Author Topic: is the virus still there?  (Read 2833 times)

malmesjo

  • Guest
« on: May 14, 2009, 12:44:03 AM »
Hi,

I'm on an XP, SP3 machine which I use for work. Running ESET Nod 32 antivirus.

Symptoms - Yesterday morning my network stopped working. I could get an IP address just fine, but could not get any routing. I could not even reach my default router 192.168.1.1. Same thing both on wireless and wired network.

In safe mode with networking, my network worked just fine. ESET reported a few viruses:
Code:
2009-05-13 09:33:26 Real-time file system protection file C:\System Volume Information\_restore{A84ED1A6-CF4C-4F28-AFCA-EFE889754B6D}\RP159\A0142371.dll Win32/TrojanDownloader.FakeAlert.AAX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
2009-05-12 23:36:06 Real-time file system protection file C:\WINDOWS\system32\msxml71.dll Win32/TrojanDownloader.FakeAlert.AAX trojan cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\msiexec.exe.
2009-05-12 22:18:18 Real-time file system protection file C:\WINDOWS\system32\10701.exe Win32/Agent.NXT trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
2009-05-12 17:22:42 Real-time file system protection file C:\DOCUME~1\stema\LOCALS~1\Temp\3681.exe Win32/TrojanDownloader.FakeAlert.ABV trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\DOCUME~1\stema\LOCALS~1\Temp\3681.exe.

Key file here is c:\windows\system32\10701.exe.

After this I tried disabling services via msconfig, and found out that if I disable a service called ipfw_helper, then my network starts working fine again. This service points to c:\windows\system32\10701.exe. Funny thing is that that file does not exist any more (I guess ESET removed it). However, if I enabled the service again in msconfig, then my network stopped working again.

Question is, is the virus still there somewhere? And how do I get rid of the service?

Log files are attached.

[attachment deleted by admin]
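
The cross-check the post is asking for, as an added example that is not part of the original post: parse the quoted ESET lines, then flag deletions that were deferred to a restart and services whose binary path matches a quarantined file. The function names are hypothetical and the regex is fitted only to the four lines quoted above, not to a documented ESET log format.

```python
import re

# The four ESET real-time protection log lines quoted in the post above.
LOG = r"""
2009-05-13 09:33:26 Real-time file system protection file C:\System Volume Information\_restore{A84ED1A6-CF4C-4F28-AFCA-EFE889754B6D}\RP159\A0142371.dll Win32/TrojanDownloader.FakeAlert.AAX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
2009-05-12 23:36:06 Real-time file system protection file C:\WINDOWS\system32\msxml71.dll Win32/TrojanDownloader.FakeAlert.AAX trojan cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\msiexec.exe.
2009-05-12 22:18:18 Real-time file system protection file C:\WINDOWS\system32\10701.exe Win32/Agent.NXT trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
2009-05-12 17:22:42 Real-time file system protection file C:\DOCUME~1\stema\LOCALS~1\Temp\3681.exe Win32/TrojanDownloader.FakeAlert.ABV trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\DOCUME~1\stema\LOCALS~1\Temp\3681.exe.
"""

# Pattern fitted to those four lines only (an assumption, not a documented ESET format).
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Real-time file system protection "
    r"file (?P<path>.+?) (?P<threat>Win32/\S+) trojan "
    r"(?P<action>cleaned by deleting(?: \(after the next restart\))?) - quarantined "
    r"(?P<user>.+?) Event occurred during an attempt to (?P<op>access|run) the file "
    r"by the application: (?P<app>.+?)\.$"
)

def parse(log):
    """Turn each recognised log line into a dict of named fields."""
    matches = (LINE_RE.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]

def norm(path):
    """Windows paths are case-insensitive, so compare them lowercased."""
    return path.strip().strip('"').lower()

def triage(events, service_images):
    """List deferred deletions and services whose binary was quarantined."""
    detected = {norm(e["path"]): e["threat"] for e in events}
    return {
        # Files only removed at the next boot: confirm they are gone after restarting.
        "deferred": [e["path"] for e in events if "next restart" in e["action"]],
        # Service registrations that outlived the file the scanner deleted.
        "orphaned_services": {name: detected[norm(image)]
                              for name, image in service_images.items()
                              if norm(image) in detected},
    }

# Service name and binary path as reported in the post.
SERVICES = {"ipfw_helper": r"c:\windows\system32\10701.exe"}

if __name__ == "__main__":
    print(triage(parse(LOG), SERVICES))
```
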