Solved Windows firewall keeps turning off

Alextasy · Jul 11, 2010

Firstly Hello To Everyone Here...

Well... 2 days ago I went outside and letted my pc opened with utorrent and a webpage. (I use IE8, Avira AntiVir PE & Windows Firewall)
When I comed back on the browser was opened a new webpage "www.google.com"
of course not by me...and it's not my HomePage..my HomePage is www.google.ro not .com and I use Pop-Up blocker On with High settings.
Along with that the Security Center was announced that firewall is turned of... verry strange.
After I use some minutes the browser ..I see that it was taking the whole processor.
After that if I was started it..it was load extrely hard and again takeing the whole processor speed.
Did a full scand with Avira and:

Avira AntiVir Personal
Report file date: 9 iulie 2010 23:02

Scanning for 2329261 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : VECTRA

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 19.04.2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 20.04.2010 09:58:15
AVSCAN.DLL : 10.0.3.0 46440 Bytes 20.04.2010 09:58:14
LUKE.DLL : 10.0.2.3 104296 Bytes 07.03.2010 16:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 10.02.2010 21:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06.11.2009 16:54:49
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19.11.2009 20:55:03
VBASE002.VDF : 7.10.3.1 3143680 Bytes 20.01.2010 00:08:49
VBASE003.VDF : 7.10.3.75 996864 Bytes 26.01.2010 23:04:09
VBASE004.VDF : 7.10.4.203 1579008 Bytes 05.03.2010 15:42:06
VBASE005.VDF : 7.10.6.82 2494464 Bytes 15.04.2010 20:28:31
VBASE006.VDF : 7.10.7.218 2294784 Bytes 02.06.2010 17:02:24
VBASE007.VDF : 7.10.7.219 2048 Bytes 02.06.2010 17:02:24
VBASE008.VDF : 7.10.7.220 2048 Bytes 02.06.2010 17:02:24
VBASE009.VDF : 7.10.7.221 2048 Bytes 02.06.2010 17:02:24
VBASE010.VDF : 7.10.7.222 2048 Bytes 02.06.2010 17:02:24
VBASE011.VDF : 7.10.7.223 2048 Bytes 02.06.2010 17:02:24
VBASE012.VDF : 7.10.7.224 2048 Bytes 02.06.2010 17:02:24
VBASE013.VDF : 7.10.8.37 270336 Bytes 10.06.2010 15:08:55
VBASE014.VDF : 7.10.8.69 138752 Bytes 14.06.2010 16:56:28
VBASE015.VDF : 7.10.8.102 130560 Bytes 16.06.2010 10:23:36
VBASE016.VDF : 7.10.8.135 152064 Bytes 21.06.2010 12:39:54
VBASE017.VDF : 7.10.8.163 432128 Bytes 23.06.2010 17:55:49
VBASE018.VDF : 7.10.8.194 133632 Bytes 27.06.2010 19:15:41
VBASE019.VDF : 7.10.8.220 134656 Bytes 29.06.2010 21:41:33
VBASE020.VDF : 7.10.8.252 171520 Bytes 04.07.2010 16:13:53
VBASE021.VDF : 7.10.9.19 131072 Bytes 06.07.2010 16:26:10
VBASE022.VDF : 7.10.9.36 297472 Bytes 07.07.2010 20:29:47
VBASE023.VDF : 7.10.9.37 2048 Bytes 07.07.2010 20:29:47
VBASE024.VDF : 7.10.9.38 2048 Bytes 07.07.2010 20:29:47
VBASE025.VDF : 7.10.9.39 2048 Bytes 07.07.2010 20:29:47
VBASE026.VDF : 7.10.9.40 2048 Bytes 07.07.2010 20:29:47
VBASE027.VDF : 7.10.9.41 2048 Bytes 07.07.2010 20:29:47
VBASE028.VDF : 7.10.9.42 2048 Bytes 07.07.2010 20:29:47
VBASE029.VDF : 7.10.9.43 2048 Bytes 07.07.2010 20:29:47
VBASE030.VDF : 7.10.9.44 2048 Bytes 07.07.2010 20:29:47
VBASE031.VDF : 7.10.9.56 112640 Bytes 09.07.2010 18:13:56
Engineversion : 8.2.4.10
AEVDF.DLL : 8.1.2.0 106868 Bytes 23.04.2010 20:32:35
AESCRIPT.DLL : 8.1.3.39 1335674 Bytes 07.07.2010 16:26:12
AESCN.DLL : 8.1.6.1 127347 Bytes 13.05.2010 00:54:45
AESBX.DLL : 8.1.3.1 254324 Bytes 23.04.2010 20:32:35
AERDL.DLL : 8.1.4.6 541043 Bytes 17.04.2010 20:28:37
AEPACK.DLL : 8.2.2.5 430453 Bytes 23.06.2010 17:56:36
AEOFFICE.DLL : 8.1.1.6 201081 Bytes 07.07.2010 16:26:11
AEHEUR.DLL : 8.1.1.38 2724214 Bytes 23.06.2010 17:56:28
AEHELP.DLL : 8.1.11.6 242038 Bytes 23.06.2010 17:55:59
AEGEN.DLL : 8.1.3.13 381300 Bytes 07.07.2010 16:26:11
AEEMU.DLL : 8.1.2.0 393588 Bytes 23.04.2010 20:32:34
AECORE.DLL : 8.1.15.3 192886 Bytes 13.05.2010 00:54:45
AEBB.DLL : 8.1.1.0 53618 Bytes 23.04.2010 20:32:33
AVWINLL.DLL : 10.0.0.0 19304 Bytes 14.01.2010 10:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 14.01.2010 10:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 18.02.2010 14:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 20.04.2010 09:58:15
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 20.04.2010 09:58:15
AVARKT.DLL : 10.0.0.14 227176 Bytes 20.04.2010 09:58:14
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26.01.2010 07:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 28.01.2010 10:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 16.03.2010 13:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 19.02.2010 12:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28.01.2010 11:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 20.04.2010 09:58:14

