Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Some Malware of sorts


  • This topic is locked This topic is locked
23 replies to this topic

#1 seanbateman7

seanbateman7

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 02 April 2012 - 01:32 PM

Hello today,

I've been here before and really liked who I was working with last time, hopefully we'll have a similar experience. Basically, its the same computer as before. Except it actually started working for a while, hard drive was replaced and windows was reinstalled I believe, I never saw any of the work done, and the computer didn't exactly come back happy. Our computer guy knows very little. Now that I've gotten to it, There are all sorts of popups, usually twitter.com or digg or something, at the login screen. Well today I sat down and looked at the comp wondering what was wrong, and I booted into safe mode and ran Rkill, I had one task that was killed : userinit.exe

I'm currently running malware bytes, and it has found one piece so far, so I'm going to wait for the full scan to complete, and then if that fixes it I'll let you know. I'll post my hijack log.

If you want me to do another log let me know.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:41 PM, on 4/2/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.endicia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3941 bytes

BC AdBot (Login to Remove)

 


#2 seanbateman7

seanbateman7
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 02 April 2012 - 01:42 PM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.02.08

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
UPS :: UPS-BACKUP [administrator]

4/2/2012 14:04
mbam-log-2012-04-02 (14-04-50).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 278600
Time elapsed: 30 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\UPS\Local Settings\temp\arg249889.exe (Trojan.Tracur) -> Quarantined and deleted successfully.

(end)





ALSO Forgot to say this, windows xp sp3

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:47 PM

Posted 08 April 2012 - 01:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/448580 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:47 PM

Posted 09 April 2012 - 06:43 AM

Hi,


Did the scan with malwarebytes help? Please run a scan with DDS:
Please run a scan with DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

Hijackthis is no longer updated and not adequate to see current malware.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 seanbateman7

seanbateman7
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 09 April 2012 - 12:04 PM

I think I was informed about Hijack this, any other tools you recommend that I can just leave on my computer for that?

Also the DDS scan is freezing my computer every time, I did it in normal, safe with networking, and safe, I tried it in safe after running rkill but it didn't come up with anything. It gets like ############################################## that far ish and then whenever I check on it the computer is frozen and the caps lock num lock buttons aren't working. While in safe mode, I didn't see avast running, and in the normal mode it was having issues, but disabling it doesn't seem smart to me because I'm getting malware blocked warnings like 2 every five minutes. No web pages open.

Also no I didn't go through malware bytes team because I had a good experience here you know?

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:47 PM

Posted 09 April 2012 - 12:34 PM

Hi,

yes, please try using OTL instead:
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 seanbateman7

seanbateman7
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 09 April 2012 - 01:38 PM

OTL logfile created on: 4/9/2012 2:23:38 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\UPS\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

734.73 Mb Total Physical Memory | 567.13 Mb Available Physical Memory | 77.19% Memory free
1.76 Gb Paging File | 1.68 Gb Available in Paging File | 95.40% Paging File free
Paging file location(s): c:\pagefile.sys 1104 2208 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 53.39 Gb Free Space | 71.67% Space Free | Partition Type: NTFS

Computer Name: UPS-BACKUP | User Name: UPS | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/09 13:57:16 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\UPS\My Documents\Downloads\OTL.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2010/02/01 15:35:51 | 000,163,728 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/03/06 20:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -- (MSSQL$UPSWSDBSERVER)
SRV - [2005/05/03 21:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -- (SQLAgent$UPSWSDBSERVER)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Stopped] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (93920964)
DRV - [2012/03/06 20:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/06 20:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/06 20:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2012/03/06 20:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/06 20:01:39 | 000,095,704 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/03/06 20:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/03/06 19:58:29 | 000,024,920 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2005/01/04 05:46:14 | 000,013,184 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2005/01/04 05:01:48 | 000,239,104 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2004/11/05 07:29:30 | 000,121,728 | R--- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SiSGbeXP.sys -- (SiSGbeXP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-1801674531-1677128483-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.endicia.com/
IE - HKU\S-1-5-21-1801674531-1677128483-839522115-1003\..\SearchScopes,DefaultScope = {1F41C34F-25E9-4840-B09E-E2F49ECD7F98}
IE - HKU\S-1-5-21-1801674531-1677128483-839522115-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1801674531-1677128483-839522115-1003\..\SearchScopes\{1F41C34F-25E9-4840-B09E-E2F49ECD7F98}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-1801674531-1677128483-839522115-1003\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
IE - HKU\S-1-5-21-1801674531-1677128483-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "sellercentral.com"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\UPS\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\UPS\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\UPS\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\UPS\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/03/13 10:18:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/20 11:12:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/19 12:51:46 | 000,000,000 | ---D | M]

