BleepingComputer.com: FAKE ACTION CENTER / WIN 7 ANTISPYWARE 2012

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

FAKE ACTION CENTER / WIN 7 ANTISPYWARE 2012 Trojan-BNK.Win32-Keylogger.gen > Ping.exe maxing out CPU

#1 User is offline   Paul J Richardson 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 3
  • Joined: 27-December 11
  • Gender:Male
  • Location:Louisville, KY

Posted 28 December 2011 - 12:18 AM


PRIMARY SYMPTOM: FAKE ACTION CENTER / WIN 7 ANTISPYWARE 2012

SECONDARY SYMPTOMS FOUND:
  • AVG Free 2011, found Trojan-BNK.Win32-Keylogger.gen.
  • Ping.exe maxing out CPU, (iexplorer & list-C.bat console scripts)
  • process was attempting to ping tubeni.com/enterpoint.php?tsub=11
  • AVG Reported this as Exploit JavaScript Obfuscation (type 156)
  • Process Lasso & Process Hacker were used to investigate
  • Found PING.exe running under system32 with system credentials
  • And running this: C:\Windows\System32\ping.exe 127.0.0.1 -t
  • I also found and deleted this process:
  • C:\Users\Paul\AppData\Local\ioi.exe -dtm -a
  • ...because it was eating up the CPU also, and appeared to be malicious


---------------------------------------------------------------------------------------------


LAST SYMPTOM FOUND:

Strange DIR created as follows: C:\32788R22FWJFW\ ... VERY SIMILAR TO THESE 2 CASES:

http://www.threatexpert.com/report.aspx?md5=a62a74ed174bb46a7f8049a0f8635879

~AND~

http://www.threatexpert.com/report.aspx?md5=2643de5142ef5d68c1281c652cdfde97

(NirSoft tools were probably used by a malicious program that serendipitously found them on my drive)


---------------------------------------------------------------------------------------------

I was able to get the hash values off of the PING.exe that was executing

PING.EXE version 6.1.7600.16385
HASHES
CRC32: 93452AA1
MD5: 6242E3D67787CCBF4E06AD2982853144
SHA-1: 6AC7947207D999A65890AB25FE344955DA35028E

--------------------------------------------------------------


~~<< IMPORTANT >>~~

I took some screen captures of the processes and threads, and annotated some noteworthy observations on them. I will attach them as a zipped up folder of images. I also ran SysInternals Process Monitor for a few minutes, and a few other tools, including HijackThis, GMER 1.0.15.15641, aswMBR version 0.9.9.1120, and mbr (collected logs only).

--------------------------------------------------------------

IMAGES (SCREEN CAPTURES) WITH ANNOTATIONS

Google Chrome Infection (Picasa Web Album - ScreenCap)

Opera Browser Infection (Picasa Web Album - ScreenCap)


HERE IS A SLIDESHOW OF THE ANNOTATED SCREEN CAPS:
http://links.pjr.bz/ScreenCap-Slideshow