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 9 iulie 2010 23:02

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'msdtc.exe' - '39' Module(s) have been scanned
Scan process 'dllhost.exe' - '60' Module(s) have been scanned
Scan process 'dllhost.exe' - '44' Module(s) have been scanned
Scan process 'vssvc.exe' - '47' Module(s) have been scanned
Scan process 'avscan.exe' - '67' Module(s) have been scanned
Scan process 'ymsgr_tray.exe' - '28' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '49' Module(s) have been scanned
Scan process 'avshadow.exe' - '25' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '23' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '24' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '10' Module(s) have been scanned
Scan process 'jqs.exe' - '53' Module(s) have been scanned
Scan process 'avguard.exe' - '54' Module(s) have been scanned
Scan process 'uTorrent.exe' - '51' Module(s) have been scanned
Scan process 'ctfmon.exe' - '23' Module(s) have been scanned
Scan process 'winampa.exe' - '16' Module(s) have been scanned
Scan process 'avgnt.exe' - '48' Module(s) have been scanned
Scan process 'Rundll32.exe' - '26' Module(s) have been scanned
Scan process 'sched.exe' - '44' Module(s) have been scanned
Scan process 'spoolsv.exe' - '57' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'Explorer.EXE' - '104' Module(s) have been scanned
Scan process 'svchost.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '29' Module(s) have been scanned
Scan process 'svchost.exe' - '158' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '49' Module(s) have been scanned
Scan process 'lsass.exe' - '57' Module(s) have been scanned
Scan process 'services.exe' - '26' Module(s) have been scanned
Scan process 'winlogon.exe' - '62' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '474' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\Documents & Settings\Alex\Application Data\Sun\Java\Deployment\cache\6.0\57\1cca24f9-607aed3a
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/Java.CVE-2009-3867.8861 exploit
--> dev/s/AdgredY.class
[DETECTION] Contains recognition pattern of the EXP/Java.CVE-2009-3867.8861 exploit
--> dev/s/DyesyasZ.class
[DETECTION] Contains recognition pattern of the EXP/Java.2502 exploit
--> dev/s/LoaderX.class
[DETECTION] Contains recognition pattern of the EXP/Java.3243 exploit
Begin scan in 'D:\'
Begin scan in 'E:\'
E:\Programe\eMule v0.49c.exe
[WARNING] Insufficient memory. The file was not scanned.

Beginning disinfection:
C:\Documents & Settings\Alex\Application Data\Sun\Java\Deployment\cache\6.0\57\1cca24f9-607aed3a
[DETECTION] Contains recognition pattern of the EXP/Java.3243 exploit
[NOTE] The file was moved to the quarantine directory under the name '462d11b5.qua'.

End of the scan: 10 iulie 2010 02:46
Used time: 1:56:33 Hour(s)

The scan has been done completely.