[2010/04/17 09:46:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\UPS\Application Data\Mozilla\Extensions
[2012/01/28 10:50:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\UPS\Application Data\Mozilla\Firefox\Profiles\ypntd1x9.default\extensions
[2010/10/26 12:01:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\UPS\Application Data\Mozilla\Firefox\Profiles\ypntd1x9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/11/12 09:58:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\UPS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\YPNTD1X9.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/03/20 11:12:20 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/06/29 13:28:40 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/02/27 10:55:45 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/27 10:55:45 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/10 11:39:48 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe ()
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1801674531-1677128483-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1801674531-1677128483-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1801674531-1677128483-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F7A5646E-47E7-479B-B230-889716CAC2D1}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/15 20:38:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/02 14:12:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\UPS\Desktop\asdfshdtj
[87 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/09 14:21:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/09 14:01:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/09 13:55:19 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2012/04/04 14:26:01 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1677128483-839522115-1003UA.job
[2012/04/03 17:26:04 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1677128483-839522115-1003Core.job
[2012/04/03 17:03:03 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/04/02 14:41:12 | 000,568,066 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/02 14:41:12 | 000,112,960 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/02 14:37:21 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/13 17:16:22 | 000,267,800 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/13 17:02:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/12 16:30:04 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[87 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/23 23:12:32 | 000,000,096 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012/02/18 21:16:23 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/10 11:48:36 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/07 13:27:00 | 000,006,356 | -HS- | C] () -- C:\Documents and Settings\UPS\Local Settings\Application Data\bx3513lc2lsr38y11c131gl1u1p5mtijw547vyrd8o58ft
[2012/01/07 13:27:00 | 000,006,356 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\bx3513lc2lsr38y11c131gl1u1p5mtijw547vyrd8o58ft
[2011/10/06 15:11:49 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\UPS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/09 14:51:08 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\GetHostIP.exe
[2010/12/09 10:58:20 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\nssckbi.dll
[2010/09/28 09:25:17 | 000,000,199 | ---- | C] () -- C:\WINDOWS\wstdUPSWSHIP.INI
[2010/07/06 17:50:44 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/06 17:50:44 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/06 17:50:44 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/06 17:50:44 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/06 17:50:44 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/17 09:45:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

< End of report >


OTL Extras logfile created on: 4/9/2012 2:23:38 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\UPS\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

734.73 Mb Total Physical Memory | 567.13 Mb Available Physical Memory | 77.19% Memory free
1.76 Gb Paging File | 1.68 Gb Available in Paging File | 95.40% Paging File free
Paging file location(s): c:\pagefile.sys 1104 2208 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 53.39 Gb Free Space | 71.67% Space Free | Partition Type: NTFS

Computer Name: UPS-BACKUP | User Name: UPS | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1801674531-1677128483-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
FirstRunDisabled = 1
AntiVirusOverride = 0
FirewallOverride = 0
AntiVirusDisableNotify = 0
FirewallDisableNotify = 0
UpdatesDisableNotify = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
DisableSR = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
Start = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
Start = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
EnableFirewall = 0
DoNotAllowExceptions = 0
DisableNotifications = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
139:TCP = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
445:TCP = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
137:UDP = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
138:UDP = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
EnableFirewall = 1
DisableNotifications = 1
DoNotAllowExceptions = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
139:TCP = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
445:TCP = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
137:UDP = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
138:UDP = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
443:TCP = 443:TCP:*:Enabled:Dial-A-Zip

