TechSpot

Windows firewall keeps turning off

By Alextasy
Jul 11, 2010
  1. Firstly, hello to everyone here...

    Well... 2 days ago I went outside and left my PC on with uTorrent and a webpage open. (I use IE8, Avira AntiVir PE & Windows Firewall.)
    When I came back, a new webpage, "www.google.com", was open in the browser,
    of course not opened by me... and it's not my home page; my home page is www.google.ro, not .com, and I use the Pop-Up blocker on High settings.
    Along with that, the Security Center announced that the firewall was turned off... very strange.
    After using the browser for a few minutes, I saw that it was taking the whole processor.
    After that, whenever I started it, it loaded extremely slowly and again took the whole processor.
    Did a full scan with Avira and:

    Avira AntiVir Personal
    Report file date: 9 iulie 2010 23:02

    Scanning for 2329261 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : VECTRA

    Version information:
    BUILD.DAT : 10.0.0.567 32097 Bytes 19.04.2010 15:07:00
    AVSCAN.EXE : 10.0.3.0 433832 Bytes 20.04.2010 09:58:15
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 20.04.2010 09:58:14
    LUKE.DLL : 10.0.2.3 104296 Bytes 07.03.2010 16:33:04
    LUKERES.DLL : 10.0.0.1 12648 Bytes 10.02.2010 21:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 06.11.2009 16:54:49
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 19.11.2009 20:55:03
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 20.01.2010 00:08:49
    VBASE003.VDF : 7.10.3.75 996864 Bytes 26.01.2010 23:04:09
    VBASE004.VDF : 7.10.4.203 1579008 Bytes 05.03.2010 15:42:06
    VBASE005.VDF : 7.10.6.82 2494464 Bytes 15.04.2010 20:28:31
    VBASE006.VDF : 7.10.7.218 2294784 Bytes 02.06.2010 17:02:24
    VBASE007.VDF : 7.10.7.219 2048 Bytes 02.06.2010 17:02:24
    VBASE008.VDF : 7.10.7.220 2048 Bytes 02.06.2010 17:02:24
    VBASE009.VDF : 7.10.7.221 2048 Bytes 02.06.2010 17:02:24
    VBASE010.VDF : 7.10.7.222 2048 Bytes 02.06.2010 17:02:24
    VBASE011.VDF : 7.10.7.223 2048 Bytes 02.06.2010 17:02:24
    VBASE012.VDF : 7.10.7.224 2048 Bytes 02.06.2010 17:02:24
    VBASE013.VDF : 7.10.8.37 270336 Bytes 10.06.2010 15:08:55
    VBASE014.VDF : 7.10.8.69 138752 Bytes 14.06.2010 16:56:28
    VBASE015.VDF : 7.10.8.102 130560 Bytes 16.06.2010 10:23:36
    VBASE016.VDF : 7.10.8.135 152064 Bytes 21.06.2010 12:39:54
    VBASE017.VDF : 7.10.8.163 432128 Bytes 23.06.2010 17:55:49
    VBASE018.VDF : 7.10.8.194 133632 Bytes 27.06.2010 19:15:41
    VBASE019.VDF : 7.10.8.220 134656 Bytes 29.06.2010 21:41:33
    VBASE020.VDF : 7.10.8.252 171520 Bytes 04.07.2010 16:13:53
    VBASE021.VDF : 7.10.9.19 131072 Bytes 06.07.2010 16:26:10
    VBASE022.VDF : 7.10.9.36 297472 Bytes 07.07.2010 20:29:47
    VBASE023.VDF : 7.10.9.37 2048 Bytes 07.07.2010 20:29:47
    VBASE024.VDF : 7.10.9.38 2048 Bytes 07.07.2010 20:29:47
    VBASE025.VDF : 7.10.9.39 2048 Bytes 07.07.2010 20:29:47
    VBASE026.VDF : 7.10.9.40 2048 Bytes 07.07.2010 20:29:47
    VBASE027.VDF : 7.10.9.41 2048 Bytes 07.07.2010 20:29:47
    VBASE028.VDF : 7.10.9.42 2048 Bytes 07.07.2010 20:29:47
    VBASE029.VDF : 7.10.9.43 2048 Bytes 07.07.2010 20:29:47
    VBASE030.VDF : 7.10.9.44 2048 Bytes 07.07.2010 20:29:47
    VBASE031.VDF : 7.10.9.56 112640 Bytes 09.07.2010 18:13:56
    Engineversion : 8.2.4.10
    AEVDF.DLL : 8.1.2.0 106868 Bytes 23.04.2010 20:32:35
    AESCRIPT.DLL : 8.1.3.39 1335674 Bytes 07.07.2010 16:26:12
    AESCN.DLL : 8.1.6.1 127347 Bytes 13.05.2010 00:54:45
    AESBX.DLL : 8.1.3.1 254324 Bytes 23.04.2010 20:32:35
    AERDL.DLL : 8.1.4.6 541043 Bytes 17.04.2010 20:28:37
    AEPACK.DLL : 8.2.2.5 430453 Bytes 23.06.2010 17:56:36
    AEOFFICE.DLL : 8.1.1.6 201081 Bytes 07.07.2010 16:26:11
    AEHEUR.DLL : 8.1.1.38 2724214 Bytes 23.06.2010 17:56:28
    AEHELP.DLL : 8.1.11.6 242038 Bytes 23.06.2010 17:55:59
    AEGEN.DLL : 8.1.3.13 381300 Bytes 07.07.2010 16:26:11
    AEEMU.DLL : 8.1.2.0 393588 Bytes 23.04.2010 20:32:34
    AECORE.DLL : 8.1.15.3 192886 Bytes 13.05.2010 00:54:45
    AEBB.DLL : 8.1.1.0 53618 Bytes 23.04.2010 20:32:33
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 14.01.2010 10:03:38
    AVPREF.DLL : 10.0.0.0 44904 Bytes 14.01.2010 10:03:35
    AVREP.DLL : 10.0.0.8 62209 Bytes 18.02.2010 14:47:40
    AVREG.DLL : 10.0.3.0 53096 Bytes 20.04.2010 09:58:15
    AVSCPLR.DLL : 10.0.3.0 83816 Bytes 20.04.2010 09:58:15
    AVARKT.DLL : 10.0.0.14 227176 Bytes 20.04.2010 09:58:14
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26.01.2010 07:53:30
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 28.01.2010 10:57:58
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 16.03.2010 13:38:56
    NETNT.DLL : 10.0.0.0 11624 Bytes 19.02.2010 12:41:00
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28.01.2010 11:10:20
    RCTEXT.DLL : 10.0.53.0 97128 Bytes 20.04.2010 09:58:14

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:, E:,
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: 9 iulie 2010 23:02

    Starting search for hidden objects.
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
    [NOTE] The registry entry is invisible.

    The scan of running processes will be started
    Scan process 'msdtc.exe' - '39' Module(s) have been scanned
    Scan process 'dllhost.exe' - '60' Module(s) have been scanned
    Scan process 'dllhost.exe' - '44' Module(s) have been scanned
    Scan process 'vssvc.exe' - '47' Module(s) have been scanned
    Scan process 'avscan.exe' - '67' Module(s) have been scanned
    Scan process 'ymsgr_tray.exe' - '28' Module(s) have been scanned
    Scan process 'svchost.exe' - '38' Module(s) have been scanned
    Scan process 'svchost.exe' - '49' Module(s) have been scanned
    Scan process 'avshadow.exe' - '25' Module(s) have been scanned
    Scan process 'PnkBstrA.exe' - '23' Module(s) have been scanned
    Scan process 'nvsvc32.exe' - '24' Module(s) have been scanned
    Scan process 'LSSrvc.exe' - '10' Module(s) have been scanned
    Scan process 'jqs.exe' - '53' Module(s) have been scanned
    Scan process 'avguard.exe' - '54' Module(s) have been scanned
    Scan process 'uTorrent.exe' - '51' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '23' Module(s) have been scanned
    Scan process 'winampa.exe' - '16' Module(s) have been scanned
    Scan process 'avgnt.exe' - '48' Module(s) have been scanned
    Scan process 'Rundll32.exe' - '26' Module(s) have been scanned
    Scan process 'sched.exe' - '44' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '57' Module(s) have been scanned
    Scan process 'svchost.exe' - '42' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '104' Module(s) have been scanned
    Scan process 'svchost.exe' - '31' Module(s) have been scanned
    Scan process 'svchost.exe' - '29' Module(s) have been scanned
    Scan process 'svchost.exe' - '158' Module(s) have been scanned
    Scan process 'svchost.exe' - '38' Module(s) have been scanned
    Scan process 'svchost.exe' - '49' Module(s) have been scanned
    Scan process 'lsass.exe' - '57' Module(s) have been scanned
    Scan process 'services.exe' - '26' Module(s) have been scanned
    Scan process 'winlogon.exe' - '62' Module(s) have been scanned
    Scan process 'csrss.exe' - '12' Module(s) have been scanned
    Scan process 'smss.exe' - '2' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!
    Master boot sector HD1
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!
    Boot sector 'D:\'
    [INFO] No virus was found!
    Boot sector 'E:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '474' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\Documents & Settings\Alex\Application Data\Sun\Java\Deployment\cache\6.0\57\1cca24f9-607aed3a
    [0] Archive type: ZIP
    [DETECTION] Contains recognition pattern of the EXP/Java.CVE-2009-3867.8861 exploit
    --> dev/s/AdgredY.class
    [DETECTION] Contains recognition pattern of the EXP/Java.CVE-2009-3867.8861 exploit
    --> dev/s/DyesyasZ.class
    [DETECTION] Contains recognition pattern of the EXP/Java.2502 exploit
    --> dev/s/LoaderX.class
    [DETECTION] Contains recognition pattern of the EXP/Java.3243 exploit
    Begin scan in 'D:\'
    Begin scan in 'E:\'
    E:\Programe\eMule v0.49c.exe
    [WARNING] Insufficient memory. The file was not scanned.

    Beginning disinfection:
    C:\Documents & Settings\Alex\Application Data\Sun\Java\Deployment\cache\6.0\57\1cca24f9-607aed3a
    [DETECTION] Contains recognition pattern of the EXP/Java.3243 exploit
    [NOTE] The file was moved to the quarantine directory under the name '462d11b5.qua'.


    End of the scan: 10 iulie 2010 02:46
    Used time: 1:56:33 Hour(s)

    The scan has been done completely.

    7928 Scanned directories
    433840 Files were scanned
    3 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    1 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    433837 Files not concerned
    2604 Archives were scanned
    1 Warnings
    1 Notes
    457204 Objects were scanned with rootkit scan
    1 Hidden objects were found

    However, nothing has changed...
    So far I have fixed the browser problem.
    Inside the Internet Explorer directory there was a setupapi.dll which was the problem.
    It seems that Firefox had that file too but was not visibly affected (slowed or something). This one was detected by Malware. Find it in the log.
    So the remaining problem is that if I restart my PC the firewall is turned off almost every time, and along with it the Security Center alerts; all of them go off together with the firewall.
    I tested some things to see the symptoms:
    So I start the computer, and the alerts and firewall are off.
    I turned them on.
    1. If I turn the PC off and then on, or restart, they are back to off.
    2. If I switch user and then log on, or standby or hibernate, logically they remain on, so this tells me it is something on startup that closes them.
    3. But strangely, if I log off and then log on (Windows started again), the firewall and alerts remain on... so what should I understand from 2 and 3 if they are completely opposite to each other?
    4. And also, something that is the opposite of 3 is that sometimes I restart and enter the Security Center and see the green light on Firewall, but one second later it gets red and the popup in the system tray appears telling me that it is off.

    Hope everybody understands my English.
    Thank you.
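Added example, not part of the post above and not Avira's own tooling: a small Python parser for the flattened report format pasted above, with the thread's own file-scan, disinfection and summary lines embedded as its input. It cross-checks the body of the report against the summary block: which archive members were hit, which signature names, which file actually got a quarantine note, and which file was skipped with a warning and so was never scanned. The class and function names are mine, and one reading of the format is an assumption, labelled in the code: a [DETECTION] line is attributed to the most recent `--> member` line, or to the file itself when no member has been named since the file path.

```python
"""Parse an Avira AntiVir scan report (the flattened format pasted in the thread)
into records, so hits, quarantine notes and scan warnings can be cross-checked."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Excerpt of the report posted above: file-scan, disinfection and summary sections.
AVIRA_REPORT = r"""Starting the file scan:
Begin scan in 'C:\'
C:\Documents & Settings\Alex\Application Data\Sun\Java\Deployment\cache\6.0\57\1cca24f9-607aed3a
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/Java.CVE-2009-3867.8861 exploit
--> dev/s/AdgredY.class
[DETECTION] Contains recognition pattern of the EXP/Java.CVE-2009-3867.8861 exploit
--> dev/s/DyesyasZ.class
[DETECTION] Contains recognition pattern of the EXP/Java.2502 exploit
--> dev/s/LoaderX.class
[DETECTION] Contains recognition pattern of the EXP/Java.3243 exploit
Begin scan in 'D:\'
Begin scan in 'E:\'
E:\Programe\eMule v0.49c.exe
[WARNING] Insufficient memory. The file was not scanned.
Beginning disinfection:
C:\Documents & Settings\Alex\Application Data\Sun\Java\Deployment\cache\6.0\57\1cca24f9-607aed3a
[DETECTION] Contains recognition pattern of the EXP/Java.3243 exploit
[NOTE] The file was moved to the quarantine directory under the name '462d11b5.qua'.
End of the scan: 10 iulie 2010 02:46
3 Viruses and/or unwanted programs were found
1 Files were moved to quarantine
1 Warnings
"""


@dataclass
class Detection:
    path: str               # file on disk
    member: Optional[str]   # archive member the hit was inside, if any
    signature: str          # Avira's pattern name, e.g. EXP/Java.3243
    phase: str              # "scan" or "disinfection"


@dataclass
class ScanResult:
    detections: List[Detection] = field(default_factory=list)
    warnings: List[Tuple[str, str]] = field(default_factory=list)  # (path, message)
    quarantined: Dict[str, str] = field(default_factory=dict)      # path -> .qua name
    summary: Dict[str, int] = field(default_factory=dict)          # counter label -> value


DETECTION_RE = re.compile(r"^\[DETECTION\] Contains recognition pattern of the (\S+) ")
QUARANTINE_RE = re.compile(r"^\[NOTE\] The file was moved to the quarantine directory under the name '([^']+)'")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
COUNTER_RE = re.compile(r"^(\d+) (.+)$")


def parse_avira_report(text: str) -> ScanResult:
    """Walk the report, tracking which file (and archive member) each bracketed
    status line refers to.  Assumption about the flattened format: a [DETECTION]
    belongs to the latest '--> member' line, or to the file itself if none yet."""
    result, phase, path, member = ScanResult(), None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Starting the file scan"):
            phase = "scan"
        elif line.startswith("Beginning disinfection"):
            phase = "disinfection"
        elif line.startswith("End of the scan"):
            phase = "summary"
        elif phase == "summary":
            m = COUNTER_RE.match(line)          # e.g. "3 Viruses and/or unwanted programs were found"
            if m:
                result.summary[m.group(2)] = int(m.group(1))
        elif line.startswith("Begin scan in") or PATH_RE.match(line):
            path, member = (None if line.startswith("Begin") else line), None
        elif line.startswith("-->"):
            member = line[3:].strip()
        elif path is None:
            continue                             # status line without a file context
        elif DETECTION_RE.match(line):
            result.detections.append(Detection(path, member, DETECTION_RE.match(line).group(1), phase))
        elif line.startswith("[WARNING]"):
            result.warnings.append((path, line[len("[WARNING]"):].strip()))
        elif QUARANTINE_RE.match(line):
            result.quarantined[path] = QUARANTINE_RE.match(line).group(1)
    return result


def unquarantined_hits(result: ScanResult) -> List[str]:
    """Files with a detection but no quarantine note: these still need action."""
    return sorted({d.path for d in result.detections} - set(result.quarantined))


def triage(result: ScanResult) -> dict:
    """The numbers a helper wants before replying, taken from the body, not just the summary."""
    return {
        "detection_lines": len(result.detections),
        "infected_members": sorted({d.member for d in result.detections if d.member}),
        "signatures": sorted({d.signature for d in result.detections}),
        "reported_found": result.summary.get("Viruses and/or unwanted programs were found", 0),
        "not_scanned": [p for p, _ in result.warnings],
        "needs_action": unquarantined_hits(result),
    }
```

Run `triage(parse_avira_report(AVIRA_REPORT))` to get the cross-check: three infected archive members inside one Java cache file, that file quarantined, nothing left needing action, and one file on E: that the scanner skipped and therefore says nothing about.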
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    First of all, please don't zip the logs. It makes extra steps for me. We ask that you paste the logs rather than attach because it enhances our search ability.

    As for putting the attach.txt log on a separate thread, I am going to ask the moderator to move it to this thread, then delete the other (http://www.techspot.com/vb/topic149630.html#post902951)

    While I review your problem, please do the following:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    Re-enable your Antivirus software.
    ====================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. Alextasy

    Alextasy TS Rookie Topic Starter

    Seems that ComboFix did the job.

    combo:

    ComboFix 10-07-11.03 - Alex 12.07.2010 2:14.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1250.40.1033.18.511.297 [GMT 3:00]
    Running from: c:\documents & settings\Alex\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents & settings\Alex\Application Data\SystemProc
    c:\documents & settings\Alex\Application Data\SystemProc\lsass.exe
    c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
    c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
    c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
    c:\windows.0\NOTEPAD.EXE
    c:\windows.0\settings.reg
    c:\windows.0\system32\3402956424.dat
    c:\windows.0\system32\amstreamu.exe
    c:\windows.0\system32\Data
    c:\windows.0\system32\Ijl11.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_RPCSSUPS
    -------\Legacy_SFC
    -------\Service_RpcSsUPS


    ((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
    .

    2010-07-10 19:41 . 2010-07-10 19:41 -------- d-----w- c:\documents & settings\Alex\Application Data\Malwarebytes
    2010-07-10 19:41 . 2010-04-29 12:39 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
    2010-07-10 19:41 . 2010-07-10 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-10 19:41 . 2010-07-10 19:41 -------- d-----w- c:\documents & settings\All Users\Application Data\Malwarebytes
    2010-07-10 19:41 . 2010-04-29 12:39 20952 ----a-w- c:\windows.0\system32\drivers\mbam.sys
    2010-07-10 13:00 . 2010-07-10 13:01 -------- dc-h--w- c:\windows.0\ie8
    2010-07-09 19:53 . 2010-07-10 13:24 664 ----a-w- c:\windows.0\system32\d3d9caps.dat
    2010-07-08 11:13 . 2010-07-08 12:33 371776 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
    2010-07-08 11:13 . 2010-07-08 12:32 465984 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
    2010-07-08 11:13 . 2010-07-08 11:13 -------- d-----w- c:\documents & settings\Alex\Local Settings\Application Data\PunkBuster
    2010-07-08 11:13 . 2010-07-08 12:33 187456 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\baseq3\uix86.dll
    2010-07-08 11:13 . 2010-07-08 12:32 887448 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\pb\pbcl.dll
    2010-07-08 11:13 . 2010-07-08 12:32 57344 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\pb\pbag.dll
    2010-07-08 11:13 . 2010-07-08 12:32 2436160 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
    2010-07-08 10:59 . 2010-07-08 10:59 111928 ----a-w- c:\windows.0\system32\PnkBstrB.exe
    2010-07-08 10:59 . 2010-07-08 10:59 75064 ----a-w- c:\windows.0\system32\PnkBstrA.exe
    2010-07-08 10:59 . 2010-07-08 10:59 2373712 ----a-w- c:\windows.0\system32\pbsvc.exe
    2010-07-08 10:59 . 2010-07-08 10:59 -------- d-----w- c:\documents & settings\All Users\Application Data\id Software
    2010-07-05 12:51 . 2010-07-05 12:51 -------- d-----w- c:\documents & settings\All Users\Application Data\Trymedia
    2010-06-28 08:43 . 2010-06-28 08:43 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-06-28 08:43 . 2010-02-26 11:21 8320 ----a-w- c:\windows.0\system32\drivers\nmwcdnsuc.sys
    2010-06-28 08:43 . 2010-02-26 11:21 137344 ----a-w- c:\windows.0\system32\drivers\nmwcdnsu.sys
    2010-06-28 08:43 . 2010-02-26 11:32 8192 ----a-w- c:\windows.0\system32\drivers\usbser_lowerfltj.sys
    2010-06-28 08:43 . 2010-02-26 11:32 8192 ----a-w- c:\windows.0\system32\drivers\usbser_lowerflt.sys
    2010-06-28 08:42 . 2010-02-26 11:32 22528 ----a-w- c:\windows.0\system32\drivers\ccdcmbo.sys
    2010-06-28 08:42 . 2010-02-26 11:32 662016 ----a-w- c:\windows.0\system32\nmwcdcocls.dll
    2010-06-28 08:42 . 2010-02-26 11:32 18176 ----a-w- c:\windows.0\system32\drivers\ccdcmb.sys
    2010-06-28 08:42 . 2010-02-26 11:19 1461992 ----a-w- c:\windows.0\system32\wdfcoinstaller01009.dll
    2010-06-28 08:41 . 2010-06-28 08:40 35618008 ----a-w- c:\documents & settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NokiaSoftwareUpdaterSetup_en_us[1].exe
    2010-06-28 08:41 . 2010-06-28 08:41 3351812 ----a-w- c:\documents & settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\msxml6Exec.exe
    2010-06-28 08:41 . 2010-06-28 08:41 36864 ----a-w- c:\documents & settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\Sleep.exe
    2010-06-28 08:41 . 2010-06-28 08:41 3203453 ----a-w- c:\documents & settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\vcredistExec.exe
    2010-06-22 13:12 . 2010-06-22 13:12 -------- d-sh--w- c:\documents & settings\LocalService\PrivacIE
    2010-06-22 13:12 . 2010-06-22 13:12 -------- d-sh--w- c:\documents & settings\LocalService\IECompatCache
    2010-06-22 13:08 . 2010-06-22 13:08 -------- d-----w- c:\documents & settings\Alex\Application Data\InstallShield
    2010-06-17 15:53 . 2010-07-03 15:14 -------- d-----w- C:\mp4
    2010-06-14 21:29 . 2010-07-05 21:08 -------- d-----w- C:\Promo
    2010-06-14 16:58 . 2010-06-14 16:58 -------- d-----w- c:\documents & settings\Alex\Application Data\Thinstall

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-11 23:05 . 2009-10-18 00:35 -------- d-----w- c:\documents & settings\Alex\Application Data\uTorrent
    2010-07-10 22:28 . 2009-11-07 21:55 -------- d-----w- c:\documents & settings\Alex\Application Data\vlc
    2010-07-10 13:42 . 2010-03-10 01:01 -------- d-----w- c:\documents & settings\Alex\Application Data\ApexDC++
    2010-07-05 21:01 . 2009-07-25 10:24 -------- d-----w- c:\program files\ApexDC++
    2010-07-05 13:08 . 2010-03-09 11:51 -------- d-----w- c:\documents & settings\All Users\Application Data\MumboJumbo
    2010-07-02 18:48 . 2009-08-14 12:29 -------- d-----w- c:\program files\Garena
    2010-06-28 12:28 . 2010-01-15 20:59 -------- d-----w- c:\program files\Common Files\Nokia
    2010-06-28 08:51 . 2010-06-28 08:51 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
    2010-06-28 08:51 . 2010-06-28 08:51 0 ---ha-w- c:\windows.0\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
    2010-06-28 08:42 . 2009-10-20 11:34 -------- d-----w- c:\program files\Nokia
    2010-06-28 08:40 . 2009-10-20 11:32 -------- d-----w- c:\documents & settings\All Users\Application Data\Installations
    2010-06-22 13:14 . 2009-07-24 21:19 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-22 12:53 . 2009-07-24 21:07 -------- d-----w- c:\program files\CrystalMark 2004R3
    2010-05-31 18:32 . 2010-05-31 18:32 -------- d-----w- c:\program files\StreamingStar
    2010-05-25 17:22 . 2010-04-28 20:29 -------- d-----w- c:\documents & settings\Alex\Application Data\dvdcss
    2010-05-25 16:42 . 2008-04-14 12:00 361344 ----a-w- c:\windows.0\system32\drivers\tcpip.sys
    2010-05-16 02:26 . 2009-10-18 00:16 -------- d---a-w- c:\documents & settings\All Users\Application Data\TEMP
    2010-05-15 16:51 . 2010-03-09 11:47 -------- d-----w- c:\program files\uTorrent
    2010-05-12 23:36 . 2009-07-25 09:57 -------- d-----w- c:\program files\oDC
    2010-05-08 00:09 . 2010-05-08 00:06 1024 ----a-w- c:\windows.0\dspnop32.bin
    2010-04-20 22:41 . 2010-04-20 12:18 617 -c--a-w- c:\windows.0\eReg.dat
    2010-04-13 10:03 . 2010-04-13 10:03 2373712 ----a-w- c:\documents & settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
    .

    ------- Sigcheck -------

    [-] 2010-05-25 . 8E036EEC565910417EA020CE0962AA24 . 361344 . . [5.1.2600.5512] . . c:\windows.0\system32\drivers\tcpip.sys


    c:\windows.0\System32\sfcfiles.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2003-11-17 3022848]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
    "P17Helper"="P17.dll" [2005-05-03 64512]
    "nwiz"="nwiz.exe" [2003-11-17 753664]
    "NeroFilterCheck"="c:\windows.0\system32\NeroCheck.exe" [2006-01-12 155648]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows.0\system32\ctfmon.exe" [2010-03-10 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/25/2009 1:43 PM 135336]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows.0\system32\drivers\npf.sys [10/20/2009 9:19 PM 50704]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
    S3 cpuz130;cpuz130;\??\c:\docume~2\Alex\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~2\Alex\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
    S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~2\Alex\LOCALS~1\Temp\QZKF.tmp --> c:\docume~2\Alex\LOCALS~1\Temp\QZKF.tmp [?]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows.0\system32\drivers\nmwcdnsu.sys [6/28/2010 11:43 AM 137344]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows.0\system32\drivers\nmwcdnsuc.sys [6/28/2010 11:43 AM 8320]
    S3 p17filt;p17filt;c:\windows.0\system32\drivers\p17filt.sys [3/20/2006 6:34 PM 1452032]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ro/
    uInternet Settings,ProxyServer = 81.180.120.30:3128
    uInternet Settings,ProxyOverride = *.local
    TCP: {9F1AD49F-4AFC-4BEA-8E38-0A7E26D00C9A} = 213.157.173.130,213.154.124.1
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {1FE5F6CD-7490-4428-9E79-830E8CC55B8B} - hxxp://82.78.214.29/control/VCViewAtl.cab
    DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://82.78.216.195/ActiveView.cab
    DPF: {82BD8D58-D696-42C3-B3EB-3FD725CE738C} - hxxp://82.78.200.197/OcxMgr.ocx
    DPF: {9E265649-6E0E-4EEA-9F49-DAE0801440CF} - hxxp://82.78.200.166/WebDiginet.CAB
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {EFC162AD-F8AC-11D6-BD6F-0020EDBAC1E7} - hxxp://82.78.216.172/IERemote.cab
    FF - ProfilePath - c:\documents & settings\Alex\Application Data\Mozilla\Firefox\Profiles\lwad3xq0.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    AddRemove-Half-Life Dedicated Server Update Tool - d:\hlds\UNWISE.EXE
    AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-12 02:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
    "ImagePath"="\??\c:\docume~2\Alex\LOCALS~1\Temp\QZKF.tmp"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2248)
    c:\windows.0\system32\ieframe.dll
    c:\windows.0\system32\msi.dll
    c:\windows.0\system32\webcheck.dll
    c:\windows.0\system32\OneX.DLL
    c:\windows.0\system32\eappprxy.dll
    c:\windows.0\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\windows.0\system32\PortableDeviceTypes.dll
    c:\windows.0\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows.0\system32\nvsvc32.exe
    c:\windows.0\system32\PnkBstrA.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows.0\system32\Rundll32.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\windows.0\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-12 02:31:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-11 23:31

    Pre-Run: 2.381.889.536 bytes free
    Post-Run: 2.314.047.488 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 8D9D7F917C42FA695CD9F91AC731455F


    eset:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=2d32d89583aff24f85d85e6de91bc81f
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-07-12 12:52:13
    # local_time=2010-07-12 03:52:13 (+0200, E. Europe Daylight Time)
    # country="Romania"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 100 346367 53791684 0 0
    # compatibility_mode=8192 67108863 100 0 136 136 0 0
    # scanned=113587
    # found=3
    # cleaned=0
    # scan_time=4423
    C:\Qoobox\Quarantine\C\Documents & Settings\Alex\Application Data\SystemProc\lsass.exe.vir a variant of Win32/Injector.CGU trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul.vir Win32/Dursg.A trojan 00000000000000000000000000000000 I
    E:\Programe\Nero Burning ROM v6.6.1.15d.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I

    Hope I didn't do something wrong putting all the logs here.
    Sorry if I did, but that is what I understood from you.
    Like this reply's title says... after ComboFix it restarted, and after that the firewall was on. I was thinking that ComboFix did that (turning it back on). However it was too late to restart again. Today when I started the computer everything was just fine, and after another restart too.
    So thank you so much for helping me.
    However, I'd appreciate it if you could tell me what was the "thing" that turned the firewall and alerts off every boot?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, checking the logs:

    Regarding setupapi.dll> that is a legitimate file for Microsoft Windows Setup API

    2 questions:
    1. Have you ever had a Vundo malware infection that you know of?
    2. Have you ever reinstalled the operating system?

    There are multiple files that are either corrupt or another copy of Windows in the wrong directory:

    This directory, c:\windows\system32\, has become c:\windows.0\system32\. This means that functions that need a file or folder in windows\System32 aren't going to be able to find the files, because they are now in windows.0\system32.

    Regarding the Security Center:
    Are you absolutely sure this is the 'real Windows Security Center' and that you are getting legitimate Alerts?

    I'd like you to run this program please:
    Please download VundoFix.exe HERE and save to your desktop:
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the ‘Fix Vundo’ button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Please attach the C:\vundofix.txt log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    There are some drivers I will remove from Combofix after you run this.
     
  5. Alextasy

    Alextasy TS Rookie Topic Starter

    No. 3

    A: setupapi.dll is usually loaded from system32 (this file is not infected).
    Any application checks first in its own directory... then in system32.
    So in the browser's folder was an infected setupapi.dll (pure and simple).
    1: It's the first time I've heard this word... "vundo".
    2: As you can see there is WINDOWS.0... so logically I did.
    My PC's current Windows installation dir is WINDOWS.0;
    there never was a WINDOWS from the currently installed Windows.
    So nothing became nothing.
    I am absolutely sure those were legitimate Security Center alerts...
    I am not another noob who says he knows how to handle a PC.
    For example, I don't even allow the installation of any kind of toolbar... I always keep my browsers clean... or any kind of adware that could even be spyware or just slow down the PC. I update my antivirus almost every day... but it seems it is not so good compared to NOD32, though it's better than nothing, and it needs the minimum of resources. I don't install/use modified Windows.
    About Windows Update... I used to update a while ago, but the last time (about 1 year ago) I was just updating to the latest thing as usual, and after restart every type of boot (even Safe Mode) resulted in a BSOD... It might be a very big coincidence... I trust Microsoft... that shouldn't happen. Even if I reinstalled Windows, the system BSODed on the first boot... so I did a clean install in another directory. Etc. (As you might have noticed, NOW I have "Documents & Settings", not "Documents and Settings". [If you might be asking... I know about formatting, but I have my personal reasons not to format partition C... I actually know lots of software and hardware things, but this problem which made me come here was beyond my skills (I don't usually get infected... but now it's 2010... who the hell is absolutely untouched by these things, which are growing extremely fast in number)].)

    I think you may have referred to sfcfiles.dll (the corrupt files you talked about), which is usually needed by the Backup program (which I don't use).
    This was happening on 09.07.2010, a day before the actual infection.

    Avira AntiVir Personal
    Report file date: 9 iulie 2010 22:24

    Scanning for 2329261 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : VECTRA

    Version information:
    BUILD.DAT : 10.0.0.567 32097 Bytes 19.04.2010 15:07:00
    AVSCAN.EXE : 10.0.3.0 433832 Bytes 20.04.2010 09:58:15
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 20.04.2010 09:58:14
    LUKE.DLL : 10.0.2.3 104296 Bytes 07.03.2010 16:33:04
    LUKERES.DLL : 10.0.0.1 12648 Bytes 10.02.2010 21:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 06.11.2009 16:54:49
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 19.11.2009 20:55:03
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 20.01.2010 00:08:49
    VBASE003.VDF : 7.10.3.75 996864 Bytes 26.01.2010 23:04:09
    VBASE004.VDF : 7.10.4.203 1579008 Bytes 05.03.2010 15:42:06
    VBASE005.VDF : 7.10.6.82 2494464 Bytes 15.04.2010 20:28:31
    VBASE006.VDF : 7.10.7.218 2294784 Bytes 02.06.2010 17:02:24
    VBASE007.VDF : 7.10.7.219 2048 Bytes 02.06.2010 17:02:24
    VBASE008.VDF : 7.10.7.220 2048 Bytes 02.06.2010 17:02:24
    VBASE009.VDF : 7.10.7.221 2048 Bytes 02.06.2010 17:02:24
    VBASE010.VDF : 7.10.7.222 2048 Bytes 02.06.2010 17:02:24
    VBASE011.VDF : 7.10.7.223 2048 Bytes 02.06.2010 17:02:24
    VBASE012.VDF : 7.10.7.224 2048 Bytes 02.06.2010 17:02:24
    VBASE013.VDF : 7.10.8.37 270336 Bytes 10.06.2010 15:08:55
    VBASE014.VDF : 7.10.8.69 138752 Bytes 14.06.2010 16:56:28
    VBASE015.VDF : 7.10.8.102 130560 Bytes 16.06.2010 10:23:36
    VBASE016.VDF : 7.10.8.135 152064 Bytes 21.06.2010 12:39:54
    VBASE017.VDF : 7.10.8.163 432128 Bytes 23.06.2010 17:55:49
    VBASE018.VDF : 7.10.8.194 133632 Bytes 27.06.2010 19:15:41
    VBASE019.VDF : 7.10.8.220 134656 Bytes 29.06.2010 21:41:33
    VBASE020.VDF : 7.10.8.252 171520 Bytes 04.07.2010 16:13:53
    VBASE021.VDF : 7.10.9.19 131072 Bytes 06.07.2010 16:26:10
    VBASE022.VDF : 7.10.9.36 297472 Bytes 07.07.2010 20:29:47
    VBASE023.VDF : 7.10.9.37 2048 Bytes 07.07.2010 20:29:47
    VBASE024.VDF : 7.10.9.38 2048 Bytes 07.07.2010 20:29:47
    VBASE025.VDF : 7.10.9.39 2048 Bytes 07.07.2010 20:29:47
    VBASE026.VDF : 7.10.9.40 2048 Bytes 07.07.2010 20:29:47
    VBASE027.VDF : 7.10.9.41 2048 Bytes 07.07.2010 20:29:47
    VBASE028.VDF : 7.10.9.42 2048 Bytes 07.07.2010 20:29:47
    VBASE029.VDF : 7.10.9.43 2048 Bytes 07.07.2010 20:29:47
    VBASE030.VDF : 7.10.9.44 2048 Bytes 07.07.2010 20:29:47
    VBASE031.VDF : 7.10.9.56 112640 Bytes 09.07.2010 18:13:56
    Engineversion : 8.2.4.10
    AEVDF.DLL : 8.1.2.0 106868 Bytes 23.04.2010 20:32:35
    AESCRIPT.DLL : 8.1.3.39 1335674 Bytes 07.07.2010 16:26:12
    AESCN.DLL : 8.1.6.1 127347 Bytes 13.05.2010 00:54:45
    AESBX.DLL : 8.1.3.1 254324 Bytes 23.04.2010 20:32:35
    AERDL.DLL : 8.1.4.6 541043 Bytes 17.04.2010 20:28:37
    AEPACK.DLL : 8.2.2.5 430453 Bytes 23.06.2010 17:56:36
    AEOFFICE.DLL : 8.1.1.6 201081 Bytes 07.07.2010 16:26:11
    AEHEUR.DLL : 8.1.1.38 2724214 Bytes 23.06.2010 17:56:28
    AEHELP.DLL : 8.1.11.6 242038 Bytes 23.06.2010 17:55:59
    AEGEN.DLL : 8.1.3.13 381300 Bytes 07.07.2010 16:26:11
    AEEMU.DLL : 8.1.2.0 393588 Bytes 23.04.2010 20:32:34
    AECORE.DLL : 8.1.15.3 192886 Bytes 13.05.2010 00:54:45
    AEBB.DLL : 8.1.1.0 53618 Bytes 23.04.2010 20:32:33
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 14.01.2010 10:03:38
    AVPREF.DLL : 10.0.0.0 44904 Bytes 14.01.2010 10:03:35
    AVREP.DLL : 10.0.0.8 62209 Bytes 18.02.2010 14:47:40
    AVREG.DLL : 10.0.3.0 53096 Bytes 20.04.2010 09:58:15
    AVSCPLR.DLL : 10.0.3.0 83816 Bytes 20.04.2010 09:58:15
    AVARKT.DLL : 10.0.0.14 227176 Bytes 20.04.2010 09:58:14
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26.01.2010 07:53:30
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 28.01.2010 10:57:58
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 16.03.2010 13:38:56
    NETNT.DLL : 10.0.0.0 11624 Bytes 19.02.2010 12:41:00
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28.01.2010 11:10:20
    RCTEXT.DLL : 10.0.53.0 97128 Bytes 20.04.2010 09:58:14

    Configuration settings for the scan:
    Jobname.............................: avguard_async_scan
    Configuration file..................: C:\Documents & Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4c707f51\guard_slideup.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: quarantine
    Scan master boot sector.............: on
    Scan boot sector....................: off
    Process scan........................: on
    Scan registry.......................: off
    Search for rootkits.................: off
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: high

    Start of the scan: 9 iulie 2010 22:24

    The scan of running processes will be started
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'ymsgr_tray.exe' - '1' Module(s) have been scanned
    Scan process 'avshadow.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
    Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
    Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
    Scan process 'jqs.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'uTorrent.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'winampa.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'Rundll32.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned

    Starting the file scan:

    Begin scan in 'C:\WINDOWS.0\system32\sfcfiles.dll'
    C:\WINDOWS.0\system32\sfcfiles.dll
    [DETECTION] Is the TR/Dropper.Gen Trojan

    Beginning disinfection:
    C:\WINDOWS.0\system32\sfcfiles.dll
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4e80dcf8.qua'.


    End of the scan: 9 iulie 2010 22:27
    Used time: 00:02 Minute(s)

    The scan has been done completely.

    0 Scanned directories
    33 Files were scanned
    1 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    1 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    32 Files not concerned
    0 Archives were scanned
    0 Warnings
    1 Notes


    The scan results will be transferred to the Guard.

    [I'll explain my theory again... if you put all those checks together, the only meaning is that the virus was turning off the firewall on system shutdown, because on logoff the system is not turned off... and back on everything is like it was (I DON'T mistake Logoff for Switch)... but what supports this is the thing that, like 2 times, I caught when it was turned off (I mean that I entered Security Center before it was turned off by the virus... but right after, it was). Hope you understood, but it doesn't matter now... everything is fixed]

    I almost forgot... You didn't tell me which of the infected files (deleted files) you think was the "virus" that was doing that (firewall off). I checked on Google the viruses mentioned by the ESET Online Scanner, but none of them seems to have these symptoms, or maybe nobody noticed that, or I didn't notice the symptoms mentioned on the sites I found. :haha:
    And again, some of the files "deleted" (quarantined) by ComboFix are not viruses or infections... for example Settings.reg, which contains some registry keys to default the settings for the Creative sound card. However, I agree with its method... I personally would take that as a suspicious file. Or that Notepad.exe from the Windows directory, which is originally in system32... but it is only a clean copy of it, and I don't know how it got there.

    LOG:

    VundoFix V7.0.6

    Scan started at 10:51:39 14.07.2010

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...
     
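    A defender-side check for the DLL search-order point made above (an application's own folder is searched before system32, so a same-named DLL planted there gets loaded instead of the system copy): the following is an added example, my own code and not anything from this thread or from the tools used in it. It walks application folders for DLLs whose names match a DLL in system32 and compares each one's SHA-256 against the system copy, so an identical redistributed copy is separated from a copy whose contents differ. The folder layout, file names and file contents are constructed in a temporary directory so it runs offline; on a real machine you would point it at the actual system32 folder and the program folders you want to audit.

```python
"""Find DLLs in application folders that shadow a same-named DLL in system32.

Added example, not code from the thread or its tools. The directory tree is
constructed in a temporary folder so the check runs offline on any OS; on a
real system you would pass %SystemRoot%\\system32 as `system32` and the
install folders of the programs you want to audit as `app_dirs`.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowing_dlls(system32: Path, app_dirs) -> list:
    """Return one record per DLL under an application directory whose file
    name matches a DLL in system32, i.e. a name the loader would resolve from
    the application directory before looking in system32.

    'same_as_system32' is True when the copy is byte-identical to the system
    file (a harmless redistributed copy) and False when it differs, which is
    the case worth triaging by hand.
    """
    system_dlls = {p.name.lower(): p for p in system32.iterdir()
                   if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for app_dir in app_dirs:
        # Explicit case-insensitive suffix check: rglob("*.dll") would miss
        # SETUPAPI.DLL on a case-sensitive file system.
        for candidate in sorted(Path(app_dir).rglob("*")):
            if not candidate.is_file() or candidate.suffix.lower() != ".dll":
                continue
            original = system_dlls.get(candidate.name.lower())
            if original is None:
                continue  # no system DLL of that name: nothing is shadowed
            findings.append({
                "path": str(candidate),
                "shadows": str(original),
                "same_as_system32": sha256_of(candidate) == sha256_of(original),
            })
    return findings


def build_demo_tree(root: Path):
    """Constructed sample layout (not taken from the thread): a system32
    folder, a browser folder carrying a setupapi.dll whose contents differ
    from the system copy, a folder with an identical redistributed copy, and
    a folder whose DLL shadows nothing."""
    system32 = root / "WINDOWS.0" / "system32"
    browser = root / "Program Files" / "Browser"
    redist = root / "Program Files" / "Redist"
    other = root / "Program Files" / "Other"
    for d in (system32, browser, redist, other):
        d.mkdir(parents=True)
    genuine = b"MZ genuine setupapi (constructed sample bytes)"
    (system32 / "setupapi.dll").write_bytes(genuine)
    (browser / "setupapi.dll").write_bytes(b"MZ different contents (constructed)")
    (redist / "SETUPAPI.DLL").write_bytes(genuine)  # same bytes, different case
    (other / "helper.dll").write_bytes(b"MZ helper (constructed)")
    return system32, [root / "Program Files"]


def run_demo() -> list:
    """Build the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        system32, app_dirs = build_demo_tree(Path(tmp))
        return find_shadowing_dlls(system32, app_dirs)


if __name__ == "__main__":
    for f in run_demo():
        flag = "OK  " if f["same_as_system32"] else "DIFF"
        print(f"{flag} {f['path']} shadows {f['shadows']}")
```

    The hash comparison is only a triage filter: a differing copy may be a legitimately different version shipped by the vendor, so a DIFF hit is something to verify (publisher signature, version resource) rather than something to delete on sight, while an identical copy can be set aside.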
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm sorry, I don't understand what you're trying to say or do. It sounds like you are disputing all of the cleaning directions and results.

    Currently, you have system files and folders running as both windows and windows.0. Therefore the system will not be able to identify some of the files when they are needed. Since you say it's fixed, would you like me to close the thread?
     
  7. Alextasy

    Alextasy TS Rookie Topic Starter

    I did a Malwarebytes' Anti-Malware & ESET NOD32 Online Scanner both "full" scan (all partitions) and everything seems to be just fine.

    You may close the thread after we clear up what you didn't understand... answer the above questions. :p

    What are you basing it on when you say I have system files and folders in both windows and windows.0?

    There are NO system files in the "windows" folder. What made you say it is functional?

    All I'm trying to say is that the currently functional Windows is installed in windows.0... so why do you think it has something to do with the "windows" folder?

    On the other hand, this might bring improved security, because some threats "install" in a folder named Windows and not in %WinDir% or %SystemRoot%... etc.

    After the Vundo clean report, did you still remove some drivers from ComboFix?

    And not least... Thank You Very Much For The Best Help I Could Get Ever!
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Since you consider the matter resolved, remove all of the tools we used and the files and folders they created:
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     