7928 Scanned directories
433840 Files were scanned
3 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
433837 Files not concerned
2604 Archives were scanned
1 Warnings
1 Notes
457204 Objects were scanned with rootkit scan
1 Hidden objects were found

However nothing has changed...
Till now I have fixed the browser problem.
Inside the Internet Explorer directory it was a setupapi.dll wich was the problem.
Seems that Firefox was haveing that file too but was not visibly affected (slowed or something).This one was detected by Malware. Find It In Log.
So the remaining problem is that if I restart my PC the Firewall is getting off almost everytime & also with that the Security Center Alerts, all of them go off along with firewall.
I tested some things to see the simptoms:
So i start the computer and alerts and firewall is off.
I turned them on.
1. If i turn the PC off and then on or restart they are back to off.
2. If i switch off (user) and then log on, or standby or hibernate is logically they will remain on so this tell me is something on startup that closed them.
3. but strangely if I logoff and then I logon (Windows Started Again) the Firewall and Alerts remain On...so what I should understand from 2 and 3 if they are completly opposite eachother.
4. And also something that is opposite to 3 is that sometimes i restart and enter in Security Center I see the green light on Firewall but one second later it's get red and the popup on systemtray appears telling me that is off.

Hope everybody understand my english.
Thank You.

Bobbye · Jul 11, 2010

First of all, please don't zip the logs. It makes extra steps for me. We ask that you paste the logs rather than attach because it enhances our search ability.

As for putting the attach.txt log on a separate thread, I am going to ask the moderator to move it to this thread, then delete the other (https://www.techspot.com/vb/topic149630.html#post902951)

While I review your problem, please do the following:

Please download ComboFix from Here and save to your Desktop.

[1]. Do NOT rename Combofix unless instructed.
[2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3].Close any open browsers.
[4]. Double click combofix.exe & follow the prompts to run.
NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If Combofix asks you to install Recovery Console, please allow it.
[6]. If Combofix asks you to update the program, always allow.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
Re-enable your Antivirus software.
====================================
Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the Active X control to install
Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
Click Start
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
Click Scan
Wait for the scan to finish
Re-enable your Antivirus software.
A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

When you have finished, leave the logs for review in your next reply .

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Alextasy · Jul 12, 2010

seems that ComboFix did the job

combo:

ComboFix 10-07-11.03 - Alex 12.07.2010 2:14.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.40.1033.18.511.297 [GMT 3:00]
Running from: c:\documents & settings\Alex\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents & settings\Alex\Application Data\SystemProc
c:\documents & settings\Alex\Application Data\SystemProc\lsass.exe
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows.0\NOTEPAD.EXE
c:\windows.0\settings.reg
c:\windows.0\system32\3402956424.dat
c:\windows.0\system32\amstreamu.exe
c:\windows.0\system32\Data
c:\windows.0\system32\Ijl11.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCSSUPS
-------\Legacy_SFC
-------\Service_RpcSsUPS

((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.

