Ransomware vsdsrv32.exe


  • This topic is locked
36 replies to this topic

#1 Richard Pierse

  • Members
  • 18 posts

Posted 17 June 2012 - 03:30 PM

Hi,

My home computer has been infected by the same virus as Mr Quasar
http://www.bleepingcomputer.com/forums/topic456569.html/page__pid__2726791#entry2726791
and oboe22 (topic 4569). In my case the ID in the warning.txt message in each directory where files have been encrypted is 1372 and the message is:


YOUR ID: 1372

YOUR COMPUTER IS BLOCKED. All your documents, text files and databases
are securely encrypted.
You can unblock your computer by completing three easy steps.

STEP 1: Buy a MoneyPak in amount of $50 at the nearest store.

STEP2: Fill out the fields on the black screen on your cumputer. Otherwise
send as an e-mail at cryptdecrypt@yahoo.com. Indicate your ID in the message
title and provide MoneyPak number.

STEP 3: Check your e-mail. We will send you a program to remove the malware
and decrypt your files once payment is verified. Your computer will roll back
to the ordinary state.

Q: How I can make sure that you can really decipher my files?

A: You can send ONE any ciphered file on email cryptdecrypt@yahoo.com
(Indicate your ID and /test decrypt/ phrase in the message title), in the
response message you receive the deciphered file.

Q: Where can I purchase a MoneyPak?

A: MoneyPak can be purchased at thousands of stores nationwide, including
major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart,
Kroger and Meijer.

Q: How do I buy a MoneyPak at the store?

A: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display
and take it to the register. The cashier will collect your cash and load it onto
the MoneyPak.
https://www.moneypak.com/StoreLocator.aspx - here you find a store near .


Luckily, I was able to kill the virus before it had completed encrypting all my files. The virus blocked my attempts to open task manager and I was unable to reboot in safe mode using F8 but after switching off power during a boot I was able to enter a recovery mode and go to the command prompt. There, after running FRST.exe, I located the virus in \\Users\Richard\AppData\Roaming\vsdsrv32.exe and removed it. There was also a 32 bit file cconf.txt.enc which I believe may be related to the encryption key. I have saved both these files.

From the time that the infected files were encrypted, it is clear that the virus worked through all subdirectories of My Documents for first .txt files followed by .xls, .doc, .rtf, .htm, .chm, .ppt and .pdf files. I managed to kill it before it had finished encrypting the .pdf files.

I can recover most if not all of my encrypted files from my other machines. However, I am wondering whether the cconf.txt.enc and the exe file might be enough to help break the encryption key and reverse the encryption process. If so this might be some help to other users infected by this virus.

Thanks,

Richard


#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,180 posts
  • Gender:Male
  • Location:California

Posted 17 June 2012 - 06:36 PM

Greetings Richard Pierse and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started!

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Please copy and paste the contents of the FRST.txt file (should be on your USB device) in a reply.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Richard Pierse (Topic Starter)

  • Members
  • 18 posts

Posted 18 June 2012 - 04:23 AM

Hi Oh My,

Thanks very much for your help. I am pasting the FRST.TXT file as requested, but stupidly I reran FRST after I had deleted the two files, not realising it would overwrite the old one, so this is the file after I had deleted \\Users\Richard\AppData\Roaming\vsdsrv32.exe and cconf.txt.enc.

###########################################################################################
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-06-2012
Ran by Richard at 17-06-2012 10:28:17
Running from D:\
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.The operation completed successfully.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-06-17 04:04 - 2012-06-17 04:06 - 00000000 ____D C:\protect
2012-06-17 03:25 - 2012-06-17 10:28 - 00000000 ____D C:\FRST
2012-06-17 02:23 - 2012-05-18 00:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-17 02:23 - 2012-05-18 00:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-17 02:23 - 2012-05-17 23:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-17 02:23 - 2012-05-17 23:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-17 02:23 - 2012-05-17 23:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-17 02:23 - 2012-05-17 23:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-17 02:23 - 2012-05-17 23:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-17 02:23 - 2012-05-17 23:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-17 02:23 - 2012-05-17 23:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-17 02:23 - 2012-05-17 23:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-17 02:23 - 2012-05-17 23:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-17 02:23 - 2012-05-17 23:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-17 02:23 - 2012-05-17 23:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-17 02:23 - 2012-05-17 23:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-17 02:23 - 2012-05-17 23:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-17 02:23 - 2012-05-17 23:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-17 02:23 - 2012-05-17 23:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-17 02:23 - 2012-05-17 23:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-17 02:23 - 2012-05-17 23:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-17 02:23 - 2012-05-17 23:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-17 02:23 - 2012-05-17 23:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-17 02:23 - 2012-05-17 23:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-17 02:23 - 2012-05-17 23:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-17 02:23 - 2012-05-17 23:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-17 02:23 - 2012-05-17 23:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-17 02:23 - 2012-05-17 23:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-17 02:23 - 2012-05-17 23:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-17 02:23 - 2012-05-17 23:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-17 01:36 - 2012-05-04 11:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-17 01:36 - 2012-05-04 11:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-06-17 01:36 - 2012-05-04 11:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-17 01:36 - 2012-05-04 11:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-17 01:34 - 2012-04-24 05:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-17 01:34 - 2012-04-24 05:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-17 01:34 - 2012-04-24 05:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-17 01:34 - 2012-04-24 05:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-17 01:34 - 2012-04-24 05:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-17 01:34 - 2012-04-24 05:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-17 01:34 - 2012-04-07 12:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-17 01:34 - 2012-04-07 12:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-16 20:21 - 2012-06-17 10:25 - 00000000 ____D C:\Users\Richard\Documents\BullGuard Backups
2012-06-16 19:08 - 2012-06-16 19:08 - 269852000 ____A C:\Windows\MEMORY.DMP
2012-06-16 19:08 - 2012-06-16 19:08 - 00275744 ____A C:\Windows\Minidump\061612-24523-01.dmp
2012-06-16 19:08 - 2012-06-16 19:08 - 00000000 ____D C:\Windows\Minidump
2012-06-16 13:21 - 2012-06-16 13:21 - 00127049 ____A C:\Users\Richard\Documents\feassign2012.pdf.crypt
2012-06-11 11:37 - 2012-06-11 11:37 - 00373268 ____A C:\Users\Richard\Downloads\Kerry Magazine Index.doc.crypt
2012-06-11 11:32 - 2012-06-16 13:21 - 00001408 ____A C:\Users\Richard\Documents\WARNING.txt
2012-06-11 11:32 - 2012-06-11 11:37 - 00001408 ____A C:\Users\Richard\Downloads\WARNING.txt
2012-06-11 11:32 - 2012-06-11 11:32 - 00235540 ____A C:\Users\Richard\Downloads\MSc Students 2011.xls.crypt
2012-06-11 11:32 - 2012-06-11 11:32 - 00101908 ____A C:\Users\Richard\Downloads\201151_9001333.xls.crypt
2012-06-11 11:32 - 2012-06-11 11:32 - 00101908 ____A C:\Users\Richard\Downloads\201147_9001333.xls.crypt
2012-06-11 11:32 - 2012-06-11 11:32 - 00000182 ____A C:\Users\Richard\Documents\~$nsolve_impact.doc.crypt
2012-06-11 11:26 - 2012-06-16 15:32 - 00032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT.crypt
2012-06-11 11:26 - 2012-06-16 15:32 - 00001408 ____A C:\Windows\Tasks\WARNING.txt
2012-06-10 00:21 - 2012-06-10 00:21 - 00195072 ____A C:\Users\Richard\Downloads\Shortcut%20to%20ALL%20STUDENTS%20alphabetically%2011-12
2012-06-03 13:05 - 2012-06-03 13:05 - 00000000 ____D C:\Program Files (x86)\YouTube Downloader Toolbar
2012-06-03 13:05 - 2012-06-03 13:05 - 00000000 ____D C:\Program Files (x86)\Application Updater
2012-06-03 13:04 - 2012-06-03 13:04 - 00001399 ____A C:\Users\Public\Desktop\YTD YouTube Downloader & Converter.lnk
2012-06-03 13:04 - 2012-06-03 13:04 - 00000000 ____D C:\Users\All Users\YTD YouTube Downloader & Converter
2012-06-03 13:04 - 2012-06-03 13:04 - 00000000 ____D C:\Program Files (x86)\GreenTree Applications
2012-05-21 12:59 - 2012-05-21 12:59 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-05-21 01:04 - 2012-05-21 01:04 - 00000520 ____A C:\Users\Richard\AppData\Local\TempPSTEMPFILEon0809014012_1.tmp
2012-05-20 22:50 - 2012-05-20 22:50 - 00000520 ____A C:\Users\Richard\AppData\Local\TempPSTEMPFILEon0809013244_1.tmp
2012-05-19 16:45 - 2012-05-19 16:45 - 00000000 ____D C:\Users\Richard\VirtualBox VMs
2012-05-19 16:44 - 2012-05-19 17:29 - 00000000 ____D C:\Users\Richard\.VirtualBox
2012-05-19 16:43 - 2012-05-19 16:43 - 00001084 ____A C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
2012-05-19 16:43 - 2012-05-19 16:43 - 00000000 ____D C:\Program Files\Oracle
2012-05-19 16:28 - 2012-05-19 16:28 - 00002011 ____A C:\Users\Public\Desktop\PhotoStudio 6.lnk
2012-05-19 16:28 - 2012-05-19 16:28 - 00000000 ____D C:\Users\Richard\AppData\Local\ArcSoft
2012-05-19 16:28 - 2012-05-19 16:28 - 00000000 ____D C:\Users\All Users\ArcSoft

============ 3 Months Modified Files and Folders ===============

2012-06-17 10:28 - 2012-06-17 03:25 - 00000000 ____D C:\FRST
2012-06-17 10:27 - 2010-04-26 03:07 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-17 10:25 - 2012-06-16 20:21 - 00000000 ____D C:\Users\Richard\Documents\BullGuard Backups
2012-06-17 10:09 - 2009-12-09 17:00 - 00000000 ____D C:\Users\All Users\BullGuard
2012-06-17 10:07 - 2010-04-26 03:07 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-17 10:07 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-17 10:07 - 2009-07-14 05:51 - 00078796 ____A C:\Windows\setupact.log
2012-06-17 04:06 - 2012-06-17 04:04 - 00000000 ____D C:\protect
2012-06-17 02:42 - 2009-12-09 16:54 - 02084098 ____A C:\Windows\WindowsUpdate.log
2012-06-17 02:41 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\Microsoft.NET
2012-06-17 02:32 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\SysWOW64
2012-06-17 02:31 - 2009-12-11 14:24 - 00015660 ____A C:\Windows\PFRO.log
2012-06-17 02:30 - 2009-12-09 18:12 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-17 02:21 - 2009-12-12 13:41 - 00000000 ____D C:\Users\Richard\Documents\personal
2012-06-17 02:05 - 2012-05-12 11:11 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-17 01:18 - 2012-01-06 21:01 - 00000000 ____D C:\Users\Richard\AppData\Roaming\vlc
2012-06-17 00:34 - 2009-12-12 13:40 - 00000000 ____D C:\Users\Richard\Documents\ccbs
2012-06-17 00:26 - 2009-12-12 13:40 - 00000000 ____D C:\Users\Richard\Documents\beqm
2012-06-16 20:32 - 2009-12-11 13:22 - 00000000 ____D C:\Users\Richard\AppData\Roaming\BullGuard
2012-06-16 19:08 - 2012-06-16 19:08 - 269852000 ____A C:\Windows\MEMORY.DMP
2012-06-16 19:08 - 2012-06-16 19:08 - 00275744 ____A C:\Windows\Minidump\061612-24523-01.dmp
2012-06-16 19:08 - 2012-06-16 19:08 - 00000000 ____D C:\Windows\Minidump
2012-06-16 15:32 - 2012-06-11 11:26 - 00032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT.crypt
2012-06-16 15:32 - 2012-06-11 11:26 - 00001408 ____A C:\Windows\Tasks\WARNING.txt
2012-06-16 15:22 - 2012-04-12 18:57 - 00000000 ____D C:\Program Files\Bonjour
2012-06-16 15:21 - 2009-12-11 13:21 - 00000000 ____D C:\users\Richard
2012-06-16 15:21 - 2009-07-14 08:45 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-06-16 15:21 - 2009-07-14 04:20 - 00000000 __RSD C:\Windows\Media
2012-06-16 15:21 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\registration
2012-06-16 15:19 - 2011-05-21 20:00 - 00000000 ____D C:\Users\All Users\Real
2012-06-16 15:19 - 2009-12-12 16:40 - 00000000 ____D C:\Users\Richard\Documents\WinSolve
2012-06-16 15:19 - 2009-12-12 16:38 - 00000000 ____D C:\Users\Richard\Documents\wsdocs
2012-06-16 15:19 - 2009-12-12 16:34 - 00000000 ____D C:\Users\Richard\Documents\web
2012-06-16 15:19 - 2009-12-12 13:40 - 00000000 ____D C:\Users\Richard\Documents\latex
2012-06-16 15:19 - 2009-12-11 18:30 - 00000000 ____D C:\Users\Richard\Documents\cpp
2012-06-16 13:43 - 2009-12-12 13:42 - 00000000 ____D C:\Users\Richard\Documents\piersebook
2012-06-16 13:41 - 2009-12-12 13:41 - 00000000 ____D C:\Users\Richard\Documents\papers
2012-06-16 13:21 - 2012-06-16 13:21 - 00127049 ____A C:\Users\Richard\Documents\feassign2012.pdf.crypt
2012-06-16 13:21 - 2012-06-11 11:32 - 00001408 ____A C:\Users\Richard\Documents\WARNING.txt
2012-06-16 13:21 - 2011-10-10 23:02 - 00000000 ____D C:\Users\Richard\Documents\archive
2012-06-11 11:37 - 2012-06-11 11:37 - 00373268 ____A C:\Users\Richard\Downloads\Kerry Magazine Index.doc.crypt
2012-06-11 11:37 - 2012-06-11 11:32 - 00001408 ____A C:\Users\Richard\Downloads\WARNING.txt
2012-06-11 11:36 - 2010-12-06 23:19 - 00000000 ____D C:\Users\Richard\Documents\WPDOCS
2012-06-11 11:35 - 2010-01-29 11:36 - 00000000 ____D C:\Users\Richard\Documents\word
2012-06-11 11:34 - 2009-12-18 13:24 - 00000000 ____D C:\Users\Richard\Documents\swp
2012-06-11 11:34 - 2009-12-12 13:44 - 00000000 ____D C:\Users\Richard\Documents\teaching
2012-06-11 11:33 - 2009-12-12 16:31 - 00000000 ____D C:\Users\Richard\Documents\solve
2012-06-11 11:33 - 2009-12-12 13:44 - 00000000 ____D C:\Users\Richard\Documents\surrey
2012-06-11 11:32 - 2012-06-11 11:32 - 00235540 ____A C:\Users\Richard\Downloads\MSc Students 2011.xls.crypt
2012-06-11 11:32 - 2012-06-11 11:32 - 00101908 ____A C:\Users\Richard\Downloads\201151_9001333.xls.crypt
2012-06-11 11:32 - 2012-06-11 11:32 - 00101908 ____A C:\Users\Richard\Downloads\201147_9001333.xls.crypt
2012-06-11 11:32 - 2012-06-11 11:32 - 00000182 ____A C:\Users\Richard\Documents\~$nsolve_impact.doc.crypt
2012-06-11 11:26 - 2011-11-04 23:46 - 00000000 ____D C:\Users\Richard\Downloads\8000fvst8120a_xpen
2012-06-11 11:22 - 2010-11-13 19:47 - 00000000 ____D C:\Users\Richard\Documents\dynare-4.1.3
2012-06-11 11:22 - 2010-03-05 12:10 - 00000000 ____D C:\Program Files (x86)\Autoruns
2012-06-11 11:20 - 2009-12-11 17:17 - 00000000 ____D C:\BC5
2012-06-10 00:21 - 2012-06-10 00:21 - 00195072 ____A C:\Users\Richard\Downloads\Shortcut%20to%20ALL%20STUDENTS%20alphabetically%2011-12
2012-06-09 10:50 - 2012-05-12 11:11 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-09 10:50 - 2012-05-12 11:11 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-09 10:50 - 2011-05-15 11:27 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-09 10:50 - 2011-05-15 11:27 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-03 13:05 - 2012-06-03 13:05 - 00000000 ____D C:\Program Files (x86)\YouTube Downloader Toolbar
2012-06-03 13:05 - 2012-06-03 13:05 - 00000000 ____D C:\Program Files (x86)\Application Updater
2012-06-03 13:05 - 2009-12-11 13:21 - 00000000 ____D C:\Users\Richard\AppData\LocalLow
2012-06-03 13:05 - 2009-07-14 04:20 - 00000000 ___RD C:\Program Files (x86)
2012-06-03 13:04 - 2012-06-03 13:04 - 00001399 ____A C:\Users\Public\Desktop\YTD YouTube Downloader & Converter.lnk
2012-06-03 13:04 - 2012-06-03 13:04 - 00000000 ____D C:\Users\All Users\YTD YouTube Downloader & Converter
2012-06-03 13:04 - 2012-06-03 13:04 - 00000000 ____D C:\Program Files (x86)\GreenTree Applications
2012-05-21 13:03 - 2009-07-14 04:20 - 00000000 __RHD C:\Users\Public\Libraries
2012-05-21 12:59 - 2012-05-21 12:59 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-05-21 11:56 - 2009-07-14 06:08 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-21 01:04 - 2012-05-21 01:04 - 00000520 ____A C:\Users\Richard\AppData\Local\TempPSTEMPFILEon0809014012_1.tmp
2012-05-20 22:50 - 2012-05-20 22:50 - 00000520 ____A C:\Users\Richard\AppData\Local\TempPSTEMPFILEon0809013244_1.tmp
2012-05-19 17:29 - 2012-05-19 16:44 - 00000000 ____D C:\Users\Richard\.VirtualBox
2012-05-19 16:45 - 2012-05-19 16:45 - 00000000 ____D C:\Users\Richard\VirtualBox VMs
2012-05-19 16:43 - 2012-05-19 16:43 - 00001084 ____A C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
2012-05-19 16:43 - 2012-05-19 16:43 - 00000000 ____D C:\Program Files\Oracle
2012-05-19 16:28 - 2012-05-19 16:28 - 00002011 ____A C:\Users\Public\Desktop\PhotoStudio 6.lnk
2012-05-19 16:28 - 2012-05-19 16:28 - 00000000 ____D C:\Users\Richard\AppData\Local\ArcSoft
2012-05-19 16:28 - 2012-05-19 16:28 - 00000000 ____D C:\Users\All Users\ArcSoft
2012-05-19 16:28 - 2010-02-14 13:22 - 00000000 ____D C:\Users\Richard\AppData\Roaming\ArcSoft
2012-05-19 16:27 - 2010-02-14 13:20 - 00000000 ____D C:\Program Files (x86)\ArcSoft
2012-05-19 16:27 - 2009-12-09 16:56 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-05-19 16:06 - 2009-12-18 22:09 - 00000000 ____D C:\Program Files (x86)\Canon
2012-05-18 00:11 - 2012-06-17 02:23 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-18 00:11 - 2012-06-17 02:23 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 23:48 - 2012-06-17 02:23 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 23:48 - 2012-06-17 02:23 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 23:45 - 2012-06-17 02:23 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 23:45 - 2012-06-17 02:23 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 23:36 - 2012-06-17 02:23 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 23:36 - 2012-06-17 02:23 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 23:35 - 2012-06-17 02:23 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 23:35 - 2012-06-17 02:23 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 23:35 - 2012-06-17 02:23 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 23:35 - 2012-06-17 02:23 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 23:33 - 2012-06-17 02:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 23:33 - 2012-06-17 02:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 23:31 - 2012-06-17 02:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 23:31 - 2012-06-17 02:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 23:29 - 2012-06-17 02:23 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 23:29 - 2012-06-17 02:23 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 23:29 - 2012-06-17 02:23 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 23:29 - 2012-06-17 02:23 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 23:27 - 2012-06-17 02:23 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 23:27 - 2012-06-17 02:23 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 23:25 - 2012-06-17 02:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 23:25 - 2012-06-17 02:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 23:24 - 2012-06-17 02:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 23:24 - 2012-06-17 02:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 23:20 - 2012-06-17 02:23 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-17 23:20 - 2012-06-17 02:23 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-15 14:28 - 2012-05-15 14:28 - 00009611 ____A C:\Users\Richard\Documents\access.20120414.gz
2012-05-12 00:13 - 2009-12-09 16:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-12 00:13 - 2009-07-14 08:47 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-04 11:03 - 2012-06-17 01:36 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 11:03 - 2012-06-17 01:36 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-05-04 11:03 - 2012-06-17 01:36 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-04 11:03 - 2012-06-17 01:36 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-24 05:36 - 2012-06-17 01:34 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-24 05:36 - 2012-06-17 01:34 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-24 05:36 - 2012-06-17 01:34 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-24 05:36 - 2012-06-17 01:34 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-24 05:36 - 2012-06-17 01:34 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-24 05:36 - 2012-06-17 01:34 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-19 15:13 - 2012-04-19 15:13 - 00000000 ____D C:\Program Files\DirectVobSub
2012-04-18 20:56 - 2012-04-18 20:56 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2012-04-18 20:56 - 2012-04-18 20:56 - 00094208 ____A (Apple Inc.) C:\Windows\System32\QuickTimeVR.qtx
2012-04-18 20:56 - 2012-04-18 20:56 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
2012-04-18 20:56 - 2012-04-18 20:56 - 00069632 ____A (Apple Inc.) C:\Windows\System32\QuickTime.qts
2012-04-13 10:31 - 2009-12-11 16:07 - 00000000 ____D C:\Users\Richard\AppData\Roaming\Apple Computer
2012-04-12 19:26 - 2012-04-12 19:26 - 00001791 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-04-12 19:26 - 2012-04-12 19:26 - 00000000 ____D C:\Program Files\iTunes
2012-04-12 19:26 - 2012-04-12 19:26 - 00000000 ____D C:\Program Files\iPod
2012-04-12 19:26 - 2012-04-12 19:26 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-04-12 19:23 - 2009-12-11 16:06 - 00000000 ____D C:\Users\All Users\Apple
2012-04-12 19:00 - 2009-12-11 16:07 - 00000000 ____D C:\Users\Richard\AppData\Local\Apple Computer
2012-04-12 18:59 - 2009-12-11 16:06 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-04-12 18:57 - 2012-04-12 18:57 - 00000000 ____D C:\Program Files (x86)\Bonjour
2012-04-12 18:57 - 2012-04-12 18:57 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2012-04-07 12:26 - 2012-06-17 01:34 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-04-07 12:26 - 2012-06-17 01:34 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-03-20 11:18 - 2010-09-27 10:48 - 00857790 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-03-20 11:18 - 2010-09-27 10:48 - 00857790 ____A C:\Windows\System32\PerfStringBackup.INI

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2011-05-07 20:56] - [2011-02-25 07:19] - 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll
[2011-06-25 01:16] - [2010-11-20 13:08] - 0833024 ____A (Microsoft Corporation) 5E0DB2D8B2750543CD2EBB9EA8E6CDD3

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

========================= Memory info ======================

Percentage of memory in use: 36%
Total physical RAM: 4095.18 MB
Available physical RAM: 2611.27 MB
Total Pagefile: 8188.54 MB
Available Pagefile: 6505.34 MB
Total Virtual: 4095.88 MB
Available Virtual: 4002.65 MB

======================= Partitions =========================

1 Drive c: (Windows7) (Fixed) (Total:911.98 GB) (Free:791.35 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: () (Removable) (Total:3.81 GB) (Free:0.26 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 1024 KB
Disk 1 Online 3919 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 19 GB 1024 KB
Partition 2 Primary 911 GB 19 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Win_RE NTFS Partition 19 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Windows7 NTFS Partition 911 GB Healthy System (partition with boot components)

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3901 MB 96 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D FAT32 Removable 3901 MB Healthy

======================================================================================================
======================= End Of Log ==========================

The virus started working on the morning of June 11 but was interrupted when I switched off my computer and went away for a few days. I next used the computer on my return on June 16 and the virus resumed working. It was then that I noticed that an .xls file I wanted to use had been renamed. I tried to open Task Manager but it wouldn't open. I did a search for .crypt files which was when I realised the virus was still encrypting files. I tried rebooting in safe mode but F8 didn't seem to work. I finally managed to reboot in recovery mode and removed the virus about 15.32 on June 16.

Do you need any more information? I tried to attach the file cconf.txt.enc to my original post but it wouldn't allow me to. This file is 31 bits long.

Thanks very much for your help.

Richard

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:43 AM

Posted 18 June 2012 - 08:06 AM

Greetings Richard Pierse,

Thank you for the information. Please allow me some time to review the state of your computer.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:43 AM

Posted 18 June 2012 - 05:04 PM

Greetings Richard Pierse,


Please perform the following for me which will give us additional information about your computer. What would also help is to know the types of files that are being encrypted, if any. Can you identify the names or file extensions? If so, please provide that information.


===================================================


DDS by sUBs

--------------------

  • Please download DDS by sUBs from one of the following links. Save it to your desktop.

    * DDS.scr
    * DDS.pif

  • Double click on the Posted Image icon
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Two Notepad documents will open - DDS.txt and Attach.txt. Please copy and paste the results in your reply
  • Close the program window, and delete the program from your desktop
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Otl.txt
  • Attach.txt
  • Encrypted file information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 Richard Pierse

Richard Pierse
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 19 June 2012 - 07:30 AM

Hi Oh My,

I am away from home now until Saturday so I won't be able to run DDS until then. The files that were affected were:
.txt, .xls, .doc, .rtf, .htm, .chm, .ppt and .pdf files. I assume if I hadn't stopped the thing it would have gone on to encrypt .jpg files as well.

When I run DDS, it will produce a file attach.txt which I will paste in but where do I find otl.txt and what encrypted file information do you want me to send?

Thanks again for your help.

Richard
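Before running any decrypter, a responder wants an inventory of what was actually hit: which extensions, how many files, where the ransom notes landed, and whether any encrypted file still has its plaintext original beside it (the kind of encrypted/plaintext pair Richard offers to send later in this thread). The script below is an added example written for this page; it is not code from the thread or from the DDS, FRST or decrypt_birele tools. It assumes the naming described in the posts (an encrypted file keeps its original name plus a `.crypt` suffix, and each affected directory holds a `warning.txt` note) and builds a constructed sample tree in a temporary directory so it runs offline.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

CRYPT_SUFFIX = ".crypt"    # suffix the posts report on encrypted files (assumption)
NOTE_NAME = "warning.txt"  # ransom note dropped in each affected directory (assumption)


def inventory(root):
    """Walk `root` and summarise the ransomware's impact.

    Returns a dict with:
      by_ext:  Counter of original extensions (e.g. ".xls") among *.crypt files
      notes:   sorted list of directories that contain the ransom note
      pairs:   (encrypted, plaintext) path tuples where the original file still
               sits beside its .crypt copy, which is what an analyst asks for
      orphans: .crypt files whose original is gone (the usual case)
    """
    by_ext = Counter()
    notes, pairs, orphans = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        if NOTE_NAME in names:
            notes.append(dirpath)
        for name in files:
            if not name.endswith(CRYPT_SUFFIX):
                continue
            original = name[: -len(CRYPT_SUFFIX)]
            ext = Path(original).suffix.lower() or "(none)"
            by_ext[ext] += 1
            enc_path = os.path.join(dirpath, name)
            if original in names:
                pairs.append((enc_path, os.path.join(dirpath, original)))
            else:
                orphans.append(enc_path)
    return {"by_ext": by_ext, "notes": sorted(notes),
            "pairs": sorted(pairs), "orphans": sorted(orphans)}


def build_sample_tree(base):
    """Constructed sample data for the demo; nothing here comes from the thread's logs."""
    docs = Path(base, "Documents")
    pics = Path(base, "Pictures")
    docs.mkdir(parents=True)
    pics.mkdir(parents=True)
    (docs / "budget.xls.crypt").write_bytes(b"\x00" * 64)
    (docs / "letter.doc.crypt").write_bytes(b"\x00" * 64)
    (docs / "notes.txt.crypt").write_bytes(b"\x00" * 64)
    (docs / "notes.txt").write_text("plaintext copy left behind")  # gives one pair
    (docs / "warning.txt").write_text("YOUR ID: <constructed>")   # ransom note
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")            # untouched file
    return str(base)


def run_demo():
    """Build the sample tree in a fresh temp dir and return the inventory."""
    base = tempfile.mkdtemp(prefix="crypt-triage-")
    build_sample_tree(base)
    return inventory(base)


if __name__ == "__main__":
    result = run_demo()
    print("encrypted files by original extension:", dict(result["by_ext"]))
    print("directories with ransom note:", result["notes"])
    print("encrypted/plaintext pairs:", result["pairs"])
    print("encrypted files with no original left:", len(result["orphans"]))
```

Pointing `inventory()` at a real drive instead of the sample tree gives the extension list Gary asks for in post #5 without opening any of the files; the `pairs` list is where to look for a safe sample to submit, since a Windows sample file encrypted beside an intact copy reveals nothing personal.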

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:43 AM

Posted 19 June 2012 - 08:28 AM

Greetings Richard Pierse,

My error, wrong program in my head! You will not be presented with OTL.txt but rather DDS.txt. The information you provided about file extensions is helpful and sufficient at this point. When I review the DDS information that may fill in the rest for me.

Thank you for letting me know of the delay. I will await your next post.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:43 AM

Posted 19 June 2012 - 01:36 PM

Greetings Richard Pierse,


There, after running FRST.exe, I located the virus in \\Users\Richard\AppData\Roaming\vsdsrv32.exe and removed it. There was also a 32 bit file cconf.txt.enc which I believe may be related to the encryption key. I have saved both these files.


Could you please upload these two files as well as one of the encrypted files here (this may help finding the decryption key): http://www.bleepingcomputer.com/mrc/index.php?a=submission&channel=140

You could upload an encrypted standard windows picture/file so you won't have to upload a personal file.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 Richard Pierse

Richard Pierse
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 20 June 2012 - 04:17 AM

Hi Oh My,

Thanks again for your help. I will send the files you request on Saturday when I get back home. I can send an encrypted file along with the plain text if that helps. I did try and send cconf.txt.enc with my original post but it said it didn't allow that type of file. Do I need to do anything special to attach it e.g. Zip it up?

Richard

#10 Richard Pierse

Richard Pierse
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 20 June 2012 - 08:53 AM

Hi Oh My,

I've just realised I can send you some encrypted files and the virus files vsdrv32.exe and cconf.txt.enc now as they are on my memory stick. However, when I tried to follow the link you gave me to mrc/index.php, it said the page does not exist. Any advice?

Thanks again,

Richard

#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:43 AM

Posted 20 June 2012 - 02:05 PM

Greetings Richard Pierse,

Try this, I just tested it and it works on my end.

http://www.bleepingcomputer.com/submit-malware.php?channel=140
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 Richard Pierse

Richard Pierse
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 21 June 2012 - 07:28 AM

Hi Oh My,

Thanks for the new link. I have sent you the virus exe file, the cconf.txt.enc file and an encrypted txt file. On Saturday I will be able to send you the DDS.txt file and a few more encrypted files with plain text.

Thanks again for your help,

Richard

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:43 AM

Posted 22 June 2012 - 09:27 AM

Greetings Richard Pierse,

First, I am sure you would join me in thanking Fabian who has graciously offered to assist us with this complicated infection. His time and expertise are invaluable in helping us to address the encryption mess malware has inflicted upon your computer.

Please apply the fruits of his labor in the following manner:


===================================================


Running decrypt_birele by Fabian

--------------------

  • Right click on your desktop, select New, then click on Folder
  • Name the folder Fabian and press Enter
  • Place a copy of cconf.txt.enc in the Fabian folder
  • Please download decrypt_birele.zip and save it to your desktop
  • Right click the decrypt_birele.zip folder and select Extract All...
  • Select Next, then Browse
  • Select the Fabian folder, OK, then Next
  • Leave a check mark next to Show extracted files, and select Finish
  • Double click Posted Image then select Run
  • Please post the results

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 Richard Pierse

Richard Pierse
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 23 June 2012 - 05:09 PM

Hi Oh My,

Thanks again for your help. I tried Fabian's decrypt program but unfortunately it didn't work. I am pasting an example of the output it produced:

An error occurred when trying to decrypt file C:\Windows\Temp\IE97731.tmp\IE9-neutral.Downloaded\Windows6.1-KB982861-x64-pkgProperties.txt.crypt to C:\Windows\Temp\IE97731.tmp\IE9-neutral.Downloaded\Windows6.1-KB982861-x64-pkgProperties.txt!
An error occurred when trying to decrypt file C:\Windows\Temp\IE97731.tmp\IE9-support\NrPolicy.txt.crypt to C:\Windows\Temp\IE97731.tmp\IE9-support\NrPolicy.txt!
An error occurred when trying to decrypt file C:\Windows\Temp\KB2160841_20101016_020328922-Microsoft .NET Framework 4 Client Profile-MSP0.txt.crypt to C:\Windows\Temp\KB2160841_20101016_020328922-Microsoft .NET Framework 4 Client Profile-MSP0.txt!
An error occurred when trying to decrypt file C:\Windows\Temp\KB2160841_20101016_020328922.html.crypt to C:\Windows\Temp\KB2160841_20101016_020328922.html!
An error occurred when trying to decrypt file C:\Windows\Temp\KB2251489_20110615_010558025-Microsoft Visual C++ 2010 Express - ENU-MSP0.txt.crypt to C:\Windows\Temp\KB2251489_20110615_010558025-Microsoft Visual C++ 2010 Express - ENU-MSP0.txt!
An error occurred when trying to decrypt file C:\Windows\Temp\KB2251489_20110615_010558025.html.crypt to C:\Windows\Temp\KB2251489_20110615_010558025.html!
An error occurred when trying to decrypt file C:\Windows\Temp\KB2416472_20101010_004441156-Microsoft .NET Framework 4 Extended-MSP0.txt.crypt to C:\Windows\Temp\KB2416472_20101010_004441156-Microsoft .NET Framework 4 Extended-MSP0.txt!
An error occurred when trying to decrypt file C:\Windows\Temp\KB2416472_20101010_004441156.html.crypt to C:\Windows\Temp\KB2416472_20101010_004441156.html!
An error occurred when trying to decrypt file C:\Windows\Temp\KB2446708_20110417_022252926-Microsoft .NET Framework 4 Client Profile-MSP0.txt.crypt to C:\Windows\Temp\KB2446708_20110417_022252926-Microsoft .NET Framework 4 Client Profile-MSP0.txt!

I ran dds.scr as you asked and this produced the following:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.0
Run by Richard at 20:58:04 on 2012-06-23
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.4095.1717 [GMT 1:00]
.
AV: BullGuard Antivirus *Enabled/Updated* {504FFF66-3028-EB7E-2E60-62B19ADD791C}
SP: BullGuard Antispyware *Enabled/Updated* {EB2E1E82-1612-E4F0-14D0-59C3E15A33A1}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: BullGuard Firewall *Enabled* {68747E43-7A47-EA26-053F-CB84640E3E67}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Virgin Mobile Broadband\ModemListener.exe
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Windows\System32\svchost.exe -k BullGuard
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Common Files\DeviceHelper\DeviceManager.exe
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Windows\system32\prevhost.exe
C:\PROGRA~2\MIF5BA~1\Office12\WINWORD.EXE
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\splwow64.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uDefault_Page_URL = hxxp://www.meshcomputersownersclub.com
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.9\youtubedownloaderToolbarIE.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll
BHO: DataMngr: {9d717f81-9148-4f12-8568-69135f087db0} - C:\PROGRA~2\WI3C8A~1\Datamngr\BROWSE~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.9\youtubedownloaderToolbarIE.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - C:\Program Files (x86)\Canon\Easy-WebPrint\Toolband.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.9\youtubedownloaderToolbarIE.dll
uRun: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe"
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [vsdsrv] "C:\Users\Richard\AppData\Roaming\vsdsrv32.exe"
mRun: [ModemListener] C:\Program Files (x86)\Virgin Mobile Broadband\ModemListener.exe start
mRun: [DATAMNGR] C:\PROGRA~2\WI3C8A~1\Datamngr\DATAMN~1.EXE
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [<NO NAME>]
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - C:\Program Files (x86)\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - C:\Program Files (x86)\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - C:\Program Files (x86)\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - C:\Program Files (x86)\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
LSP: C:\Windows\system32\BGLsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.surrey.ac.uk/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{60DA209E-4819-49BF-8834-73DF2CD589DE} : DhcpNameServer = 194.168.4.100 194.168.8.100
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Babylon toolbar helper: {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO-X64: Babylon toolbar helper - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll
BHO-X64: Searchqu Toolbar - No File
BHO-X64: DataMngr: {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\WI3C8A~1\Datamngr\BROWSE~1.DLL
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO-X64: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.9\youtubedownloaderToolbarIE.dll
TB-X64: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files (x86)\Canon\Easy-WebPrint\Toolband.dll
TB-X64: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll
TB-X64: Babylon Toolbar: {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.9\youtubedownloaderToolbarIE.dll
mRun-x64: [ModemListener] C:\Program Files (x86)\Virgin Mobile Broadband\ModemListener.exe start
mRun-x64: [DATAMNGR] C:\PROGRA~2\WI3C8A~1\Datamngr\DATAMN~1.EXE
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [(Default)]
mRun-x64: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
AppInit_DLLs-X64: C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\r8vikylq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=937811&ilc=12&p=
FF - component: C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - component: C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF3.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: C:\Users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\r8vikylq.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\components\dtTransparency.dll
FF - component: C:\Users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\r8vikylq.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\components\dtTransparency3.5.dll
FF - component: C:\Users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\r8vikylq.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\components\dtTransparency3.6.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Canon\MyCamera Download Plugin\NPCIG.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\npjpi170_05.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\npoji610.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com
FF - Ext: SearchquToolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - %profile%\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.id - 18471ea500000000000000ff10607705
FF - user.js: extensions.BabylonToolbar_i.hardId - 18471ea500000000000000ff10607705
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15341
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1721:28:14
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100888
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R1 afw;Agnitum Firewall Driver;C:\Windows\system32\DRIVERS\afw.sys --> C:\Windows\system32\DRIVERS\afw.sys [?]
R2 ADExchange;ArcSoft Exchange Service;C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [2012-2-16 43112]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2012-6-13 792512]
R2 BdFileSpy;BullGuard File Monitor Driver;\??\C:\Windows\system32\drivers\BdFileSpy.sys --> C:\Windows\system32\drivers\BdFileSpy.sys [?]
R2 BsFileScan;BullGuard File Scan Service;C:\Windows\System32\svchost.exe -k BullGuard [2009-7-14 20992]
R2 BsFire;BullGuard Firewall Service;C:\Windows\System32\svchost.exe -k BullGuard [2009-7-14 20992]
R2 BsMailProxy;BullGuard Email Monitoring Service;C:\Windows\System32\svchost.exe -k BullGuard [2009-7-14 20992]
R2 DeviceManager;DeviceManager;C:\Program Files (x86)\Common Files\DeviceHelper\DeviceManager.exe -start --> C:\Program Files (x86)\Common Files\DeviceHelper\DeviceManager.exe -start [?]
R3 afwcore;afwcore;C:\Windows\system32\DRIVERS\afwcore.sys --> C:\Windows\system32\DRIVERS\afwcore.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-4-26 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-12 257224]
S3 BgRaSvc;BgRaSvc;C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [2010-2-13 101712]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-4-26 136176]
S3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;C:\Windows\system32\DRIVERS\qcusbser.sys --> C:\Windows\system32\DRIVERS\qcusbser.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 VBoxUSB;VirtualBox USB;C:\Windows\system32\Drivers\VBoxUSB.sys --> C:\Windows\system32\Drivers\VBoxUSB.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\system32\DRIVERS\RsFx0103.sys --> C:\Windows\system32\DRIVERS\RsFx0103.sys [?]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
.
=============== Created Last 30 ================
.
2012-06-23 18:34:11 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{72D96254-B9FC-4BE7-9CEA-36AA2C3552B4}\mpengine.dll
2012-06-23 18:26:58 -------- d-----w- C:\Program Files (x86)\Application Updater
2012-06-23 18:26:54 -------- d-----w- C:\Program Files (x86)\YouTube Downloader Toolbar
2012-06-23 18:26:54 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot
2012-06-17 11:50:54 772592 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-06-17 03:04:49 -------- d-----w- C:\protect
2012-06-17 02:25:28 -------- d-----w- C:\FRST
2012-06-17 00:39:24 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-06-17 00:39:24 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-06-17 00:39:24 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-06-17 00:37:32 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-06-17 00:36:58 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-06-17 00:36:55 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-17 00:36:54 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-17 00:35:44 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-06-17 00:35:06 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-06-17 00:34:31 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-06-17 00:34:30 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-17 00:34:14 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-06-17 00:34:13 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-06-17 00:34:13 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-17 00:34:13 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-06-17 00:34:13 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-17 00:34:13 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-06-08 23:34:17 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-08 23:34:07 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-08 23:32:58 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-08 23:32:57 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-03 12:04:28 -------- d-----w- C:\ProgramData\YTD YouTube Downloader & Converter
2012-06-03 12:04:22 -------- d-----w- C:\Program Files (x86)\GreenTree Applications
.
==================== Find3M ====================
.
2012-06-17 11:50:40 687600 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-06-09 09:50:45 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-09 09:50:45 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-04-18 19:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-04-18 19:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2012-04-12 17:12:56 147248 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
2012-04-12 17:12:54 224048 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
2012-04-12 17:12:54 166192 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
2012-04-12 17:12:54 130864 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
2012-04-12 17:12:54 117040 ----a-w- C:\Windows\System32\drivers\VBoxUSB.sys
2012-04-12 17:12:52 320816 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll
2012-03-30 11:35:47 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 21:07:00.55 ===============


I am uploading two more encrypted files together with their plaintext versions to the link I used before.

Thanks to you and Fabian for all your help.

Richard

#15 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,180 posts
  • Gender:Male
  • Location:California

Posted 24 June 2012 - 12:30 PM

Greetings Richard Pierse,


I would like you to upload 2 or 3 files again. Only select files which failed to decrypt after running decrypt_birele.zip. Please put the files into a folder then zip the folder.

When you ran the program were any of the files successfully decrypted or did it fail on all of the encrypted files?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



