Dodni

Honorary Members
  • Posts

    59
Everything posted by Dodni

  1. Can someone kill this post; it is a mistaken dupe and MrC has resolved my issue in the other thread. Thanks again for the assistance!!! -- Dondi
  2. I tried MSCONFIG from the START >> RUN and then went to the STARTUP tab and saw the startup items. I had disabled a dupe of ATI and another one that I didn't need to run on startup. I also tried a program I got indirectly from one of your maintenance tip links STARTUP LITE that looks at the startup items and disables unused ones. I will try the program you suggested above to see if I get better results.
  3. Ok, MrC..... I think the PC is doing well, I don't want to keep you from assisting other people who need help. I still have to END PROCESS for explorer.exe once I boot into Windows and then restart explorer as a new task to get my icons in the systray to appear; I routinely only get MBAM, ATI Catalyst Control Center icon & Network icons to appear in the systray upon initial start of windows. After killing explorer & restarting, I get all to appear except 2 that I know of; Extender resource monitor & Apple Airport extreme manager. Any suggestions and what I could try? I have rebooted many many times, to no avail. Other than that, I think the PC is running well & I thank you immensely for your assistance!! Thanks MrC!!
  4. Hey MrC, gotta catch a train to work.... I will catch up after work, later this evening. Thank you for your help in all of this.... truly appreciated
  5. ok, the one in the $NTUninstall folder was reported as good too on Jotti's ?????
  6. http://virusscan.jotti.org/en/scanresult/f0346af11f67bb604b1d3e3899297ee3e849749d/74a257ce0a9ac57730f305a2e21a5d56c6e2b84e did the scan of the ipsec in the system32/drivers directory says it looks good
  7. hmmm this one not looking too good either.... http://www.virustotal.com/file-scan/report.html?id=5a6c11317def14b8c34a8c669eb75f7a8d46f05090c43d3dff602cfa13cc504e-1326125621 1 VT Community user(s) with a total of 3091 reputation credit(s) say(s) this sample is goodware. 2 VT Community user(s) with a total of 2 reputation credit(s) say(s) this sample is malware.
  8. at the top in the info box it says: 4 VT Community user(s) with a total of 34538 reputation credit(s) say(s) this sample is goodware. 8 VT Community user(s) with a total of 8 reputation credit(s) say(s) this sample is malware. so, out of 12, 4 say it is malware and 8 say it is goodware
  9. This one looks good though: C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [23:55 16/08/2009] [12:00 10/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1 should I scan this with VT?
  10. http://www.virustotal.com/file-scan/report.html?id=394d296f38e7d8efd91a6eec301d9ce6af910e35eb9819f1a9e3363863aedfdc-1326123422#
  11. There are 2 restore points; one created yesterday by OTL at 4:39pm (RP0) and another created at 1:38 this morning (RP1); (I wasn't actively using the PC at 1:38 this morning) Here is the log from SystemLook

      SystemLook 30.07.11 by jpshortstuff
      Log created at 10:23 on 09/01/2012 by Administrator
      Administrator - Elevation successful

      ========== filefind ==========

      Searching for "ipsec.sys"
      C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [23:55 16/08/2009] [12:00 10/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
      C:\WINDOWS\ERDNT\cache\ipsec.sys --a---- 75264 bytes [15:30 05/01/2012] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
      C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [23:48 16/08/2009] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
      C:\WINDOWS\system32\dllcache\ipsec.sys --a--c- 75264 bytes [15:46 15/11/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
      C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [15:46 15/11/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91

      -= EOF =-
  12. Ok, probably my fault that OTL has issues; I had to go back in and turn off real-time protection on the apps that were running. The last try yielded a log:

      All processes killed
      ========== COMMANDS ==========

      [EMPTYTEMP]

      User: Administrator
      ->Temp folder emptied: 5318 bytes
      ->Temporary Internet Files folder emptied: 1069650 bytes
      ->Java cache emptied: 0 bytes
      ->FireFox cache emptied: 56077401 bytes
      ->Apple Safari cache emptied: 0 bytes
      ->Flash cache emptied: 456 bytes

      User: All Users

      User: Default User
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 67 bytes

      User: Dondi
      ->Temp folder emptied: 0 bytes

      User: LocalService
      ->Temp folder emptied: 65716 bytes
      ->Temporary Internet Files folder emptied: 33170 bytes

      User: MCX3
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 67 bytes
      ->Flash cache emptied: 405 bytes

      User: MCX4
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 67 bytes

      User: NetworkService
      ->Temp folder emptied: 163966 bytes
      ->Temporary Internet Files folder emptied: 33170 bytes
      ->Java cache emptied: 51076 bytes
      ->Flash cache emptied: 58938 bytes

      %systemdrive% .tmp files removed: 0 bytes
      %systemroot% .tmp files removed: 1245096 bytes
      %systemroot%\System32 .tmp files removed: 328398 bytes
      %systemroot%\System32\dllcache .tmp files removed: 0 bytes
      %systemroot%\System32\drivers .tmp files removed: 0 bytes
      Windows Temp folder emptied: 67517 bytes
      %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
      %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 373526 bytes
      RecycleBin emptied: 0 bytes

      Total Files Cleaned = 57.00 mb

      Restore points cleared and new OTL Restore Point set!
      Error starting restore point: System Restore is disabled.
      Error closing restore point: System Restore is disabled.

