007-12-20 23:52 26,787 ----a-w C:\WINDOWS\system32\drivers\VetMonNT.1
2007-12-20 23:52 108,360 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.1
2007-12-20 23:51 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.1
2007-12-20 23:51 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.1
2007-12-20 23:51 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.1
2007-12-20 23:51 --------- d-----w C:\Program Files\CA
2007-12-20 10:44 --------- d-----w C:\Program Files\FreeRIP2
2007-12-20 08:08 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-20 07:59 --------- d--h--w C:\Program Files\Uninstall Information
2007-12-20 07:50 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 23:00 13312]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22 7700480]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Arthur^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\Arthur\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\jkhfd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

S2 SMSCGISVC;System Managment Controler;"C:\WINDOWS\system\smscg.exe" []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 10:33:14
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-23 10:37:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-22 23:37:17
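The "Files Created" section of the ComboFix report above is where the infection shows most clearly: three hidden, system-attributed .ini files of about 1 MB each with random eight-letter names in system32. The script below is an added example (not from the thread and not part of ComboFix) that parses that section's line format and flags the entries an analyst would read first. SAMPLE is an excerpt of the report posted above; the three flagging rules (hidden+system file in system32, random eight-letter name, megabyte-sized .ini) are this example's own assumptions about what to look at, not ComboFix logic.

```python
"""Triage the "Files Created" section of a ComboFix report.

Added example, not from the thread or from ComboFix. SAMPLE is an excerpt of
the report posted in the thread; the flagging rules are this example's own
assumptions about what an analyst reads first, not ComboFix behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the report posted in the thread (unchanged lines).
SAMPLE = r"""((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-22 09:36 . 2008-01-22 09:37 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-01-18 13:40 . 2008-01-19 22:45 1,076,294 --ahs---- C:\WINDOWS\system32\rfgjlqiq.ini
2008-01-17 13:39 . 2008-01-18 13:39 1,075,942 --ahs---- C:\WINDOWS\system32\qkesjsmf.ini
2008-01-15 21:02 . 2008-01-17 13:27 1,057,036 --ahs---- C:\WINDOWS\system32\hkchpacc.ini
2008-01-14 11:53 . 2008-01-14 11:53 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-12 23:06 . 2008-01-21 10:27 477 --a------ C:\WINDOWS\wininit.ini
2007-12-29 16:37 . 2005-10-28 11:24 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-12-25 21:21 . 2007-12-25 21:21 60 --a------ C:\WINDOWS\system32\i
"""

# One report line: "<created> . <modified> <size|<DIR>> <attrs> <path>"
LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{9}) (?P<path>.+)$"
)
# Assumed heuristic: eight lowercase letters plus a three-letter extension.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.[a-z]{3}$")


@dataclass(frozen=True)
class CreatedFile:
    created: str
    modified: str
    size: int | None   # None for directories
    attrs: str         # ComboFix attribute string, e.g. "--ahs----"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_created(report: str) -> list[CreatedFile]:
    """Parse every file line of the section; headers and '.' separators are skipped."""
    files = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        files.append(CreatedFile(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return files


def flag_file(f: CreatedFile) -> list[str]:
    """Reasons to look at this entry first (heuristics assumed by this example)."""
    reasons: list[str] = []
    if f.is_dir:
        return reasons
    in_sys32 = "\\system32\\" in f.path.lower()
    if in_sys32 and "h" in f.attrs and "s" in f.attrs:
        reasons.append("hidden+system file dropped in system32")
    if in_sys32 and RANDOM_NAME.match(f.name):
        reasons.append("eight-letter random-looking filename")
    if in_sys32 and f.size and f.size > 1_000_000 and f.name.lower().endswith(".ini"):
        reasons.append("megabyte-sized .ini (real settings files are tiny)")
    return reasons


def triage_created(report: str) -> list[tuple[CreatedFile, list[str]]]:
    """Return (entry, reasons) for every flagged file, in report order."""
    return [(f, r) for f in parse_created(report) if (r := flag_file(f))]


if __name__ == "__main__":
    for f, reasons in triage_created(SAMPLE):
        print(f"{f.path}  size={f.size}  attrs={f.attrs}")
        for reason in reasons:
            print("   ->", reason)
```

Run against the excerpt, the script flags exactly the three random-named .ini files and nothing else: the HP driver, the `system32\Microsoft` directory and the plain `wininit.ini` pass through. The size rule is there because a settings file of a megabyte is itself the anomaly, independent of the name.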
Member
23. January 2008 @ 06:01
ok good. one more download to get and use:

download and run vundofix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

furneaux
Newbie
23. January 2008 @ 18:45
Vundofix said "No infected files were found" and "Vundo will now close". Here for the record is C:\vundofix.txt

---------------------------
VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 10:07:54 AM 24/01/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...
----------------------------

As Vundofix has not had to take any action I assume you don't now need me to send a new HiJackThis log? What is the significance of the warning that I received ("WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!")? Do I need to take any action or was that just part of the Combofix process?

There have been no further popups and the computer is running a lot faster. How do you know these things? I'm very impressed. And I can now show my son that, even though I'm 74, I can nevertheless manage to do things on computers beyond mere word processing and sending e-mails.
Member
23. January 2008 @ 19:58
hi,

ok good.

Quote:
I assume you don't now need me to send a new HiJackThis log?
one more hjt log would be great

Quote:
What is the significance of the warning that I received?: WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !
it's just a warning, in case the recovery console would have to be used for some reason.

Quote:
computer is running a lot faster. How do you know these things? I'm very impressed.
I've been looking at hjt logs for at least 4 years.

Quote:
And I can now show my son that, even though I'm 74, I can nevertheless manage to do things on computers beyond mere word processing and sending e-mails.

yes you can, show him this thread.

echoreply

furneaux
Newbie
23. January 2008 @ 22:57
I will. Thank you again VERY much. And here's the new hijackthis.log. I hope it shows that all is now well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:04 PM, on 24/01/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Arthur\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: iinet.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{311D141F-99BA-40BF-A95F-578D1D13582A}: NameServer = 203.0.178.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{D19F3C97-2978-44D9-A160-E522F386940E}: NameServer = 192.168.3.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 2925 bytes
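The two HijackThis logs in this thread are a before/after pair, and reading them the way the helper does comes down to two things: spotting the entries that do not belong, and checking what changed between runs. The script below is an added example (not from the thread and not part of HijackThis) that does both over excerpts of the two logs posted above. BEFORE_LOG and AFTER_LOG are shortened copies of those logs; the flagging heuristics (a Run value named with eight hex characters, rundll32 loading an eight-letter random-named DLL, an O23 service with no publisher or a missing binary) are this example's own assumptions about what a log reader looks at first, not rules from the tool.

```python
"""Triage and diff HijackThis logs.

Added example, not from the thread or from HijackThis itself. BEFORE_LOG and
AFTER_LOG are excerpts of the two logs posted in the thread; the flagging
heuristics are this example's own assumptions, not tool behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the first log in the thread (before ComboFix).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dc7b1ac7] rundll32.exe "C:\WINDOWS\System32\weasfvxp.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
"""

# Excerpt of the second log (after ComboFix and VundoFix).
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
"""

ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")       # "O4 - ..." style section entries
VALUE_NAME = re.compile(r"\[([^\]]+)\]")           # the [name] of a Run value
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")            # assumed heuristic: 8 hex chars
RANDOM_DLL = re.compile(r"\\[a-z]{8}\.dll")         # assumed heuristic: 8 random letters


@dataclass(frozen=True)
class HjtEntry:
    section: str   # "O4", "O23", ...
    body: str      # text after "O4 - "

    def __str__(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt(log: str) -> list[HjtEntry]:
    """Keep only the numbered section entries; headers and the process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def flag_entry(e: HjtEntry) -> list[str]:
    """Reasons an analyst would look at this entry first (heuristics assumed here)."""
    reasons: list[str] = []
    if e.section == "O4":
        m = VALUE_NAME.search(e.body)
        name = m.group(1) if m else ""
        if HEX_NAME.match(name):
            reasons.append("Run value name is an eight-character hex string")
        if "rundll32" in e.body.lower() and RANDOM_DLL.search(e.body):
            reasons.append("rundll32 loads a DLL with an eight-letter random-looking name")
    elif e.section == "O23":
        if "Unknown owner" in e.body:
            reasons.append("service has no identified publisher")
        if "(file missing)" in e.body:
            reasons.append("service binary is missing on disk (orphaned entry)")
    return reasons


def triage(log: str) -> list[tuple[HjtEntry, list[str]]]:
    """Return (entry, reasons) for every flagged entry, in log order."""
    return [(e, r) for e in parse_hjt(log) if (r := flag_entry(e))]


def diff_logs(before: str, after: str) -> tuple[list[HjtEntry], list[HjtEntry]]:
    """Entries that disappeared between the two logs, and entries that appeared."""
    b, a = parse_hjt(before), parse_hjt(after)
    b_set, a_set = set(b), set(a)
    return [e for e in b if e not in a_set], [e for e in a if e not in b_set]


if __name__ == "__main__":
    for label, log in (("BEFORE", BEFORE_LOG), ("AFTER", AFTER_LOG)):
        print(f"== {label}: entries to review ==")
        for entry, reasons in triage(log):
            print(f"  {entry}\n    -> {'; '.join(reasons)}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("== removed between logs ==", *map(str, removed), sep="\n  ")
    print("== added between logs ==", *map(str, added), sep="\n  ")
```

On these excerpts the diff shows the `dc7b1ac7` rundll32 entry gone after ComboFix and only the Acrobat BHO newly present, which is the same conclusion the helper reached by eye. The triage of the second log still reports the `SMSCGISVC` service: its binary is missing, so it cannot run, but an orphaned service entry with no publisher is the kind of leftover a cleanup normally removes as well.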
Member
24. January 2008 @ 06:09
you're welcome, log looks ok. you can remove combofix like this:

go to Start > Run, type in combofix /u and click OK
note: there is a space after the x in combofix and before the u
you can delete the vundofix icon

new restore point, the why and how:

One of the features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore points)

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot


looks like you are way behind on windows updates. you need to pay a visit to the website and get caught up.

happy safe surfing

furneaux
Newbie
24. January 2008 @ 06:38
All done - successfully, I hope. Yes, I'm behind on windows updates. I re-loaded windows in December and straightaway got the malware so there seemed little point in updating until the problem was removed. That's done now, so I'll update straight away. I'm amazed and delighted. Once again, very many thanks. Keep doing good works.
krobin8
Newbie
7. February 2008 @ 07:20
hey,

I'm having the same problems!! can you help me too please?

thanks

keith
metaller
Newbie
8. February 2008 @ 11:40
hi,

I'm having the same trouble as the above.
I'll try this same process; is there any problem?

thanks for your attention!
metaller
Newbie
8. February 2008 @ 19:03
thanks man!
it worked for me
  © 1999-2025 by AfterDawn Ltd.