2010-07-10 19:41 . 2010-07-10 19:41 -------- d-----w- c:\documents & settings\Alex\Application Data\Malwarebytes
2010-07-10 19:41 . 2010-04-29 12:39 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
2010-07-10 19:41 . 2010-07-10 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 19:41 . 2010-07-10 19:41 -------- d-----w- c:\documents & settings\All Users\Application Data\Malwarebytes
2010-07-10 19:41 . 2010-04-29 12:39 20952 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2010-07-10 13:00 . 2010-07-10 13:01 -------- dc-h--w- c:\windows.0\ie8
2010-07-09 19:53 . 2010-07-10 13:24 664 ----a-w- c:\windows.0\system32\d3d9caps.dat
2010-07-08 11:13 . 2010-07-08 12:33 371776 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2010-07-08 11:13 . 2010-07-08 12:32 465984 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2010-07-08 11:13 . 2010-07-08 11:13 -------- d-----w- c:\documents & settings\Alex\Local Settings\Application Data\PunkBuster
2010-07-08 11:13 . 2010-07-08 12:33 187456 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2010-07-08 11:13 . 2010-07-08 12:32 887448 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\pb\pbcl.dll
2010-07-08 11:13 . 2010-07-08 12:32 57344 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\pb\pbag.dll
2010-07-08 11:13 . 2010-07-08 12:32 2436160 ----a-w- c:\documents & settings\Alex\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2010-07-08 10:59 . 2010-07-08 10:59 111928 ----a-w- c:\windows.0\system32\PnkBstrB.exe
2010-07-08 10:59 . 2010-07-08 10:59 75064 ----a-w- c:\windows.0\system32\PnkBstrA.exe
2010-07-08 10:59 . 2010-07-08 10:59 2373712 ----a-w- c:\windows.0\system32\pbsvc.exe
2010-07-08 10:59 . 2010-07-08 10:59 -------- d-----w- c:\documents & settings\All Users\Application Data\id Software
2010-07-05 12:51 . 2010-07-05 12:51 -------- d-----w- c:\documents & settings\All Users\Application Data\Trymedia
2010-06-28 08:43 . 2010-06-28 08:43 -------- d-----w- c:\program files\PC Connectivity Solution
2010-06-28 08:43 . 2010-02-26 11:21 8320 ----a-w- c:\windows.0\system32\drivers\nmwcdnsuc.sys
2010-06-28 08:43 . 2010-02-26 11:21 137344 ----a-w- c:\windows.0\system32\drivers\nmwcdnsu.sys
2010-06-28 08:43 . 2010-02-26 11:32 8192 ----a-w- c:\windows.0\system32\drivers\usbser_lowerfltj.sys
2010-06-28 08:43 . 2010-02-26 11:32 8192 ----a-w- c:\windows.0\system32\drivers\usbser_lowerflt.sys
2010-06-28 08:42 . 2010-02-26 11:32 22528 ----a-w- c:\windows.0\system32\drivers\ccdcmbo.sys
2010-06-28 08:42 . 2010-02-26 11:32 662016 ----a-w- c:\windows.0\system32\nmwcdcocls.dll
2010-06-28 08:42 . 2010-02-26 11:32 18176 ----a-w- c:\windows.0\system32\drivers\ccdcmb.sys
2010-06-28 08:42 . 2010-02-26 11:19 1461992 ----a-w- c:\windows.0\system32\wdfcoinstaller01009.dll
2010-06-28 08:41 . 2010-06-28 08:40 35618008 ----a-w- c:\documents & settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NokiaSoftwareUpdaterSetup_en_us[1].exe
2010-06-28 08:41 . 2010-06-28 08:41 3351812 ----a-w- c:\documents & settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\msxml6Exec.exe
2010-06-28 08:41 . 2010-06-28 08:41 36864 ----a-w- c:\documents & settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\Sleep.exe
2010-06-28 08:41 . 2010-06-28 08:41 3203453 ----a-w- c:\documents & settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\vcredistExec.exe
2010-06-22 13:12 . 2010-06-22 13:12 -------- d-sh--w- c:\documents & settings\LocalService\PrivacIE
2010-06-22 13:12 . 2010-06-22 13:12 -------- d-sh--w- c:\documents & settings\LocalService\IECompatCache
2010-06-22 13:08 . 2010-06-22 13:08 -------- d-----w- c:\documents & settings\Alex\Application Data\InstallShield
2010-06-17 15:53 . 2010-07-03 15:14 -------- d-----w- C:\mp4
2010-06-14 21:29 . 2010-07-05 21:08 -------- d-----w- C:\Promo
2010-06-14 16:58 . 2010-06-14 16:58 -------- d-----w- c:\documents & settings\Alex\Application Data\Thinstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-11 23:05 . 2009-10-18 00:35 -------- d-----w- c:\documents & settings\Alex\Application Data\uTorrent
2010-07-10 22:28 . 2009-11-07 21:55 -------- d-----w- c:\documents & settings\Alex\Application Data\vlc
2010-07-10 13:42 . 2010-03-10 01:01 -------- d-----w- c:\documents & settings\Alex\Application Data\ApexDC++
2010-07-05 21:01 . 2009-07-25 10:24 -------- d-----w- c:\program files\ApexDC++
2010-07-05 13:08 . 2010-03-09 11:51 -------- d-----w- c:\documents & settings\All Users\Application Data\MumboJumbo
2010-07-02 18:48 . 2009-08-14 12:29 -------- d-----w- c:\program files\Garena
2010-06-28 12:28 . 2010-01-15 20:59 -------- d-----w- c:\program files\Common Files\Nokia
2010-06-28 08:51 . 2010-06-28 08:51 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2010-06-28 08:51 . 2010-06-28 08:51 0 ---ha-w- c:\windows.0\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-28 08:42 . 2009-10-20 11:34 -------- d-----w- c:\program files\Nokia
2010-06-28 08:40 . 2009-10-20 11:32 -------- d-----w- c:\documents & settings\All Users\Application Data\Installations
2010-06-22 13:14 . 2009-07-24 21:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-22 12:53 . 2009-07-24 21:07 -------- d-----w- c:\program files\CrystalMark 2004R3
2010-05-31 18:32 . 2010-05-31 18:32 -------- d-----w- c:\program files\StreamingStar
2010-05-25 17:22 . 2010-04-28 20:29 -------- d-----w- c:\documents & settings\Alex\Application Data\dvdcss
2010-05-25 16:42 . 2008-04-14 12:00 361344 ----a-w- c:\windows.0\system32\drivers\tcpip.sys
2010-05-16 02:26 . 2009-10-18 00:16 -------- d---a-w- c:\documents & settings\All Users\Application Data\TEMP
2010-05-15 16:51 . 2010-03-09 11:47 -------- d-----w- c:\program files\uTorrent
2010-05-12 23:36 . 2009-07-25 09:57 -------- d-----w- c:\program files\oDC
2010-05-08 00:09 . 2010-05-08 00:06 1024 ----a-w- c:\windows.0\dspnop32.bin
2010-04-20 22:41 . 2010-04-20 12:18 617 -c--a-w- c:\windows.0\eReg.dat
2010-04-13 10:03 . 2010-04-13 10:03 2373712 ----a-w- c:\documents & settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
.