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Documents and Settings\UPS\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe = C:\Documents and Settings\UPS\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
C:\Program Files\Envelope Manager\DAZzle\DAZZLE.EXE = C:\Program Files\Envelope Manager\DAZzle\DAZZLE.EXE:*:Enabled:DAZzle -- (DYMO Endicia)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C} = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
{08498FF9-6C9B-4FC2-8DE1-BD98C89CC220} = SiSRaidPackage
{1F1C2DFC-2D24-3E06-BCB8-725134ADF989} = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
{26A24AE4-039D-4CA4-87B4-2F83216026FF} = Java™ 6 Update 26
{2A033A00-FE0D-4609-B0E8-2C49CC494FC8} = WorldShip
{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F} = Microsoft SQL Server 2005 Express Edition (ACT7)
{33035862-543C-4405-9CC6-08593CF2C25F} = ReportServer
{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} = WebFldrs XP
{390160B4-D276-4A04-8002-8D3101A0D367} = UPSICC
{3C3901C5-3455-3E0A-A214-0B093A5070A6} = Microsoft .NET Framework 4 Client Profile
{4A03706F-666A-4037-7777-5F2748764D10} = Java Auto Updater
{4AE3EAC8-FAD9-4ECC-A339-BBAD8C72DE71} = UPSDB
{53F5C3EE-05ED-4830-994B-50B2F0D50FCE} = Microsoft SQL Server Setup Support Files (English)
{56B59C2A-EFB8-44AC-88F5-3280171E4522} = PolicyManager
{5AE59A84-B2F3-42CC-A246-5AF80F6EE770} = Reconciler
{68A35043-C55A-4237-88C9-37EE1C63ED71} = Microsoft Visual J# 2.0 Redistributable Package
{68AF09E3-1167-4771-903C-CCCDCF7E171C} = NRF
{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} = Microsoft Visual C++ 2005 Redistributable
{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686} = Microsoft SQL Server Native Client
{770657D0-A123-3C07-8E44-1C83EC895118} = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
{86CE85E6-DBAC-3FFD-B977-E4B79F83C909} = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00} = Microsoft Silverlight
{8C5BD501-AD5D-4A75-9321-076509B438FC} = WebHelp
{90110409-6000-11D3-8CFE-0150048383C9} = Microsoft Office Professional Edition 2003
{90120000-0020-0409-0000-0000000FF1CE} = Compatibility Pack for the 2007 Office system
{926933C7-B2B4-4CF9-8659-7026913FC032} = QBXMLRP2
{95749C5B-BC37-41E3-8D39-EEF4C21A2825} = CCC
{95BFC573-7D09-46C9-B458-A75BA947FFCB} = UPSVC2008MM
{9BE518E6-ECC6-35A9-88E4-87755C07200F} = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
{a0fe116e-9a8a-466f-aee0-625cb7c207e3} = Microsoft Visual C++ 2005 Redistributable - KB2467175
{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7} = Microsoft .NET Framework 3.0 Service Pack 2
{A5763105-D1D5-4862-A3FE-EC058F9AA73E} = ICCHelp
{AC76BA86-7AD7-1033-7B44-A83000000003} = Adobe Reader 8.3.1
{B2544A03-10D0-4E5E-BA69-0362FFC20D18} = OGA Notifier 2.0.0048.0
{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE} = Microsoft XML Parser
{BC728F95-2D3F-4D05-9E1E-F2A3CEBF3FE8} = FormsComponent
{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} = Microsoft .NET Framework 2.0 Service Pack 2
{C23415D8-FE94-4F52-B5C4-0FFA2202C6D9} = UPSVCMM
{C30E30A6-0AB5-470A-AB67-D322938F5429} = SupportUtility
{C9D43B38-34AD-4EC2-B696-46F42D49D174} = MSIChecker
{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} = Microsoft .NET Framework 1.1
{CCF13D13-A87B-34E8-B689-1896D0C2DBA2} = Google Talk Plugin
{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} = Microsoft .NET Framework 3.5 SP1
{CF2962CB-E3E7-4AA5-B6CE-EE59A600ECBE} = UnifiedPrinting
{D44E7219-947E-4F1B-830E-66EF11ACC543} = NA1Messenger
{DB2C58E0-6284-4B48-97F2-22A980B6360B} = System
{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} = Ad-Aware
{E09B48B5-E141-427A-AB0C-D3605127224A} = Microsoft SQL Server Desktop Engine (UPSWSDBSERVER)
{E358CC1E-4953-4E27-ADEB-8B27D8BBC20E} = UPSlinkHTTP
{E7084B89-69E0-46B3-A118-8F99D06988CD} = Microsoft SQL Server VSS Writer
{EA9629DA-5715-48BA-B054-28169702B176} = FOSS
{F0A37341-D692-11D4-A984-009027EC0A9C} = SoundMAX
{F0FD4BDB-F28E-48A1-936E-6E47AD6D3DE1} = FedEx Ship Manager
{F333A33D-125C-32A2-8DCE-5C5D14231E27} = Visual C++ 2008 x86 Runtime - (v9.0.30729)
{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01 = Visual C++ 2008 x86 Runtime - v9.0.30729.01
{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4} = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Ad-Aware = Ad-Aware
Adobe Flash Player ActiveX = Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin = Adobe Flash Player 11 Plugin
avast = avast! Free Antivirus
DAZzle = DAZzle
HijackThis = HijackThis 2.0.2
ie8 = Windows Internet Explorer 8
Malwarebytes' Anti-Malware_is1 = Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 1.1 (1033) = Microsoft .NET Framework 1.1
Microsoft .NET Framework 3.5 SP1 = Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile = Microsoft .NET Framework 4 Client Profile
Microsoft SQL Server 2005 = Microsoft SQL Server 2005
Microsoft Visual J# 2.0 Redistributable Package = Microsoft Visual J# 2.0 Redistributable Package
Mozilla Firefox 11.0 (x86 en-US) = Mozilla Firefox 11.0 (x86 en-US)
MSCompPackV1 = Microsoft Compression Client Pack 1.0 for Windows XP
MSNINST = MSN
PrimoPDF4.1.0.9 = PrimoPDF
SiS VGA Driver = SiS VGA Utilities
UPS WorldShip = UPS WorldShip
Windows Media Format Runtime = Windows Media Format 11 runtime
Windows Media Player = Windows Media Player 11
Windows Script = Microsoft Windows Script 5.7
Windows XP Service Pack = Windows XP Service Pack 3
WMFDist11 = Windows Media Format 11 runtime
wmp11 = Windows Media Player 11
Wudf01000 = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