      OTL by OldTimer - Version 3.2.31.0 log created on 01082012_150049

      Files\Folders moved on Reboot...
      File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_d88.dat not found!
      File\Folder C:\WINDOWS\temp\Perflib_Perfdata_e70.dat not found!

      Registry entries deleted on Reboot...
  13. Ok, I changed the curly brace to a bracket and ran another RUN FIX with OTL just after my last post (~1hr ago).... OTL is still "running" at the same spot

      KILLING PROCESS DO NOT INTERRUPT

      I think we may be miscommunicating regarding the ipsec.sys because of the way I formatted my own log from the MSE scan:

      Virus:Win32/Sirefef.N (ALL DISINFECTED)
      file:C:\System Volume Information\_restore{7D16AC66-F68E-485C-93DB-231595C53BA9}\RP994\A0162931.sys
      driver:IPSec file:C:\WINDOWS\system32\drivers\ipsec.sys

      These are 2 separate entries in the MSE scan log. I went into each entry individually and copy/pasted the file/info section on the bottom portion of the properties of each entry. So, the Sirefef.N had 2 entries:

      This was the first one:
      file:C:\System Volume Information\_restore{7D16AC66-F68E-485C-93DB-231595C53BA9}\RP994\A0162931.sys

      ...and this was the second one. This was the one that had me concerned because we used a Combofix script to fix ipsec.sys in our earlier steps
      driver:IPSec file:C:\WINDOWS\system32\drivers\ipsec.sys
  14. Ok, that was a hard crash of the system... OTL created an error dialog box right away and then the rest of the OS became unresponsive. Was that last character in the script supposed to be a bracket instead of a curly brace?
  15. The one that had me worried in that MSE scan was the last one I listed in my log: Virus:Win32/Sirefef.N (ALL DISINFECTED) driver:IPSec file:C:\WINDOWS\system32\drivers\ipsec.sys Besides that, I am almost all the way through your guide of preventive tips; I have completed everything just before the point of using OpenDNS. I have had some issues on startup of windows though; I am assuming since I have Secunia and MBAM installed this may be what is at issue. The issue is that once the desktop appears on Windows logon, the taskbar freezes with the hourglass going the entire time when hovering over the taskbar. The clock in the taskbar stops for at least 3 - 6 minutes. When the system finally "comes-to", I only have 3 icons in my systray (MBAM, the network icon and my ATI icon). I am missing all of the rest of them (at least 10 more apps have a systray icon that should be appearing - eject media icon, usb boost, extender resource monitor, apple airport manager, PC Tools Firewall Plus, LogMeIn, MSE, Transcode 360, Audio Icon,.... I think there is like one or two more, but can't remember at the moment). I am able to artificially get them back by going to task manager and end the explorer.exe process, then in task manager do a new task and restart explorer.exe... I usually get almost all the icons back at this point.
  16. I need to run out the door, but I will be back after 3pm EDT... is the PC "clean" or is there more cleaning to do?
  17. Found in the EVENT VIEWER this error re: MSE The description for Event ID ( 5000 ) in Source ( Microsoft Security Client ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: mssecurityclient, msseces.exe, 2.1.1116.0, 0x80501001, applyactions, cthreatdialog__onallactionscomplete, 0, security essentials, NIL, NIL, NIL.
  18. I wasn't having any issues; no freezing or anything, but I did exclude MBAM from MSE and had MBAM ignore MSE anyways as per the tweak.
  19. Hey MrC. I completed the Windows Update, I re-activated MSE, purchased a license to MBAM and activated real-time monitoring on both. I got PC Tools Firewall Plus and installed as well. Once I installed PC Tools Firewall Plus, it prompted me a bunch of times about blocking certain applications that were acting like servers, etc., but the one that puzzled me was Windows Explorer; I set it to ASK for both IN- and OUT-bound. Not sure what to set this at, and if anything should be going outbound from Windows Explorer. Next, after I activated MSE, it barked at me saying that it hadn't done a full scan in a while, so I started it last night, and it just completed a few minutes ago. It found 33 threats. I told MSE to clean, and I immediately received an error. I hit OK, and hit clean again, and it went through the cleaning process and at the end, it generated an error again. I looked at the history and it looks like it "cleaned" the PC. I hand-made a log and attached (I couldn't find a log for MSE - if you'd rather have that, let me know) MyMSEScanLog.txt
  20. MrC, I was reading your preventive maintenance page (after I created a restore point and am currently doing a Windows Update), and wanted to know if MSE should, should not, or must, be running in real-time protection mode while Malwarebytes Anti-Malware Pro is also running in real-time protection mode, or if it isn't even an issue?
  21. I did get a wscript.exe 2 times... but I don't think it is much of an issue. Thank you MrC, I'll be hitting PP thing... much appreciated!!