------- Sigcheck -------

[-] 2010-05-25 . 8E036EEC565910417EA020CE0962AA24 . 361344 . . [5.1.2600.5512] . . c:\windows.0\system32\drivers\tcpip.sys

c:\windows.0\System32\sfcfiles.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2003-11-17 3022848]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"P17Helper"="P17.dll" [2005-05-03 64512]
"nwiz"="nwiz.exe" [2003-11-17 753664]
"NeroFilterCheck"="c:\windows.0\system32\NeroCheck.exe" [2006-01-12 155648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows.0\system32\ctfmon.exe" [2010-03-10 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/25/2009 1:43 PM 135336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows.0\system32\drivers\npf.sys [10/20/2009 9:19 PM 50704]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 cpuz130;cpuz130;\??\c:\docume~2\Alex\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~2\Alex\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~2\Alex\LOCALS~1\Temp\QZKF.tmp --> c:\docume~2\Alex\LOCALS~1\Temp\QZKF.tmp [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows.0\system32\drivers\nmwcdnsu.sys [6/28/2010 11:43 AM 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows.0\system32\drivers\nmwcdnsuc.sys [6/28/2010 11:43 AM 8320]
S3 p17filt;p17filt;c:\windows.0\system32\drivers\p17filt.sys [3/20/2006 6:34 PM 1452032]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ro/
uInternet Settings,ProxyServer = 81.180.120.30:3128
uInternet Settings,ProxyOverride = *.local
TCP: {9F1AD49F-4AFC-4BEA-8E38-0A7E26D00C9A} = 213.157.173.130,213.154.124.1
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {1FE5F6CD-7490-4428-9E79-830E8CC55B8B} - hxxp://82.78.214.29/control/VCViewAtl.cab
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://82.78.216.195/ActiveView.cab
DPF: {82BD8D58-D696-42C3-B3EB-3FD725CE738C} - hxxp://82.78.200.197/OcxMgr.ocx
DPF: {9E265649-6E0E-4EEA-9F49-DAE0801440CF} - hxxp://82.78.200.166/WebDiginet.CAB
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {EFC162AD-F8AC-11D6-BD6F-0020EDBAC1E7} - hxxp://82.78.216.172/IERemote.cab
FF - ProfilePath - c:\documents & settings\Alex\Application Data\Mozilla\Firefox\Profiles\lwad3xq0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Half-Life Dedicated Server Update Tool - d:\hlds\UNWISE.EXE
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-12 02:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~2\Alex\LOCALS~1\Temp\QZKF.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2248)
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\msi.dll
c:\windows.0\system32\webcheck.dll
c:\windows.0\system32\OneX.DLL
c:\windows.0\system32\eappprxy.dll
c:\windows.0\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows.0\system32\PortableDeviceTypes.dll
c:\windows.0\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows.0\system32\nvsvc32.exe
c:\windows.0\system32\PnkBstrA.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows.0\system32\Rundll32.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows.0\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-12 02:31:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-11 23:31