--------------------------------------------------------------

Here is the DDS log:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Paul at 18:54:43 on 2011-12-27
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2047.705 [GMT -5:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Disabled/Outdated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\COMODO\Unite\EzVpnSvc.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\DebugDiag\DbgSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthaudiosvc
C:\Windows\system32\IFXSPMGT.exe
C:\Windows\system32\IFXTCS.exe
C:\Windows\System32\svchost.exe -k ipripsvc
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Windows\system32\IfxPsdSv.exe
C:\Program Files\Process Blocker\Process Blocker.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\System32\tcpsvcs.exe
C:\Program Files\TightVNC\tvnserver.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\COMODO\Unite\crdphService.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMODO\Unite\AppShare.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\inetsrv\wmsvc.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\AnVir Task Manager Free\AnVir.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
StartupFolder: c:\users\paul\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\zoomit~1.lnk - x:\_sw\_magnifiers\Zoomit.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: LocalAccountTokenFilterPolicy = 1 (0x1)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Local Website Archive - c:\users\paul\appdata\roaming\aignes\local website archive\config\iearc.htm
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download web site with Free Download Manager - file://c:\program files\free download manager\dlpage.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Grab &Image - c:\program files\cogitum\image co-tracker\grab.htm
IE: Grab &Selected Text... - c:\program files\cogitum co-citer\CogitumHelpers.dll/ctGrab.htm
IE: {7F17B2B0-A7EA-11d3-AA97-00C0F048995B} - c:\program files\cogitum\image co-tracker\app.hta
IE: {CDE56277-42BE-11d4-B79C-00C0F04903DC} - c:\program files\cogitum co-citer\Co-Citer.exe
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2D6C3460-7CBB-4088-91F9-EB4FCC71BA06} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\9.0.1\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\paul\appdata\roaming\mozilla\firefox\profiles\0fvqn2w0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cba2a15&v=7.005.030.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\users\paul\appdata\roaming\mozilla\firefox\profiles\0fvqn2w0.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\paul\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-12-25 64512]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2009-6-29 13120]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2011-12-26 3968]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-4 297168]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-12-19 491816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-12-19 39640]
R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2011-12-27 21624]
R1 KProcessHacker2;KProcessHacker2;c:\program files\process hacker 2\kprocesshacker.sys [2011-7-8 32840]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-10-12 38952]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
R2 DbgSvc;Debug Diagnostic Service;c:\program files\debugdiag\DbgSvc.exe [2011-1-17 221184]
R2 EzVpnSvc;COMODO Unite MultiLogin Service;c:\program files\comodo\unite\EzVpnSvc.exe [2011-8-22 360752]
R2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe -k bthaudiosvc [2009-7-13 20992]
R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2009-7-13 20992]
R2 Process Blocker;Process Blocker;c:\program files\process blocker\Process Blocker.exe [2010-4-22 106712]
R2 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]
R2 WMSVC;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2009-7-13 9728]
R3 ATP;Comodo Unite Miniport Driver;c:\windows\system32\drivers\cmdatp.sys [2011-12-25 17816]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
R3 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\drivers\gbridge.sys [2009-5-10 41216]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-9-19 36608]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2007-3-7 2595840]