There you are, the scan was run in safe mode as I couldn't get it running normal.

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:47 PM

Posted 09 April 2012 - 01:52 PM

Hi,

when did the PC supposedly get reinstalled? I'm seeing traces of malware going back to january this year. When did it slow down? Was that progressively or suddenly?

Do you know this folder: C:\Documents and Settings\UPS\Desktop\asdfshdtj

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Also I would like to point out all the risks of cleaning such a machine if it's a coroprate one and why I (normally) strongly recommend you to ask your IT suppport/network Administrator to fix this. After all they are paid to do so.

I ask this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting an Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 seanbateman7

seanbateman7
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 09 April 2012 - 02:09 PM

Yes, the folder with the random characters was me, I created it and was frustrated so i just hit some keys lol. As for this computer, I'm not totally sure when it happened, It started slowing down a while back, and I came here for help, we got to a point where I needed an XP disc because it was caught in a boot loop. Then the Boss like man who doesn't know anything called his computer guy who also knows little and he took the computer from me in the middle of cleaning it, supposedly did windows recovery, and stated he installed a new hard drive because after the recovery it was still slow (obviously meaning he didn't fix it!) When I get the next step started, I'll post a URL or something to the old thread I was at, I thought it was Root key issues, but I don't know because it was taken while I was fixing it!!

Also I don't work at a corporation, I'm technically the IT guy, and my boss is an old man not intelligent about computers, extremely ignorant really... However there are no personal files on that computer, there is no information that can be damaging if it got out (to the company) to my knowledge, and this machine is usually only used for web browsing (looking up products) and product formatting in excel. The reason we get malware and stuff like this - nobody listens to me. plain and simple. first facebook causes these problems, I tried explaining its third party material on facebook, not facebook, and now whenever a computer gets any sort of virus, malware, or issue its now always facebooks fault. LOVE WORKING HERE (not really)

#10 seanbateman7

seanbateman7
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 09 April 2012 - 02:35 PM

http://www.bleepingcomputer.com/forums/topic441820.html/page__st__15__p__2598285#entry2598285

#11 seanbateman7

seanbateman7
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 09 April 2012 - 02:54 PM

Well I ran the scan, saw a buncha things maybe 5, and then I messed up and restarted the scan without grabbing the log file, and now its not finding anything, hopefully a reboot will fix it, if it doesn't I 'll try and reinstall

#12 seanbateman7

seanbateman7
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 09 April 2012 - 03:01 PM

error message when I open:
LoadDriver("C:\DOCUME~1\UPS\LOCALS~1\TEMP\kwtoikow.sys") error 0xc000010E

Cannot create a stable subkey under a volatile parent key.

#13 seanbateman7

seanbateman7
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 09 April 2012 - 03:45 PM

Ok, so either it found something, and took care of it when I accidentally scanned again, or it gliched with those lines, but I'm pretty sure it wasn't a glitch. So the first time it ran about 5 things popped up, what should I do?

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:47 PM

Posted 10 April 2012 - 07:46 AM

Hi,

gmer does not remove anything. It is possible though that the lines came from a program you had still opened?

Did you get the message about the volatile key again?

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click Posted Image on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 seanbateman7

seanbateman7
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester NY
  • Local time:01:47 PM

Posted 10 April 2012 - 10:30 AM

The computer refused to open the aswMBR.exe after the download, and it was the same in safe mode, and regular, I checked the task manager when opening it and it would ping up for a short time maybe a half second with 2% on the cpu and then go away. I'm running the Root Repeal scan now and so far its working.

I got that error message everytime I opened it I think, I don't really recall the first time though.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users