Pre-Run: 2.381.889.536 bytes free
Post-Run: 2.314.047.488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8D9D7F917C42FA695CD9F91AC731455F

eset:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2d32d89583aff24f85d85e6de91bc81f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-12 12:52:13
# local_time=2010-07-12 03:52:13 (+0200, E. Europe Daylight Time)
# country="Romania"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 346367 53791684 0 0
# compatibility_mode=8192 67108863 100 0 136 136 0 0
# scanned=113587
# found=3
# cleaned=0
# scan_time=4423
C:\Qoobox\Quarantine\C\Documents & Settings\Alex\Application Data\SystemProc\lsass.exe.vir a variant of Win32/Injector.CGU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul.vir Win32/Dursg.A trojan 00000000000000000000000000000000 I
E:\Programe\Nero Burning ROM v6.6.1.15d.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I

Hope I didn't do something wrong putting all logs here.
Sorry if I did but that I understanded from you.
Like this reply title say... After the ComboFix it restarted and after te firewall was on. I was thinking that ComboFix did that (turning back on). However it was too late to restart again. Today when I started the computer everything was just fine, and after another restart too.
So thank you so much for helping me.
However I'll apreciate if you could tell me what was the "thing" that turns firewall and alerts off every boot?

Bobbye · Jul 13, 2010

Okay, checking the logs:

Regarding setupapi.dll> that is a legitimate file for Microsoft Windows Setup API

2 questions:
1. Have you ever had a Vundo malware infection that you know of?
2. Have you ever reinstalled the operating system.

There are multiple files that are either corrupt or another copy of Windows in the wrong directory:

This Directory, c:\windows\system32\. has become this c:\windows.0\system32\ This means that functions that need a file or folder in windows\System32 aren't going to be able to find the files because they are now in windows.0\system32.

Regarding the Security Center:

3. but strangely if I logoff and then I logon (Windows Started Again) the Firewall and Alerts remain On...so what I should understand from 2 and 3 if they are completly opposite eachother.
4. And also something that is opposite to 3 is that sometimes i restart and enter in Security Center I see the green light on Firewall but one second later it's get red and the popup on systemtray appears telling me that is off.

Are you absolutely sure this is the 'real Windows Security Center' and that you are getting legitimate Alerts?

I'd like you to run this program please:
Please download VundoFix.exe HERE and save to your desktop:

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the ‘Fix Vundo’ button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Please attach the C:\vundofix.txt log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

There are some drivers I will remove from Combofix after you run this.

Alextasy · Jul 13, 2010

No. 3

A: setupapi.dll is usually loaded from system32 (this file is not infectet)
Any application check firstly in it's own directory...then in system32
So in the browsers folders was an infected setupapi.dll (pure and simple)
1: It's the first time I heard about this word... "vundo"
2: As you can see there is WINDOWS.0... so Logically I did..
My PC's current Windows installation dir is WINDOWS.0
there never was WINDOWS from the current Installed Windows.
So nothing became nothing.
I am absolutely sure that was legitimate Security Center Alerts...
I am not another noob that say he know to handle a PC.
For example I even not alow any instalation of any kind of toolbar...I always keep my browsers clean...or any kind of Ad-Aware that could even be Spyware or just slowing down the PC. I update almost everyday my Antivirus... but however seems that is not so good compared to NOD32 but is better than nothing, and it has the minimum resource needed. I don't install/use modiffied windows.
About the Windows Update... I used to update some while ago but ..last time (about 1 year ago) I was just updating to last thing as ussually and after restart every type of boot (even Safe mode) resulted in BSOD...It might be a verry big coincidence...I trust Microsoft..I wouldn't happen that. Even If I reinstall the windows the system BSOD`ed on the first boot...so I did a Clean Install on other directory. Etc. (Like you might noticed NOW i have "Documents & Settings" not Documenst and Settings. [If you might asking... I know Formatting but I have my personal reasons not to format partition C...I actually know lots...software hardware thnigs but this problem wich I was made to come here was beyond my skills (I don't ussualy get infected... but now it's 2010...who the hell is absolutely untoched by these things wich are growing extremly fast in number)].

I may think you reffered at sfcfiles.dll (corrupt files you talked about) wich is ussually needed by Backup program. (wich I don't use it).
This was happening 09.07.2010 a day before the actual infection.

