New UPS infection - help needed

New UPS infection - help needed

Post by spencer.gross.16 on Mon 03 Sep 2012, 2:04 pm

First topic message reminder :

I (stupidly) opened the UPS virus e-mail. Now, in addition to having the option of loading operating system Windows XP Professional from F8, there is now an "operating system" listed named "30," and, of course, my laptop is running incredibly slowly. No, I have not tried clicking on that bogus operating system! But I do want to get rid of it. Sophos saw that it is there (UPS - Mal/NecursDrp-A), but did not eliminate it. Neither Malwarebytes nor SuperAntiSpyware "see" it. Per a thread from a few years ago, I ran OTL and AdwCleaner. Here are the Extras.Txt and AdwCleaner.Txt logs (hopefully, someone will recognize something):

OTL Extras logfile created on: 9/2/2012 7:30:32 PM - Run 1
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Downloads
Windows XP Tablet PC Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 66.65% Memory free
3.84 Gb Paging File | 3.24 Gb Available in Paging File | 84.43% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 182.85 Gb Free Space | 78.52% Space Free | Partition Type: NTFS

Computer Name: LIFEBOOK | User Name: Spencer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = internetshortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = ChromeHTML.HJIGKK4FWPTJ5AAAOKWLVN4XXM] -- C:\Documents and Settings\Spencer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistUMP] -- "C:\Program Files\UMPlayer\umplayer.exe" -add-to-playlist "%1" ()
Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithUMP] -- "C:\Program Files\UMPlayer\umplayer.exe" -play-dir "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"FirewallOverride" = 0
"AntivirusOverride" = 0
"UacDisableNotify" = 0
"AntiSpywareDisableNotify" = 0
"AutoUpdateDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"FirewallOverride" = 0
"AntivirusOverride" = 0
"UacDisableNotify" = 0
"AntiSpywareDisableNotify" = 0
"AutoUpdateDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"UpdatesDisableNotify" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Downloads\mflpro\Data\Disk1\setup.exe" = C:\Downloads\mflpro\Data\Disk1\setup.exe:*:Enabled:Setup.exe -- (Macrovision Corporation)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007A0A19-70CE-4758-8D54-9DD023BB7118}_is1" = BackyardEOS 2.0.4
"{0A02D347-5E53-48A5-BC49-1469393103FA}" = MFL-Pro Suite
"{0CAD092C-5D1E-48AD-A845-E1EBA9AF1AF8}" = Tablet PC Tutorials for Microsoft Windows XP SP2
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{2216560B-CB29-4CEC-B98F-1C037976B317}" = Fujitsu Hotkey Utility
"{23484C5A-E7AE-4F59-B7DF-88D63BEF18F4}" = Meade LPI
"{24CF0DBF-FF47-42E5-A13F-1D4D773E8AC7}" = Security Panel Application
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java(TM) 7 Update 5
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup
"{5337BED2-73A0-4EB8-A33C-91DFD4C2F82D}" = Fujitsu Pen Service
"{5EBEC21B-9C59-455B-890D-E8F7DC492D8D}" = O2Micro SmartCardBus Windows Driver Installer
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7959721D-8268-4565-9E0E-C41A9F4848A9}" = SigmaTel AC97 Audio Drivers
"{8961E141-B307-4882-ABAD-77A3E76A40C1}" = ASCOM Platform 6 - SP1
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{8C863827-645F-4ABB-8F6C-12D16F34B023}" = Intel(R) mDriver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{93444A72-EEA4-43E9-A12C-372DCC126A9B}" = Security Panel Application for Supervisor
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{AEAFF885-0382-454D-9B2B-FC4B55F90426}" = Fujitsu Button Utilities
"{B08D94CF-88AA-45ED-B323-30B321DBC92A}" = O2Micro MemoryCardBus Windows Driver
"{B829E117-D072-41EA-9606-9826A38D34C1}" = Sophos Virus Removal Tool
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1108168-3364-4F6F-B19E-1ECA24192164}" = Fujitsu Button Driver Component
"{CA05B399-C9A3-4F51-8E15-90CA867D0280}" = IntelliSonic DX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"7-Zip" = 7-Zip 9.20
"Access8.0" = Microsoft Access 97
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"ASCOM Celestron Telescope Driver_is1" = ASCOM Celestron Telescope Driver 5.0.28
"ASCOM Platform 6 - SP1" = ASCOM Platform 6 - SP1
"Autostar Suite" = Autostar Suite
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"CSCLIB" = Canon Camera Support Core Library
"DPP" = Canon Utilities Digital Photo Professional 3.6
"Envisage Install" = Envisage Install
"EOS Utility" = Canon Utilities EOS Utility
"Freecorder5.11" = Freecorder 5
"GPUSB_ASCOM_is1" = GPUSB_ASCOM Ver 1.0.0
"GPUSBCheck_is1" = GPUSBCheck 1.2.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{B08D94CF-88AA-45ED-B323-30B321DBC92A}" = O2Micro MemoryCardBus Windows Driver
"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"MyCamera" = Canon Utilities MyCamera
"Original Data Security Tools" = Canon Utilities Original Data Security Tools
"PHD Guiding_is1" = PHD Guiding 1.12.4
"PhotoStitch" = Canon Utilities PhotoStitch
"Picture Style Editor" = Canon Utilities Picture Style Editor
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Security Task Manager" = Security Task Manager 1.8d
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.4
"UMPlayer" = UMPlayer 0.98 [P3]
"WFTK" = Canon Utilities WFT-E1/E2/E3/E4 Utility
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WRUNINST" = Webroot SecureAnywhere
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Juniper_Setup_Client" = Juniper Networks Setup Client

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 8/31/2012 6:13:25 PM | Computer Name = LIFEBOOK | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service ContentFilter
(ContentFilter) failed. The Error code is the first DWORD in Data section.

Error - 8/31/2012 6:13:25 PM | Computer Name = LIFEBOOK | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 8680, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 8/31/2012 6:13:25 PM | Computer Name = LIFEBOOK | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service ISAPISearch
(ISAPISearch) failed. The Error code is the first DWORD in Data section.

Error - 8/31/2012 6:21:34 PM | Computer Name = LIFEBOOK | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 8680, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 8/31/2012 6:21:34 PM | Computer Name = LIFEBOOK | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service ContentIndex
(ContentIndex) failed. The Error code is the first DWORD in Data section.

Error - 8/31/2012 6:21:34 PM | Computer Name = LIFEBOOK | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 8680, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 8/31/2012 6:21:34 PM | Computer Name = LIFEBOOK | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service ContentFilter
(ContentFilter) failed. The Error code is the first DWORD in Data section.

Error - 8/31/2012 6:21:34 PM | Computer Name = LIFEBOOK | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 8680, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 8/31/2012 6:21:34 PM | Computer Name = LIFEBOOK | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service ISAPISearch
(ISAPISearch) failed. The Error code is the first DWORD in Data section.

Error - 9/2/2012 6:17:58 PM | Computer Name = LIFEBOOK | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 4.0.1526.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

[ ASCOM Events ]
Error - 7/24/2012 11:46:32 PM | Computer Name = LIFEBOOK | Source = ASCOM Platform | ID = 24
Description = UninstallAscom - Exception System.InvalidOperationException: This access
control list is not in canonical form and therefore cannot be modified. at System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()

at System.Security.AccessControl.CommonAcl.AddQualifiedAce(SecurityIdentifier
sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, ObjectAceFlags objectFlags,
Guid objectType, Guid inheritedObjectType) at System.Security.AccessControl.DiscretionaryAcl.AddAccess(AccessControlType
accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags) at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification
modification, AccessRule rule, Boolean& modified) at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule
rule) at ASCOM.Utilities.RegistryAccess.SetRegistryACL() in C:\ASCOM Build\Export\ASCOM.Utilities\ASCOM.Utilities\RegistryAccess.vb:line
619 at UninstallAscom.Program.Main() in c:\ASCOM Build\Export\Releases\ASCOM
6\Uninstaller\UninstallASCOM\Program.cs:line 223

[ System Events ]
Error - 9/2/2012 10:03:20 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the WRSVC service, but this action
failed with the following error: %%1056

Error - 9/2/2012 10:03:27 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7031
Description = The WRSVC service terminated unexpectedly. It has done this 3 time(s).
The following corrective action will be taken in 10000 milliseconds: Restart the
service.

Error - 9/2/2012 10:03:29 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the WRSVC service, but this action
failed with the following error: %%1056

Error - 9/2/2012 10:03:35 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7031
Description = The WRSVC service terminated unexpectedly. It has done this 4 time(s).
The following corrective action will be taken in 10000 milliseconds: Restart the
service.

Error - 9/2/2012 10:03:37 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the WRSVC service, but this action
failed with the following error: %%1056

Error - 9/2/2012 10:03:44 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7031
Description = The WRSVC service terminated unexpectedly. It has done this 5 time(s).
The following corrective action will be taken in 10000 milliseconds: Restart the
service.

Error - 9/2/2012 10:03:45 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the WRSVC service, but this action
failed with the following error: %%1056

Error - 9/2/2012 10:03:53 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7031
Description = The WRSVC service terminated unexpectedly. It has done this 6 time(s).
The following corrective action will be taken in 10000 milliseconds: Restart the
service.

Error - 9/2/2012 10:03:54 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the WRSVC service, but this action
failed with the following error: %%1056

Error - 9/2/2012 10:04:01 PM | Computer Name = LIFEBOOK | Source = Service Control Manager | ID = 7031
Description = The WRSVC service terminated unexpectedly. It has done this 7 time(s).
The following corrective action will be taken in 10000 milliseconds: Restart the
service.


< End of report >
____________________________________________________________________________

# AdwCleaner v2.000 - Logfile created 09/02/2012 at 20:50:10
# Updated 30/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Spencer - LIFEBOOK
# Boot Mode : Normal
# Running from : C:\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKCU\Software\Ask&Record
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Found : HKLM\Software\Conduit

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Spencer\Application Data\Mozilla\Firefox\Profiles\gflzbfym.default\prefs.js

Found : user_pref("browser.search.defaultenginename", "Web Search");
Found : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&Sea[...]

Profile name : default
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eh337h0r.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v21.0.1180.83

File : C:\Documents and Settings\Spencer\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1541 octets] - [02/09/2012 20:50:10]

########## EOF - C:\AdwCleaner[R1].txt - [1601 octets] ##########


Thanks in advance for any help!
Spencer G.

spencer.gross.16

Newbie Surfer

Posts : 23
Joined : 2012-09-03
Operating System : Windows XP Tablet
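An added example, not code from the thread or from the OTL tool: a Python triage script that parses the section layout of an Extras.Txt like the one above and flags what a helper reading it looks for first, namely rewritten shell-spawning handlers, silenced Security Center notifications, and System Restore or the firewall switched off. The expected defaults are assumed Windows XP SP3 values; the embedded sample is a constructed excerpt of the log posted above.

```python
"""Triage checks over an OTL Extras log (added example; not OTL's own code)."""
import re

# Shell-spawning handlers malware commonly rewrites so every launched program is
# wrapped, with the value a stock XP install shows (assumed XP SP3 defaults).
EXPECTED_SHELL = {
    "batfile [open]": '"%1" %*',
    "cmdfile [open]": '"%1" %*',
    "comfile [open]": '"%1" %*',
    "exefile [open]": '"%1" %*',
    "piffile [open]": '"%1" %*',
    "scrfile [open]": '"%1" /S',
}

# Registry values OTL lists under these sections and the healthy value:
# notification flags 0, System Restore not disabled, Windows Firewall enabled.
EXPECTED_VALUES = {
    "Security Center Settings": {"AntiVirusDisableNotify": "0", "FirewallDisableNotify": "0",
                                 "AntiSpywareDisableNotify": "0", "AutoUpdateDisableNotify": "0"},
    "System Restore Settings": {"DisableSR": "0"},
    "Firewall Settings": {"EnableFirewall": "1"},
}

SECTION_RE = re.compile(r"^========== (.+?) ==========$")
SHELL_RE = re.compile(r"^(\w+ \[[^\]]+\]) -- (.*)$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')

# Constructed sample: an excerpt of the Extras.Txt posted in the thread.
SAMPLE_LOG = r"""
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
========== System Restore Settings ==========
"DisableSR" = 0
========== Firewall Settings ==========
"EnableFirewall" = 1
"""


def parse_sections(text):
    """Split the log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def check_shell_spawning(lines):
    """(severity, message) pairs: 'hijack' if a handler no longer runs the file
    itself, 'missing' if OTL did not list it, 'note' for unreadable entries."""
    seen = {}
    for line in lines:
        m = SHELL_RE.match(line)
        if m:
            seen[m.group(1)] = m.group(2)
    findings = []
    for handler, expected in EXPECTED_SHELL.items():
        actual = seen.get(handler)
        if actual is None:
            findings.append(("missing", f"{handler} not listed"))
        elif actual != expected:
            findings.append(("hijack", f"{handler} -- {actual} (expected {expected})"))
    for handler, value in seen.items():
        # "Reg Error: Key error." is common on XP logs and usually benign.
        if value.startswith("Reg Error"):
            findings.append(("note", f"{handler} -- {value}"))
    return findings


def check_values(sections):
    """Flag security-relevant registry values that differ from the healthy state."""
    findings = []
    for section, expected in EXPECTED_VALUES.items():
        for line in sections.get(section, []):
            m = VALUE_RE.match(line)
            if m and m.group(1) in expected and m.group(2) != expected[m.group(1)]:
                findings.append(("changed", f"{section}: {line}"))
    return findings


def triage(text):
    """Run every check over one log and return the combined findings."""
    sections = parse_sections(text)
    return check_shell_spawning(sections.get("Shell Spawning", [])) + check_values(sections)
```

Run `triage(SAMPLE_LOG)` on the excerpt above and only the benign "note" for regfile comes back, which matches the helper's reading that the handlers in this log are intact.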


Re: New UPS infection - help needed

Post by DragonMaster Jay on Thu 20 Sep 2012, 3:38 am

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death


~DMJ
GeekPolice Academy Manager

DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate
http://www.twitter.com/jaypfoutz

Re: New UPS infection - help needed

Post by spencer.gross.16 on Mon 24 Sep 2012, 4:28 am

The predominant problem is stupendous slowness. I haven't responded in a couple days because I was running a scan (SuperAntiSpyware) and it took 48 hrs. Most of that time Task Manager showed System Idle at 99%. It could take 30 seconds per file.
Minimizing a window can take several minutes during which nothing else responds.
I do get occasional Blue Screens, but infrequently. I do have about 6 svchost.exe running, but all listed at 0%. No fake antivirus alerts.
Mostly just so slow, slow slow that I can hardly use the computer!


Re: New UPS infection - help needed

Post by DragonMaster Jay on Mon 24 Sep 2012, 7:01 am

Please do a memory test: [You must be registered and logged in to see this link.]

Then, let me know results. It takes one to two hours at the most, usually.



Re: New UPS infection - help needed

Post by spencer.gross.16 on Wed 26 Sep 2012, 12:34 pm

Well, it took a while to get MemTest to work: 4.0 wouldn't run on my computer, so I ended up using 3.5b...but, no Errors, no ECC Errors.
A friend suggested 1) 2G RAM actually run slower than 1G on this processor, and 2) maybe I have some incorrect BIOS setting. I wanted to see if you think either of those might explain the extreme slowness. He suggested I actually take out 1G RAM.


Re: New UPS infection - help needed

Post by spencer.gross.16 on Wed 26 Sep 2012, 12:45 pm

Oh, I may have solved the extra OS ("30") mystery: Before I contacted GeekPolice.net, I had tried to delete SpyBot to eliminate things which might have been slowing the computer, but it persisted in my Startup, so I used msconfig and deleted the SpyBot line from boot.ini. There is another line in boot.ini: Timeout.old=30, which I just read might have been introduced by SpyBot to create a faster and easier boot to Safe Mode, but I haven't tried it yet to see if it, in fact, boots into Safe Mode.


Re: New UPS infection - help needed

Post by DragonMaster Jay on Thu 27 Sep 2012, 3:59 am

Well, it definitely is not connected with another operating system or partition for that matter.

"2G RAM actually run slower than 1G on this processor"
I find this untrue. RAM is different than CPU power. Processing is hardware that runs the programs and helps process information to memory. It only has an effect on how much data can be written to memory at one time.

The more memory you have (RAM), the more available space in memory there is that the processor can help write to.

If RAM were a problem, then the test would have found faults.

What were the MEMTEST results?



Re: New UPS infection - help needed

Post by spencer.gross.16 on Fri 28 Sep 2012, 4:56 am

Well, it took a while to get MemTest to work: 4.0 wouldn't run on my computer, so I ended up using 3.5b...but, no Errors, no ECC Errors.


Re: New UPS infection - help needed

Post by DragonMaster Jay on Sat 29 Sep 2012, 5:35 am

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:


  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death



Re: New UPS infection - help needed

Post by spencer.gross.16 on Mon 01 Oct 2012, 4:46 pm

1) The computer continues to be very slow; 2) I do seem to be having a fair number of system crashes (blue screen) every couple days, but I see no pattern.


Re: New UPS infection - help needed

Post by DragonMaster Jay on Mon 01 Oct 2012, 7:58 pm

Please follow this guide and post information back: [You must be registered and logged in to see this link.]



Re: New UPS infection - help needed

Post by spencer.gross.16 on Tue 02 Oct 2012, 4:44 pm

I ran the SF diagnostic tool, but I can't figure out how to upload either the folder (sf_01-10-2012) or the .zip file made from it. I can't use servimg because it does not upload .zip files. I've spent the past hour trying to figure this out without success, so I'm declaring defeat!


Re: New UPS infection - help needed

Post by DragonMaster Jay on Tue 02 Oct 2012, 7:49 pm

Please upload it to [You must be registered and logged in to see this link.] and post download link here...



Re: New UPS infection - help needed

Post by spencer.gross.16 on Wed 03 Oct 2012, 3:24 am

[You must be registered and logged in to see this link.]

Thanks!


Re: New UPS infection - help needed

Post by DragonMaster Jay on Wed 03 Oct 2012, 4:43 am

Please download BlueScreenView
Unzip the downloaded file and double click on BlueScreenView.exe file to run the program.
When scanning is done, go Edit > Select All.
Go File > Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.



Re: New UPS infection - help needed

Post by spencer.gross.16 on Wed 03 Oct 2012, 6:44 am

==================================================
Dump File : Mini093012-01.dmp
Crash Time : 9/30/2012 10:18:39 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Parameter 2 : 0x898bfda0
Parameter 3 : 0x898bff14
Parameter 4 : 0x805faffc
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c876
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6223 (xpsp_sp3_gdr.120504-1619)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+157149
Stack Address 2 : ntoskrnl.exe+123fba
Stack Address 3 : ntoskrnl.exe+77ec
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini093012-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini092812-01.dmp
Crash Time : 9/28/2012 6:21:16 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Parameter 2 : 0x89a91da0
Parameter 3 : 0x89a91f14
Parameter 4 : 0x805faffc
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c876
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6223 (xpsp_sp3_gdr.120504-1619)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+157149
Stack Address 2 : ntoskrnl.exe+123fba
Stack Address 3 : ntoskrnl.exe+77ec
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini092812-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini090512-02.dmp
Crash Time : 9/5/2012 9:19:17 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x1000000a
Parameter 1 : 0x00000008
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0x804ea79a
Caused By Driver : atapi.sys
Caused By Address : atapi.sys+81dd
File Description : IDE/ATAPI Port Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Crash Address : ntoskrnl.exe+1379a
Stack Address 1 : atapi.sys+416c
Stack Address 2 : atapi.sys+6d4b
Stack Address 3 : aswMBR.sys+2c71
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini090512-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini090512-01.dmp
Crash Time : 9/5/2012 8:53:27 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x1000000a
Parameter 1 : 0x00000008
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0x804ea79a
Caused By Driver : atapi.sys
Caused By Address : atapi.sys+81dd
File Description : IDE/ATAPI Port Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Crash Address : ntoskrnl.exe+1379a
Stack Address 1 : atapi.sys+416c
Stack Address 2 : atapi.sys+6d4b
Stack Address 3 : aswMBR.sys+2c71
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini090512-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 98,304
==================================================

==================================================
Dump File : Mini090212-01.dmp
Crash Time : 9/2/2012 9:10:08 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Parameter 2 : 0x88f93020
Parameter 3 : 0x88f93194
Parameter 4 : 0x805faffc
Caused By Driver : WRkrn.sys
Caused By Address : WRkrn.sys+100a0
File Description :
Product Name :
Company :
File Version :
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+157149
Stack Address 2 : ntoskrnl.exe+123fba
Stack Address 3 : WRkrn.sys+100f2
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini090212-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini081212-01.dmp
Crash Time : 8/12/2012 1:41:44 PM
Bug Check String : KERNEL_STACK_INPAGE_ERROR
Bug Check Code : 0x00000077
Parameter 1 : 0xc000000e
Parameter 2 : 0xc000000e
Parameter 3 : 0x00000000
Parameter 4 : 0x015e4000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c876
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6223 (xpsp_sp3_gdr.120504-1619)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+49e3a
Stack Address 2 : ntoskrnl.exe+110de
Stack Address 3 : ntoskrnl.exe+fb51
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini081212-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini080512-01.dmp
Crash Time : 8/5/2012 8:17:52 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Parameter 2 : 0x897fb880
Parameter 3 : 0x897fb9f4
Parameter 4 : 0x805faffc
Caused By Driver : WRkrn.sys
Caused By Address : WRkrn.sys+ffe0
File Description :
Product Name :
Company :
File Version :
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+157149
Stack Address 2 : ntoskrnl.exe+123fba
Stack Address 3 : WRkrn.sys+10032
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini080512-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================


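A quick way to read a BlueScreenView report like the one above is to parse it rather than eyeball seven records. The script below is an added example for this thread, not code from BlueScreenView or from anyone in the topic. It parses the "Field : Value" records separated by the "=====" lines, counts crashes by bug check code and by the driver BlueScreenView blamed, and lists every module in a crash stack that is not in a small allowlist of core Windows modules, since a third-party kernel driver in the stack is the first thing to verify (file version, signature, vendor) when a rootkit is suspected. The two sample records are copied from the report posted above and trimmed to the fields the script reads; the WINDOWS_CORE allowlist is an assumption and a starting point, not an authority.

```python
"""Triage a BlueScreenView text report (File > Save Selected Items).

Added example for this thread, not code from BlueScreenView or the forum.
It parses the 'Field : Value' records separated by '=====' lines, counts
crashes by bug check and by the driver BlueScreenView blamed, and lists
every module in a crash stack that is not in a small allowlist of core
Windows modules, since a third-party kernel driver in the stack is the
first thing to verify when a rootkit is suspected.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: two records copied from the report posted above,
# trimmed to the fields this script reads.
SAMPLE_REPORT = """\
==================================================
Dump File : Mini090212-01.dmp
Crash Time : 9/2/2012 9:10:08 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Caused By Driver : WRkrn.sys
Caused By Address : WRkrn.sys+100a0
Company :
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+157149
Stack Address 2 : ntoskrnl.exe+123fba
Stack Address 3 : WRkrn.sys+100f2
==================================================

==================================================
Dump File : Mini090512-02.dmp
Crash Time : 9/5/2012 9:19:17 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x1000000a
Parameter 1 : 0x00000008
Caused By Driver : atapi.sys
Caused By Address : atapi.sys+81dd
Company : Microsoft Corporation
Crash Address : ntoskrnl.exe+1379a
Stack Address 1 : atapi.sys+416c
Stack Address 2 : atapi.sys+6d4b
Stack Address 3 : aswMBR.sys+2c71
==================================================
"""

SEPARATOR = re.compile(r"^=+\s*$", re.M)
FIELD = re.compile(r"^(.+?) :\s?(.*)$")
MODULE = re.compile(r"^([A-Za-z0-9_.\-]+)\+[0-9a-fA-F]+$")

# Assumed allowlist of core Windows XP modules seen in crash stacks.
# It is a starting point, not an authority: anything outside it is
# flagged for manual verification, not declared malicious.
WINDOWS_CORE = {"ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll", "atapi.sys",
                "ntfs.sys", "win32k.sys", "fltmgr.sys", "classpnp.sys"}


def parse_report(text):
    """Return one dict per crash record, keyed by BlueScreenView field name."""
    records = []
    for chunk in SEPARATOR.split(text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Dump File" in fields:
            records.append(fields)
    return records


def base_bugcheck(code_text):
    """BlueScreenView prints 0x1000000a for a 0x0000000a stop recorded with
    extra flag bits set; mask them off to get the canonical bug check code."""
    return int(code_text, 16) & 0xFFFF


def stack_modules(rec):
    """Module names from 'Caused By Address', 'Crash Address', 'Stack Address N'."""
    mods = []
    for key, value in rec.items():
        if key.startswith(("Stack Address", "Caused By Address", "Crash Address")):
            m = MODULE.match(value)
            if m:
                mods.append(m.group(1).lower())
    return mods


def triage(text):
    """Summarise a report for a quick infection-vs-hardware read."""
    records = parse_report(text)
    by_code = Counter()
    by_driver = Counter()
    outside_core = defaultdict(set)      # module -> dump files it appears in
    no_version_info = defaultdict(list)  # blamed driver with an empty Company field
    for rec in records:
        by_code[(base_bugcheck(rec["Bug Check Code"]),
                 rec.get("Bug Check String", ""))] += 1
        driver = rec.get("Caused By Driver", "").lower()
        by_driver[driver] += 1
        if not rec.get("Company"):
            no_version_info[driver].append(rec["Dump File"])
        for mod in stack_modules(rec):
            if mod not in WINDOWS_CORE:
                outside_core[mod].add(rec["Dump File"])
    return {"crashes": len(records), "by_code": by_code, "by_driver": by_driver,
            "outside_core": dict(outside_core),
            "no_version_info": dict(no_version_info)}


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['crashes']} crashes")
    for (code, name), n in summary["by_code"].most_common():
        print(f"  0x{code:08x} {name}: {n}")
    print("blamed drivers:", dict(summary["by_driver"]))
    print("modules outside the core allowlist (verify vendor, version, signature):")
    for mod, dumps in sorted(summary["outside_core"].items()):
        print(f"  {mod}: {', '.join(sorted(dumps))}")
    print("blamed drivers with no version info:", summary["no_version_info"])
```

On the two sample records the script flags WRkrn.sys (blamed, and with no company or version information in the dump) and aswMBR.sys (present in a stack but not blamed). Flagging is only a prompt to check those files on disk; a driver outside the allowlist may be a legitimate security product, and the allowlist itself should be extended for the machine being examined.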

Post by DragonMaster Jay on Thu 04 Oct 2012, 4:25 am

Do you ever use Hibernate?

If the computer is slowing down often, then bad RAM is usually the issue.



Post by spencer.gross.16 on Fri 05 Oct 2012, 3:09 am

I never deliberately use Hibernate, but if I leave the computer on for a while, it automatically goes into Hibernate.
I'll try removing one and then the other RAM chip and see if it makes a difference.


Post by DragonMaster Jay on Fri 05 Oct 2012, 7:32 am

Okay. Let me know.



Post by spencer.gross.16 on Fri 05 Oct 2012, 2:58 pm

Wow, you may be the Master! There are two 1G RAM chips in my system. When I took out one of them, after 20 minutes, the computer had still not finished booting. I replaced it with the other RAM chip, it booted very quickly and is now zipping along faster than I have seen it for a long time! So, I think the first chip has problems. I'm still afraid to trust that it will last!
Thank you, Spencer Gross


Post by DragonMaster Jay on Sat 06 Oct 2012, 3:30 am

You're welcome. Now, if you don't know what RAM replacement you need, you can go here to find out: [You must be registered and logged in to see this link.]

Otherwise, let's finish up so you can prevent malware in the future... (woo a long drag, a month so far in this topic):

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link: http://www.majorgeeks.com/CCleaner_Slim_No_Toolbar_d4191.html

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or from Changelog.fr: http://screen317.changelog.fr/SecurityCheck.exe

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