R3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2007-4-25 31232]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2011-1-4 37232]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-12-24 1153368]
S3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 167264]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BthAudioHF;BthAudioHF Service;c:\windows\system32\drivers\BthAudioHF.sys [2009-12-21 43008]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 22528]
S3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [2009-12-21 61952]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-1-11 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-12-8 30192]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-8 133104]
S3 hxctlflt;hxctlflt;c:\windows\system32\drivers\hxctlflt.sys [2010-10-17 99968]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-12 2152152]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2010-4-26 9040]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 sugarApache;sugarApache;c:\progra~1\sugarc~1.1\apache2\bin\Apache.exe [2011-12-22 24634]
S3 sugarMysql;sugarMysql;c:\progra~1\sugarc~1.1\mysql\bin\mysqld.exe --defaults-file=c:\progra~1\sugarc~1.1\mysql\my.ini sugarmysql --> c:\progra~1\sugarc~1.1\mysql\bin\mysqld.exe --defaults-file=c:\progra~1\sugarc~1.1\mysql\my.ini sugarMysql [?]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-12 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-12 1343400]
S4 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe -k ftpsvc [2009-7-13 20992]
S4 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-3-25 490280]
S4 uvnc_service_gs;uvnc_service_gs;c:\program files\gbridge llc\gbridge\gbwinvnc.exe [2009-9-3 1691416]
S4 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\ToolbarUpdater.exe [2011-12-14 855904]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
.txt=bftxtfile
.
=============== Created Last 30 ================
.
2011-12-27 23:49:04 -------- d-----w- c:\program files\AnVir Task Manager Free
2011-12-27 23:48:43 -------- d-----w- c:\users\paul\appdata\local\AnVir
2011-12-27 23:46:28 -------- d-----w- c:\program files\CodeStuff
2011-12-27 22:13:03 -------- d-----w- c:\program files\SIW
2011-12-27 21:33:49 -------- d-----w- c:\program files\HWiNFO32
2011-12-27 21:17:26 -------- d-----w- c:\users\paul\appdata\roaming\HelpSmith
2011-12-27 21:15:50 -------- d-----w- c:\programdata\Divcom Software
2011-12-27 21:15:49 -------- d-----w- c:\program files\HelpSmith
2011-12-27 21:13:59 -------- d-----w- c:\program files\HTML Help Workshop
2011-12-27 20:28:16 388096 ----a-r- c:\users\paul\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-27 20:28:16 -------- d-----w- c:\program files\Trend Micro
2011-12-27 19:52:00 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-12-27 09:47:18 -------- d-----w- c:\users\paul\appdata\roaming\PhraseExpress
2011-12-27 09:44:01 -------- d-----w- c:\programdata\PhraseExpress
2011-12-27 09:44:01 -------- d-----w- c:\program files\PhraseExpress
2011-12-27 06:37:42 -------- d-----w- c:\users\paul\appdata\local\Adobe
2011-12-27 00:52:27 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2011-12-25 20:49:46 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-25 13:25:05 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-12-25 13:13:40 -------- d-----w- c:\program files\MSXML 4.0
2011-12-25 11:49:47 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-25 11:45:58 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-25 11:45:26 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-12-25 11:45:25 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-12-25 11:43:50 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-12-25 11:43:12 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-12-25 11:42:44 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-12-25 11:42:44 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-12-25 11:42:44 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-12-25 11:42:43 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-12-25 11:42:42 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-12-25 11:42:42 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-12-25 11:42:42 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-12-25 11:42:26 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-12-25 11:40:59 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2011-12-25 11:40:58 60416 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2011-12-25 11:40:37 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-12-25 11:40:31 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-12-25 11:39:46 319488 ----a-w- c:\windows\system32\odbcjt32.dll
