unknown device installed....

Thread starter: maya

maya

hi,

I'm on Vista Ultimate.. all of a sudden I get this message on lower
right-hand corner of my computer saying something like "to protect
against malware install such-and-such.." I clicked cancel, closed all
apps, and restarted the machine..

then when it rebooted it looked like it was installing something.. I
managed to get a screenshot before it disappeared.. I have no idea what
this is or where it is installed...

http://www.mayacove.com/misc/ss_unknown.gif

does anybody know what this is and how to un-install it? (if I need to..)
I didn't find anything in CP -> remove programs that I didn't
recognize.. the icon in the system tray you see in the screenshot has
disappeared completely....


thank you very much..
 
This is not enough information to get you focused help but the message
you got about installing "such-and-such" (and it would have been most
helpful to tell us the name of "such-and-such") is classic malware
behavior. Without knowing the name of the culprit, I can't give you a
link to its removal but follow these general malware removal steps:

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
- download site

The site is in German but David's tool is in English so don't let that
worry you. Scroll all the way down to almost the bottom of the page and
you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
You'll see "Download von www pctipp.ch" and the live link to download
Multi_AV.

You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.


Malke
 
Andre said:
Have you checked to see if there are any changes to Device Manager?

yes I looked in device manager but have no idea what is new there and
what isn't... (it's divided into many subsections (computer, keyboards,
dvd/cd-rom drives, port, processors, portable devices, etc.. lots
more... wouldn't know where to look and wouldn't recognize anything new..)

thank you ....
 
Andre said:
Have you checked to see if there are any changes to Device Manager?

I just found a 'drivers' folder in C drive, all the dirs inside show
they were last modified last July... I hope this is a good sign....;)

HOWEVER: I just saw something unexpected in my machine that may have to
do with this and maybe it's not malware.. I just opened Windows Media
Center, which I hadn't used in about two or three weeks, and there's a
whole new section in the menu, "internet TV" -- with movies, and other
stuff, this is totally new... I have no idea if this is related to this
thing.. but asking just in case..

thanks again....
 
Media Center regularly downloads new content, so that's normal. The Drivers
folder is also normal. I would follow the advice provided by Malke posted
earlier.
 
Hello,
If it's a device driver it will more than likely use setupapi to install.
You can look in c:\windows\inf\setupapi.dev.log for entries recorded at
or close to that time.
Some applications can use setupapi as well, so you may want to check
c:\windows\inf\setupapi.app.log for entries recorded at or close to that
time.

If there was an OS update installed, most of those should be recorded in
one of the following logs.
First look at c:\windows\windowsupdate.log to see if any updates were
pushed down; their install may have been pended awaiting the reboot.
C:\windows\logs\cbs\cbs.log is more detailed (and quite noisy), but most
OS updates are recorded in there.

If it's not an OS update or a driver update then the OS may not log the
installation.

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
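The "entries recorded at or close to that time" check against setupapi.dev.log can be scripted. This is an added Python example, not code from the thread or from Microsoft: it parses the section markers setupapi writes (the `>>> [...]` title, the `Section start` timestamp and `Exit status` lines, plus the `cmd:` and driver-store `inf:` lines inside a section) and returns the sections that began within a window around the reboot time. The log text is a constructed sample with placeholder device IDs and paths; on a real machine you would read C:\Windows\inf\setupapi.dev.log instead.

```python
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0000&PID_0000\\5&1a2b3c4d&0&1]
>>>  Section start 2007/11/10 20:58:03.120
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2007/11/10 20:58:04.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (DiInstallDriver) - C:\\Users\\user\\AppData\\Local\\Temp\\example.inf]
>>>  Section start 2007/11/10 21:03:41.500
     cmd: C:\\Users\\user\\AppData\\Local\\Temp\\setup_example.exe
     inf: Driver Store Path: C:\\Windows\\System32\\DriverStore\\FileRepository\\example.inf_1a2b3c4d\\example.inf
<<<  Section end 2007/11/10 21:03:44.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\\VEN_0000&DEV_0000\\3&11583659&0&08]
>>>  Section start 2007/11/08 09:12:00.000
<<<  [Exit status: FAILURE(0xe0000203)]
"""  # constructed sample in the Vista setupapi.dev.log layout; placeholder IDs and paths

TS_FMT = "%Y/%m/%d %H:%M:%S.%f"
HEADER = re.compile(r"^>>>\s+\[(?P<title>.*)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\S+ \S+)")
EXIT = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")

def parse_sections(text):
    """Split setupapi.dev.log into install sections: title, start time, exit status, cmd:, INF paths."""
    sections, cur = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"title": m["title"], "start": None, "status": None, "cmd": None, "inf": []}
            sections.append(cur)
        elif cur is None:
            continue  # skip the file preamble before the first section
        elif (m := START.match(line)):
            cur["start"] = datetime.strptime(m["ts"], TS_FMT)
        elif (m := EXIT.match(line)):
            cur["status"] = m["status"]
        else:
            key, _, val = line.strip().partition(": ")
            if key == "cmd":  # process that triggered the install
                cur["cmd"] = val
            elif key == "inf" and val.startswith("Driver Store Path: "):
                cur["inf"].append(val[len("Driver Store Path: "):])
    return sections

def sections_near(sections, when, window_minutes=15):
    """Sections starting within +/- window_minutes of `when` ('YYYY/MM/DD HH:MM:SS.mmm' as in the log)."""
    centre = datetime.strptime(when, TS_FMT)
    return [s for s in sections if s["start"] and abs(s["start"] - centre) <= timedelta(minutes=window_minutes)]
```

The cmd: field is the one to look at first: a driver-install section triggered by a setup program in a user's Temp directory, rather than by svchost.exe or a known installer, is the section worth investigating.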
 
thank you all very much for your responses.. will try advice given here
tomorrow, when have a clearer head...;) it's about midnight in my neck
of the woods now... (did look a bit at one of the urls provided
(http://www.elephantboycomputers.com/page2.html#Removing_Malware))

thank you ..... maya...


 
Hi maya,

Unfortunately, you have unwittingly installed malware on your machine.
Whenever you get popups like this, do not click anywhere on them. Instead,
close them down by using the Task Manager. I suggest that you run a full
system scan with your anti-virus software and Windows Defender and also do a
check using an on-line virus check such as provided by Kaspersky. Allow these
to fix any problems they find.
Dwarf

http://www.kaspersky.co.uk/virusscanner
 
Hi maya,

Further to my previous post, you would be advised to disconnect from the
internet and boot up into SAFE mode to run the first 2 scans that I
suggested. You can then boot up into normal mode, reconnect your Internet,
and then carry out the on-line check.
Dwarf
 