
Author Topic: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.  (Read 17205 times)


dschoellkopf

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    There is a very similar thread before this. I did download FSRT in an attempt to run locally on the laptop, but in the repair options, I only have "start-up Repair" and "Dell Backup and Recover Manager" and there is no Command Prompt option for me to run FSRT. I cannot do anything within the time I have before the system reboots. I have access to another PC and a flash drive, but I cannot provide you any logs at this point. I can tell you the user of the laptop called me earlier today when the laptop was going to questionable sites. I arrived to find the Microsoft Security Essentials was not working correctly and used my account to run Stinger.exe and SuperAntiSpyware. Stinger found and removed different viruses - I did not write them down (the second one was ZeroDay). I then ran SuperAntiSpyware and the only thing it found was 146 cookies it removed. I then installed SuperAntiSpyware and rebooted. I was able to install and reinstall MS Security Essentials, I then rebooted the laptop and had my user log in and the virus took off again and since has been rebooting the PC after 60 seconds. This is extremely frustrating.

    dschoellkopf

      Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
      « Reply #1 on: June 23, 2012, 06:40:09 AM »
      This morning I tried booting and MS Sec. Essentials was working on removing the files and the reboot occurred. But the boot then failed, so the system repaired startup and now I have a login to the PC. I have a commitment this morning, but will work on the laptop this evening attempting to get logs. Currently doing a quick scan with MS Sec. Essentials and will use SuperAntiSpyware.

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
      « Reply #2 on: June 23, 2012, 04:14:02 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************************************
      Please run this in Safe Mode with NetWorking. If it runs ok, reboot to Normal Mode and try to run it again.
      Here's how to get into Safe Mode.

      Please download Malwarebytes Anti-Malware from here.
      Double Click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Full Scan", then click Scan.
      • The scan may take some time to finish, so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • Please save the log to a location you will remember.
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the entire report in your next reply.
      Extra Note:

      If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
      Windows 8 and Windows 10 dual boot with two SSD's

      dschoellkopf

        Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
        « Reply #3 on: June 23, 2012, 09:54:21 PM »
        Was able to run Malware Bytes.  Look forward to follow-up.

        Log from run in "Safe Mode":

        Malwarebytes Anti-Malware (Trial) 1.61.0.1400
        www.malwarebytes.org

        Database version: v2012.06.23.06

        Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
        Internet Explorer 9.0.8112.16421
        dschoellkopf :: PASTOR [administrator]

        Protection: Disabled

        6/23/2012 10:15:08 PM
        mbam-log-2012-06-23 (22-15-08).txt

        Scan type: Full scan
        Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
        Scan options disabled: P2P
        Objects scanned: 373420
        Time elapsed: 27 minute(s), 2 second(s)

        Memory Processes Detected: 0
        (No malicious items detected)

        Memory Modules Detected: 0
        (No malicious items detected)

        Registry Keys Detected: 0
        (No malicious items detected)

        Registry Values Detected: 0
        (No malicious items detected)

        Registry Data Items Detected: 0
        (No malicious items detected)

        Folders Detected: 0
        (No malicious items detected)

        Files Detected: 7
        C:\Users\mrigg.ADVENT\AppData\Local\Temp\Defrutil.dll (Trojan.Agent) -> Quarantined and deleted successfully.
        C:\Users\mrigg.ADVENT\AppData\Local\Temp\tempfiles.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
        C:\Users\mrigg.ADVENT\AppData\Local\Temp\~!#E4B7.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.
        C:\Users\mrigg.ADVENT\AppData\Local\{6fca670b-a294-f8f5-0d7a-ae09fabb161a}\n (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
        C:\Windows\Installer\{6fca670b-a294-f8f5-0d7a-ae09fabb161a}\n (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
        C:\Users\MRigg\AppData\Local\Temp\0.6620756977867873.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
        C:\Users\mrigg.ADVENT\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

        (end)


        Log from run in normal boot:

        Malwarebytes Anti-Malware (Trial) 1.61.0.1400
        www.malwarebytes.org

        Database version: v2012.06.23.06

        Windows 7 Service Pack 1 x86 NTFS
        Internet Explorer 9.0.8112.16421
        dschoellkopf :: PASTOR [administrator]

        Protection: Enabled

        6/23/2012 10:49:24 PM
        mbam-log-2012-06-23 (22-49-24).txt

        Scan type: Full scan
        Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
        Scan options disabled: P2P
        Objects scanned: 375519
        Time elapsed: 51 minute(s), 28 second(s)

        Memory Processes Detected: 0
        (No malicious items detected)

        Memory Modules Detected: 0
        (No malicious items detected)

        Registry Keys Detected: 0
        (No malicious items detected)

        Registry Values Detected: 0
        (No malicious items detected)

        Registry Data Items Detected: 0
        (No malicious items detected)

        Folders Detected: 0
        (No malicious items detected)

        Files Detected: 0
        (No malicious items detected)

        (end)
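Added example, not part of the original thread and not Malwarebytes' own code: a small Python parser for the MBAM 1.x text log format posted in the reply above. It checks that each section's declared count matches the entries actually pasted, groups detections by name and by user profile, and lists any item whose action is not "Quarantined and deleted successfully". The function names are hypothetical, and the sample is abridged from the Safe Mode log above.

```python
import re
from collections import Counter

# Section header, e.g. "Files Detected: 7"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Detection entry, e.g. "<path> (Trojan.Agent) -> Quarantined and deleted successfully."
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# User profile a path belongs to, if any
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\(?P<profile>[^\\]+)\\", re.IGNORECASE)
CLEAN_ACTION = "Quarantined and deleted successfully"

# Abridged from the Safe Mode log posted above (scan header lines omitted).
SAMPLE_LOG = r"""
Scan type: Full scan
Objects scanned: 373420

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Users\mrigg.ADVENT\AppData\Local\Temp\Defrutil.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mrigg.ADVENT\AppData\Local\Temp\tempfiles.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\mrigg.ADVENT\AppData\Local\Temp\~!#E4B7.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\mrigg.ADVENT\AppData\Local\{6fca670b-a294-f8f5-0d7a-ae09fabb161a}\n (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Windows\Installer\{6fca670b-a294-f8f5-0d7a-ae09fabb161a}\n (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Users\MRigg\AppData\Local\Temp\0.6620756977867873.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
C:\Users\mrigg.ADVENT\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

(end)
"""


def parse_mbam_log(text):
    """Return (declared_counts, entries) from an MBAM 1.x text log."""
    declared, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header["section"]
            declared[section] = int(header["count"])
            continue
        if line == "(end)":
            section = None
            continue
        # Only lines inside a "... Detected:" section can be detections.
        entry = ENTRY_RE.match(line) if section else None
        if entry:
            entries.append({"section": section, **entry.groupdict()})
    return declared, entries


def triage(text):
    """Summarise a log for the helper reading it."""
    declared, entries = parse_mbam_log(text)
    parsed = Counter(e["section"] for e in entries)
    # A declared count that differs from the parsed entries means the
    # paste is truncated or was edited before posting.
    mismatch = sorted(s for s, n in declared.items() if parsed.get(s, 0) != n)
    profiles = Counter()
    for e in entries:
        m = PROFILE_RE.match(e["path"])
        profiles[m["profile"].lower() if m else "(system-wide)"] += 1
    return {
        "total": len(entries),
        "by_detection": Counter(e["name"] for e in entries),
        "by_profile": profiles,
        "count_mismatch": mismatch,
        # Anything not cleanly removed needs a restart or another scan.
        "needs_follow_up": [e["path"] for e in entries
                            if e["action"] != CLEAN_ACTION],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("detections:", report["total"])
    for name, n in report["by_detection"].most_common():
        print(f"  {n} x {name}")
    for profile, n in report["by_profile"].most_common():
        print(f"  {n} under {profile}")
    print("count mismatch:", report["count_mismatch"] or "none")
    print("needs follow-up:", report["needs_follow_up"] or "none")
```

On this log, six of the seven detections sit under the other user's profiles rather than the account that ran the scan.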

        SuperDave

        Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
        « Reply #4 on: June 24, 2012, 12:49:32 PM »
        Download Security Check by screen317 from one of the following links and save it to your desktop.

        Link 1
        Link 2

        * Double-click Security Check.bat
        * Follow the on-screen instructions inside of the black box.
        * A Notepad document should open automatically called checkup.txt
        * Post the contents of that document in your next reply.

        Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
        ***********************************************************
        Download Combofix from any of the links below, and save it to your DESKTOP

        Link 1
        Link 2
        Link 3

        To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
        • Close any open windows and double click ComboFix.exe to run it.

          You will see the following image:


        Click I Agree to start the program.

        ComboFix will then extract the necessary files and you will see this:



        As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

        It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

        If you did not have it installed, you will see the prompt below. Choose YES.



        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

        **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



        Click on Yes, to continue scanning for malware.

        When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

        Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

        Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
        Windows 8 and Windows 10 dual boot with two SSD's

        dschoellkopf

          Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
          « Reply #5 on: June 24, 2012, 01:53:42 PM »
          Ran both:

          Security Check log:

          Results of screen317's Security Check version 0.99.42 
           Windows 7 Service Pack 1 x86 (UAC is enabled) 
           Internet Explorer 9 
          ``````````````Antivirus/Firewall Check:``````````````
           Windows Security Center service is not running! This report may not be accurate!
          Microsoft Security Essentials   
            (On Access scanning disabled!)
           Error obtaining update status for antivirus! 
          `````````Anti-malware/Other Utilities Check:`````````
           SUPERAntiSpyware     
           Malwarebytes Anti-Malware version 1.61.0.1400 
           Java(TM) 6 Update 23 
           Java version out of Date!
           Adobe Reader X 10.0.1 Adobe Reader out of Date! 
          ````````Process Check: objlist.exe by Laurent````````
           Microsoft Security Essentials MSMpEng.exe
           Microsoft Security Essentials msseces.exe
           Malwarebytes Anti-Malware mbamservice.exe 
           Malwarebytes Anti-Malware mbamgui.exe 
          `````````````````System Health check`````````````````
           Total Fragmentation on Drive C: 0%
          ````````````````````End of Log``````````````````````


          ComboFix Log:

          ComboFix 12-06-24.03 - dschoellkopf 06/24/2012  15:53:49.1.4 - x86
          Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2999.2055 [GMT -4:00]
          Running from: c:\users\dschoellkopf.ADVENT\Desktop\ComboFix.exe
          AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
          SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
          SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
           * Created a new restore point
          .
          .
          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          C:\install.exe
          c:\users\mrigg.ADVENT\AppData\Roaming\36EA70.exe
          c:\users\mrigg.ADVENT\AppData\Roaming\apsdp.dll
          c:\users\mrigg.ADVENT\AppData\Roaming\cpinfi.dll
          c:\users\mrigg.ADVENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
          c:\users\mrigg.ADVENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
          c:\users\MRigg\Documents\~WRL0234.tmp
          c:\windows\system32\drivers\npf.sys
          .
          .
          (((((((((((((((((((((((((   Files Created from 2012-05-24 to 2012-06-24  )))))))))))))))))))))))))))))))
          .
          .
          2012-06-24 19:58 . 2012-06-24 20:00   --------   d-----w-   c:\users\dschoellkopf.ADVENT\AppData\Local\temp
          2012-06-24 19:58 . 2012-06-24 19:58   --------   d-----w-   c:\users\mrigg.ADVENT\AppData\Local\temp
          2012-06-24 19:35 . 2012-06-24 19:59   56200   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0F69C0A-7A29-44B7-86A2-CED118B9A157}\offreg.dll
          2012-06-24 02:07 . 2012-06-24 02:07   --------   d-----w-   c:\users\dschoellkopf.ADVENT\AppData\Roaming\Malwarebytes
          2012-06-24 02:07 . 2012-06-24 02:07   --------   d-----w-   c:\programdata\Malwarebytes
          2012-06-24 02:07 . 2012-06-24 02:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2012-06-24 02:07 . 2012-04-04 19:56   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2012-06-24 00:59 . 2012-06-24 00:59   --------   d-----w-   c:\users\dschoellkopf.ADVENT\AppData\Local\Apple
          2012-06-23 13:06 . 2012-06-23 13:06   --------   d-----w-   c:\users\dschoellkopf.ADVENT\AppData\Roaming\SUPERAntiSpyware.com
          2012-06-23 13:06 . 2012-06-23 13:06   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2012-06-22 20:31 . 2012-06-22 20:31   713784   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{00B5B2C6-7759-4C6C-BE5D-2364D0D43887}\gapaengine.dll
          2012-06-22 20:31 . 2012-05-31 00:41   6762896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0F69C0A-7A29-44B7-86A2-CED118B9A157}\mpengine.dll
          2012-06-22 20:27 . 2012-06-22 20:27   --------   d-----w-   c:\program files\Microsoft Security Client
          2012-06-22 20:13 . 2012-06-22 20:13   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
          2012-06-22 20:06 . 2012-06-22 20:06   --------   d-----w-   c:\users\dschoellkopf.ADVENT\AppData\Local\Google
          2012-06-22 20:05 . 2012-06-22 20:05   --------   d-sh--w-   c:\windows\system32\%APPDATA%
          2012-06-22 20:03 . 2012-06-24 01:45   14664   ----a-w-   c:\windows\stinger.sys
          2012-06-22 20:02 . 2012-06-24 01:52   --------   d-----w-   c:\program files\stinger
          2012-06-22 20:01 . 2012-06-22 20:01   --------   d-----w-   c:\users\dschoellkopf.ADVENT\AppData\Local\Apple Computer
          2012-06-22 13:43 . 2012-06-22 13:43   --------   d-----w-   c:\users\mrigg.ADVENT\AppData\Local\{7C022A34-BC6F-11E1-8270-B8AC6F996F26}
          2012-06-22 13:43 . 2012-06-23 13:51   --------   d-----w-   c:\programdata\B7E858860001D2500001485FB4EB238B
          2012-06-21 12:52 . 2012-06-02 22:19   53784   ----a-w-   c:\windows\system32\wuauclt.exe
          2012-06-21 12:52 . 2012-06-02 22:19   45080   ----a-w-   c:\windows\system32\wups2.dll
          2012-06-21 12:52 . 2012-06-02 22:12   2422272   ----a-w-   c:\windows\system32\wucltux.dll
          2012-06-21 12:52 . 2012-06-02 22:19   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
          2012-06-21 12:52 . 2012-06-02 22:19   35864   ----a-w-   c:\windows\system32\wups.dll
          2012-06-21 12:52 . 2012-06-02 22:19   577048   ----a-w-   c:\windows\system32\wuapi.dll
          2012-06-21 12:52 . 2012-06-02 22:12   88576   ----a-w-   c:\windows\system32\wudriver.dll
          2012-06-21 12:51 . 2012-06-02 19:19   171904   ----a-w-   c:\windows\system32\wuwebv.dll
          2012-06-21 12:51 . 2012-06-02 19:12   33792   ----a-w-   c:\windows\system32\wuapp.exe
          2012-06-13 21:29 . 2012-04-28 03:17   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
          2012-06-13 21:29 . 2012-04-07 11:26   2342400   ----a-w-   c:\windows\system32\msi.dll
          2012-06-13 21:29 . 2012-05-01 04:44   164352   ----a-w-   c:\windows\system32\profsvc.dll
          2012-06-13 21:29 . 2012-04-26 04:45   58880   ----a-w-   c:\windows\system32\rdpwsx.dll
          2012-06-13 21:29 . 2012-04-26 04:45   129536   ----a-w-   c:\windows\system32\rdpcorekmts.dll
          2012-06-13 21:29 . 2012-04-26 04:41   8192   ----a-w-   c:\windows\system32\rdrmemptylst.exe
          2012-06-13 21:29 . 2012-05-15 01:05   2343936   ----a-w-   c:\windows\system32\win32k.sys
          2012-06-13 21:29 . 2012-04-24 04:36   140288   ----a-w-   c:\windows\system32\cryptsvc.dll
          2012-06-13 21:29 . 2012-04-24 04:36   1158656   ----a-w-   c:\windows\system32\crypt32.dll
          2012-06-13 21:29 . 2012-04-24 04:36   103936   ----a-w-   c:\windows\system32\cryptnet.dll
          2012-06-05 09:53 . 2012-06-05 09:53   602112   ----a-w-   c:\windows\system32\xvid.dll
          .
          .
          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2012-06-22 13:43 . 2012-04-06 10:07   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
          2012-06-22 13:43 . 2011-10-06 11:43   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
          2012-03-31 04:39 . 2012-05-09 20:09   3968368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
          2012-03-31 04:39 . 2012-05-09 20:09   3913072   ----a-w-   c:\windows\system32\ntoskrnl.exe
          2012-03-30 10:23 . 2012-05-09 20:09   1291632   ----a-w-   c:\windows\system32\drivers\tcpip.sys
          .
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          .
          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-31 39408]
          "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-11 3905408]
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-01-08 1602856]
          "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-04-07 495708]
          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-07 136216]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-07 171032]
          "Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-07 170520]
          "FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-10-01 727664]
          "Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2011-03-26 5249024]
          "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-08-19 487562]
          "DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2010-05-20 206336]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
          "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2012-02-23 59240]
          "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
          "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
          "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
          "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
          "DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
          .
          c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
          Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-20 795936]
          WNW Tray Agent.lnk - c:\program files\Wiley\Webster's New World\HKML_SRV.exe [2012-3-5 147456]
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "ConsentPromptBehaviorAdmin"= 5 (0x5)
          "ConsentPromptBehaviorUser"= 3 (0x3)
          "EnableUIADesktopToggle"= 0 (0x0)
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
          "mixer9"=wdmaud.drv
          .
          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
          Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
          @=""
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
          @="Service"
          .
          R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-31 136176]
          R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-22 257224]
          R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
          R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
          R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-31 136176]
          R3 HtcUsbMdmV32;HTC Proprietary USB Driver;c:\windows\system32\DRIVERS\HtcUsbMdmV32.sys [2009-10-27 105984]
          R3 HtcVCom32;HTC Diagnostic Port;c:\windows\system32\DRIVERS\HtcVComV32.sys [2009-10-27 105984]
          R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]
          R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
          R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
          R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-08-10 171520]
          R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
          R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
          R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-31 1343400]
          R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
          S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 17648]
          S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
          S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
          S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
          S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
          S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\aestsrv.exe [2009-03-03 81920]
          S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
          S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
          S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-09-29 43888]
          S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-08-12 146528]
          S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
          S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-08-31 247808]
          S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
          S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-05 277536]
          .
          .
          --- Other Services/Drivers In Memory ---
          .
          *NewlyCreated* - WS2IFSL
          .
          Contents of the 'Scheduled Tasks' folder
          .
          2012-06-24 c:\windows\Tasks\Adobe Flash Player Updater.job
          - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 13:43]
          .
          2012-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-31 01:06]
          .
          2012-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-31 01:06]
          .
          2012-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2386491873-859104461-4135279999-1112Core.job
          - c:\users\mrigg.ADVENT\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-18 10:20]
          .
          2012-06-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2386491873-859104461-4135279999-1112UA.job
          - c:\users\mrigg.ADVENT\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-18 10:20]
          .
          2012-06-15 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
          - c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]
          .
          2012-06-24 c:\windows\Tasks\SystemToolsDailyTest.job
          - c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]
          .
          .
          ------- Supplementary Scan -------
          .
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
          IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
          IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
          IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
          .
          - - - - ORPHANS REMOVED - - - -
          .
          Toolbar-Locked - (no file)
          .
          .
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
          @Denied: (A) (Users)
          @Denied: (A) (Everyone)
          @Allowed: (B 1 2 3 4 5) (S-1-5-20)
          "BlindDial"=dword:00000000
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
          @Denied: (Full) (Everyone)
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------
          .
          - - - - - - - > 'Explorer.exe'(1392)
          c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
          c:\program files\Wiley\Webster's New World\HKMLLoad.dll
          c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\program files\Microsoft Security Client\MsMpEng.exe
          c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\STacSV.exe
          c:\program files\Dell\DW WLAN Card\WLTRYSVC.EXE
          c:\windows\system32\WLANExt.exe
          c:\windows\system32\conhost.exe
          c:\program files\Dell\DW WLAN Card\bcmwltry.exe
          c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
          c:\program files\Bonjour\mDNSResponder.exe
          c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
          c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
          c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
          c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
          c:\windows\system32\WUDFHost.exe
          c:\windows\system32\taskhost.exe
          c:\windows\System32\rundll32.exe
          c:\windows\system32\conhost.exe
          c:\program files\Synaptics\SynTP\SynTPHelper.exe
          c:\program files\iPod\bin\iPodService.exe
          c:\windows\system32\sppsvc.exe
          c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
          .
          **************************************************************************
          .
          Completion time: 2012-06-24  16:04:35 - machine was rebooted
          ComboFix-quarantined-files.txt  2012-06-24 20:04
          .
          Pre-Run: 220,648,644,608 bytes free
          Post-Run: 231,809,028,096 bytes free
          .
          - - End Of File - - 38926F0F2C0F8B13771DA4C67A6A8F69

          SuperDave

          Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
          « Reply #6 on: June 25, 2012, 04:18:57 PM »
          Update Your Java (JRE)

          Old versions of Java have vulnerabilities that malware can use to infect your system.


          First Verify your Java Version

          If there are any other version(s) installed then update now.

          Get the new version (if needed)

          If your version is out of date install the newest version of the Sun Java Runtime Environment.

          Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

          Be sure to close ALL open web browsers before starting the installation.

          Remove any old versions

          1. Download JavaRa and unzip the file to your Desktop.
          2. Open JavaRA.exe and choose Remove Older Versions
          3. Once complete exit JavaRA.

          Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
          *****************************************************
          Update your Adobe Reader. get.adobe.com/reader.

          Be sure to uncheck the Free McAfee Security Scan so it isn't installed.

          ******************************************************
          Please download aswMBR.exe ( 511KB ) to your desktop.

          Double click the aswMBR.exe to run it



          Click the "Scan" button to start scan

          Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.



          On completion of the scan click save log, save it to your desktop and post in your next reply
          ********************************************************
          SysProt Antirootkit

          Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

          http://sites.google.com/site/sysprotantirootkit/

          Unzip it into a folder on your desktop.
          • Double click Sysprot.exe to start the program.
          • Click on the Log tab.
          • In the Write to log box select the following items.
            • Process << Selected
            • Kernel Modules << Selected
            • SSDT << Selected
            • Kernel Hooks << Selected
            • IRP Hooks << NOT Selected
            • Ports << NOT Selected
            • Hidden Files << Selected
          • At the bottom of the page
            • Hidden Objects Only << Selected
          • Click on the Create Log button on the bottom right.
          • After a few seconds a new window should appear.
          • Select Scan Root Drive. Click on the Start button.
          • When it is complete a new window will appear to indicate that the scan is finished.
          • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
          Windows 8 and Windows 10 dual boot with two SSD's

          dschoellkopf

            Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
            « Reply #7 on: June 26, 2012, 10:51:23 AM »
            Thanks for your help so far - I definitely appreciate it!!!!!!!!!!

            I look forward to next steps.

            I had to deviate on the Adobe Reader step.  I will explain below:

            *****

            Java upgraded from 1.6.0.23 to version 1.6.0.33.

            *****

            Adobe Reader 10.0 removed - do not have Internet where I currently am, so I will add Adobe Reader 10.1.3 tonight when I get home and can open an Internet connection.

            *****

            ASWMBR.exe ran - Log below:

            aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
            Run date: 2012-06-26 12:36:49
            -----------------------------
            12:36:49.152    OS Version: Windows 6.1.7601 Service Pack 1
            12:36:49.152    Number of processors: 4 586 0x2505
            12:36:49.168    ComputerName: PASTOR  UserName:
            12:36:50.306    Initialize success
            12:37:28.393    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
            12:37:28.409    Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
            12:37:28.424    Disk 0 MBR read successfully
            12:37:28.424    Disk 0 MBR scan
            12:37:28.440    Disk 0 Windows VISTA default MBR code
            12:37:28.440    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
            12:37:28.471    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        11420 MB offset 81920
            12:37:28.487    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       293784 MB offset 23470080
            12:37:28.487    Disk 0 scanning sectors +625139712
            12:37:28.565    Disk 0 scanning C:\Windows\system32\drivers
            12:37:34.664    Service scanning
            12:37:47.207    Modules scanning
            12:37:54.726    Disk 0 trace - called modules:
            12:37:54.742    ntkrnlpa.exe CLASSPNP.SYS disk.sys stdcfltn.sys ACPI.sys halmacpi.dll iaStor.sys
            12:37:55.272    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87e09030]
            12:37:55.272    3 CLASSPNP.SYS[8b5b959e] -> nt!IofCallDriver -> [0x87e085a0]
            12:37:55.272    5 stdcfltn.sys[8b7f1896] -> nt!IofCallDriver -> [0x86243878]
            12:37:55.288    7 ACPI.sys[8aec03d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86248028]
            12:37:55.288    Scan finished successfully
            12:38:21.152    Disk 0 MBR has been saved successfully to "E:\MBR.dat"
            12:38:21.184    The log file has been saved successfully to "E:\aswMBR_log.txt"


            *****

            SYSPROT RootKit run successfully - log below:

            SysProt AntiRootkit v1.0.1.0
            by swatkat

            ******************************************************************************************
            ******************************************************************************************

            No Hidden Processes found

            ******************************************************************************************
            ******************************************************************************************
            Kernel Modules:
            Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
            Service Name: ---
            Module Base: 9022D000
            Module End: 903E2000
            Hidden: Yes

            Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
            Service Name: ---
            Module Base: 97D18000
            Module End: 97D29000
            Hidden: Yes

            Module Name: C:\Windows\system32\DRIVERS\WUDFRd.sys
            Service Name: WUDFRd
            Module Base: ACBB3000
            Module End: ACBD4000
            Hidden: Yes

            Module Name: \??\C:\Users\DSCHOE~1.ADV\AppData\Local\Temp\aswMBR.sys
            Service Name: aswMBR
            Module Base: ACBD4000
            Module End: ACBE0000
            Hidden: Yes

            ******************************************************************************************
            ******************************************************************************************
            No SSDT Hooks found

            ******************************************************************************************
            ******************************************************************************************
            No Kernel Hooks found

            ******************************************************************************************
            ******************************************************************************************
            Hidden files/folders:
            Object: C:\Qoobox\BackEnv\AppData.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Cache.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Cookies.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Desktop.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Favorites.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\History.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Music.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\NetHood.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Personal.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Pictures.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Programs.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Recent.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SendTo.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SetPath.bat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\StartUp.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SysPath.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Templates.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\VikPev00
            Status: Access denied

            Object: C:\Users\mrigg.ADVENT\AppData\Roaming\Microsoft\Office\Recent\?????????S ?O?????.LNK
            Status: Hidden

            Object: C:\Users\mrigg.ADVENT\Documents\?????????S ?O?????.docx
            Status: Hidden

            Object: C:\Windows\CSC\v2.0.6\namespace
            Status: Access denied

            Object: C:\Windows\CSC\v2.0.6\pq
            Status: Access denied

            Object: C:\Windows\CSC\v2.0.6\sm
            Status: Access denied

            Object: C:\Windows\CSC\v2.0.6\temp
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
            Status: Access denied


            dschoellkopf

              Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
              « Reply #8 on: June 26, 2012, 10:52:23 AM »
              Also - Please let me know if I should repeat any steps after I install Adobe Reader 10.1.3

              SuperDave

              Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
              « Reply #9 on: June 26, 2012, 12:47:22 PM »
              Quote
              Also - Please let me know if I should repeat any steps after I install Adobe Reader 10.1.3
              No, just get your Adobe updated. Malware just love out-of-date programs.
              Please tell me how your computer is working now?


              I'd like to scan your machine with ESET OnlineScan

              •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
              ESET OnlineScan
              •Click the button.
              •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              • Click on to download the ESET Smart Installer. Save it to your desktop.
              • Double click on the icon on your desktop.
              •Check
              •Click the button.
              •Accept any security warnings from your browser.
              •Check
              •Push the Start button.
              •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
              •When the scan completes, push
              •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
              •Push the button.
              •Push
              A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

              dschoellkopf

                Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
                « Reply #10 on: June 26, 2012, 08:06:19 PM »
                Ran ESET - Log below.

                The PC has been working OK.  Need to run as the user again.  Will touch base again after I run as the user.  I am a little nervous this last tool found 4 things, but I'm hopeful.


                C:\Qoobox\Quarantine\C\Users\mrigg.ADVENT\AppData\Roaming\36EA70.exe.vir   a variant of Win32/Kryptik.AHHS trojan   cleaned by deleting - quarantined
                C:\Qoobox\Quarantine\C\Users\mrigg.ADVENT\AppData\Roaming\apsdp.dll.vir   a variant of Win32/Medfos.AI trojan   cleaned by deleting - quarantined
                C:\Qoobox\Quarantine\C\Users\mrigg.ADVENT\AppData\Roaming\cpinfi.dll.vir   a variant of Win32/Medfos.AH trojan   cleaned by deleting - quarantined
                C:\Users\mrigg.ADVENT\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\7dafdd8c-1c7ebf08   a variant of Win32/Injector.SZS trojan   cleaned by deleting - quarantined
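A triage sketch for the four ESET detections in the post above, as an added example that is not part of the original thread: it separates copies already sitting in ComboFix's `C:\Qoobox\Quarantine` folder from files that were still live on disk when the scan ran. The quarantine layout (`<drive>\<path>.vir`) is inferred from the paths in the log, and all function names are hypothetical.

```python
import re
from collections import namedtuple

Detection = namedtuple("Detection", "path threat action location original")

# The four detection lines from the ESET log in the post above. Fields are
# separated by runs of spaces here, as they appear on the forum page.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Users\mrigg.ADVENT\AppData\Roaming\36EA70.exe.vir   a variant of Win32/Kryptik.AHHS trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\mrigg.ADVENT\AppData\Roaming\apsdp.dll.vir   a variant of Win32/Medfos.AI trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\mrigg.ADVENT\AppData\Roaming\cpinfi.dll.vir   a variant of Win32/Medfos.AH trojan   cleaned by deleting - quarantined
C:\Users\mrigg.ADVENT\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\7dafdd8c-1c7ebf08   a variant of Win32/Injector.SZS trojan   cleaned by deleting - quarantined
"""

# Assumed layout, read off the log: Qoobox\Quarantine\<drive>\<path>.vir
QUARANTINE = re.compile(
    r"^[a-z]:\\qoobox\\quarantine\\([a-z])\\(.+?)(?:\.vir)?$", re.I)
JAVA_CACHE = re.compile(r"\\sun\\java\\deployment\\cache\\", re.I)
SIGNATURE = re.compile(r"[A-Za-z0-9]+/[A-Za-z0-9_.]+")


def classify(path):
    """Return (location, original_path) for one detected file."""
    m = QUARANTINE.match(path)
    if m:
        # Inert renamed copy: rebuild where the file lived before ComboFix
        # moved it, so it can be matched against the ComboFix log.
        return "combofix-quarantine", "%s:\\%s" % (m.group(1).upper(), m.group(2))
    if JAVA_CACHE.search(path):
        # Java plug-in download cache: the only live item in this log.
        return "java-cache", path
    return "live-file", path


def triage(log_text):
    """Parse ESET detection lines into Detection records."""
    results = []
    for line in log_text.splitlines():
        fields = re.split(r"\t+| {2,}", line.strip())
        if len(fields) != 3:
            continue  # blank line or not a detection record
        path, threat, action = fields
        sig = SIGNATURE.search(threat)
        location, original = classify(path)
        results.append(Detection(path, sig.group(0) if sig else threat,
                                 action, location, original))
    return results


def needs_follow_up(detections):
    """Detections that were live on disk, not quarantine leftovers."""
    return [d for d in detections if d.location != "combofix-quarantine"]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print("%-20s %-22s %s" % (d.location, d.threat, d.original))
```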

                dschoellkopf

                  Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
                  « Reply #11 on: June 26, 2012, 08:12:32 PM »
                  Logged back in as the user and re-enabled Microsoft Security Essentials.  All seems well so far.

                  dschoellkopf

                    Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
                    « Reply #12 on: June 27, 2012, 12:30:45 PM »
                    Just a note, ran a full MS Sec. Essentials scan as the user who got the infection last night and nothing came up.  So it seems pretty good at this point.  Look forward to your comments as to where we are.

                    SuperDave

                    Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
                    « Reply #13 on: June 27, 2012, 01:22:43 PM »
                    That looks good. Let's do some cleanup.

                    To uninstall ComboFix

                    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
                    • In the field, type in ComboFix /uninstall


                    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

                    • Then, press Enter, or click OK.
                    • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
                    ***************************************************
                    Clean out your temporary internet files and temp files.

                    Download TFC by OldTimer to your desktop.

                    Double-click TFC.exe to run it.

                    Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                    TFC will close all programs when run, so make sure you have saved all your work before you begin.

                    * Click the Start button to begin the cleaning process.
                    * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                    * Please let TFC run uninterrupted until it is finished.

                    Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                    ***************************************************
                    Looking over your log it seems you don't have any evidence of a third party firewall.

                    Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

                    Remember only install ONE firewall

                    1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
                    2) Online Armor
                    3) Agnitum Outpost
                    4) PC Tools Firewall Plus

                    If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
                    ***********************************************
                    Use the Secunia Software Inspector to check for out of date software.

                    •Click Start Now

                    •Check the box next to Enable thorough system inspection.

                    •Click Start

                    •Allow the scan to finish and scroll down to see if any updates are needed.
                    •Update anything listed.
                    .
                    ----------

                    Go to Microsoft Windows Update and get all critical updates.

                    ----------

                    I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                    SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                    * Using SpywareBlaster to protect your computer from Spyware and Malware
                    * If you don't know what ActiveX controls are, see here

                    Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                    Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                    Safe Surfing!

                    dschoellkopf

                      Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
                      « Reply #14 on: June 27, 2012, 07:05:00 PM »
                      <removed Super AntiSpyware>

                      Uninstalled ComboFix

                      Cleaned Temp Internet files of both users.

                      Ran TFC

                      Loaded Comodo Personal Firewall

                      Could not get to Secunia site.

                      Loaded updates (neither were critical - 1 Windows 7 & 1 MS Sec. Essentials)

                      Loaded WOT

                      Loaded SpyBlaster

                      Loaded SpyBot, downloaded updates and did a scan. (Will update the post if it finds something)

                      The laptop is looking good.  Lots of tools to help my user from getting into trouble again!!!!!!

                      dschoellkopf

                        Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
                        « Reply #15 on: June 27, 2012, 07:22:28 PM »
                        Spybot found and fixed 2 things Casale-media & DoubleClick.

                        Do you think we are done at this point?

                        SuperDave

                        Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
                        « Reply #16 on: June 28, 2012, 03:59:56 PM »
                        Quote
                        Spybot found and fixed 2 things Casale-media & DoubleClick.

                        Do you think we are done at this point?
                        Yes, unless something else comes up. You might also keep SAS and MBAM, if you wish. Update them and run them on a regular basis.

                        dschoellkopf

                          Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
                          « Reply #17 on: June 28, 2012, 09:02:49 PM »
                          Thank you so much.  Will do on the suggestions.


                          SuperDave

                          Re: Dell Vostro with Sirefef.ah rebooting within 90 seconds of boot.
                          « Reply #18 on: June 29, 2012, 04:48:42 PM »
                          Quote
                          Thank you so much.  Will do on the suggestions.
                          You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.