PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you for your help! My computer totally crashed today, and I had to have my brainiac brother come fix it for me. Ended up reinstalling everything. Sooo glad I backed up everything yesterday. Thanks for all your help. I really appreciate it!

You're welcome - happy to help. :)

-- I'm actually glad it worked out this way. Those of us who volunteer in forums always like to try to clean a machine even when the wiser course of action is to reinstall the OS.

You should definitely make sure to update your computer to Service Pack 3 as soon as possible. Get ALL the patches!
Also, get a good Antivirus and Firewall and keep everything updated regularly.
I suggest http://www.comodo.com/home/internet-security/free-internet-security.php <--- It's Free!

Your machine previously had Panda 2007 & Clam - be sure to install only ONE AV program. The free Comodo package will also provide one of the better firewalls available today. A must with the record number of rootkits and backdoor trojans we are seeing these days....

--- You should also keep the free MalwareBytes Anti-Malware onboard. Update it and then do the quick scan once a week (or two, but regularly). Again, be sure to update it to the latest malware detecting definitions beforehand!

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My computer tells me there is no such file C:\ComboFix.txt. Should I run combofix again?

Yes - please do that if you have the time. This time, use the command I posted previously.

It sounds like you are good to go for a reinstall, but let's see what the combofix says.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Where do I find this log?

You should find the log at C:\ComboFix.txt.
Just post that for me and we'll see where we stand.

-- Do you have a recovery partition on your machine? Or, did it come with a Windows CD?

-- Do you have a valid Windows product key? Usually it is a sticker attached to your computer - you'll know it when you see it.

-- What is the make and model of the ill computer?


Here's the argument:
1) I'd like to see how our cleaning efforts pan out before we reformat.
However:
2) If you don't have the time, reinstalling windows will be a lot quicker.
And:
3) You should be as certain as possible that the machine is clean before installing SP3 - and a reinstall will provide the most certainty.
And you gotta have SP3 or you leave the machine open to a lot of nasties...

If you have a valid recovery partition, then the fix will amount to the push of a button to revert your computer back to its "right out of the box" state.
You will lose any programs you have installed since and you'll need to do immediate updating of service packs and patches as well as Antivirus and firewall programs.


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

so I think I will play it safe.

Thank you very much for your help! I'll probably close the thread following a successful reinstall.

You're welcome :)

It's always a good idea to play it safe - especially with backdoors and rootkits. You can't take the lack of further symptoms or issues to mean you have nothing to worry about.
Even cleaning these malware will not return your machine to a 100% trustworthy state - though, some people can live with that if they don't use the machine for sensitive issues such as work or financial transactions.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I have Win XP and I was learning how to operate the cacls command and ....

Did you try all of the steps listed here?
http://support.microsoft.com/kb/308421

-- Note that the link calls for XP to first be booted to Safe Mode.

If you have exhausted all other avenues and still have not fixed this, I can talk you through a more complex, but usually effective, method.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I can't run combofix until I turn off "malware protection center". I can't find any way to do this. Everything I found online about this program says it's actually a trojan, so I don't know if I should just go ahead with combofix anyway.

Go ahead with combofix if you are able. Download it and place it on the Desktop as the page says to do.

Then Click START > RUN > in the box type or copy and paste everything in red below and hit ENTER

"%userprofile%\desktop\combofix.exe" /killall

This should run combofix - allow it to finish. It may reboot your machine - let it do so.
Once combofix finishes, please post the log for me.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


It's a rip off.

How is that a rip off? If somebody stops paying me, I stop working.
Wouldn't you? :)

pty commented: I know you didn't resurrect this thread, but posting on it just encourages people to bring back threads from ancient history (2007). -2
PhilliePhan 171 Central Scrutinizer Team Colleague

You can backup to another computer on your network. See --> http://windows.microsoft.com/en-US/windows-vista/Copy-files-to-another-computer
I don't recommend this with an ill machine. I much prefer an external drive for backups.

-- Wiping the hard drive and reinstalling Windows is fairly easy, providing that you have a valid license key and a Windows disk.
-- Your machine may have only a "recovery partition" with which to work. That actually makes things much easier, but, with some of the rootkits today, I wonder if it is 100% safe and effective. 'Course, for a lot of people these days, that's all they have....

If we try to clean this, you'll likely temporarily lose the internet connection - we ought to be able to deal with that.

-- What was the effect of the AVG run? Usually, it will pinpoint the infected driver but fail to remove it because of its critical nature. AVG should tell you that.
No worries - we'll find it soon enough.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

"Firefox can't establish a connection to the server at [insert antivirus site here]." IE won't connect to them.

Hi hodgeemory,

If you need assistance with this problem, please start a new thread and a volunteer should be able to help you.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I haven't had a chance to back up any of my pictures yet. Hoping to have this done tomorrow. Do you know, if I send all the photo files in a zip folder to my e-mail, will I be able to recover those pictures once my computer is running correctly again? I just don't want to run the combofix and risk losing all my documents.

Your best bet would be to use an external hard drive. Or, burn them to DVD or CD.

Frankly, investing in a good, large external hard drive is a good idea. That is the easiest and best way to keep all your important data safe. It is especially easy if you use a drive such as Seagate FreeAgent GoFlex - Though you might want a larger capacity drive.

It is always a good idea to have backups in the event disaster strikes.

-- Running combofix is not going to damage your pictures, etc...
Even on the tiny tiny tiny verrrry remote chance it wrecks your operating system, I should still be able to help you recover your data. So, don't worry about that.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

How much would I need to spend on a computer (desktop) that would be capable of playing BF3 at all the max settings?

That is difficult to say. Your cheapest option would probably be to build it yourself or have it custom built for you.
That way, you control the costs and components and can optimize the machine for a specific use while perhaps skimping on the stuff you don't really need....

'Course, it would involve a good bit of research on your end.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow - this machine has collected a ton of malware.
Not as much as the MBAM log might indicate because a lot of those changes were made by one baddie.
But, still, there were a lot of baddies - many should have been cleaned via regular preventive maintenance....

--- Anyhoo, don't do anything else except run combofix as I mentioned in my last post. We need to see if it will remove the worst offender.
So, run combofix as the linky directs and post the resulting log for me.

I don't think it'll come to a reinstall of OS unless you choose to go that way. But, once the machine has been cleaned as best we can do, it'll need to be updated to SP3. But, you need to WAIT until the machine is clean before doing that.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Ossray2000,

You have contracted a popular and nasty malware. It is usually accompanied by a backdoor trojan that harvests passwords and other sensitive data. If you use this machine for financial transactions or other important business you should change your passwords via an uninfected machine.

-- Generally, in cases such as this, I recommend wiping the hard drive and reinstalling Windows.

If that is not a feasible option for you, we can try to clean it.

-- You will need a flash drive to transfer programs and scanlogs from the ill computer to one that you can use to post with.

-- Is the internet still disabled? If not, it will be during the cleaning process due to some registry changes and an infected driver tied to DHCP.

Anyhoo, let me know how you want to proceed. At any rate, I suggest you back up any important data, music, pix, documents etc...

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If there is anything else I can do please let me know. I appreciate your willingness to help out!

You are doing fine so far - the malware is making life a bit difficult. The main thing I wanted to see was the GMER log and it shows me what I need to see.

--- In all honesty, since you have a rootkit onboard and are running XP with SP2, you may be best served backing up your important data and then wiping the hard drive and reinstalling Windows and then updating it to SP3.

If you'd prefer to try to clean this machine, we can try - but I still recommend backing up any important data beforehand - pictures, music, documents etc...

If you want to go ahead with the cleaning process, please follow the steps in the link below to run combofix. Be sure to install the Recovery Console.
Once combofix finishes, please post the resulting log and we'll go from there:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Let me know if you have any trouble - I'll try to check back tonight, EST.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I dont know how to attach the other file that is supposed to be a ZIP file.

Just copy and paste it - we prefer all logs to be pasted into your replies.

What about the other tools I mentioned?
You have some baddies showing that we need to try to pin down. We need to see those logs, if possible.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi AnnieJo,

Are you able to run the MBAM and the GMER scan as directed in the Read Me First post?
If so, please post the results.

Likewise, see if you are able to access, download and run http://public.avast.com/~gmerek/aswMBR.htm as directed by the linked page.

Let us know how you fare.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks once again, both for the useful advice and for the prompt response to the questions.

You're welcome - happy to help :)

A reinstall will definitely do the trick. But, you also have to have your security measures in place immediately.
Get a good firewall on the laptop. I like the free Comodo firewall. They also provide Secure DNS and TrustConnect services which are great for laptops! - especially TrustConnect.

-- It is always a good idea to back up your data on a regular basis - especially with a laptop.

-- You ought to consider performing a "dust-ectomy" on the machine. There are dozens of "how to" videos and guides on the web if you google remove dust from laptop or something similar.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Latest update is that combofix is uninstalled, the online scanner found no threats and here is the aswMBR log... actually looking clean finally... whatcha think?

Happy to help :)

I agree - looks good.
Though, with these baddies it is difficult to tell. You put rootkits and backdoors together - especially with the active defense mechanisms this particular family employs - and it becomes a bit of a crapshoot.

Normally, in cases such as this, I recommend wiping the HD and re-installing Windows - it's fastest and 100% effective.
But, since you'd already started, why not finish, right? Plus, reformat is not always a feasible option.

Anyhoo, I'll try to take a closer look at some of the previous logs just to be sure, but at quick glance everything looks OK.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

MSE ran into 29 infections all in the system restore files.

OK - You should flush system restore (turn it off and back on) and then try aswMBR again.

Also, please run http://www.eset.com/us/online-scanner/ and post the results.

-- Move combofix back to the Desktop and then follow the steps in the linky below to uninstall it.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Then, please give me an update on how things are working.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Would the Trojan be able to retrieve passwords from before the virus infected the system? I assume not, but maybe it is possible to access history to do this?

Never assume with these malware - Here's a quick overview of this type of malware:
http://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan

These trojans can/may give a bad guy Full Control over your computer.
-- I am operating on the "better safe than sorry" principle here. There is no way to really know what data has been compromised (if any - there may be none) until it is too late. Then, you find out the hard way.
It is possible to pin down whether the backdoor is active or merely waiting/listening for further instructions - but, again, I prefer the BSTS principle :)

Read This---> When Should I Re-Format?

Is it possible to transfer data to an external hard drive or could this infect the external drive and data on it?

There is always risk of reinfection - you need to be careful what you back up. Documents, photos and the like are usually OK. I prefer to use an empty external drive and then scan the crap out of it before transferring the data back to a compy.

I would prefer not to re-install as I don't have a copy of Vista to begin the re-installation.....

That is typically the biggest issue - it'd be a whole lot easier if OEMs still included OS disks with …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hello, and Thank You for taking the time to read this!
PS: AVG seems unable to remove, delete or do anything to this Trojan; if I empty the virus vault I assume this does nothing and allows it back into the system?
I look forward to hearing from any one kind enough to offer advice or help!!
Thanks in advance!

Hi Treadiculous,

You have contracted a particularly nasty malware. It is usually accompanied by a backdoor trojan that harvests passwords and other sensitive data. If you use this machine for financial transactions you should change your passwords via an uninfected machine.

-- Generally, in cases such as this, I recommend wiping the hard drive and reinstalling Windows.

If that is not a feasible option for you, we can try to clean it. One of the reasons it is difficult to clean is that you will likely lose your internet connection during the cleaning process due to the removal of the infected driver (afd.sys, that you noted) and an altered registry.

-- You will need a flash drive to transfer programs and scanlogs from the ill computer to one that you can use to post with.

-- Let me know how you'd like to proceed. This infection can be cleaned, but you'll never be able to trust the machine 100% due to the specific nature of the infection (rootkit).

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

PP: Many thanks for your reply. It's been several weeks since I submitted the file to virusscan.jotti.org and never did get an answer. I did a scan with Malwarebytes/SuperAntispyware/and Avira and no virus was detected so I am hoping this means that the file is legitimate.

The results from Jotti and Virustotal are pretty much immediate unless there is a long queue of uploaded files waiting to be scanned. Both sites tell you where you are in line - usually there is no line and your file will begin being scanned as soon as the upload is finished.
The process takes only a minute or so.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

For example, visit this site:
http://rancidtaste.hubpages.com/hub/How-to-create-a-batch-file

Or not.

The page you linked is all too brief, misleading in some places, and flat out wrong in others. For example, the writer doesn't even know the purpose of @Echo Off in a batch file.

Type @echo off at the beginning of the file. This line prevents the spaces in the batch file to read during execution time.

Say what?

Here are a few far better resources:
http://www.computerhope.com/batch.htm
http://www.ericphelps.com/batch/
http://users.cybercity.dk/~bse26236/home.html

Perhaps the writer of the page you linked could learn something there...

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, I'm seeking your assistance. Every time I open my laptop, "Error loading otvasbpt.dll" appears. Please help me to fix this problem! Thank you so much.

Hi kefert,

Sounds like a malware file has been removed but it is still being called on startup.
Please follow the steps in the linky below:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

I or another volunteer will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It looks like you are on the right track.

I'd like to see the other logs I requested because, if the rootkitted malware is still active, it'll just reinfect another driver and you'll be back at square one.

This malware infects a random driver (from a small predetermined pool) and cleaning attempts bork the internet connection because they do not replace the infected driver, nor do they address the registry damage.

-- Did you back up the registry before hacking it? If not, I suggest you do so with a tool such as ERUNT.

Anyhoo, please post the logs and we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I hope that I can find a solution through this community.

We can try :)

-- Do you have any logs from the malware removal process? If so, please post them.

-- Please download and run Farbar Service Scanner
Check all the boxes and hit scan. It should produce a log. Please post the FSS.txt for us.

-- Please follow the steps in the linky below to obtain the GMER scanlogs and the DDS Logs:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

I or another volunteer will try to check back as time permits.

-- 'Course, if you have issues connecting the ill machine, you'll need a flash drive to transfer the tools and scanlogs....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey - sorry I missed your post.

-- Is the ill machine able to connect to the internet now?

-- Did all the runs of combofix use the cfscript? We'll probably need to update it and run it again without the last cfscript - But, it may bork the internet again.

-- Please post the results of the MBAM and MSE runs.

-- Please run aswMBR.exe as per the linky and post the log and let's see what that tells us.

-- Likewise, if you are able to run a fresh GMER scan as per the Read Me First Sticky post, that would be cool too.
Let's see if we can pin this sucker down....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi PhilliePhan,
Thanks. Let me try

You're welcome.
Let me know how it turns out.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi PhilliePhan,
Thanks. I am also using the same software which my friend is trying to install. So what if I export that particular registry key and send it to him? Is he able to add that key to his registry?
-vinod

You could probably do that.
You might run into problems if the AppDataDir value is different for his setup, but a reinstall should work because the key will now exist and the value can be written anew.

It is easier just to have him open a command prompt and create the reg key.
At command prompt, type:

REG ADD "HKEY_LOCAL_MACHINE\Software\ESET\ESET Security\CurrentVersion\Info" ENTER
Note it is REG<space>ADD<space>HKEY

Then, you'll need to reinstall as before and it should work this time.

If that fails, you'll need to completely remove ESET from the system (All files and reg keys) and start from scratch.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hello Phillie
Sorry for the delay. Started my own workweek and haven't had time to look at the comp in a bit. Should be able to get to this in the next day or so.

Possibly a dumb question, but what is to stop me from simply re-installing the MB network drivers from scratch?

No worries - I'm in the same boat, free time-wise.

-- Nothing is stopping you from reinstalling the drivers. Whether that will work, I couldn't tell you. I doubt it, due to the nature of this malware and the infected system drivers and registry changes.
Thing is, I've seen so many different variations on this infection that it makes my head spin. I don't have as much time as I used to devote to keeping up to date on these baddies - these are so destructive that the repair processes are varied and difficult.

In some cases, removing and rebuilding TCP/IP is the only resort. Here is a good resource for that:
http://smokeys.wordpress.com/2008/07/20/how-to-recover-a-really-dead-windows-xp-sp2sp3-tcpip-stack/

-- Try the steps I posted and see if they help. Also, do try to get some restore disks. It is just a good idea to have them on hand - especially with all the rootkits we are seeing these days.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Then he searched the registry to find that particular key but he can't find that.

Hi Vinod,

That sounds like the problem - you may need to add that registry key. Do you know how to do that?

If not, I can help you. Let me know.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It's totally OK, you've helped me so much!
I did the complete system destructive recovery and downloaded Kaspersky Internet Security 2012.
HOWEVER, I totally forgot I wasn't supposed to do that until I ran ComboFix. I've gotten just 1 error so far, although I can't remember exactly what it said.

Happy to try to help :)

OK - Well I guess if the recovery has gone well enough that you are installing SP3, then those files removed by combofix must not have been too vital.... No need now to DL or run combofix - so don't do that.

-- The AV detections may be heuristic detections based on known malware patterns - probably false positives. No worries at this point.

Let me know when you get everything back to normal. Do Not run any other tools other than Kaspersky.

I would suggest getting hold of some recovery disks from the OEM of your compy. Or, order them from M$. I never understood why OEMs stopped including OS disk with compy (well... greed, I guess), but these days they are more needed than ever...

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

As for the symptoms, I don't seem to be getting any of the mentioned ones.

Sorry I'm not as up to date on these baddies as I used to be. Just don't have as much free time to indulge my malware-fighting hobby as I used to....

OK - I took a quick look at some writeups and you should be OK on this front.
The Sirefef family doesn't employ a bootkit function like the Olmarik/Olmasco TDL type rootkit family does.

Still a pain in the ass, though....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

C:\WINDOWS\system32\drivers\netbt.sys Win32/Sirefef.DA trojan unable to clean

This is problematic - fixing this will bork the internet connection. We ought to be able to fix that, but some cases are considerably more difficult than others.

'Course, if you do a Recovery, then no worries :)

-- Be careful backing up the files. I doubt you'll backup any malware because this baddie seems to limit itself to certain drivers, but again I'm not certain....

PhilliePhan 171 Central Scrutinizer Team Colleague

As for the symptoms, I don't seem to be getting any of the mentioned ones.

Yeah - I don't think you have this variant.
This is more a case on my part of "better safe than sorry." With this malware and with rootkits in general, there are a lot of things I do not know. And, there are a lot of things you cannot be "certain" of with these malware.
They are ever evolving....

I would think a restoration would remove any malware created partition, but I don't know for certain. For all I know, it could protect itself.

It ain't going to hurt anything to check with GParted and see if the signs are there. If there's no sign of the malware partition, then you can proceed to do the restore with confidence.

I can't understand symptoms 6 or 7, however.

Those pertain to the fixes for previous versions which infected the MBR. Obviously, if the malware has created its own partition, then those remedies will have no effect or actually create more problems...


** I have attached a new CFScript that should dequarantine those legit files combofix removed. Just run it as you did the previous one and post me the resulting log.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't think I have the OS disc, but I might be able to find it. Is there any way to see if it did create a new partition? Thanks again

Yes - negster22 has an interesting approach to fixing this using GParted (if indeed this is the case) or checking to see if the malware partition has been created.

I am not going to be around much this weekend - lots of football and beer to be taken care of ;)

Her blog is very detailed and you should be able to follow the steps easily:

Using GParted to Edit the Partition Table & Manage Partitions

http://secure-computer-solutions.com/blog/

http://secure-computer-solutions.com/blog/2011/11/a_new_tdl4_with_a_stealthy_new.html

I'll try to check back tonight - let me know how things are going.
-- If you choose to use the recovery partition, wait until we restore those replicators combofix removed.

*** Obviously, you want to be careful messing with the partitions. If you don't see exactly what you're looking for, best to leave it alone....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am willing to do a complete "Destructive Recovery" if this doesn't work. Would that completely fix my problem?

Yes - Actually, in cases such as this, that would be the best solution.

There are only two problems I can think of:
1) The second run of combofix removed some legit files that may be necessary to the recovery process. We'd need to fix that before you went ahead. So I'd need to see the below log.

-- Please open a command prompt (Start > Run > Type CMD, ENTER)
Then copy&paste the command below and hit enter:
dir /a /s "C:\Qoobox\Quarantine\" >> C:\PEEK.txt
Please post the C:\PEEK.txt

2) The second problem is this - I have seen variations of this malware that, rather than infecting the MBR, actually create a new partition on the HD and flag it to boot first. If that is the case here, I believe we'd need to remove that if you are using the recovery partition.
If you have OS disk, then it won't be a problem because you can completely wipe the hard drive prior to reinstall.....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Does anyone know about the complexity of this program? And if it is really that hard to use?

It is quite easy to use and you will probably need to use it for this infection.

But, combofix is a complex tool and, should things go awry (and they do all too often), you'd be well served to have a knowledgeable volunteer around to help you....

So, Do Not run combofix just yet.

Your best starting point would be here:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

I or another volunteer will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Many thanks for all your help by the way. Learning a lot about rootkit style viruses now... unfortunately.

Happy to try to help!

Sorry for the delay - I fear this will be a bit of a drawn out process.
A lot of malware has killed internet connections over the years, but this new strain is the worst I've seen in the 8 years or so that I have been volunteering in forums. This one is particularly damaging to the TCP/IP stack and we may not be able to repair it.

Even as we proceed, you should probably get in touch with the computer manufacturer (OEM) and have them send you recovery disks. Or talk to Microsoft and get them. You should have a valid Product Key stuck on the compy somewhere and that should keep any costs to a minimum.


Let's try this first and hope we get lucky by throwing the kitchen sink at this:

-- Please download these and transfer them to the Desktop of ill computer:
1) The attached CFScript.txt

2) Option^Explicit's Winsock XP Fix

3) MiniToolBox


THEN:

Close ALL browser windows and then drag the CFScript.txt on the Desktop into ComboFix.exe just like this.

-- Let Combofix run and post the log in the next reply.

NEXT:
Open a command prompt (START > RUN > CMD) and enter the following one by one, hitting …

PhilliePhan 171 Central Scrutinizer Team Colleague

Yay! I turned windows defender off and ran the norton removal tool.....

Great! One less thing to worry about tomorrow :)


I'll defer to Judy on the AV/Firewall side of things.


The Comodo/Avira conflict was resolved a couple years ago.

I really like Avira - It just seems to have all sorts of imaginary issues with various firewalls and other security products these days. Especially with the latest versions.

Avira has had issues with SpywareBlaster (that Judy recommended, BTW :) ) and has even called for the removal of MBAM.

See below:
http://www.pcreview.co.uk/forums/re-avira-wants-uninstall-everything-t4042965.html


As long as you have configured your firewall properly to allow Avira's components to operate unhindered, there should be no problems.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

error: the system was unable to find the specified registry key or value.

OK - let's add it, then.

Download the attached ZIP and Extract FIXWinDef.reg from the zip to the Desktop.
DoubleClick FIXWinDef.reg and Allow it to merge into the registry.

REBOOT and see if that helps.

I'll be back tomorrow - Judy may have additional steps to try should this fail....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

While I'm away, please try this command in elevated command prompt:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /s >> C:\Peek.txt

Please post me the C:\Peek.txt

PP:)
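The two registry steps above (creating the missing ESET ...\CurrentVersion\Info key, and dumping the WinDefend service key to C:\Peek.txt) are typed into cmd.exe with reg.exe. As an added example that is not PhilliePhan's or DaniWeb's code, here is the same pair of tasks in PowerShell, with the check and the safety net a practitioner would want: the dump reports a missing key plainly instead of leaving an empty file, and the create step exports the nearest existing parent key first so the change can be undone (the "back up the registry before hacking it" advice elsewhere on the page). The function names, the backup location and the conversion helper are assumptions; the key paths are the ones from the posts. Run it from an elevated PowerShell prompt (Windows 7 or later).

```powershell
# Added example, not from the original posts. Function names and the backup
# location are assumptions; the key paths in the usage comments come from the posts.

# reg.exe wants HKEY_LOCAL_MACHINE\..., the PowerShell provider wants HKLM:\...
function ConvertTo-PSRegPath {
    param([Parameter(Mandatory)][string]$RegKey)
    $p = $RegKey -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
    $p = $p -replace '^HKEY_CURRENT_USER\\', 'HKCU:\'
    return $p
}

# Equivalent of "reg query <key> /s >> C:\Peek.txt", but a missing key is
# written out as such rather than silently producing nothing.
function Export-RegistryPeek {
    param(
        [Parameter(Mandatory)][string]$RegKey,
        [string]$OutFile = 'C:\Peek.txt'
    )
    $psPath = ConvertTo-PSRegPath $RegKey
    if (-not (Test-Path -LiteralPath $psPath)) {
        "MISSING: $RegKey" | Out-File -FilePath $OutFile -Append
        return $false
    }
    & reg.exe query $RegKey /s | Out-File -FilePath $OutFile -Append
    return $true
}

# Create a key an installer expects but cannot find, after exporting the
# closest existing ancestor to a .reg file on the Desktop for rollback.
function New-RegistryKeyWithBackup {
    param(
        [Parameter(Mandatory)][string]$RegKey,
        [string]$BackupDir = "$env:USERPROFILE\Desktop"
    )
    $psPath = ConvertTo-PSRegPath $RegKey
    if (Test-Path -LiteralPath $psPath) {
        Write-Output "Already present: $RegKey"
        return $false
    }
    # Walk up the path until we reach a key that exists; that is what we export.
    $parent   = $RegKey
    $psParent = $psPath
    do {
        $parent   = Split-Path -Path $parent -Parent
        $psParent = Split-Path -Path $psParent -Parent
    } while ($psParent -and -not (Test-Path -LiteralPath $psParent))

    if ($parent) {
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path $BackupDir "regbackup-$stamp.reg"
        & reg.exe export $parent $backup /y | Out-Null
        Write-Output "Exported $parent to $backup"
    }
    # -Force creates any intermediate keys that are also missing.
    New-Item -Path $psPath -Force | Out-Null
    Write-Output "Created: $RegKey"
    return $true
}

# Usage (the two keys from the posts); uncomment to run:
# Export-RegistryPeek 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend'
# New-RegistryKeyWithBackup 'HKEY_LOCAL_MACHINE\Software\ESET\ESET Security\CurrentVersion\Info'
```

The quoting matters in both worlds: "ESET Security" contains a space, so reg.exe needs the whole path in double quotes, and the PowerShell version passes the path as a single string for the same reason. Double-clicking the exported .reg file restores the parent key exactly as it was before the new key was added.
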

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I used an administrator command prompt and did the verifyrepository and salvagerepository. Both commands returned with "wmi is consistent". After I rebooted, I went to services but windows defender is still not there.

OK - I will grab my Win7 compy and look at a few reg keys.

I probably won't be back until tomorrow evening, EST.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

WMI repository verification failed
error code: 0x80041003
facility: wmi
description: access denied

** Make sure you are running an Administrator Command Prompt

Let me get on my Win7 laptop and look at some reg keys.

In the meantime, let's try running this command:

winmgmt /salvagerepository

Run it over and over until it doesn't fail ( well, within reason, say 5-7 times).

If it runs with no error, REBOOT and see if windows defender shows up in services.

Again, be sure to use the elevated command prompt.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

i did the fix.bat step, services.msc still doesn't show windows defender

That was directed at the Norton and trying to remove that from Security Center, though it ought to resolve erroneous Windows Defender status, as well.

Let's have another look:
Open a command prompt and copy&paste:
winmgmt /verifyrepository ENTER
and tell us the result.


A number of AV programs will shut down Windows Defender + some malware will bork it. I'm not sure what is behind this current issue.

PP:)
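The two posts above (run winmgmt /salvagerepository repeatedly from an elevated prompt, then reboot and check whether Windows Defender is back in services.msc) are one procedure. Here it is as a script, added as an example; it is not code from this thread or from Microsoft. It assumes a Windows 7-era PowerShell, uses the same winmgmt.exe switches the posts name, and the attempt cap and the output strings it matches on ("consistent", "failed") are assumptions about winmgmt's wording:

```powershell
# Added example, not from the thread: check elevation first (0x80041003 "access
# denied" is what a non-elevated prompt gets), verify the WMI repository, retry
# the salvage a bounded number of times, then look for the WinDefend service.
$maxAttempts = 7   # "within reason, say 5-7 times" (assumed cap)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Winmgmt {
    param([string]$Switch)
    # winmgmt.exe reports on stdout; keep the text and the exit code together.
    $text = & winmgmt.exe $Switch 2>&1 | Out-String
    return New-Object PSObject -Property @{
        Switch = $Switch; ExitCode = $LASTEXITCODE; Output = $text.Trim()
    }
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: winmgmt will fail with access denied. Re-run as Administrator.'
    return
}

$verify = Invoke-Winmgmt '/verifyrepository'
Write-Host $verify.Output
if ($verify.Output -match 'consistent') {
    Write-Host 'Repository is consistent; no salvage needed.'
} else {
    $attempt = 0
    do {
        $attempt++
        $salvage = Invoke-Winmgmt '/salvagerepository'
        Write-Host ("Attempt {0}: {1}" -f $attempt, $salvage.Output)
        # Assumed success test: exit code 0 and no "failed" in the message.
        $ok = ($salvage.ExitCode -eq 0) -and ($salvage.Output -notmatch 'failed')
    } until ($ok -or $attempt -ge $maxAttempts)
    if (-not $ok) {
        Write-Warning "Salvage still failing after $maxAttempts attempts; stop and post the last error."
        return
    }
    Write-Host 'Salvage succeeded. Reboot before checking services.'
}

# After the reboot: the check the post asks for, without opening services.msc.
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($defender) {
    Write-Host ("WinDefend is registered, status: {0}" -f $defender.Status)
    # Start: 2 = automatic, 3 = manual, 4 = disabled
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' -Name Start, ImagePath
} else {
    Write-Host 'WinDefend service is still not registered (no key under ...\Services\WinDefend).'
}
```

Save it as a .ps1 and run it from an elevated PowerShell prompt (Run as administrator), the same requirement the posts stress for the cmd version; a salvage that keeps failing after the cap is the signal to stop and report rather than keep hammering the repository.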

PhilliePhan 171 Central Scrutinizer Team Colleague

K ran the FSS and the first thing that happened was a microsoft security window came up notifying me of a win32/sirefef.n virus in one of the system32 drivers.

Right. That's your variant of the ZeroAccess rootkit.
It looks like afd.sys is infected.

-- Usually this type of infection is a pretty high security risk. If you do online banking or financial transactions, you should change any passwords for those accounts using a clean computer.
If you can afford to lose the data on your machine, a reformat is the only way to assure yourself that the machine is 100% clean.
Otherwise, we can try to get it back online and finish cleaning it as best as possible.


Trouble is, the rest of the log looks OK. Usually that is good news - not this time because it means that the connection issues are probably going to be much more difficult to sort out. We will likely need a lot of trial and error testing to isolate the problem.

**Please run Farbar Service Scanner again and, in the box, type afd.sys and then hit Search Files and post that for me.

I will check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry for responding so late...

No Worries.
I, too, am really busy these days. My forum time is going to be intermittent.

I'd like to see all those logs from my last post, if possible.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

And combofix broke my net connection. Working on that now

It'll do that when you have a rootkit in the TCP/IP stack. Combofix also deleted some legit Acer files - they don't look terribly important (except for perhaps the English language one), but I can't be certain.

-- To get back online, you'll need a flashdrive to transfer programs to and from the ill computer.
I will try to help you fix this, but I am really busy with work these days and don't have a lot of forum time.

I am sorry we didn't have a qualified volunteer available to assist you. It is not a good idea to run a powerful tool such as combofix without the assistance of someone familiar with its usage because they are not going to be around to get you out of trouble.
Another example of why this should not be an open forum, I suppose.

Anyhoo, please do the following:

-- Please download and run Farbar Service Scanner
-- Check ALL the boxes and hit scan. It should produce a log. Please post the FSS.txt for me.

-- Also, on the ill machine, please open a command prompt (Start > Run > Type CMD ENTER).
Then type the command below and hit enter:
dir /a /s "C:\Qoobox\Quarantine\" >> C:\PEEK.txt
Please post the C:\PEEK.txt

Note the spaces:
dir <space>/a<space>/s<space> "C:\Qoobox\Quarantine\" <space>>> <space>C:\PEEK.txt

I will check back as time permits.
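The afd.sys post above and this one both come down to the same question Farbar Service Scanner answers: for each service the TCP/IP stack and Security Center depend on, is the registry key still there, does the image file exist, and does it still verify? The script below is an added example that does that audit by hand; it is not the thread's code and not Farbar's. The service list is an assumption (the ones named in this thread plus their networking-stack neighbours), and the ImagePath normalisation covers the forms I know the Services key uses:

```powershell
# Added example, not from the thread or from Farbar Service Scanner: audit the
# services a broken TCP/IP stack usually hinges on. For each one report the
# registry key, Start type, resolved image path, file presence and Authenticode
# status. Assumed list: services named in this thread plus stack neighbours.
$services = 'AFD','tdx','Tcpip','NetBT','Dhcp','Dnscache','nsi','BFE','MpsSvc',
            'iphlpsvc','winmgmt','wscsvc','WinDefend','wuauserv','BITS'

function Resolve-ImagePath {
    param([string]$ImagePath)
    # ImagePath comes in several shapes: \SystemRoot\..., \??\C:\..., a path
    # relative to %SystemRoot%, or a quoted/svchost form with arguments.
    if (-not $ImagePath) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^system32\\', "$env:SystemRoot\System32\"
    if ($path -match '^"([^"]+)"') { return $Matches[1] }
    return ($path -split ' -k ')[0].Trim()
}

function Get-ServiceAudit {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $row = New-Object PSObject -Property @{
        Service = $Name; KeyPresent = $false; Start = $null; ImagePath = $null
        FileExists = $false; Signature = 'n/a'; Signer = $null
    }
    if (-not (Test-Path $key)) { return $row }   # missing key: never shows in services.msc
    $row.KeyPresent = $true
    $props = Get-ItemProperty $key
    $row.Start = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    $file = Resolve-ImagePath $props.ImagePath
    $row.ImagePath = $file
    if ($file -and (Test-Path $file)) {
        $row.FileExists = $true
        $sig = Get-AuthenticodeSignature -FilePath $file
        $row.Signature = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
    }
    return $row
}

$report = $services | ForEach-Object { Get-ServiceAudit $_ }
$report | Select-Object Service, KeyPresent, Start, FileExists, Signature, ImagePath |
    Format-Table -AutoSize

# Rows worth a second look: a missing key explains a service that "isn't in
# services.msc"; a missing file or a bad signature on a boot-start driver such
# as afd.sys is what a driver patched in place by a rootkit looks like.
$suspect = $report | Where-Object {
    -not $_.KeyPresent -or -not $_.FileExists -or $_.Signature -ne 'Valid'
}
$suspect | Select-Object Service, KeyPresent, FileExists, Signature, Signer, ImagePath
```

Two caveats when reading the Signature column. On PowerShell versions older than 5, Get-AuthenticodeSignature only checks embedded signatures, and most Windows binaries (afd.sys included) are catalog-signed, so they show NotSigned even when clean; treat NotSigned as "verify another way" (sigcheck with catalog checking, or sfc /verifyfile=<path>) rather than as proof of tampering, while HashMismatch is a real finding. And the audit reads the registry and files, so it runs from an elevated prompt on the ill machine and is moved there on the flashdrive the post mentions, since the machine is offline.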

PhilliePhan 171 Central Scrutinizer Team Colleague

the message popped up saying combofix is now uninstalled. no problems :)

Sounds like you're good to go!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

ok i've done away with norton :D

Great!

All that is left to do is to uninstall combofix as per the linky below:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Let us know if you run into any problems with the above.

Happy New Year :)
PP