Posts posted by Dodni
-
I use a program called Starter by CodeStuff to manage my startup programs. It doesn't run in the background, but it allows you to easily decide what you want to start up or run on the PC.
You can install it and start to disable some programs and see which one is causing the problem.
Click startups and then look under all sections.
http://www.snapfiles.com/get/starter.html
MrC
I tried MSCONFIG from START >> RUN and then went to the STARTUP tab and saw the startup items. I disabled a dupe of ATI and another one that I didn't need to run on startup. I also tried a program I got indirectly from one of your maintenance tip links, STARTUP LITE, that looks at the startup items and disables unused ones. I will try the program you suggested above to see if I get better results.
-
Ok, MrC..... I think the PC is doing well; I don't want to keep you from assisting other people who need help. I still have to END PROCESS for explorer.exe once I boot into Windows and then restart explorer as a new task to get my icons in the systray to appear; I routinely only get the MBAM, ATI Catalyst Control Center and Network icons to appear in the systray upon initial start of Windows. After killing explorer and restarting, I get all of them to appear except 2 that I know of: Extender resource monitor and Apple Airport Extreme manager. Any suggestions on what I could try? I have rebooted many, many times, to no avail. Other than that, I think the PC is running well and I thank you immensely for your assistance!! Thanks MrC!!
-
Hey MrC, gotta catch a train to work.... I will catch up after work, later this evening. Thank you for your help in all of this.... truly appreciated
-
Ok, the one in the $NTUninstall folder was reported as good too on Jotti's.
?????
-
Did the scan of the ipsec in the system32/drivers directory.
It says it looks good.
-
This one looks good though:
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [23:55 16/08/2009] [12:00 10/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
should I scan this with VT?
Hmmm, this one is not looking too good either....
1 VT Community user(s) with a total of 3091 reputation credit(s) say(s) this sample is goodware. 2 VT Community user(s) with a total of 2 reputation credit(s) say(s) this sample is malware.
-
At the top, in the info box, it says:
4 VT Community user(s) with a total of 34538 reputation credit(s) say(s) this sample is goodware. 8 VT Community user(s) with a total of 8 reputation credit(s) say(s) this sample is malware.
So, out of 12, 4 say it is malware and 8 say it is goodware.
-
Yes, I thought it was interesting that 33% say it is malware
-
There are 2 restore points;
one created yesterday by OTL at 4:39pm (RP0) and another created at 1:38 this morning (RP1); (I wasn't actively using the PC at 1:38 this morning)
Here is the log from SystemLook
SystemLook 30.07.11 by jpshortstuff
Log created at 10:23 on 09/01/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "ipsec.sys"
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [23:55 16/08/2009] [12:00 10/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ERDNT\cache\ipsec.sys --a---- 75264 bytes [15:30 05/01/2012] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [23:48 16/08/2009] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec.sys --a--c- 75264 bytes [15:46 15/11/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [15:46 15/11/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
-= EOF =-
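The hash comparison done by eye in the SystemLook log above can be automated. The Python below is an added example, not part of this thread and not code from the SystemLook tool: it parses SystemLook's filefind lines (the line format is inferred from the log posted here), sorts each copy of ipsec.sys by where it lives, and reports whether the live driver in system32\drivers hash-matches the copies Windows XP keeps in dllcache and ServicePackFiles. The role given to the ERDNT folder (a cleanup tool's backup) and the reading of the two bracketed timestamps as created/modified are assumptions, marked as such in the code.

```python
"""Check a SystemLook 'filefind' result the way the thread does by hand:
does the live driver hash-match the OS's own pristine copies?

Added example; not part of the forum thread or of the SystemLook tool.
The line format below is inferred from the log posted in the thread.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Copied verbatim from the SystemLook log posted in the thread.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 10:23 on 09/01/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "ipsec.sys"
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [23:55 16/08/2009] [12:00 10/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ERDNT\cache\ipsec.sys --a---- 75264 bytes [15:30 05/01/2012] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [23:48 16/08/2009] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec.sys --a--c- 75264 bytes [15:46 15/11/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [15:46 15/11/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
-= EOF =-
"""

# One filefind hit: path, 7-char attribute flags, size, two bracketed
# timestamps, MD5. Inferred from the log lines above.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


class FileEntry(NamedTuple):
    path: str
    attrs: str
    size: int
    created: str   # first bracket; assumption: when this copy landed on disk
    modified: str  # second bracket; assumption: matches the SP2/SP3 build dates
    md5: str


# Windows XP's own pristine stores (Windows File Protection cache and the
# service-pack install cache). A live system file should hash-match these.
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")


def parse_filefind(log: str) -> List[FileEntry]:
    """Return the file hits inside the '========== filefind' section."""
    entries: List[FileEntry] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("========== filefind"):
            in_section = True
            continue
        if line.startswith("==========") or line.startswith("-= EOF"):
            in_section = False
            continue
        m = LINE_RE.match(line) if in_section else None
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["ts1"], m["ts2"], m["md5"].upper()))
    return entries


def role_of(path: str) -> str:
    """Classify a copy by the directory it sits in."""
    p = path.lower()
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if "$ntservicepackuninstall$" in p:
        return "sp_uninstall"   # pre-SP build kept for uninstall; differs by design
    if "\\erdnt\\" in p:
        return "tool_backup"    # assumption: ERDNT is a cleanup tool's backup folder
    return "live"


def check_live_copies(log: str) -> Dict[str, object]:
    """Compare every live copy against the reference-store hashes."""
    entries = parse_filefind(log)
    by_role: Dict[str, List[FileEntry]] = defaultdict(list)
    for e in entries:
        by_role[role_of(e.path)].append(e)
    ref_hashes = {e.md5 for e in by_role["reference"]}
    warnings: List[str] = []
    if len(ref_hashes) > 1:
        warnings.append("reference copies disagree with each other; one may have been replaced")
    live: Dict[str, str] = {}
    for e in by_role["live"]:
        if not ref_hashes:
            live[e.path] = "no reference copy to compare against"
        elif e.md5 in ref_hashes:
            live[e.path] = "matches reference copies"
        else:
            live[e.path] = "DIFFERS from reference copies; treat as suspect"
    # Distinct builds present on disk, keyed by MD5 with their byte sizes.
    builds = {e.md5: e.size for e in entries}
    return {"live": live, "reference_hashes": sorted(ref_hashes),
            "builds": builds, "warnings": warnings}


if __name__ == "__main__":
    for path, verdict in check_live_copies(SAMPLE_LOG)["live"].items():
        print(f"{path}: {verdict}")
```

On the log above it reports the live driver as matching both reference copies, with two builds on disk: the 74752-byte pre-SP3 file kept under $NtServicePackUninstall$ and the 75264-byte build everywhere else. A match only shows the driver agrees with the WFP cache; malware that replaces a protected driver can overwrite the dllcache copy as well, so the hash is still worth the VirusTotal or Jotti lookup done later in the thread.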
-
Ok, probably my fault that OTL has issues; I had to go back in and turn off real-time protection on the apps that were running. The last try yielded a log:
All processes killed
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 5318 bytes
->Temporary Internet Files folder emptied: 1069650 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 56077401 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 456 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: Dondi
->Temp folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: MCX3
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 405 bytes
User: MCX4
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: NetworkService
->Temp folder emptied: 163966 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 51076 bytes
->Flash cache emptied: 58938 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1245096 bytes
%systemroot%\System32 .tmp files removed: 328398 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 67517 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 373526 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 57.00 mb
Restore points cleared and new OTL Restore Point set!
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.
OTL by OldTimer - Version 3.2.31.0 log created on 01082012_150049
Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_d88.dat not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_e70.dat not found!
Registry entries deleted on Reboot...
-
Ok, I changed the curly brace to a bracket and ran another RUN FIX with OTL just after my last post (~1hr ago).... OTL is still "running" at the same spot KILLING PROCESS DO NOT INTERRUPT
I think we may be miscommunicating regarding the ipsec.sys because of the way I formatted my own log from the MSE scan:
Virus:Win32/Sirefef.N (ALL DISINFECTED)
file:C:\System Volume Information\_restore{7D16AC66-F68E-485C-93DB-231595C53BA9}\RP994\A0162931.sys
driver:IPSec
file:C:\WINDOWS\system32\drivers\ipsec.sys
These are 2 separate entries in the MSE scan log. I went into each entry individually and copy/pasted the file/info section on the bottom portion of the properties of each entry. So, the Sirefef.N had 2 entries:
This was the first one:
file:C:\System Volume Information\_restore{7D16AC66-F68E-485C-93DB-231595C53BA9}\RP994\A0162931.sys
...and this was the second one. This was the one that had me concerned because we used a Combofix script to fix ipsec.sys in our earlier steps
driver:IPSec
file:C:\WINDOWS\system32\drivers\ipsec.sys
-
Ok, that was a hard crash of the system... OTL created an error dialog box right away and then the rest of the OS became unresponsive. Was that last character in the script supposed to be a bracket instead of a curly brace?
-
The one that had me worried in that MSE scan was the last one I listed in my log:
Virus:Win32/Sirefef.N (ALL DISINFECTED)
driver:IPSec
file:C:\WINDOWS\system32\drivers\ipsec.sys
Besides that, I am almost all the way through your guide of preventive tips; I have completed everything just before the point of using OpenDNS. I have had some issues on startup of Windows though; I am assuming since I have Secunia and MBAM installed this may be what is at issue. The issue is that once the desktop appears on Windows logon, the taskbar freezes with the hourglass going the entire time when hovering over the taskbar. The clock in the taskbar stops for at least 3 - 6 minutes. When the system finally "comes to", I only have 3 icons in my systray (MBAM, the network icon and my ATI icon). I am missing all of the rest of them (at least 10 more apps have a systray icon that should be appearing - eject media icon, usb boost, extender resource monitor, apple airport manager, PC Tools Firewall Plus, LogMeIn, MSE, Transcode 360, Audio Icon,.... I think there are one or two more, but can't remember at the moment). I am able to artificially get them back by going to task manager and ending the explorer.exe process, then in task manager doing a new task and restarting explorer.exe... I usually get almost all the icons back at this point.
-
I need to run out the door, but I will be back after 3pm EDT... is the PC "clean" or is there more cleaning to do?
-
Looks like they're from system restore.
The firewall has to go through a learning process.
I have explorer set to in and out.
MrC
In and out are set to Block, Allow All, Allow Trusted or Ask?
-
Found in the EVENT VIEWER this error re: MSE
The description for Event ID ( 5000 ) in Source ( Microsoft Security Client ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: mssecurityclient, msseces.exe, 2.1.1116.0, 0x80501001, applyactions, cthreatdialog__onallactionscomplete, 0, security essentials, NIL, NIL, NIL.
-
Yes, there's a little tweak to apply if there's any problems:
http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=181018entry181018
MrC
I wasn't having any issues; no freezing or anything, but I did exclude MBAM from MSE and had MBAM ignore MSE anyway as per the tweak.
-
Hey MrC. I completed the Windows Update, I re-activated MSE, purchased a license to MBAM and activated real-time monitoring on both. I got PC Tools Firewall Plus and installed as well.
Once I installed PC Tools Firewall Plus, it prompted me a bunch of times about blocking certain applications that were acting like servers, etc., but the one that puzzled me was Windows Explorer; I set it to ASK for both IN- and OUT-bound. Not sure what to set this at, and if anything should be going outbound from Windows Explorer.
Next, after I activated MSE, it barked at me saying that it hadn't done a full scan in a while, so I started it last night, and it just completed a few minutes ago. It found 33 threats. I told MSE to clean, and I immediately received an error. I hit OK, and hit clean again, and it went through the cleaning process and at the end, it generated an error again. I looked at the history and it looks like it "cleaned" the PC. I hand-made a log and attached it (I couldn't find a log for MSE - if you'd rather have that, let me know).
-
MrC, I was reading your preventive maintenance page (after I created a restore point and am currently doing a Windows Update), and wanted to know if MSE should, should not, or must, be running in real-time protection mode while Malwarebytes Anti-Malware Pro is also running in real-time protection mode, or if it isn't even an issue?
-
wscript.exe error that is
-
I did get a wscript.exe 2 times... but I don't think it is much of an issue.
Thank you MrC, I'll be hitting PP thing... much appreciated!!
-
ok, did those and rebooted
Win XP Security 2012 Plus Ping.exe (in Resolved Malware Removal Logs)
Can someone kill this post; it is a mistaken dupe and MrC has resolved my issue in the other thread. Thanks again for the assistance!!!
-- Dondi