2011-12-25 11:39:45 81920 ----a-w- c:\windows\system32\odbccr32.dll
2011-12-25 11:39:32 94208 ----a-w- c:\program files\common files\system\ole db\msdaosp.dll
2011-12-25 11:39:32 86016 ----a-w- c:\windows\system32\odbccu32.dll
2011-12-25 11:39:32 163840 ----a-w- c:\windows\system32\odbctrac.dll
2011-12-25 11:39:32 122880 ----a-w- c:\windows\system32\odbccp32.dll
2011-12-25 11:38:45 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-25 11:35:06 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-12-25 11:29:15 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-25 11:29:04 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-25 11:28:01 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-25 08:30:35 -------- d-----w- c:\users\paul\appdata\local\SolarWinds
2011-12-25 08:24:08 -------- d-----w- c:\program files\SolarWinds
2011-12-25 07:17:46 17816 ----a-w- c:\windows\system32\drivers\cmdatp.sys
2011-12-25 07:16:01 -------- d-----w- c:\program files\COMODO
2011-12-25 07:15:59 -------- d-----w- c:\users\paul\appdata\roaming\COMODO
2011-12-25 07:11:47 -------- d-----w- c:\programdata\COMODO
2011-12-25 07:09:03 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-25 06:49:25 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-12-25 06:13:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-25 05:33:51 -------- d-----w- c:\users\paul\appdata\roaming\WinPatrol
2011-12-24 21:08:45 -------- d-----w- c:\windows\Content.IE5
2011-12-24 17:07:17 102400 ----a-w- c:\windows\RegBootClean.exe
2011-12-24 10:57:17 -------- d-----w- c:\program files\BillP Studios
2011-12-24 10:57:15 -------- d-----w- c:\programdata\InstallMate
2011-12-24 10:55:02 -------- d-----w- c:\program files\Lavasoft
2011-12-24 10:45:36 -------- d--h--w- c:\windows\PIF
2011-12-24 10:27:04 -------- d-----w- c:\program files\SpywareBlaster
2011-12-24 10:25:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-24 10:25:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-24 09:53:04 -------- d-----w- c:\users\paul\appdata\roaming\Malwarebytes
2011-12-24 09:52:55 -------- d-----w- c:\programdata\Malwarebytes
2011-12-24 09:52:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-24 09:52:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-24 09:51:46 -------- d-----w- c:\users\paul\appdata\roaming\SUPERAntiSpyware.com
2011-12-24 09:51:46 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-24 09:48:02 -------- d-----w- c:\users\paul\Pavark
2011-12-24 07:30:28 -------- d-----w- c:\program files\Wolfenstein - Enemy Territory
2011-12-24 05:55:54 -------- d-----w- c:\users\paul\appdata\roaming\Software Informer
2011-12-24 05:55:53 -------- d-----w- c:\program files\Software Informer
2011-12-24 05:55:41 -------- d-----w- c:\users\paul\appdata\roaming\Free Download Manager
2011-12-24 05:55:25 -------- d-----w- c:\program files\Free Download Manager
2011-12-24 01:54:42 -------- d-----w- c:\program files\VideoLAN
2011-12-23 05:11:19 -------- d-----w- c:\program files\Edisonweb
2011-12-23 05:08:50 -------- d-----w- c:\users\paul\appdata\local\License__Freeware
2011-12-23 05:06:11 -------- d-----w- c:\users\paul\appdata\roaming\E-Z Contact Book
2011-12-23 05:05:59 -------- d-----w- c:\program files\E-Z Contact Book
2011-12-23 05:04:11 -------- d-----w- c:\programdata\SearchOnline
2011-12-23 05:04:10 -------- d-----w- c:\program files\AB-Tools.com
2011-12-23 05:01:39 -------- d-----w- c:\program files\GNU
2011-12-22 22:41:39 -------- d-----w- c:\users\paul\appdata\roaming\Broadlook Technologies
2011-12-22 22:41:39 -------- d-----w- c:\programdata\Broadlook Technologies
2011-12-22 22:41:19 167936 ----a-w- c:\windows\system32\axcws32.dll
2011-12-22 22:41:19 1236992 ----a-w- c:\windows\system32\adsloc32.dll
2011-12-22 22:41:19 1003568 ----a-w- c:\windows\system32\ace32.dll
2011-12-22 22:41:18 223744 ----a-w- c:\windows\system32\ODA323x.dll
2011-12-22 22:41:10 24576 ----a-w- c:\windows\system32\bltKeyHook32.dll
2011-12-22 22:41:08 -------- d-----w- c:\program files\common files\Broadlook Technologies
2011-12-22 22:41:08 -------- d-----w- c:\program files\Broadlook Technologies
2011-12-22 22:10:50 -------- d-----w- c:\program files\sugarcrm-6.3.1
2011-12-22 22:00:20 -------- d-----w- c:\program files\VCardExportTool
