==Root Kit == DDS Crashes


This topic is locked.
61 replies to this topic

#1 VcElder

Posted 02 July 2013 - 03:52 PM

Hello,

 

Despite quite a bit of effort I have found myself fairly lost in the removal of something very nasty. I have done the following in attempts to remove the virus.

Symptoms: 

Sound is not functional regardless of driver re-load.

Machine startup is slow and shutdown doesn't occur; it stops on the "shutting down" screen (OS is Windows XP).

Machine randomly crashes and freezes with no blue screen. Input becomes unresponsive.

When the machine is responsive, I get browser redirects in Chrome and IE.

The system clock consistently changes. I would check the CMOS battery but with the other symptoms...

 

Being a computer guy, I did the following:

 

Ran ESET Online Scanner - Nothing found.

Ran Malwarebytes - Nothing found.

Ran AdwCleaner - some minor cookies found and deleted.

Ran DDS - Crashed and froze.

Ran ComboFix - Crashed and froze. (I know I shouldn't have run it undirected, but it does the job for me 99% of the time; at worst I just have to restore the MBR and exe's, etc.) Uninstalled ComboFix using combofix /uninstall and then reloaded it just to be sure.

Ran TDSSKiller with loaded modules and it did find 5 threats, and removed them.

Ran GMER and it found several rootkit activities; however, the scan is unable to complete and crashes. I will take a screenshot of what it finds and post it.

Ran aswMBR and it found "unknown" MBR code, and rewrote the MBR. It no longer states "unknown boot code". (See log file PRIOR to MBR rewrite.)

Attached you will find the RKill log file, OTR log file and HijackThis log file. I will also run GMER again and take a screenshot of it before it crashes (or write it down).


Thank you for your assistance.
#2 HelpBot

Posted 07 July 2013 - 03:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/499927 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 VcElder (Topic Starter)

Posted 08 July 2013 - 09:45 AM

Hello in response, 

I am still unable to run DDS as it freezes the machine. The system time is also consistently changing on reboot (which may indicate a battery; however, with the freezes of DDS, ComboFix and GMER, I wanted someone who knows more than I do). Please let me know if you need a new log file of any of the previous log files. Malwarebytes and ESET turn up nil.

 

The machine is older, XP Pro SP3, 32-bit.

Thanks
 



#4 Oh My! (Malware Response Instructor)

Posted 08 July 2013 - 11:45 AM

Greetings VcElder and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started!
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible.

While I am reviewing everything please run the following program for me.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Farbar log
  • Addition log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
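The FRST scan requested above produces a long log in which almost every line is whitelisted noise, and the analyst's first pass is to pick out the handful of entries worth a closer look. The script below is an added example for readers of this thread; it is not part of FRST, of Farbar's tooling, or of the forum's fix scripts. It reads FRST-style lines and flags autostarts, services and drivers whose file is missing from disk (`[x]` or `No File`), binaries with no publisher in their version info (FRST prints an empty `()`), entries launched from another drive, a Temp folder or an unexpected top-level folder, and any timestamp later than the scan date, which matters here because the original poster reports the system clock changing. The sample log is constructed in the 2013 FRST (x86) format, modelled on entries in the log posted in the next reply; "Example User", the rule names and the set of expected folders are this example's own choices.

```python
"""First-pass triage of a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread; it is not part of FRST or of the forum's
fix scripts.  It reads FRST-style lines and flags entries an analyst would
look at first.  Flags are leads, not verdicts.
"""
import re
from collections import namedtuple
from datetime import date

Finding = namedtuple("Finding", "line reasons")

# Constructed sample in the 2013 FRST (x86) format, modelled on entries
# from the log posted in this thread; "Example User" is a placeholder.
SAMPLE_LOG = r"""
Ran by Example User (administrator) on 04-07-2013 13:26:42
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe" [131072 2007-01-13] (Intel Corporation)
HKLM\...\Run: [Versato] C:\Program Files\Media Key\Versato.exe [733184 2002-12-25] ()
HKU\Victor\...\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe [x]
MountPoints2: {2e506564-2f46-11e1-aa76-001125ba4a6d} - E:\WIN\setup.exe
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - E:\skype\Toolbars\Internet Explorer\skypeieplugin.dll No File
========================== Services (Whitelisted) =================
R2 Brother XP spl Service; C:\WINDOWS\system32\brsvc01a.exe [57344 2002-04-12] (brother Industries Ltd)
S2 PEVSystemStart; C:\ComboFix\SWREG.3XE [518144 2000-08-30] (SteelWerX)
S3 catchme; \??\C:\DOCUME~1\USER~1\LOCALS~1\Temp\catchme.sys [x]
==================== One Month Created Files and Folders ========
2041-06-30 18:44 - 2041-06-30 18:44 - 00000000 ____D C:\Documents and Settings\Example User\Desktop\ProcessExplorer
2013-06-28 09:12 - 2013-06-28 09:12 - 00012345 ____A (Microsoft Corporation) C:\Windows\System32\example.dll
"""

# "Ran by ... on DD-MM-YYYY HH:MM:SS" header gives the scan date.
SCAN_DATE_RE = re.compile(r"\bon (\d{2})-(\d{2})-(\d{4}) \d{2}:\d{2}:\d{2}")
# A Windows path runs until the size/date bracket, the publisher, "No File",
# a closing quote or end of line.  Good enough for 32-bit XP paths; a
# "Program Files (x86)" path would need a stricter terminator.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?)(?=\s*(?:\[|\(|No File|"|$))')
ISO_DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
# Top-level folders where XP autostarts normally live (long and 8.3 names).
EXPECTED_TOP_DIRS = {"windows", "program files", "progra~1",
                     "documents and settings", "docume~1"}


def scan_date(text):
    """Return the date FRST ran, or None if the header is absent."""
    m = SCAN_DATE_RE.search(text)
    if not m:
        return None
    day, month, year = (int(g) for g in m.groups())
    return date(year, month, day)


def extract_path(line):
    """First Windows path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def check_line(line, ran_on):
    """Reasons this FRST entry deserves a look; empty list if none."""
    reasons = []
    if "[x]" in line or line.endswith("No File"):
        reasons.append("file missing on disk")       # orphaned autostart or hidden file
    if line.endswith("()"):
        reasons.append("no publisher in version info")
    path = extract_path(line)
    if path:
        drive, _, rest = path.partition(":\\")
        parts = rest.lower().split("\\")
        if drive.lower() != "c":
            reasons.append("runs from drive other than C:")
        elif parts[0] not in EXPECTED_TOP_DIRS:
            reasons.append("unexpected top-level folder")
        if "temp" in parts:
            reasons.append("runs from a Temp folder")
    if ran_on:
        for y, mo, d in ISO_DATE_RE.findall(line):
            try:
                stamp = date(int(y), int(mo), int(d))
            except ValueError:
                continue                            # digit run that is not a real date
            if stamp > ran_on:
                reasons.append("timestamp after scan date (clock skew?)")
                break
    return reasons


def triage(text):
    """Return Finding(line, reasons) for every flagged entry in an FRST log."""
    ran_on = scan_date(text)
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line.startswith("Ran by"):
            continue
        reasons = check_line(line, ran_on)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{'; '.join(f.reasons):<48} | {f.line}")
```

Hits are leads for the analyst, not verdicts: remnants of legitimate tools trip the same rules as a malicious autostart would (the ComboFix service and GMER's catchme.sys driver both appear in the log posted in the next reply), and the whitelist of expected folders is deliberately narrow so that anything unusual is surfaced rather than silently accepted.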

#5 VcElder (Topic Starter)

Posted 08 July 2013 - 12:24 PM

Hello Gary, 

As per your instructions, I have copied and pasted the contents in the reply. Thank you for your assistance I am grateful.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-07-2013
Ran by Bronwyn Norris (administrator) on 04-07-2013 13:26:42
Running from C:\Documents and Settings\Bronwyn Norris\desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(brother Industries Ltd) C:\WINDOWS\system32\brsvc01a.exe
(brother Industries Ltd) C:\WINDOWS\system32\brss01a.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(InterVideo) C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Skype Technologies S.A.) C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Sierra Wireless, Inc.) C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(RealNetworks, Inc.) C:\program files\real\realplayer\update\realsched.exe
() C:\Program Files\Media Key\Versato.exe
(WayTech Development, Inc.) C:\Program Files\Media Key\OSD.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe" [131072 2007-01-13] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe" [163840 2007-01-13] (Intel Corporation)
HKLM\...\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe" [135168 2007-01-13] (Intel Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKLM\...\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot [295512 2013-06-21] (RealNetworks, Inc.)
HKLM\...\Run: [Versato] C:\Program Files\Media Key\Versato.exe [733184 2002-12-25] ()
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
HKCU\...\Policies\system: [disableregistrytools] 0
MountPoints2: {2e506564-2f46-11e1-aa76-001125ba4a6d} - E:\WIN\setup.exe
MountPoints2: {3b431505-4c30-11e1-aa8d-00a0d5ffffae} - E:\LiteAuto.exe
HKU\Administrator\...\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe [x]
HKU\Administrator\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2008-04-13] (Microsoft Corporation)
HKU\Default User\...\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe [x]
HKU\Default User\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2008-04-13] (Microsoft Corporation)
HKU\Victor\...\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe [x]
HKU\Victor\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2008-04-13] (Microsoft Corporation)
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Program Files\Common Files\wruninstall.exe (Webroot Software, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?rd=1&ucc=CA&dcc=CA&opt=0&ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://ca.search.yahoo.com
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
HKCU SearchScopes: DefaultScope {A7831453-CC17-44C0-AAF6-5A9FC4735199} URL = http://search.yahoo.com/search?type=61107&fr=freecause&ei=utf-8&p={searchTerms}
SearchScopes: HKCU - {6F594CF1-C65C-4BF3-BCF0-83D21C013755} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
SearchScopes: HKCU - {A7831453-CC17-44C0-AAF6-5A9FC4735199} URL = http://search.yahoo.com/search?type=61107&fr=freecause&ei=utf-8&p={searchTerms}
SearchScopes: HKCU - {BB5A7277-A010-4669-B7BE-97DD774E5A93} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://ca.search.yahoo.com/search?p={searchTerms}&fr=chr-linksys
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - E:\skype\Toolbars\Internet Explorer\skypeieplugin.dll No File
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU -No Name - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -  No File
Toolbar: HKCU -No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ipp - No CLSID Value - 
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msdaipp - No CLSID Value - 
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - E:\skype\Toolbars\Internet Explorer\skypeieplugin.dll No File
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.209.1
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default
FF user.js: detected! => C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\user.js
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.17.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files\Yahoo!\Shared\npYState.dll No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.3 - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin: @real.com/nppl3260;version=16.0.2.32 - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.2 - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.2 - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.2 - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.5.109 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.5.109 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.2.32 - c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Extension: No Name - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Extensions\mozswing@mozswing.org
FF Extension: No Name - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: Yahoo! Toolbar - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF Extension: Webroot - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\{7a2cadc6-0db8-43bb-a6e4-9d8bda6a254f}
FF Extension: Webroot - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\{8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda}
FF Extension: Greasemonkey - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF Extension: artur.dubovoy - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\artur.dubovoy@gmail.com.xpi
FF Extension: firefox - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\firefox@red-cog.com.xpi
FF Extension: jsdeobfuscator - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\jsdeobfuscator@adblockplus.org.xpi
FF Extension: No Name - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\{891f0410-aaa2-11e0-9f1c-0800200c9a66}.xpi
FF Extension: No Name - C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\Extensions\{9051303c-7e41-4311-a783-d6fe5ef2832d}.xpi
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF Extension: Default - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{FCE04E1F-9378-4f39-96F6-5689A9159E45}] C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\27.0.1453.116\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\27.0.1453.116\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.310.5) - C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll No File
CHR Plugin: (RealPlayer™ HTML5VideoShim Plug-In (32-bit) ) - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll No File
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (RealNetworks™ Chrome Background Extension Plug-In (32-bit) ) - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Documents and Settings\Bronwyn Norris\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
CHR Plugin: (Windows Live\u00AE Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
 
========================== Services (Whitelisted) =================
 
R2 Brother XP spl Service; C:\WINDOWS\system32\brsvc01a.exe [57344 2002-04-12] (brother Industries Ltd)
S2 PEVSystemStart; C:\ComboFix\SWREG.3XE [518144 2000-08-30] (SteelWerX)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-04-16] ()
R2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3289208 2013-05-14] (Skype Technologies S.A.)
R2 SwiCardDetectSvc; C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe [238960 2011-04-08] (Sierra Wireless, Inc.)
S3 getPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper.dll [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]
S2 SkypeUpdate; E:\skype\Updater\Updater.exe [x]
S2 YahooAUService; "C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe" [x]
 
==================== Drivers (Whitelisted) ====================
 
S3 ac97intc; C:\Windows\System32\drivers\ac97intc.sys [96256 2001-08-17] (Intel Corporation)
R3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [113664 2004-03-29] (Broadcom Corporation)
S3 BrScnUsb; C:\Windows\System32\Drivers\BrScnUsb.sys [15295 2004-10-15] (Brother Industries Ltd.)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R2 fssfltr; C:\Windows\System32\DRIVERS\fssfltr_tdi.sys [54760 2010-04-28] (Microsoft Corporation)
S3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-13] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16384 2003-01-10] (Primax Electronics Ltd.)
S3 pelps2m; C:\Windows\System32\DRIVERS\pelps2m.sys [18048 2003-01-21] (Primax Electronics Ltd.)
R3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [9216 2003-02-11] (Primax Electronics Ltd.)
S3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [2687512 2009-04-30] (Logitech Inc.)
S3 portio; C:\Windows\System32\DRIVERS\NscTpmDD.sys [14695 2004-04-27] (National Semiconductor Corp.)
S3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [11136 2008-04-13] (Microsoft Corporation)
S3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [15232 2008-04-13] (Microsoft Corporation)
S3 swg3kser00; C:\Windows\System32\DRIVERS\swg3kser00.sys [214400 2011-03-10] (Sierra Wireless Incorporated)
S3 swiwdmbus; C:\Windows\System32\DRIVERS\swiwdmbus.sys [83968 2011-04-05] (Sierra Wireless Inc.)
S3 SWNC8UA3; C:\Windows\System32\DRIVERS\swnc8ua3.sys [208128 2011-03-03] (Sierra Wireless Inc.)
S3 SWUMXA3; C:\Windows\System32\DRIVERS\swumxa3.sys [156672 2010-11-16] (Sierra Wireless Inc.)
R3 TPM; C:\Windows\System32\DRIVERS\tpm.sys [17792 2005-10-09] (Winbond Electronics Corp.)
S3 WSTCODEC; C:\Windows\System32\DRIVERS\WSTCODEC.SYS [19200 2008-04-13] (Microsoft Corporation)
S3 catchme; \??\C:\DOCUME~1\BRONWY~1\LOCALS~1\Temp\catchme.sys [x]
S2 PMEM; \??\C:\WINDOWS\system32\drivers\PMEMNT.SYS [x]
S3 SwiProcMonitorDrv; \??\C:\Program Files\Sierra Wireless Inc\Common\SwiProcMonitorDrv.sys [x]
S3 SWMX00; system32\DRIVERS\swmx00.sys [x]
S3 SWNC5E00; system32\DRIVERS\SWNC5E00.sys [x]
S3 SWUMX20; system32\DRIVERS\swumx20.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2041-06-30 18:44 - 2041-06-30 18:44 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Desktop\ProcessExplorer
2041-06-30 18:39 - 2041-06-30 18:39 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Local Settings\Application Data\Webroot
2041-06-30 18:21 - 2012-06-02 15:18 - 00214256 ____A (Microsoft Corporation) C:\Windows\System32\muweb.dll
2013-07-04 13:26 - 2013-07-04 13:26 - 00000000 ___DC C:\FRST
2013-07-04 13:25 - 2013-07-04 13:25 - 01373373 ____A (Farbar) C:\Documents and Settings\Bronwyn Norris\Desktop\FRST.exe
2013-07-04 12:40 - 2013-07-04 12:40 - 00003072 ____A C:\Windows\offitems.log
2013-07-02 10:39 - 2013-07-02 10:41 - 00001379 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\RKreport[0]_S_07022013_103927.txt
2013-07-02 10:20 - 2013-07-02 10:21 - 00088594 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\OTL.Txt
2013-07-02 10:12 - 2013-07-02 10:12 - 00000000 ___DC C:\Qoobox
2013-07-02 10:12 - 2013-07-02 10:03 - 00000000 __SDC C:\ComboFix
2013-07-02 10:12 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-07-02 10:12 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-07-02 10:12 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-07-02 10:12 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-07-02 10:12 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-07-02 10:12 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2013-07-02 10:12 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-07-02 10:12 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-07-02 10:12 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-07-02 10:10 - 2013-07-02 10:11 - 05085043 ____R (Swearware) C:\Documents and Settings\Bronwyn Norris\Desktop\ComboFix.exe
2013-07-02 03:12 - 2013-07-02 10:10 - 00000000 __SDC C:\fun
2013-07-01 14:23 - 2013-07-01 14:23 - 00000000 ___DC C:\TDSSKiller_Quarantine
2013-07-01 04:40 - 2013-07-01 04:40 - 00001935 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\aswMBR.txt
2013-07-01 04:40 - 2013-07-01 04:40 - 00000512 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\MBR.dat
2013-07-01 04:21 - 2013-07-01 04:21 - 04745728 ____A (AVAST Software) C:\Documents and Settings\Bronwyn Norris\Desktop\aswMBR.exe
2013-07-01 04:09 - 2013-07-01 04:09 - 00044034 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\Extras.Txt
2013-07-01 04:03 - 2013-07-01 04:03 - 00602112 ____A (OldTimer Tools) C:\Documents and Settings\Bronwyn Norris\Desktop\OTL.exe
2013-07-01 03:49 - 2013-07-01 03:49 - 00000000 ____D C:\Program Files\ESET
2013-06-30 22:19 - 2013-06-30 22:19 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Documents and Settings\Bronwyn Norris\Desktop\mbam-setup-1.75.0.1300.exe
2013-06-30 16:27 - 2013-06-30 16:27 - 00000000 ___DC C:\Documents and Settings\Victor\Local Settings\Application Data\Google
2013-06-30 16:27 - 2013-06-30 16:27 - 00000000 ___DC C:\Documents and Settings\Victor\Application Data\Real
2013-06-30 16:26 - 2013-07-01 14:19 - 00000062 _ASHC C:\Documents and Settings\Victor\Local Settings\desktop.ini
2013-06-30 16:26 - 2013-06-30 16:26 - 00000643 ____A C:\Windows\wmsetup.log
2013-06-30 16:26 - 2013-06-30 16:26 - 00000000 _SHDC C:\Documents and Settings\Victor\IETldCache
2013-06-30 16:26 - 2013-06-30 16:26 - 00000000 ___DC C:\Documents and Settings\Victor\Application Data\Apple Computer
2013-06-30 16:26 - 2009-12-21 19:12 - 00000000 ___DC C:\Documents and Settings\Victor\Application Data\Macromedia
2013-06-30 16:26 - 2008-11-11 13:07 - 00000000 ___DC C:\Documents and Settings\Victor\Local Settings\Application Data\Microsoft Help
2013-06-30 16:26 - 2008-08-15 11:59 - 00000178 __SHC C:\Documents and Settings\Victor\ntuser.ini
2013-06-30 16:26 - 2008-08-15 11:46 - 00000000 ___DC C:\Documents and Settings\Victor\Application Data\Symantec
2013-06-30 16:26 - 2008-08-15 11:40 - 00001988 ___AC C:\Documents and Settings\Victor\Desktop\vitalsource KEY 3.lnk
2013-06-30 16:26 - 2008-08-15 11:40 - 00000000 ___DC C:\Documents and Settings\Victor\My Documents\vitalsource KEY Data
2013-06-30 16:26 - 2008-08-15 11:34 - 00013104 ___AC C:\Documents and Settings\Victor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-06-30 16:26 - 2003-02-19 16:19 - 00000062 _ASHC C:\Documents and Settings\Victor\Application Data\desktop.ini
2013-06-30 15:46 - 2013-06-30 22:21 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Desktop\RK_Quarantine
2013-06-30 15:33 - 2013-07-02 10:37 - 00914944 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\RogueKiller.exe
2013-06-30 15:32 - 2013-06-30 15:32 - 00688992 ____R (Swearware) C:\Documents and Settings\Bronwyn Norris\Desktop\dds.com
2013-06-30 15:25 - 2013-06-30 15:25 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Desktop\backups
2013-06-30 15:23 - 2013-07-02 10:48 - 00006600 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\hijackthis.log
2013-06-30 15:23 - 2013-06-30 15:23 - 00388608 ____A (Trend Micro Inc.) C:\Documents and Settings\Bronwyn Norris\Desktop\HijackThis.exe
2013-06-30 14:53 - 2013-07-04 11:48 - 00000161 ____A C:\Windows\setupact.log
2013-06-30 14:53 - 2013-06-30 14:53 - 00000000 ____A C:\Windows\setuperr.log
2013-06-30 02:05 - 2013-06-30 02:05 - 00000000 ____D C:\Windows\pss
2013-06-30 01:47 - 2013-06-30 01:47 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\ParetoLogic
2013-06-30 01:47 - 2013-06-30 01:47 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Application Data\ParetoLogic
2013-06-30 01:47 - 2013-06-30 01:47 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Application Data\DriverCure
2013-06-29 22:47 - 2013-06-29 22:47 - 00377856 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\7z5tpvqg.exe
2013-06-29 22:44 - 2013-06-29 22:44 - 02237968 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\Bronwyn Norris\Desktop\tdsskiller.exe
2013-06-29 21:43 - 2013-07-01 03:45 - 00000000 __SHD C:\Windows\CSC
2013-06-29 21:14 - 2013-06-29 21:14 - 00000033 ___AC C:\nofile.txt
2013-06-29 21:13 - 2013-06-29 21:13 - 00000000 ____D C:\Windows\System32\save$$updater
2013-06-29 21:11 - 2013-06-29 21:11 - 00000000 ____D C:\Program Files\Media Key
2013-06-29 20:10 - 2013-06-29 20:11 - 00005529 ___AC C:\AdwCleaner[S1].txt
2013-06-29 20:10 - 2013-06-29 20:10 - 00005519 ___AC C:\AdwCleaner[R1].txt
2013-06-29 20:08 - 2013-07-02 10:05 - 00002718 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\Rkill.txt
2013-06-29 20:08 - 2013-06-29 20:08 - 01814144 ____A (Bleeping Computer, LLC) C:\Documents and Settings\Bronwyn Norris\Desktop\rkill.exe
2013-06-29 20:07 - 2013-06-29 20:07 - 00648201 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\AdwCleaner.exe
2013-06-28 09:42 - 2013-07-04 12:14 - 00036625 ____A C:\Windows\setupapi.log
2013-06-24 22:53 - 2013-06-24 22:53 - 00439704 ____A (Yahoo! Inc.) C:\Program Files\msgr11us.exe
2013-06-24 01:20 - 2013-06-24 01:20 - 00439264 ____A (Yahoo! Inc.) C:\Program Files\msgr11ca.exe
2013-06-21 18:42 - 2013-06-21 18:42 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Application Data\RealNetworks
2013-06-21 16:17 - 2013-06-21 16:17 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\RealNetworks
2013-06-21 16:17 - 2013-06-21 16:17 - 00000000 ____D C:\Program Files\RealNetworks
2013-06-15 19:34 - 2013-06-15 19:34 - 00001553 ____A C:\Documents and Settings\All Users\Desktop\iTunes.lnk
2013-06-15 19:33 - 2013-06-15 19:33 - 00000000 ____D C:\Program Files\iPod
2013-06-15 19:32 - 2013-06-15 19:34 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-13 12:15 - 2013-06-13 12:16 - 41404760 ____A (Apple Inc.) C:\Program Files\QuickTimeInstaller.exe
2013-06-12 09:44 - 2013-06-12 09:44 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-11 15:19 - 2013-06-24 23:00 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2013-06-05 07:39 - 2013-06-28 03:29 - 00000396 ____A C:\Windows\Tasks\Privacy Controls_{8D213BE4-CDD4-11E2-AB3B-001125BA4A6D}.job
 
==================== One Month Modified Files and Folders ========
 
2041-06-30 18:44 - 2041-06-30 18:44 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Desktop\ProcessExplorer
2041-06-30 18:39 - 2041-06-30 18:39 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Local Settings\Application Data\Webroot
2041-06-30 18:39 - 2011-03-17 20:12 - 00000000 ____D C:\Program Files\Mozilla Firefox
2041-06-30 18:23 - 2009-07-14 00:10 - 00000440 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{03E2D6A8-AC6B-4A93-B808-5E60ED19E5B8}.job
2013-07-04 13:27 - 2009-08-18 17:12 - 00000414 ____A C:\Windows\Tasks\Symantec NetDetect.job
2013-07-04 13:26 - 2013-07-04 13:26 - 00000000 ___DC C:\FRST
2013-07-04 13:25 - 2013-07-04 13:25 - 01373373 ____A (Farbar) C:\Documents and Settings\Bronwyn Norris\Desktop\FRST.exe
2013-07-04 13:20 - 2013-02-22 13:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-04 13:20 - 2003-02-19 16:34 - 00032546 ____A C:\Windows\SchedLgU.Txt
2013-07-04 12:58 - 2008-08-15 11:33 - 01830377 ____A C:\Windows\WindowsUpdate.log
2013-07-04 12:54 - 2011-11-27 21:09 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-04 12:40 - 2013-07-04 12:40 - 00003072 ____A C:\Windows\offitems.log
2013-07-04 12:35 - 2008-10-08 17:56 - 00000178 ___SH C:\Documents and Settings\Bronwyn Norris\ntuser.ini
2013-07-04 12:32 - 2013-03-28 07:59 - 00000488 ____A C:\Windows\Tasks\ParetoLogic Update Version3 Startup Task.job
2013-07-04 12:32 - 2013-02-20 13:51 - 00000304 ____A C:\Windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2922885259-231727885-1496983037-1005.job
2013-07-04 12:32 - 2013-02-20 13:51 - 00000296 ____A C:\Windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2922885259-231727885-1496983037-1005.job
2013-07-04 12:32 - 2011-11-27 21:09 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-04 12:32 - 2011-09-20 02:06 - 00000280 ____A C:\Windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
2013-07-04 12:32 - 2011-08-31 19:07 - 00000296 ____A C:\Windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2922885259-231727885-1496983037-1005.job
2013-07-04 12:32 - 2008-10-08 17:56 - 00000062 __ASH C:\Documents and Settings\Bronwyn Norris\Local Settings\desktop.ini
2013-07-04 12:31 - 2003-02-19 16:34 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-07-04 12:31 - 2003-02-19 16:34 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-07-04 12:31 - 2003-02-19 16:28 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-04 12:31 - 2003-02-19 16:21 - 00000159 ____A C:\Windows\wiadebug.log
2013-07-04 12:31 - 2003-02-19 16:21 - 00000048 ____A C:\Windows\wiaservc.log
2013-07-04 12:31 - 1980-01-01 03:00 - 00002278 ____A C:\Windows\System32\wpa.dbl
2013-07-04 12:14 - 2013-06-28 09:42 - 00036625 ____A C:\Windows\setupapi.log
2013-07-04 11:48 - 2013-06-30 14:53 - 00000161 ____A C:\Windows\setupact.log
2013-07-02 10:48 - 2013-06-30 15:23 - 00006600 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\hijackthis.log
2013-07-02 10:41 - 2013-07-02 10:39 - 00001379 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\RKreport[0]_S_07022013_103927.txt
2013-07-02 10:37 - 2013-06-30 15:33 - 00914944 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\RogueKiller.exe
2013-07-02 10:21 - 2013-07-02 10:20 - 00088594 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\OTL.Txt
2013-07-02 10:12 - 2013-07-02 10:12 - 00000000 ___DC C:\Qoobox
2013-07-02 10:11 - 2013-07-02 10:10 - 05085043 ____R (Swearware) C:\Documents and Settings\Bronwyn Norris\Desktop\ComboFix.exe
2013-07-02 10:11 - 2013-05-12 13:11 - 00000000 ____D C:\Windows\erdnt
2013-07-02 10:10 - 2013-07-02 03:12 - 00000000 __SDC C:\fun
2013-07-02 10:05 - 2013-06-29 20:08 - 00002718 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\Rkill.txt
2013-07-02 10:03 - 2013-07-02 10:12 - 00000000 __SDC C:\ComboFix
2013-07-02 10:03 - 2003-02-19 16:25 - 00000000 ____D C:\Windows\System32\Restore
2013-07-01 14:31 - 2008-08-15 11:37 - 00000000 ____D C:\Program Files\IBM
2013-07-01 14:31 - 2008-08-14 18:58 - 00000000 ____D C:\IBMTOOLS
2013-07-01 14:31 - 2003-02-19 16:16 - 00000000 ____D C:\Windows\Help
2013-07-01 14:29 - 2008-08-15 11:52 - 00053248 ____N C:\Windows\System32\pxhpinst.exe
2013-07-01 14:23 - 2013-07-01 14:23 - 00000000 ___DC C:\TDSSKiller_Quarantine
2013-07-01 14:19 - 2013-06-30 16:26 - 00000062 _ASHC C:\Documents and Settings\Victor\Local Settings\desktop.ini
2013-07-01 04:40 - 2013-07-01 04:40 - 00001935 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\aswMBR.txt
2013-07-01 04:40 - 2013-07-01 04:40 - 00000512 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\MBR.dat
2013-07-01 04:21 - 2013-07-01 04:21 - 04745728 ____A (AVAST Software) C:\Documents and Settings\Bronwyn Norris\Desktop\aswMBR.exe
2013-07-01 04:09 - 2013-07-01 04:09 - 00044034 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\Extras.Txt
2013-07-01 04:03 - 2013-07-01 04:03 - 00602112 ____A (OldTimer Tools) C:\Documents and Settings\Bronwyn Norris\Desktop\OTL.exe
2013-07-01 03:49 - 2013-07-01 03:49 - 00000000 ____D C:\Program Files\ESET
2013-07-01 03:45 - 2013-06-29 21:43 - 00000000 __SHD C:\Windows\CSC
2013-06-30 22:21 - 2013-06-30 15:46 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Desktop\RK_Quarantine
2013-06-30 22:19 - 2013-06-30 22:19 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Documents and Settings\Bronwyn Norris\Desktop\mbam-setup-1.75.0.1300.exe
2013-06-30 17:14 - 2010-04-27 19:53 - 00001100 ____A C:\Windows\System32\d3d8caps.dat
2013-06-30 16:27 - 2013-06-30 16:27 - 00000000 ___DC C:\Documents and Settings\Victor\Local Settings\Application Data\Google
2013-06-30 16:27 - 2013-06-30 16:27 - 00000000 ___DC C:\Documents and Settings\Victor\Application Data\Real
2013-06-30 16:26 - 2013-06-30 16:26 - 00000643 ____A C:\Windows\wmsetup.log
2013-06-30 16:26 - 2013-06-30 16:26 - 00000000 _SHDC C:\Documents and Settings\Victor\IETldCache
2013-06-30 16:26 - 2013-06-30 16:26 - 00000000 ___DC C:\Documents and Settings\Victor\Application Data\Apple Computer
2013-06-30 15:32 - 2013-06-30 15:32 - 00688992 ____R (Swearware) C:\Documents and Settings\Bronwyn Norris\Desktop\dds.com
2013-06-30 15:26 - 2010-07-11 20:31 - 00000000 ____D C:\Program Files\WebEx
2013-06-30 15:25 - 2013-06-30 15:25 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Desktop\backups
2013-06-30 15:23 - 2013-06-30 15:23 - 00388608 ____A (Trend Micro Inc.) C:\Documents and Settings\Bronwyn Norris\Desktop\HijackThis.exe
2013-06-30 15:10 - 2012-02-19 13:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\WRData
2013-06-30 15:04 - 2013-05-13 20:46 - 09842040 ____A (Webroot Software, Inc.) C:\Program Files\Common Files\wruninstall.exe
2013-06-30 14:53 - 2013-06-30 14:53 - 00000000 ____A C:\Windows\setuperr.log
2013-06-30 02:05 - 2013-06-30 02:05 - 00000000 ____D C:\Windows\pss
2013-06-30 02:05 - 2001-09-17 16:02 - 00000310 _ASHC C:\BOOT.INI
2013-06-30 02:05 - 1980-01-01 03:00 - 00000862 ____A C:\Windows\win.ini
2013-06-30 02:05 - 1980-01-01 03:00 - 00000227 ____A C:\Windows\system.ini
2013-06-30 02:03 - 2013-03-28 07:59 - 00000336 ____A C:\Windows\Tasks\RegCure Pro.job
2013-06-30 01:47 - 2013-06-30 01:47 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\ParetoLogic
2013-06-30 01:47 - 2013-06-30 01:47 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Application Data\ParetoLogic
2013-06-30 01:47 - 2013-06-30 01:47 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Application Data\DriverCure
2013-06-30 01:47 - 2008-08-15 11:34 - 00074504 ___AC C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-06-29 22:47 - 2013-06-29 22:47 - 00377856 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\7z5tpvqg.exe
2013-06-29 22:44 - 2013-06-29 22:44 - 02237968 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\Bronwyn Norris\Desktop\tdsskiller.exe
2013-06-29 21:43 - 2003-02-19 16:18 - 00290888 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-29 21:20 - 2008-08-15 11:35 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-06-29 21:16 - 2008-08-15 11:44 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\IBM
2013-06-29 21:15 - 2008-10-09 10:46 - 00000000 ____D C:\Program Files\NOS
2013-06-29 21:15 - 2008-10-09 10:46 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\NOS
2013-06-29 21:14 - 2013-06-29 21:14 - 00000033 ___AC C:\nofile.txt
2013-06-29 21:13 - 2013-06-29 21:13 - 00000000 ____D C:\Windows\System32\save$$updater
2013-06-29 21:13 - 2013-04-16 19:58 - 00000000 ____D C:\Program Files\Citrix
2013-06-29 21:11 - 2013-06-29 21:11 - 00000000 ____D C:\Program Files\Media Key
2013-06-29 20:11 - 2013-06-29 20:10 - 00005529 ___AC C:\AdwCleaner[S1].txt
2013-06-29 20:10 - 2013-06-29 20:10 - 00005519 ___AC C:\AdwCleaner[R1].txt
2013-06-29 20:08 - 2013-06-29 20:08 - 01814144 ____A (Bleeping Computer, LLC) C:\Documents and Settings\Bronwyn Norris\Desktop\rkill.exe
2013-06-29 20:07 - 2013-06-29 20:07 - 00648201 ____A C:\Documents and Settings\Bronwyn Norris\Desktop\AdwCleaner.exe
2013-06-29 18:00 - 2013-03-28 08:00 - 00000462 ____A C:\Windows\Tasks\ParetoLogic Registration3.job
2013-06-29 10:29 - 2011-08-01 17:49 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2013-06-28 09:29 - 2011-11-02 11:25 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2013-06-28 03:29 - 2013-06-05 07:39 - 00000396 ____A C:\Windows\Tasks\Privacy Controls_{8D213BE4-CDD4-11E2-AB3B-001125BA4A6D}.job
2013-06-28 03:28 - 2009-08-24 00:30 - 00000000 ____D C:\Program Files\Yahoo!
2013-06-26 13:24 - 2013-03-28 07:59 - 00000436 ____A C:\Windows\Tasks\ParetoLogic Update Version3.job
2013-06-26 12:24 - 2010-03-17 09:27 - 00000304 ____A C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2922885259-231727885-1496983037-1005.job
2013-06-25 18:04 - 2013-06-01 10:33 - 00001615 ____A C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
2013-06-25 18:04 - 2013-06-01 10:32 - 00000000 ____D C:\Program Files\QuickTime
2013-06-25 02:06 - 2011-09-20 02:06 - 00000288 ____A C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
2013-06-24 23:00 - 2013-06-11 15:19 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2013-06-24 22:53 - 2013-06-24 22:53 - 00439704 ____A (Yahoo! Inc.) C:\Program Files\msgr11us.exe
2013-06-24 18:05 - 2012-03-28 23:28 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-06-24 18:05 - 2008-08-15 11:46 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-24 01:20 - 2013-06-24 01:20 - 00439264 ____A (Yahoo! Inc.) C:\Program Files\msgr11ca.exe
2013-06-21 18:42 - 2013-06-21 18:42 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Application Data\RealNetworks
2013-06-21 16:17 - 2013-06-21 16:17 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\RealNetworks
2013-06-21 16:17 - 2013-06-21 16:17 - 00000000 ____D C:\Program Files\RealNetworks
2013-06-21 16:15 - 2013-02-20 13:36 - 00201872 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
2013-06-21 16:15 - 2009-11-21 11:27 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Real
2013-06-21 16:15 - 2009-08-18 21:54 - 00000000 ____D C:\Program Files\Real
2013-06-21 16:14 - 2013-02-20 13:35 - 00272896 ____A (Progressive Networks) C:\Windows\System32\pncrt.dll
2013-06-21 16:14 - 2013-02-20 13:35 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
2013-06-21 16:14 - 2013-02-20 13:35 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
2013-06-21 16:13 - 2008-10-10 21:34 - 00499712 ____A (Microsoft Corporation) C:\Windows\System32\msvcp71.dll
2013-06-21 16:13 - 2008-10-10 21:34 - 00348160 ____A (Microsoft Corporation) C:\Windows\System32\msvcr71.dll
2013-06-19 09:00 - 2011-11-27 21:11 - 00001824 ____A C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2013-06-15 19:34 - 2013-06-15 19:34 - 00001553 ____A C:\Documents and Settings\All Users\Desktop\iTunes.lnk
2013-06-15 19:34 - 2013-06-15 19:32 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-15 19:34 - 2010-04-30 16:27 - 00000000 ____D C:\Program Files\iTunes
2013-06-15 19:33 - 2013-06-15 19:33 - 00000000 ____D C:\Program Files\iPod
2013-06-15 19:32 - 2009-09-21 13:33 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-06-13 12:38 - 2013-05-27 21:15 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Application Data\Skype
2013-06-13 12:16 - 2013-06-13 12:15 - 41404760 ____A (Apple Inc.) C:\Program Files\QuickTimeInstaller.exe
2013-06-12 09:44 - 2013-06-12 09:44 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-12 09:35 - 2008-10-08 21:33 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-11 19:20 - 2013-02-22 13:04 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-11 19:20 - 2011-05-24 01:33 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-11 15:19 - 2009-08-24 00:32 - 00000000 ____D C:\Documents and Settings\Bronwyn Norris\Application Data\Yahoo!
2013-06-09 20:01 - 2013-05-27 21:14 - 00002073 ____A C:\Documents and Settings\All Users\Desktop\Skype.lnk
2013-06-07 03:28 - 2009-12-21 19:12 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 04-07-2013
Ran by Bronwyn Norris at 2013-07-04 13:27:42
Running from C:\Documents and Settings\Bronwyn Norris\desktop
Boot Mode: Normal
==========================================================
 
 
==================== Installed Programs =======================
 
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Adobe AIR (Version: 1.5.3.9120)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
Adobe Flash Player 11 Plugin (Version: 11.7.700.224)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
Adobe Shockwave Player 11.6 (Version: 11.6.4.634)
Apple Application Support (Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (Version: 2.1.3.127)
ArcSoft PhotoImpression 6
Bonjour (Version: 3.0.0.10)
Canon MG4100 series MP Drivers
Critical Update for Windows Media Player 11 (KB959772)
ESET Online Scanner v3
Google Chrome (Version: 27.0.1453.116)
Google Update Helper (Version: 1.3.21.145)
IBM Themes (Version: 1.00.0000)
IBM ThinkVantage Technologies Welcome Message (Version: 1.05)
Intel® Graphics Media Accelerator Driver
InterVideo Register Manager (Version: 1.0.4.0)
InterVideo WinDVD (Version: 5.0-B11.1295)
iPhone Configuration Utility (Version: 2.1.0.163)
iTunes (Version: 11.0.4.4)
Java 7 Update 17 (Version: 7.0.170)
Java Auto Updater (Version: 2.1.9.0)
Java™ 6 Update 18 (Version: 6.0.180)
Junk Mail filter update (Version: 14.0.8117.416)
League of Legends (Version: 3.0.0)
Media Key Uninstaller
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Standard Edition
Microsoft Office Live Add-in 1.3 (Version: 2.0.2313.0)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MobileMe Control Panel (Version: 3.1.8.0)
Mouse Suite
Mozilla Firefox 7.0.1 (x86 en-US) (Version: 7.0.1)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 and SOAP Toolkit 3.0 (Version: 1.0.0.0)
Pando Media Booster (Version: 2.6.0.7)
ParetoLogic Privacy Controls (Version: 3.2.0.0)
QuickTime (Version: 7.74.80.86)
RealDownloader (Version: 1.3.2)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0)
RealPlayer (Version: 16.0.2)
RealUpgrade 1.1 (Version: 1.1.0)
Segoe UI (Version: 14.0.4327.805)
Sierra Wireless Card Detection Service (Version: 1.0.2972.2  )
Skype Click to Call (Version: 6.9.12585)
Skype™ 6.3 (Version: 6.3.107)
swMSM (Version: 12.0.0.1)
ThinkCentre Wallpaper (Version: 1.00.0000)
Uninstall Helper (Version: 2.0.1.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB961503) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
vitalsource KEY 3 (Version: 1.0.0)
WebEx Support Manager for Internet Explorer (Version: 6.5.4917)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Family Safety (Version: 14.0.8118.427)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Photo Gallery (Version: 14.0.8117.416)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Sync (Version: 14.0.8117.416)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8117.0416)
Windows Media Format 11 runtime
Windows XP Service Pack 3 (Version: 20080414.031525)
 
==================== Restore Points  =========================
 
04-07-2013 15:51:35 System Checkpoint
04-07-2013 15:50:28 System Checkpoint
04-07-2013 16:06:28 Software Distribution Service 3.0
04-07-2013 16:01:51 System Checkpoint
04-07-2013 16:35:43 Software Distribution Service 3.0
04-07-2013 16:35:33 System Checkpoint
 
==================== Hosts content: ==========================
 
1980-01-01 03:00 - 2013-05-13 20:02 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\ParetoLogic Registration3.job => C:\WINDOWS\system32\rundll32.exe
Task: C:\WINDOWS\Tasks\ParetoLogic Update Version3 Startup Task.job => C:\Program Files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe
Task: C:\WINDOWS\Tasks\ParetoLogic Update Version3.job => C:\Program Files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe
Task: C:\WINDOWS\Tasks\Privacy Controls_{8D213BE4-CDD4-11E2-AB3B-001125BA4A6D}.job => E:\Programs\Privacy Controls\Pareto_PC.exe
Task: C:\WINDOWS\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2922885259-231727885-1496983037-1005.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2922885259-231727885-1496983037-1005.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-18.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-2922885259-231727885-1496983037-1005.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-18.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-2922885259-231727885-1496983037-1005.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RegCure Pro.job => E:\Programs\RegCure Pro\RegCurePro.exe
Task: C:\WINDOWS\Tasks\Symantec NetDetect.job => C:\Program Files\Symantec\LiveUpdate\NDetect.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{03E2D6A8-AC6B-4A93-B808-5E60ED19E5B8}.job => C:\WINDOWS\system32\msfeedssync.exe
 
==================== Faulty Device Manager Devices =============
 
Name: TSSTcorp CDDVDW SH-S202J
Description: CD-ROM Drive
Class Guid: {4D36E965-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard CD-ROM drives)
Service: cdrom
Problem: : Windows successfully loaded the device driver for this hardware but cannot find the hardware device. (Code 41)
Resolution: A driver was loaded but Windows cannot find the device. This happens when Windows does not detect a non-Plug and Play device.
If the device was removed, uninstall the driver, install the device, and then click "Scan for hardware changes" to reinstall the driver. If the hardware was not removed, obtain a new or updated driver for the device.
If the device is a non-Plug and Play device, a newer version of the driver might be needed. To install non-Plug and Play devices, use the Add Hardware wizard.
Click "Performance and Maintenance" on "Control Panel", click "System", and on the "Hardware" tab, click "Add Hardware Wizard".
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/04/2013 11:45:19 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 11688
 
Error: (07/04/2013 11:45:19 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 11688
 
Error: (07/04/2013 11:45:19 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (07/04/2013 00:07:25 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4547
 
Error: (07/04/2013 00:07:25 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4547
 
Error: (07/04/2013 00:07:25 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (07/04/2013 00:07:23 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2391
 
Error: (07/04/2013 00:07:23 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 2391
 
Error: (07/04/2013 00:07:23 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (07/01/2013 03:14:28 PM) (Source: Application Hang) (User: )
Description: Hanging application 7z5tpvqg.exe, version 2.1.19163.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
 
System errors:
=============
Error: (07/04/2013 00:31:48 PM) (Source: Service Control Manager) (User: )
Description: The Yahoo! Updater service failed to start due to the following error: 
%%2
 
Error: (07/04/2013 00:31:48 PM) (Source: Service Control Manager) (User: )
Description: The PMEM service failed to start due to the following error: 
%%2
 
Error: (07/04/2013 00:36:39 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Skype 5.10 for Windows (KB2727727).
 
Error: (07/04/2013 01:10:29 PM) (Source: 0) (User: )
Description: 192.168.1.10200:26:B0:6C:95:41
 
Error: (07/04/2013 11:46:46 AM) (Source: Service Control Manager) (User: )
Description: The Yahoo! Updater service failed to start due to the following error: 
%%2
 
Error: (07/04/2013 11:46:46 AM) (Source: Service Control Manager) (User: )
Description: The PMEM service failed to start due to the following error: 
%%2
 
Error: (07/04/2013 11:46:30 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.101 for the Network Card with network address 001125BA4A6D has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
 
Error: (07/04/2013 00:07:18 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Skype 5.10 for Windows (KB2727727).
 
Error: (07/04/2013 11:46:42 AM) (Source: Service Control Manager) (User: )
Description: The Yahoo! Updater service failed to start due to the following error: 
%%2
 
Error: (07/04/2013 11:46:42 AM) (Source: Service Control Manager) (User: )
Description: The PMEM service failed to start due to the following error: 
%%2
 
 
Microsoft Office Sessions:
=========================
Error: (07/08/2009 09:25:13 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6504.500012.0.6215.100090
 
Error: (07/08/2009 09:24:48 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6504.500012.0.6215.1000190
 
Error: (07/08/2009 09:24:06 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6504.500012.0.6215.1000210
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 36%
Total physical RAM: 1014.48 MB
Available physical RAM: 645.04 MB
Total Pagefile: 1675.43 MB
Available Pagefile: 1434 MB
Total Virtual: 2047.88 MB
Available Virtual: 1955.57 MB
 
==================== Drives ================================
 
Drive c: (IBM_PRELOAD) (Fixed) (Total:31.97 GB) (Free:8.01 GB) NTFS ==>[Drive with boot components (Windows XP)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 37 GB) (Disk ID: CCCDCCCD)
Partition 1: (Active) - (Size=32 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=5 GB) - (Type=12)
 
==================== End Of Log ============================

 



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,392 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:45 PM

Posted 08 July 2013 - 12:30 PM

Excellent!

Thanks for the quick response. Let me sift through all the information and see where we stand. Will post back relatively soon.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 Oh My!


Posted 08 July 2013 - 12:50 PM

Greetings,

Looks like you have run quite a few things already. I would like to rerun AdwCleaner and 2 other programs please.

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:dir
C:\Windows\System32\save$$updater /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • AdwCleaner log
  • Junkware log
  • SystemLook log

Gary
 

#8 VcElder

VcElder
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:45 PM

Posted 08 July 2013 - 01:29 PM

Log files copied and pasted as requested. Please be advised that after running the SystemLook program, I opened Chrome to make this post, and Chrome and Explorer crashed. I was unable to kill the Chrome process, nor was I able to reboot the machine. When I restarted the machine it just hung in "shutting down". Also, in regards to the system time stamps, the system time is inaccurate as July 4th. Funny enough, the clock jumps around, so please don't mind the time stamps. Thanks again Gary, I work for an MSP and have cleaned hundreds of machines but have never seen something like this.

Adware:
 
# AdwCleaner v2.304 - Logfile created 07/04/2013 at 13:09:31
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Bronwyn Norris - IBM-B0B900C698D
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Bronwyn Norris\desktop\AdwCleaner.exe
# Option [Search]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Found : C:\Documents and Settings\All Users\Application Data\ParetoLogic
Folder Found : C:\Documents and Settings\Bronwyn Norris\Application Data\DriverCure
Folder Found : C:\Documents and Settings\Bronwyn Norris\Application Data\ParetoLogic
 
***** [Registry] *****
 
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v7.0.1 (en-US)
 
File : C:\Documents and Settings\Bronwyn Norris\Application Data\Mozilla\Firefox\Profiles\56arxn4b.default\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v27.0.1453.116
 
File : C:\Documents and Settings\Bronwyn Norris\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
File : C:\Documents and Settings\Victor\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R5].txt - [1315 octets] - [04/07/2013 13:09:31]
 
########## EOF - C:\AdwCleaner[R5].txt - [1375 octets] ##########
 

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.7 (07.08.2013:2)
OS: Microsoft Windows XP x86
Ran by Bronwyn Norris on Thu 07/04/2013 at 13:11:28.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A7831453-CC17-44C0-AAF6-5A9FC4735199}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\w3i"
Successfully deleted: [Folder] "C:\Documents and Settings\Bronwyn Norris\Application Data\drivercure"
Successfully deleted: [Folder] "C:\Program Files\w3i"
Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"
 
 
 
~~~ FireFox
 
Successfully deleted: [File] C:\Documents and Settings\Bronwyn Norris\Application Data\mozilla\firefox\profiles\56arxn4b.default\user.js
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 07/04/2013 at 13:15:23.46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
SystemLook 30.07.11 by jpshortstuff
Log created at 13:21 on 04/07/2013 by Bronwyn Norris
Administrator - Elevation successful
 
========== dir ==========
 
C:\Windows\System32\save$$updater - Parameters: "/s"
 
---Files---
network.defaults --a---- 94 bytes [01:13 30/06/2013] [23:57 17/10/2002]
network.properties --a---- 262 bytes [01:13 30/06/2013] [15:43 15/08/2008]
uc.defaults --a---- 217 bytes [01:13 30/06/2013] [23:57 17/10/2002]
 
C:\Windows\System32\save$$updater\session d------ [01:13 30/06/2013]
system.properties --a---- 160 bytes [01:13 30/06/2013] [17:46 20/08/2010]
 
-= EOF =-

Edited by VcElder, 08 July 2013 - 01:37 PM.


#9 Oh My!


Posted 08 July 2013 - 01:45 PM

Greetings,

Yes, this seems to be a strange one. Something tells me we are going to have to go toe to toe with it! I am anticipating having to go deeper into your computer but let's try this anyway. You never know.......

I can't say I ever recall seeing a save$$updater directory, let alone those files inside the directory. We are going to take a deeper look at the files.

Additionally, let's see if we can catch what is hanging up on shutdown.

Please do this for me.

===================================================

Virustotal Online Virus Scanner

--------------------
  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file (if multiple files then one at a time), double click on it so the file name is populated, then click Scan it!
  • IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.

C:\Windows\System32\save$$updater\session\system.properties
C:\Windows\System32\save$$updater\network.defaults
C:\Windows\System32\save$$updater\network.properties
C:\Windows\System32\save$$updater\uc.defaults

  • Once completed, highlight the information in the address bar and copy then paste the link in your reply

===================================================

WhatIsHang by NirSoft (for 32 bit computers only)

--------------------
  • Download WhatIsHang and save it to your desktop
  • Unzip the folder to your desktop
  • Right click on the icon, select Run as Administrator (XP simply double click icon) and a WhatIsHang window will appear on the desktop
  • Attempt to shut down your computer
  • If any error information is populated select Edit, then Copy Entire Report
  • Include that information in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Virustotal links
  • WhatIsHang report

Gary
 

#10 VcElder


Posted 08 July 2013 - 02:04 PM

Hi Gary,

Thank you for your prompt replies, I am near my machine at your convenience for the rest of the afternoon.

 

Here is the requested information.
 

network.defaults

https://www.virustotal.com/en/file/9bb52aad1601c9b4d27c32553365874cd48b8d517ae783897cab6e5dc2de5680/analysis/1373309842/

 

network.defaults

https://www.virustotal.com/en/file/6e8fd9c0916faac78d023867422b3a5ab28e4ab93779877e5af34f24d1b653fc/analysis/1373309974/

 

uc.defaults

https://www.virustotal.com/en/file/419ac8a659b932420c945b609311d688a8ab30c690ff0ca175e431f9a6fd013c/analysis/1373310082/

 

\session\system.properties

https://www.virustotal.com/en/file/c87517d2cb494c1be740601a08ca57bded4a7129476e0f16cfbf0361902c8d26/analysis/1373310149/

What is hanging information:

No error reported and the shutdown was successful. What I do know is that when the computer does hang it is because of browser use over 2 hours, and the chrome.exe process will be stuck at 50%, never changing, despite having shut all browsers. When this freezing occurs, it also kills the explorer process and I have to hard shut the machine.

Hope this helps :/


Edited by VcElder, 08 July 2013 - 02:14 PM.


#11 Oh My!


Posted 08 July 2013 - 02:46 PM

Thanks,

Just so I don't miss your posts, rather than edit to include additional information just go ahead and post a new entry. That way I am notified there is something new.

Even though those files came back "clean" I am still not comfortable with them. When I check the md5 there is no record of it. They may very well be fine but let's take them out of the mix and see if anything changes.

Please do this. Your computer will reboot automatically and I would like you to check your system after the files are renamed and your system is restarted.

===================================================

Batch Script to Rename Files

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type Notepad and press enter
  • Copy and paste the following into the Notepad document:
@echo off
rem Rename the four unrecognised files so nothing can load them on the next boot
ren C:\Windows\System32\save$$updater\session\system.properties system.properties.old
ren C:\Windows\System32\save$$updater\network.defaults network.defaults.old
ren C:\Windows\System32\save$$updater\network.properties network.properties.old
ren C:\Windows\System32\save$$updater\uc.defaults uc.defaults.old
rem Restart in 10 seconds, then delete this batch file itself
shutdown -r -t 10
del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input renfile.bat.
  • Click Save
  • Close the Notepad
  • Locate and double-click delfile.bat on the desktop
  • A black CMD window will flash, then disappear
  • If successful the "renfile.bat" file will be deleted from your desktop
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • How is your computer behaving?

Gary
 
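An added example, not part of the thread and not one of the tools Gary linked, showing in one script what posts #7, #9 and #11 above do by hand: list the files in an unrecognised directory (the SystemLook :dir step), compute MD5/SHA-1/SHA-256 for each so the hashes can be looked up on VirusTotal before anything is uploaded, and rename the files with a .old suffix the way the batch script does, but only after writing a manifest of names and hashes so the step can be reverted and the files identified later. The file names are the four from the thread; their contents here are constructed for the demo and are not the real files. The directory is a throwaway temp directory, and the VirusTotal URL shape is an assumption about the current site (the thread's links used the older /en/file/<sha256>/analysis/<timestamp>/ form).

```python
"""Added triage helper (not from the thread): inventory, hash and optionally
quarantine the files in a directory an analyst does not recognise."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: current VirusTotal report pages use this URL shape; the links
# posted in the thread used the older /en/file/<sha256>/analysis/<ts>/ form.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"

# Constructed sample contents standing in for the four file names from the
# thread. The bytes are made up for this demo, not the real files' contents.
SAMPLE_FILES = {
    "network.defaults": b"# constructed sample\nproxy.enabled=false\n",
    "network.properties": b"# constructed sample\nupdate.host=example.invalid\n",
    "uc.defaults": b"# constructed sample\ncheck.interval=3600\n",
    "session/system.properties": b"# constructed sample\nsession.id=0000\n",
}


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests plus size, for an in-memory blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def hash_file(path: Path) -> dict:
    """Same digests as hash_bytes, read in 64 KiB chunks so big files fit."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
            size += len(chunk)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["size"] = size
    return result


def vt_lookup_url(sha256: str) -> str:
    """Report page for a hash: lets you check VirusTotal without uploading."""
    return VT_FILE_URL.format(sha256=sha256.lower())


def inventory(root: Path) -> list:
    """Walk `root` recursively and describe every regular file found."""
    entries = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        info = hash_file(path)
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        info.update({
            "path": path.relative_to(root).as_posix(),
            "mtime": mtime.isoformat(),
            "vt_url": vt_lookup_url(info["sha256"]),
        })
        entries.append(info)
    return entries


def quarantine(root: Path, entries: list, suffix: str = ".old",
               dry_run: bool = True) -> list:
    """Rename every inventoried file with `suffix`, but save a JSON manifest of
    names and hashes next to `root` first so the rename can be undone."""
    planned = [(root / e["path"], root / (e["path"] + suffix)) for e in entries]
    if dry_run:
        return planned
    manifest = root.with_name(root.name + "-manifest.json")
    manifest.write_text(json.dumps(entries, indent=2))
    for src, dst in planned:
        os.replace(src, dst)  # rename in place: no copy, no content change
    return planned


def build_sample_dir() -> Path:
    """Create a throwaway directory holding the constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="save_updater_demo_"))
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def run_demo(dry_run: bool = True):
    """Build the sample tree, inventory it and (optionally) quarantine it."""
    root = build_sample_dir()
    entries = inventory(root)
    planned = quarantine(root, entries, dry_run=dry_run)
    return root, entries, planned


if __name__ == "__main__":
    root, entries, planned = run_demo(dry_run=True)
    for e in entries:
        print(f"{e['path']:<28} {e['size']:>5} B  md5={e['md5']}  {e['vt_url']}")
    for src, dst in planned:
        print(f"would rename {src.name} -> {dst.name}")
```

Run it as-is for a dry run; pass dry_run=False to run_demo (or point inventory and quarantine at a real directory) to actually rename. The manifest is the part the thread's batch script lacks: once the files are renamed and the machine rebooted, the hashes in it are what you would compare against a later VirusTotal or vendor lookup, and the original names are what you need to put the files back if they turn out to be legitimate.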

#12 VcElder


Posted 08 July 2013 - 03:07 PM

Acknowledged on posting new reply.

 

The batch successfully renamed the files in question. I have adjusted the system time and stuff appears to be working but until some prolonged use OR running DDS, Combofix or GMER, I really won't know. When I ran the batch script, the machine hung and I had to hard kill it but I didn't have what is hanging up.

My thoughts are to maybe do another batch script and try to recreate the hang with What is hanging?

Perhaps run DDS as it is non-intrusive?
Reboot the machine a few times to see if the system time is affected?

Thank you,
V


 



#13 Oh My!


Posted 08 July 2013 - 03:11 PM

Go ahead and launch WhatIsHang then run DDS and see what we come up with. Play with the computer however you'd like (restarts or whatever) and see how it performs.
Gary
 

#14 VcElder


Posted 08 July 2013 - 03:18 PM

I will do so and post within the next 4 hours, I have to attend to a few things that are critical. Thank you for your assistance. 



#15 Oh My!


Posted 08 July 2013 - 03:19 PM

Take your time my friend. See you when you get back.
Gary
 