Avira AntiVir Personal
Report file date: 9 iulie 2010 22:24

Scanning for 2329261 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : VECTRA

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 19.04.2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 20.04.2010 09:58:15
AVSCAN.DLL : 10.0.3.0 46440 Bytes 20.04.2010 09:58:14
LUKE.DLL : 10.0.2.3 104296 Bytes 07.03.2010 16:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 10.02.2010 21:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06.11.2009 16:54:49
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19.11.2009 20:55:03
VBASE002.VDF : 7.10.3.1 3143680 Bytes 20.01.2010 00:08:49
VBASE003.VDF : 7.10.3.75 996864 Bytes 26.01.2010 23:04:09
VBASE004.VDF : 7.10.4.203 1579008 Bytes 05.03.2010 15:42:06
VBASE005.VDF : 7.10.6.82 2494464 Bytes 15.04.2010 20:28:31
VBASE006.VDF : 7.10.7.218 2294784 Bytes 02.06.2010 17:02:24
VBASE007.VDF : 7.10.7.219 2048 Bytes 02.06.2010 17:02:24
VBASE008.VDF : 7.10.7.220 2048 Bytes 02.06.2010 17:02:24
VBASE009.VDF : 7.10.7.221 2048 Bytes 02.06.2010 17:02:24
VBASE010.VDF : 7.10.7.222 2048 Bytes 02.06.2010 17:02:24
VBASE011.VDF : 7.10.7.223 2048 Bytes 02.06.2010 17:02:24
VBASE012.VDF : 7.10.7.224 2048 Bytes 02.06.2010 17:02:24
VBASE013.VDF : 7.10.8.37 270336 Bytes 10.06.2010 15:08:55
VBASE014.VDF : 7.10.8.69 138752 Bytes 14.06.2010 16:56:28
VBASE015.VDF : 7.10.8.102 130560 Bytes 16.06.2010 10:23:36
VBASE016.VDF : 7.10.8.135 152064 Bytes 21.06.2010 12:39:54
VBASE017.VDF : 7.10.8.163 432128 Bytes 23.06.2010 17:55:49
VBASE018.VDF : 7.10.8.194 133632 Bytes 27.06.2010 19:15:41
VBASE019.VDF : 7.10.8.220 134656 Bytes 29.06.2010 21:41:33
VBASE020.VDF : 7.10.8.252 171520 Bytes 04.07.2010 16:13:53
VBASE021.VDF : 7.10.9.19 131072 Bytes 06.07.2010 16:26:10
VBASE022.VDF : 7.10.9.36 297472 Bytes 07.07.2010 20:29:47
VBASE023.VDF : 7.10.9.37 2048 Bytes 07.07.2010 20:29:47
VBASE024.VDF : 7.10.9.38 2048 Bytes 07.07.2010 20:29:47
VBASE025.VDF : 7.10.9.39 2048 Bytes 07.07.2010 20:29:47
VBASE026.VDF : 7.10.9.40 2048 Bytes 07.07.2010 20:29:47
VBASE027.VDF : 7.10.9.41 2048 Bytes 07.07.2010 20:29:47
VBASE028.VDF : 7.10.9.42 2048 Bytes 07.07.2010 20:29:47
VBASE029.VDF : 7.10.9.43 2048 Bytes 07.07.2010 20:29:47
VBASE030.VDF : 7.10.9.44 2048 Bytes 07.07.2010 20:29:47
VBASE031.VDF : 7.10.9.56 112640 Bytes 09.07.2010 18:13:56
Engineversion : 8.2.4.10
AEVDF.DLL : 8.1.2.0 106868 Bytes 23.04.2010 20:32:35
AESCRIPT.DLL : 8.1.3.39 1335674 Bytes 07.07.2010 16:26:12
AESCN.DLL : 8.1.6.1 127347 Bytes 13.05.2010 00:54:45
AESBX.DLL : 8.1.3.1 254324 Bytes 23.04.2010 20:32:35
AERDL.DLL : 8.1.4.6 541043 Bytes 17.04.2010 20:28:37
AEPACK.DLL : 8.2.2.5 430453 Bytes 23.06.2010 17:56:36
AEOFFICE.DLL : 8.1.1.6 201081 Bytes 07.07.2010 16:26:11
AEHEUR.DLL : 8.1.1.38 2724214 Bytes 23.06.2010 17:56:28
AEHELP.DLL : 8.1.11.6 242038 Bytes 23.06.2010 17:55:59
AEGEN.DLL : 8.1.3.13 381300 Bytes 07.07.2010 16:26:11
AEEMU.DLL : 8.1.2.0 393588 Bytes 23.04.2010 20:32:34
AECORE.DLL : 8.1.15.3 192886 Bytes 13.05.2010 00:54:45
AEBB.DLL : 8.1.1.0 53618 Bytes 23.04.2010 20:32:33
AVWINLL.DLL : 10.0.0.0 19304 Bytes 14.01.2010 10:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 14.01.2010 10:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 18.02.2010 14:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 20.04.2010 09:58:15
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 20.04.2010 09:58:15
AVARKT.DLL : 10.0.0.14 227176 Bytes 20.04.2010 09:58:14
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26.01.2010 07:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 28.01.2010 10:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 16.03.2010 13:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 19.02.2010 12:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28.01.2010 11:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 20.04.2010 09:58:14

Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents & Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4c707f51\guard_slideup.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high

Start of the scan: 9 iulie 2010 22:24

The scan of running processes will be started
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'uTorrent.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'Rundll32.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\WINDOWS.0\system32\sfcfiles.dll'
C:\WINDOWS.0\system32\sfcfiles.dll
[DETECTION] Is the TR/Dropper.Gen Trojan

Beginning disinfection:
C:\WINDOWS.0\system32\sfcfiles.dll
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4e80dcf8.qua'.

End of the scan: 9 iulie 2010 22:27
Used time: 00:02 Minute(s)

The scan has been done completely.

0 Scanned directories
33 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
32 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes

The scan results will be transferred to the Guard.

[I'll explain again my theory... if you put head by head all that checkings the only meaning is that the virus was turning of firewall on System Shut Down cause on Logoff the system is not turned of...and back on is everythig like it was (I DON'T mistake Logoff with Switch)... but everything that supress this is that thing that like 2 times I caught is when was turned off (I mean that I entered in Security Center before it was turned off by virus...but right after it was). Hope you'd understanded but it's no matter now...everything is fixed]

I almost forgot... You didn't telled me wich of the infected files (deleted files) you thnik it was the "virus" the was doing that (firewall off). I checked out on google the viruses mentioned out by ESET Online Scaner but none of them seems to have these simptoms or maybe nobody noticed that or however I didn't noticed the simptoms mantioned on the sites I founded out. :haha:
And again some of the files "deleted" (quarantined) by ComboFix are not viruses or infections...for exemple Settings.reg wich contains some registry keys to default the settings for the Creative Soundcard. However I agree it's method... I personally take that like a suspicious file. or that Notepad.exe from Windows directory wich originally is on system32...but is only a clean copy of it but I don't know how it getted there.

LOG:

VundoFix V7.0.6

Scan started at 10:51:39 14.07.2010

Listing files found while scanning....

No infected files were found.

Beginning removal...

Bobbye · Jul 14, 2010

I'm sorry- I don't understand what you're try to say or do. It sounds like you are disputing all of the cleaning directions and results.

Currently, you have system files and folders running as both windows and windows.0. Therefore the system will not be able to identify some of the files when they are needed. Since you say it's fixed, would you like me to close the thread?

Alextasy · Jul 15, 2010

I did a Malwarebytes' Anti-Malware & ESET NOD32 Online Scanner both "full" scan (all partitions) and everything seems to be just fine.

You may close the thread after we clear what didn't you understanded... answer above questions.

What are you base on when you say I have system files and folders on both windows and windows.0?

There is NO system files on "windows" Folder. What made you say it is functional?

All I trying to say is that the currently functional windows is insalled on windows.0 ...so why you may think that have something to do with "windows" folder?

On the other hand this might bring improved security because of some treats that are "installing" in folder named Windows and not in %WinDir% or %SystemRoot%.. etc.

After the Vundo's Clean report you still removed some drivers from Combofix?

And not the last.. Thank You Verry Much For The Best Help I Could Get Ever!

Bobbye · Jul 15, 2010

You're welcome. Since you consider the matter resolved, Removing all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted
Click START> then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Download OTCleanIt by OldTimer and save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
Go to Start > All Programs > Accessories > System Tools
Click "System Restore".
Choose "Create a Restore Point" on the first screen then click "Next".
Give the Restore Point a name> click "Create".
Go back and follow the path to > System Tools.
[*]Choose Disc Cleanup
[*]Click "OK" to select the partition or drive you want.
[*]Click the "More Options" Tab.
[*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Solved Windows firewall keeps turning off

Alextasy

Bobbye

Posts: 16,313 +36

Alextasy

Attachments

Bobbye

Posts: 16,313 +36

Alextasy

Bobbye

Posts: 16,313 +36

Alextasy

Bobbye

Posts: 16,313 +36

Similar threads

Latest posts