Windows Security Alert pops "Firewall disabled" but firewall is still on

About two hours ago, my computer lost its internet connection and was searching for a network address. This happens a lot, and so far I thought it was normal. But when I right-clicked the icon for “repair”, it restarted the connection search. Instead of simply reconnecting, I noticed a Windows Security Alert popup that said my firewall was disabled. My computer also went very slow at the time, but is now at normal speed and connected. The popup disappeared as soon as it was shown. I immediately checked the settings, but they showed the firewall was still on. I still have a popup saying I turned off automatic updates (I did do this), but it is no longer saying my firewall is off. What could have caused this weird thing to happen? Since then there has been no sign or symptom of infection.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:13 PM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203793280531
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203883312734
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe


End of file - 6605 bytes

Other than a suspicion, what makes you think it is malware, as you have more anti-spyware installed than you can shake a stick at?

AdAware (a waste of HDD space), a-squared (not very effective other than the fact it has resident protection), Spybot S&D with TeaTimer enabled, SAS. I would say that is overkill, and you could probably lose the first two without any major decrease in protection.

This can put quite a load on your system and on occasion it crashes, so I don’t know if that might have anything to do with your connection problems.
C:\WINDOWS\system32\SearchIndexer.exe

See http://www.google.co.uk/search?q=SearchIndexer.exe

Other than that I don’t see anything obvious.

This is, I believe, an old version of Acrobat PDF Reader and as such vulnerable:
I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

Unknown:
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
This is just an ActiveX control and, if required by a site, would be reinstalled.

Thank you for a quick reply. The first step to solving a problem is acceptance. I do have way too much overprotection on my computer. I will certainly research which are the best programs to keep. Don’t worry, Avast will always have a place with my computer.

But does anyone know anything about the firewall question? That is what worries me, and it made me decide to download some of those programs in the heat of the moment. So far, it has been over four hours and there is no sign or symptom of infection, but what would have caused the security alert to briefly say my firewall is disabled? It was only for a second, and then it was, and continues to be, on. Was my computer hijacked? Just a fluke in the computer? A conflict? I don’t know, but so far everything is clean; the question is why did it happen?

Another question, but a quick one. What should I do with the unknown “O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}”? Can I check when it was created on my computer? What should I do with it?

I will deal with the quick one first: get rid (Fix:) of the O10 entry. It isn’t critical, as it can easily be restored by whatever created it; notice the ‘whatever’ bit: if searching on the entry found nothing, I doubt you would find what put it on your computer (or I wouldn’t have put it under Unknown).

As for the firewall question, I honestly don’t know or I would have hazarded a guess.

However, you don’t mention what firewall you have, but from your log file I would assume Windows XP’s, which being severe is like a fire door that only protects you from fire if you are on the right side of the door.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection, and you should consider a third-party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo (care required now it is a suite: don’t install the anti-virus element), PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

As requested, here is my Malwarebytes’ Anti-Malware log. For other information, I did find, quarantine, and delete infected folders nGpxx01 and f02WtR in system32. I have run SUPERAntiSpyware, Spybot, a-squared, Advanced SystemCare Professional, Avast, CCleaner, and Ad-Aware. I have run scans set to maximum, in safe mode, but have found only those two infected folders. But when I restarted my computer less than five minutes ago, I got another Windows Security Alert saying my Windows firewall was turned off, but in less than three seconds the text was cleared and it no longer showed the Windows firewall was off (only my Automatic Updates are off, which I did do). This time the Windows firewall “turned off” while my computer was loading programs at startup. It just happened again when I disabled my Wireless Network Connection in My Network Connections and then clicked repair, while it was repairing. Please help with any theories or advice; I have found no infections, so could this be a conflict or error?

My first suggestion is to get a firewall that provides more protection and hopefully does far better than the Windows firewall, which is why I gave the general firewall info.

If you are coming up empty on scans, it is possible something could be hidden by a rootkit, which may or may not be responsible for the firewall issue. After the WSC alert text about the firewall being off, is the firewall actually off (Windows Control Panel, Security Center)?

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.


Welcome to the forums, ahhnoo. :)

Just for your peace of mind, the O16 entry that you ask about belongs to Adobe Systems. So, I guess you have some Adobe product (PDF reader, Flash player, etc.) on your computer. In your HJT log, it seems the entry just below mentions Shockwave.

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
http://www.systemlookup.com/O16/628-gp_cab.html

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)

So, there is no need to worry about that entry. I hope the info above helps you.


Thanks all for the continuing support. Since my last post, I have installed Comodo Internet Security Firewall package (free). And since I have installed Comodo, I have had no WSC alerts about firewalls off. In response to the above question, No the firewall was never seen to be off, only the WSC alert saying it was for a second and then the alert would be changed and would say the firewall was on. It was like the firewall restarted on its own or something. What could cause this if it is not an infection?

Since my last reply, good news and bad news. Good news: I have done a Panda rootkit scan, all clean and no signs of infection. I also did a RootkitBuster scan, all clean and no signs of infection. Bad/questionable news: I am still perplexed as to why the former incident with the Windows Security Alert and the Windows Firewall happened. So far no alert has appeared since I installed Comodo. Theories, or tellings of past similar experiences, are greatly appreciated. I also did an SDFix scan, but I don’t know how to interpret the results. Here:

SDFix: Version 1.240
Run by UserOne on Tue 12/30/2008 at 11:30 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 23:39:26
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Mon 12 Apr 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 23 Feb 2008 4,348 ...SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Wed 4 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 23 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"

Finished!
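As an added example (not part of the thread, and not SDFix's own code), here is a small Python parser for the two SDFix sections above: the firewall "Authorized Application Key Export" and the catchme summary. It reads each registry value in its path:scope:state:name form, lists enabled exceptions for programs that live outside Windows or Program Files for review, and pulls out the hidden-object counts and any NTDLL modifications; the sample export is constructed from the thread's own entries plus one made-up entry in a user Temp folder.

```python
import re
from typing import Dict, List, NamedTuple

class FwException(NamedTuple):
    profile: str   # "standardprofile" or "domainprofile"
    path: str      # program the exception allows through the firewall
    scope: str     # "*" means any remote address
    enabled: bool
    name: str      # display name shown on the Windows Firewall Exceptions tab

# One key header per profile, then one "path"="path:scope:state:name" value per exception.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
VAL_RE = re.compile(r'^"[^"]+"="(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)"$', re.I)
# Enabled exceptions for programs outside these locations deserve a second look.
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")

def parse_exceptions(export: str) -> List[FwException]:
    """Turn the registry export into a list of exceptions, each tagged with its profile."""
    found, profile = [], None
    for line in export.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            profile = key.group(1).lower()
            continue
        val = VAL_RE.match(line)
        if val and profile:
            found.append(FwException(profile, val["path"], val["scope"],
                                     val["state"].lower() == "enabled", val["name"]))
    return found

def review_exceptions(exceptions: List[FwException]) -> List[FwException]:
    """Return enabled exceptions whose program is not under Windows or Program Files."""
    return [e for e in exceptions
            if e.enabled and not e.path.lower().startswith(TRUSTED_PREFIXES)]

def parse_catchme(report: str) -> Dict[str, object]:
    """Pull the hidden-object counts and any NTDLL modifications out of the catchme section."""
    hidden = {k: int(v) for k, v in re.findall(r"^hidden (\w+): (\d+)$", report, re.M)}
    mods = re.search(r"detected NTDLL code modification:\n((?:\S+\n)+)", report)
    return {"hidden": hidden, "ntdll_modifications": mods.group(1).split() if mods else []}

# Constructed sample: the thread's entries plus one made-up exception in a user Temp folder.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"C:\Documents and Settings\UserOne\Local Settings\Temp\svch0st.exe"="C:\Documents and Settings\UserOne\Local Settings\Temp\svch0st.exe:*:Enabled:Windows Update"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# The catchme summary lines as they appear in the SDFix log above.
SAMPLE_CATCHME = """
detected NTDLL code modification:
ZwClose
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
"""

if __name__ == "__main__":
    print(review_exceptions(parse_exceptions(SAMPLE_EXPORT)), parse_catchme(SAMPLE_CATCHME))
```

An NTDLL modification such as the ZwClose hook is commonly placed by resident security software (several of which were running in the log above), so compare it against the installed products before treating it as a rootkit indicator.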

The WSC is in technical terms a bit flaky at times, on occasion it has said avast was disabled or you have no anti-virus, etc. when avast was installed and running. So there are times when its database/information appears to be damaged and needs a repair to jolt it back to life.

By installing Comodo it has effectively forced it to update/repair its database, so it now sees Comodo as the firewall and have forgotten the previous issue it felt the windows firewall had.

Well, hopefully my previous post will have cleared up the possibility of why it was reporting the firewall as off.

The S&D files I would say are legit.

I have a number of hidden files in my DRM (hidden) folder, though I have no Cache sub-folder nor any All Users.WINDOWS folder. They are, however, most probably legit.

I don’t have any DRM media on my system nor have I played any DRM media, so that may account for the lack of a Cache sub-folder in the DRM folder.

Restart your WSC:

http://forum.avast.com/index.php?topic=23457.msg193534#msg193534
http://windowsxp.mvps.org/repairwmi.htm

Tech, there is no need to do this (the key words being ‘why the former incident’) as it was when ahhnoo was only using the windows xp firewall, the problem was resolved by the installation of another firewall (Comodo) which is now correctly recognised and reported as running by the WSC (“So far no alert has appeared since I installed Comodo.”).

I disagree… I think it could correct the repository to detect the firewall correctly. If Windows does not detect its own firewall, something is wrong.

But it is detecting the new firewall correctly and updating/repairing the repository won’t change that nor get it to correctly detect that the windows firewall ‘was’ running.

Yes, it would be worth doing if there was a problem in the detection of the new firewall or ahhnoo was still only using the windows firewall. But since it wouldn’t change any historical data there is little point in doing it, however, that is something for ahhnoo to decide.

It’s a New Year’s miracle. I never expected people to be able to respond and assist on a holiday. This is a great forum for a great program.

I haven’t had a security alert since I installed Comodo. In Windows Security Center, it says “At least one of the firewalls installed on this computer is currently on… Note: Two or more firewalls running at the same time can conflict with each other”.

I know there are pros and cons for two firewalls on, but for future reference, if I keep both on, is there a way to get a notification that one of them GETS turned off, or THINKS it’s off, in the future? For example, if in the future Windows Firewall does this false report again? I want to be able to know if one of my firewalls gets disabled, not just that “at least one of them is on”. Though I know Comodo is on, I want to know the status of Windows Firewall.

May you all have a great New Year’s celebration, and hope Y2K bug ain’t just nine years late.

Short answer: it is a no-no to even try two software firewalls at the same time. Comodo, when you install it, would switch off the Windows firewall.

The WSC is flaky and is not able to do complex monitoring of multiple applications for a single purpose, e.g. firewall; it has enough to concern itself with just monitoring one firewall, as you have already found :P

A Happy New Year to you too.

Windows Security Center does not do this, i.e., it does not inform you that one is disabled and another is enabled. It’s binary: there is or there is not a firewall active.

Yeah, avast forums are very active.
Happy New Year.