2011-12-22 21:55:17 -------- d-----w- c:\programdata\Files To Phones
2011-12-22 21:55:11 -------- d-----w- c:\program files\PromoToMobile
2011-12-22 21:11:21 -------- d-----w- c:\programdata\vsosdk
2011-12-21 18:45:09 -------- d-----w- c:\program files\Z-Cron
2011-12-21 18:37:48 -------- d-----w- c:\users\paul\appdata\local\Childhoodcoder.com
2011-12-21 17:58:38 -------- d-----w- c:\program files\Childhoodcoder.com
2011-12-21 17:22:15 -------- d-----w- c:\program files\TweakUAC
2011-12-21 08:14:36 -------- d-----w- c:\users\paul\appdata\roaming\LockHunter
2011-12-21 07:43:57 -------- d-----w- c:\users\paul\appdata\roaming\TaskmgrPro
2011-12-21 07:33:12 -------- d-----w- c:\program files\WinMend
2011-12-21 07:21:41 -------- d-----w- c:\program files\SystemScheduler
2011-12-21 07:19:10 -------- d-----w- c:\users\paul\appdata\local\By_Extension_Software
2011-12-21 07:15:57 -------- d-----w- c:\programdata\Z-Manufaktur
2011-12-21 07:10:40 -------- d-----w- c:\program files\TaskmgrPro
2011-12-21 06:18:46 -------- d-----w- c:\users\paul\appdata\local\Karen's Power Tools
2011-12-21 06:18:40 -------- d-----w- c:\program files\Karen's Power Tools
2011-12-21 06:18:30 -------- d-----w- c:\programdata\Karen's Power Tools
2011-12-21 05:13:18 -------- d-----w- c:\program files\DiskPie
2011-12-21 05:10:00 -------- d-----w- c:\program files\Devfarm Software
2011-12-21 05:08:53 49152 ----a-w- c:\program files\mozilla firefox\plugins\np32dsw.dll
2011-12-21 05:07:05 -------- d-----w- c:\program files\Security Process Explorer
2011-12-21 05:06:49 -------- d-----w- C:\Python31
2011-12-21 05:05:57 -------- d-----w- c:\program files\Process Blocker
2011-12-21 05:03:43 -------- d-----w- c:\program files\adma
2011-12-21 05:01:08 -------- d-----w- c:\program files\AutoHotkey
2011-12-21 04:59:03 -------- d-----w- c:\windows\Downloaded Installations
2011-12-21 01:41:09 -------- d-----w- c:\users\paul\appdata\roaming\JGoodies
2011-12-21 01:33:34 32824 ----a-w- c:\windows\system32\rrMon.sys
2011-12-21 01:33:30 -------- d-----w- c:\program files\Registrar Registry Manager
2011-12-21 01:32:27 -------- d-----w- c:\program files\VS Revo Group
2011-12-21 01:31:53 -------- d-----w- c:\program files\SEPY ActionScript Editor
2011-12-21 01:31:18 -------- d-----w- c:\program files\SDP Multimedia
2011-12-21 01:30:35 -------- d-----w- c:\program files\FSL
2011-12-21 01:30:11 -------- d-----w- c:\users\paul\appdata\roaming\SlickRun
2011-12-21 01:30:10 -------- d-----w- c:\program files\SlickRun
2011-12-21 01:28:41 -------- d-----w- c:\users\paul\appdata\roaming\gtopala
2011-12-21 01:28:00 -------- d-----w- c:\users\paul\appdata\roaming\XMind
2011-12-21 01:27:52 -------- d-----w- c:\program files\Xiao Stenography
2011-12-21 01:27:32 -------- d-----w- c:\program files\XMind
2011-12-21 01:26:10 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-12-21 01:25:27 -------- d-----w- c:\program files\VUE
2011-12-21 01:24:28 -------- d-----w- c:\program files\Unlocker
2011-12-21 01:24:01 -------- d-----w- c:\users\paul\vw
2011-12-21 01:24:01 -------- d-----w- c:\users\paul\VisualRoute
2011-12-21 01:23:50 -------- d-----w- c:\program files\VisualRoute Lite Edition
2011-12-21 01:21:52 -------- d-----w- c:\program files\Paros
2011-12-21 01:20:31 -------- d-----w- c:\program files\LockHunter
2011-12-21 01:17:57 -------- d-----w- c:\programdata\PlotSoft
2011-12-21 01:17:57 -------- d-----w- c:\program files\PlotSoft
2011-12-21 01:17:18 -------- d-----w- c:\users\paul\appdata\roaming\PHP Designer 2007
2011-12-21 01:17:11 -------- d-----w- c:\program files\PHP Designer 2007 - Personal
2011-12-21 01:14:56 -------- d-----w- c:\program files\Safer Networking
2011-12-21 01:14:22 -------- d-----w- c:\program files\Data Catalogue
2011-12-21 01:13:39 -------- d-----w- c:\program files\Defraggler
2011-12-21 01:12:12 -------- d-----w- c:\programdata\DLA Storage
2011-12-21 01:12:12 -------- d-----w- c:\programdata\DLA
2011-12-21 01:12:12 -------- d-----w- c:\program files\Deep Log Analyzer
2011-12-21 01:09:35 -------- d-----w- c:\program files\Xenu
2011-12-21 01:06:20 -------- d-----w- c:\users\paul\appdata\roaming\GlarySoft
2011-12-21 01:06:19 -------- d-----w- c:\program files\Quick Startup
2011-12-21 01:03:08 -------- d-----w- c:\program files\WinImage
2011-12-21 00:54:26 -------- d-----w- c:\program files\SequoiaView
2011-12-21 00:52:59 -------- d-----w- c:\program files\MeinPlatz
2011-12-21 00:48:17 -------- d-----w- c:\program files\Simpli-File
