
Infected - Need Help



Good evening,

I'm apparently infected with a virus / malware (MB is blocking several sites almost continuously throughout the day - see attached protection log for details), so I'm posting the results of DDS and GMER recommended by the help instructions pinned on this forum section.

The contents of 'DDS.txt' are posted below.

And I've attached the following files:

- Attach.zip containing Attach.txt (from DDS) and Ark.txt (from GMER)

- mbam-log-2010-07-25 (22-46-10).txt

- protection-log-2010-07-25.txt

I made note of the following while completing each of the tasks in the help instructions:

- DeFogger (DDS) did NOT ask to reboot my machine when finished (contrary to what is stated in the instructions)

- I received a Windows error (something about encountering a problem and needing to close the program) the first time I ran GMER Rootkit Scanner about a minute or so into the run, but the second start did not have any problems.

Appreciate any help that can resolve this problem.

Thanks,

Mark

DDS (Ver_10-03-17.01) - NTFSx86

Run by Mark at 21:17:47.67 on Sun 07/25/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.961 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\WISPTIS.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Documents and Settings\Mark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229716474031

DPF: {656FAD09-4DE3-4C34-9600-0928C855FD7A} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229716465093

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\3lbh0xw0.default\

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-6 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-19 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-19 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-19 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-19 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-19 297752]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-12-19 304464]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-12-19 88192]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-19 20952]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-4-12 18560]

=============== Created Last 30 ================

2010-07-26 02:15:58 0 ----a-w- c:\documents and settings\mark\defogger_reenable

==================== Find3M ====================

2010-06-06 14:12:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-06 14:12:14 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-06 14:11:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

============= FINISH: 21:19:28.31 ===============

Attach.zip

mbam_log_2010_07_25__22_46_10_.txt

protection_log_2010_07_25.txt

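As an added example (not part of the original thread or of the DDS tool itself), here is a small Python parser for the DDS sections a helper reads first: the BHO, Run-key and Hosts lines of the Pseudo HJT Report and the SERVICES / DRIVERS block. The sample input is constructed from a few lines of the log above; the function and class names are my own.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: a few lines in the format of the DDS log posted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-6 64288]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-19 20952]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-4-12 18560]
"""

class Bho(NamedTuple):
    name: str
    clsid: str
    path: str

class RunEntry(NamedTuple):
    scope: str   # 'u' = per-user (HKCU) Run key, 'm' = machine-wide (HKLM)
    name: str
    command: str

class Driver(NamedTuple):
    state: str   # R = running, S = stopped; the digit is the service start type
    name: str
    path: str
    date: str
    size: int

BHO_RE = re.compile(r"^BHO: (?P<name>.+?): \{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?) "
                    r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")

def parse_dds(text: str) -> Dict[str, list]:
    """Return the BHO, Run, Hosts and service/driver entries found in a DDS log."""
    out: Dict[str, list] = {"bho": [], "run": [], "hosts": [], "services": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            out["bho"].append(Bho(m["name"], m["clsid"].lower(), m["path"]))
        elif m := RUN_RE.match(line):
            out["run"].append(RunEntry(m["scope"], m["name"], m["cmd"]))
        elif m := HOSTS_RE.match(line):
            out["hosts"].append((m["ip"], m["host"]))
        elif m := SVC_RE.match(line):
            out["services"].append(
                Driver(m["state"], m["name"], m["path"], m["date"], int(m["size"])))
    return out

def executable_of(command: str) -> str:
    """Strip arguments from a Run-key command; unquoted paths may contain spaces."""
    if command.startswith('"'):
        return command[1:].partition('"')[0]
    m = re.match(r"^(.+?\.(?:exe|scr|dll))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command

def loopback_hosts(parsed: Dict[str, list]) -> List[str]:
    """Hostnames the hosts file points at localhost (a common way to block security sites)."""
    return [host for ip, host in parsed["hosts"] if ip in ("127.0.0.1", "::1")]
```

Run it over a full DDS.txt to get the autostart entries and drivers as structured records instead of reading them line by line.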

Please download ComboFix from this link, save it on your desktop, turn off your anti-virus software, and run the ComboFix download that you had saved on your desktop.

Combofix will ask you a few questions (such as whether or not you want to install the Windows Recovery Console), give you some general warnings about not using it without supervision, and it will give you some general information about the tool. Please note that the Windows Recovery Console is not required to run ComboFix, and that you do not need it if you have a Windows XP disk.

ComboFix usually takes about 10 minutes to run, unless your computer is heavily infected. It will run through about 50 different stages (listing them all on the blue window that popped up while it was running), and if it does not advance to the next stage after about 10 minutes then that is usually a sign that your anti-virus software is interfering with it.

Once ComboFix is done, it will remove anything that it knows is malicious, and restart your computer. If it didn't find anything malicious, then it will skip that step. The final step takes a few minutes, and when it is done it will open a log in Notepad. Please either copy and paste this log into a reply, or save it on your desktop as a Text Document and attach it to a reply. Please do not take screenshots of the log, or save it as a Word Document.


Thanks for your reply!

Combofix has been running for about 25 minutes, but the blue DOS window still states "Scanning for infected files. . ." along with a note that the process typically doesn't take more than 10 minutes but could easily be double that for badly infected machines. The disk drive light comes on for a second or so every 10-15 seconds, but I don't think much is happening.

I'm running AVG Free Anti-Virus 8.5 but believe that I was able to disable it through the program's Advanced Settings. Windows Security does indicate that there is no active anti-virus protection at the moment.

Any suggestions?

Thanks,

Mark


ComboFix usually states what stage it is on while it is scanning, and there are 50 stages that it goes through. It's possible that something has deleted part of ComboFix, or prevented part of it from running.

Go ahead and close ComboFix, and restart your computer. Afterwards, please follow the instructions below:

  1. Download RootRepeal from the following location and save it to your desktop.
     - Rar Mirrors - Only if you know what a RAR is and can extract it.
  2. Extract RootRepeal.exe from the archive.
  3. Open RootRepeal from the icon on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes.
  7. Click the 'Ok' button.
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


I couldn't close ComboFix so had to do a "hard" reboot by turning off the power. Once re-booted, I decided to try ComboFix again, and this time it indicated that a new version of ComboFix was available so I let the program update itself and run. No problems this time, so attached is the log file it created. The program did not reboot my machine, but I do still have the log file open - perhaps when I close it, the program will reboot my machine.

Appreciate the help thus far. Hopefully we can get rid of the virus/malware.

Thanks.

ComboFix_log_2010_07_28.txt


Well, that ComboFix log looks pretty good. Please run an online virus scan through ESET to make sure that everything was cleaned up. Here are the steps:

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the "ESET Online Scanner" button.
  4. Put a check in the box that says "YES, I accept the Terms of Use."
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says "Remove found threats" (this is very important).
  7. Click on "Advanced settings".
  8. Put a check in the box that says "Scan for potentially unsafe applications".
  9. Verify that "Scan for potentially unwanted applications" is also checked.
  10. Verify that "Enable Anti-Stealth technology" is also checked.
  11. Click the 'Start' button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  12. When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  13. Save that text file on your desktop, and then copy and paste it into a reply for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.


OK, that log looks good (would have let you know earlier if my silly phone would have opened the log; I can't wait until Opera Mobile is available for the Palm Pre).

Please open Malwarebytes' Anti-Malware, and run the update. Once it's done updating, run a Quick Scan, remove anything it finds, and attach the log to a reply.


Attached is the log from my updated QuickScan this morning. Apparently nothing found.

What about the trojan that was found earlier by ESET as shown below?

C:\Qoobox\32788R22FWJFW\ipsec.sys Win32/Olmarik.ZC trojan

Did a subsequent automatic scan by Malwarebytes take care of it? I guess I could review some of the previous logs to see if it was removed. I did run a search on my C:\ drive and this is what it found for a search of *ipsec*.sys:

C:\WINDOWS\ServicePackFiles\i386

C:\WINDOWS\system32\drivers

Thanks.

mbam_log_2010_08_02__08_04_14_.txt


What about the trojan that was found earlier by ESET as shown below?

C:\Qoobox\32788R22FWJFW\ipsec.sys Win32/Olmarik.ZC trojan

This detection was actually a part of ComboFix, and while it is not malicious, it is a powerful tool that occasionally comes bundled with something malicious (lazy creators of malicious software will often take advantage of useful tools that were created for technicians in order to automate tasks that they don't want to have to write out their own code to do), so ESET will detect it just in case (they don't really know if the ipsec.sys file came with ComboFix or if it came with some sort of malicious software, so they prefer to be on the safe side). In this case the file is perfectly safe, and is not a threat. :rolleyes:

From the logs, everything is looking good. Let me know if you are still having any issues.


OK. Everything appears fine on my end. The daily protection logs from Malwarebytes no longer show it constantly blocking access to certain websites.

Are there any additional steps that I need to take? For instance, do I need to run DeFogger (DDS) again to reactivate a certain process?

Thanks.


Are there any additional steps that I need to take? For instance, do I need to run DeFogger (DDS) again to reactivate a certain process?

Yes, if you ran DeFogger to disable virtual drives then you will probably want to go ahead and re-enable them. You may also want to delete all of the tools that we have used while fixing your computer.

You may also want to read the article at this link which talks about preventing your computer from getting infected.


Thanks again for all your help!! And I appreciate the link you sent to your webpage about security - very good information.

You are quite welcome. :rolleyes:

I am going to go ahead and close this topic so that it won't get hijacked. If you need me to reopen it, then please click on my user name over to the left, and send me a message.