2011-12-21 00:47:49 -------- d-----w- c:\users\paul\.mucommander
2011-12-21 00:47:39 -------- d-----w- c:\program files\muCommander
2011-12-21 00:32:29 -------- d-----w- c:\program files\JGoodies
2011-12-21 00:31:58 -------- d-----w- c:\program files\Double Commander
2011-12-21 00:03:29 -------- d-----w- c:\users\paul\appdata\roaming\Microsoft Robocopy GUI
2011-12-20 23:40:40 -------- d-----w- c:\program files\Glary Utilities
2011-12-20 23:37:32 -------- d-----w- c:\program files\PC Magazine Utilities
2011-12-20 23:36:51 -------- d-----w- c:\program files\Remove Empty Directories
2011-12-20 23:33:37 -------- d-----w- c:\program files\Reasonable
2011-12-20 23:31:34 -------- d-----w- c:\program files\HCC Lite
2011-12-20 23:17:15 -------- d-----w- c:\program files\Glarysoft
2011-12-20 23:16:49 -------- d-----w- c:\users\paul\appdata\roaming\Locate32
2011-12-20 23:16:21 -------- d-----w- c:\program files\Locate
2011-12-20 23:13:44 -------- d-----w- c:\program files\Everything
2011-12-20 22:01:42 -------- d-----w- c:\program files\Mythicsoft
2011-12-20 21:59:11 -------- d-----w- c:\program files\common files\EZB Systems
2011-12-20 21:59:10 -------- d-----w- c:\program files\UltraISO
2011-12-20 21:58:00 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2011-12-20 21:57:59 -------- d-----w- c:\program files\MagicDisc
2011-12-20 21:13:47 -------- d-----w- c:\program files\Windows Resource Kits
2011-12-20 21:13:08 -------- d-----w- c:\users\paul\appdata\roaming\EMCO
2011-12-20 21:12:32 -------- d-----w- c:\program files\EMCO
2011-12-20 20:57:48 -------- d-----w- c:\program files\NirSoft
2011-12-20 20:56:56 -------- d-----w- c:\program files\Fiddler2
2011-12-20 20:56:15 -------- d-----w- c:\program files\DebugDiag
2011-12-20 20:55:00 -------- d-----w- c:\program files\BugDump LLC
2011-12-20 20:47:34 -------- d-----w- c:\program files\DirPrintOK
2011-12-20 20:42:26 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2011-12-20 20:42:25 -------- d-----w- c:\program files\CPUID
2011-12-20 11:49:29 -------- d-----w- c:\program files\CCleaner
2011-12-20 11:35:05 -------- d-----w- c:\program files\FileZilla Server
2011-12-20 10:40:50 266360 ----a-w- c:\windows\system32\TweakUI.exe
2011-12-20 10:39:54 -------- d-----w- c:\program files\PCForrest
2011-12-20 10:39:53 -------- d-----w- c:\program files\common files\PCForrest
2011-12-20 10:24:18 -------- d-----w- c:\users\paul\appdata\roaming\EurekaLog
2011-12-20 08:56:27 -------- d-----w- c:\windows\system32\directx
2011-12-20 03:20:37 -------- d-----w- c:\users\paul\appdata\roaming\getleft
2011-12-20 03:12:21 -------- d-----w- c:\program files\Getleft
2011-12-19 23:59:14 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 23:59:14 39640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 23:59:12 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 23:58:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 23:58:56 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-19 21:19:35 -------- d-----w- c:\users\paul\appdata\roaming\WebStripper
2011-12-19 21:19:34 -------- d-----w- c:\users\paul\appdata\local\TempDIR
2011-12-19 21:19:32 -------- d-----w- c:\program files\Solent
2011-12-19 21:13:44 -------- d-----w- c:\users\paul\appdata\roaming\aignes
2011-12-19 21:13:36 -------- d-----w- c:\program files\Local Website Archive
2011-12-19 21:12:35 -------- d-----w- c:\program files\WinHTTrack
2011-12-19 02:15:50 -------- d-----w- c:\program files\ZSNES
2011-12-19 01:50:14 -------- d-----w- c:\users\paul\appdata\roaming\LibreOffice
2011-12-19 01:37:58 -------- d-----w- c:\program files\HashCalc
2011-12-19 01:37:35 -------- d-----w- c:\program files\HashTab Shell Extension
2011-12-18 23:57:33 -------- d-----w- c:\users\paul\appdata\roaming\NeroDigital™
2011-12-18 23:54:51 -------- d-----w- c:\users\paul\appdata\local\Nero_AG
2011-12-18 23:41:04 87608 ----a-w- c:\users\paul\appdata\roaming\inst.exe
2011-12-18 23:41:04 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2011-12-18 23:41:04 47360 ----a-w- c:\users\paul\appdata\roaming\pcouffin.sys
2011-12-18 23:40:55 65602 ----a-w- c:\windows\system32\cook3260.dll
2011-12-18 23:40:55 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2011-12-18 23:40:55 217127 ----a-w- c:\windows\system32\drv43260.dll
2011-12-18 23:40:55 208935 ----a-w- c:\windows\system32\drv33260.dll
2011-12-18 23:40:55 176165 ----a-w- c:\windows\system32\drv23260.dll
2011-12-18 23:40:55 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2011-12-18 23:40:55 102439 ----a-w- c:\windows\system32\sipr3260.dll
2011-12-18 23:40:53 -------- d-----w- c:\program files\VSO
2011-12-18 23:10:10 -------- d-----w- c:\programdata\Nero
2011-12-18 23:09:13 -------- d-----w- c:\program files\Nero
2011-12-18 22:46:26 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2011-12-18 22:46:23 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-12-18 22:46:20 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2011-12-18 22:46:16 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2011-12-18 22:46:12 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2011-12-18 22:30:21 -------- d-----w- c:\program files\QuickPar
2011-12-18 22:29:51 -------- d-----w- c:\program files\MSECache
2011-12-18 22:04:37 -------- d-----w- c:\program files\Cogitum
2011-12-18 22:03:59 -------- d-----w- c:\users\paul\appdata\roaming\Q-Dir
2011-12-18 22:03:56 -------- d-----w- c:\program files\Q-Dir
2011-12-18 22:00:31 40960 ----a-r- c:\users\paul\appdata\roaming\microsoft\installer\{9559f7ca-5e34-4237-a2d9-d856464ad727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-12-18 22:00:31 40960 ----a-r- c:\users\paul\appdata\roaming\microsoft\installer\{9559f7ca-5e34-4237-a2d9-d856464ad727}\ARPPRODUCTICON.exe
2011-12-18 22:00:30 -------- d-----w- c:\program files\Project64 1.6
2011-12-18 21:59:54 -------- d-----w- c:\program files\XdN Software
2011-12-18 21:40:12 -------- d-----w- c:\program files\LibreOffice 3.4
2011-12-18 21:05:24 98192 ----a-w- c:\windows\system32\vjreg.exe
2011-12-18 21:05:24 345604 ----a-w- c:\windows\system32\msinfhlp.exe
2011-12-18 21:05:24 -------- d-----w- c:\program files\Cogitum Co-Citer
2011-12-18 05:37:16 -------- d-----w- c:\users\paul\appdata\roaming\OnLive App
2011-12-18 05:36:57 -------- d-----w- c:\program files\OnLive
2011-12-16 18:41:43 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-16 18:41:41 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-16 18:41:41 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-16 18:41:41 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-12-16 18:41:41 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-16 18:41:41 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-16 18:41:41 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-16 18:41:41 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-16 18:41:41 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-12-16 18:41:41 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-16 18:22:48 -------- d-----w- c:\program files\POWERISO
2011-12-16 18:21:32 -------- d-----w- c:\program files\DAMN NFO Viewer
2011-12-16 09:29:07 -------- d-----w- c:\users\paul\appdata\roaming\Final Countdown
2011-12-16 09:20:13 -------- d-----w- c:\program files\BitTorrent
2011-12-16 09:19:45 -------- d-----w- c:\users\paul\appdata\roaming\BitTorrent
2011-12-16 06:55:29 -------- d-----w- c:\users\paul\appdata\roaming\KeePass
2011-12-16 06:32:27 -------- d-----w- c:\program files\KeePass Password Safe 2
2011-12-16 01:15:35 465408 ----a-w- c:\windows\system32\sqlite3.exe
2011-12-16 01:15:14 573100 ----a-w- c:\windows\system32\sqlite3.dll
2011-12-16 00:53:18 -------- d-----w- c:\program files\Gchip
2011-12-16 00:44:38 640512 ----a-w- c:\windows\SciLexer.dll
2011-12-16 00:44:38 1288192 ----a-w- c:\windows\sqliteodbc2010.dll
2011-12-16 00:44:37 -------- d-----w- c:\windows\SQLite2009Pro
2011-12-16 00:44:37 -------- d-----w- c:\program files\Osen Kusnadi
2011-12-16 00:43:15 -------- d-----w- c:\users\paul\appdata\roaming\sqlitestudio
2011-12-16 00:23:25 -------- d-----w- c:\users\paul\appdata\roaming\enchant
2011-12-16 00:23:17 -------- d-----w- c:\users\paul\.bluefish
2011-12-16 00:18:08 -------- d-----w- c:\program files\common files\GTK
2011-12-16 00:17:13 -------- d-----w- c:\program files\Bluefish
2011-12-14 12:06:23 -------- d-----w- c:\programdata\AVG Secure Search
2011-12-14 12:06:20 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-12-14 12:06:19 -------- d-----w- c:\program files\AVG Secure Search
2011-12-13 08:51:32 2948312 ----a-w- C:\Toolbar_production_100639.exe
2011-12-13 08:50:56 437224 ----a-w- C:\Toolbar_production_100639.ffbho.exe
.
==================== Find3M ====================
.
2011-11-14 22:10:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-24 18:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 18:57:06.18 ===============

Malwarebytes, SuperAntispyware, AVG, & Adaware (most recent versions) have not rid me of this. I also ran various antirootkits, including Kaspersky TDSSKiller, sophos, housecall, etc. and I still have to the PING from hell. I'm ready to run combofix (all A/V is disabled, CD emulators disabled, etc.).

Attached File(s)


#2 User is offline   Paul J Richardson 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 3
  • Joined: 27-December 11
  • Gender:Male
  • Location:Louisville, KY

Posted 30 December 2011 - 01:27 AM

I'm very sorry, but I broke the rules, sort of. I am simply so desperate to move forward quickly if possible,, and so I ran combofix, which froze after all 50 stages, and after deleting some files and folders. I took a photo with my Android, and uploaded it to the shared album (with the link to the SLIDE-SHOW) in my original post above. Anyhow, you can see in the photo how far it got.

I combofix sit there frozen for several hours before closing it and rebooting. I'm guessing at this point, I may simply need to run AppRemover (for the AV, etc.), then try Combofix again. I'm just in such a dire hurry to get this done, and back to work on this laptop. Someone is really nagging me about it. Anyhow. I'll try to wait another day or two.

Considering that Malwarebytes, SuperAntiSpyware, lotty-dotty-everything-else, PLUS Combofix, didn't completely fix me up (yes, I'm still haviing to block the PING.exe command with 'Process Blocker', should I now run Rkill and or OTM, as per the instructions here: http://forums.malwarebytes.org/index.php?showtopic=83543 ??

PLEASE let me know. I guess one more day, and I hit the 3 day mark when I WOULD get to post (per the forum policy), a link for help, if I was posting this in the "am I infected, what do I do" forum. The problem is that I've posted here in the logs forum, as I should have. So that policy doesn't apply, right? I guess I'll just have to wait and see.

#3 User is offline   Paul J Richardson 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 3
  • Joined: 27-December 11
  • Gender:Male
  • Location:Louisville, KY

Posted 01 January 2012 - 10:11 PM

Greetz Hakker Lads, Lassies, and Swaggardly Heroes,

Right then, let's begin. I'll endeavorly belabour erudition tonight, by quoting from: http://www.bleepingcomputer.com/forums/topic273628.html

Quote

"...However, if you ran ComboFix on your own due to malware infection, please ... post the required logs to include your ComboFix log in that forum..." (in reference to the "Virus, Trojan, Spyware, and Malware Removal Logs" forum here: http://www.bleepingcomputer.com/forums/forum22.html)"


Bigfoot hums his favorite tune, itches his belly...then proceeds...

and also quoting from: http://www.bleepingcomputer.com/forums/topic114269.html

Quote

"...However, if someone needs help after using ComboFix on their own, we try to provide that assistance including how to uninstall it."


Since the post I made that originally started this thread, I've spent a few additional hours reading other threads at this domain. Bigfoot isn't autistic, he's just introspective. In one forum, one of the staff from your team, suggested combo fix has no installer, and therefor does not need to be uninstalled. Yet, another thread (here: http://www.bleepingcomputer.com/forums/topic141870.html) indicates that it might be uninstalled (at least in SOME scenario or version of the code), as such:

Combofix /u
When shown the disclaimer, Select "2"

... I would think that, IF I had not gotten antzie, AGAIN, ye and lo unto a fortnight, thy tools were used again, without thy fatherly blessing --- I ran rkill and OTM (please, forgive me I'm jes in a real big hurry to proceed with life and such.

Word is born gdawg! Anyhow, I noticed that at the end of OTM, there twas as it were, a bunch of combo fix objects that deleted by OTM. These magical words I've copied into a text document, and attached for thine eyes to see, if that be your wish.

Finally, quoting from: http://www.bleepingcomputer.com/forums/topic273628.html
Item #5:

Quote

"I used ComboFix on my own and encountered problems. What should I do?"


I have read all of this holy item # 5, with great savour, and the only part I cannot do (cursed fortune) is post the combofix logs -- please recall, combo fix hung (I added a photograph of the icey freeze of the great combofix to the fancy slide-show, linked to in my original post). I have since this time, also run several other tools (while in safe mode), and thus it is possible (remotely), that one of those tools deleted the combofix logs, if they ever existed, and I don't think they did -- evil epistemology. The additional tools that I ran were Lavasoft adaware (now uninstalled), another full scan of Malwarebytes Antimalware, SuperAntiSpyware, and (after uninstalling LavaSoft), Spybot S&D, and of course, sfc

Lavasoft thought it found Trojan.Win32.Generic!BT here:
c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070\netbt.sys
(it's gone now, peer to nothingness-becoming-meaninglessness-in-forumthreads).

Pills seem to help more thus far, but dost thou recommend some medicine further, whose PC hath suffered thusly? Well, maybe just one more.. gonna run Blacklight now...

Ado.

Attached File(s)


#4 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 03 January 2012 - 04:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434908 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 January 2012 - 04:41 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 07 January 2012 - 12:03 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,538
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 10 January 2012 - 12:23 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users