infection redirecting web traffic

[Shuichiro]

Hi, I always get great results from this site and great help the few times I've needed it . Here's my hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:21 AM, on 1/21/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Users\Shuichiro\AppData\Local\Temp\mdm.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [sefjhf98jfoidsfoishgoiusgdgfgd] C:\Users\Shuichiro\AppData\Local\Temp\gfxwdd88jv.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\Shuichiro\AppData\Local\Temp\mdm.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\Windows\system32\kbdsock.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - SOURCENEXT - C:\Windows\system32\bgsvcgen.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5449 bytes

 

[Blade81]

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking download exe -button and then saving it your desktop:

• Double-click .exe that you downloaded
• Click rootkit-tab and then scan.
• Don't check
  Show All
  box while scanning in progress!
• When scanning is ready, click Copy.
• This copies log to clipboard
• Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.

 

[Shuichiro]

Attached log files for DDS, Attach, and GMER.

Thanks for helping!

- Shuichiro

 

[Blade81]

Hi,

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread.

Please go to Control Panel > Programs and Features and uninstall the programs listed above (in red).


Empty Recycle Bin.

After that:


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download Combofix*from any of the links below. You must rename (i.e. Shuichiro.exe) it before saving it. Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on Shuichiro.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt contents (don't use attachment if the contents fit in your post).

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

 

[Shuichiro]

ComboFix 10-01-26.01 - Shuichiro 01/26/2010 13:46:24.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2942.2015 [GMT -5:00]
Running from: c:\users\Shuichiro\Desktop\Shuichiro.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.
ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\H8SRTvbejeetfsv.dll
c:\windows\system32\ndisdrv.sys
c:\windows\UA000106.DLL

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ndisdrv
-------\Service_ndisdrv


((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 19:02 . 2010-01-26 19:02 -------- d-----w- C:\Device
2010-01-26 19:00 . 2010-01-26 19:04 -------- d-----w- c:\users\Shuichiro\AppData\Local\temp
2010-01-26 19:00 . 2010-01-26 19:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-21 21:13 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 05:19 . 2010-01-21 05:20 -------- d-----w- c:\program files\ERUNT
2010-01-21 05:14 . 2010-01-21 05:14 -------- d-----w- c:\program files\Trend Micro
2010-01-21 04:50 . 2010-01-21 04:50 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-21 04:50 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-21 04:50 . 2010-01-21 04:50 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-21 04:50 . 2010-01-21 04:50 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-21 04:50 . 2010-01-21 04:50 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-21 04:50 . 2010-01-21 04:50 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-21 04:45 . 2010-01-21 04:45 -------- d-----w- c:\program files\Lavasoft
2010-01-21 03:41 . 2010-01-21 03:41 18431 ----a-w- C:\lnfae.exe
2010-01-21 02:53 . 2010-01-21 02:53 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\AVS4YOU
2010-01-21 02:53 . 2010-01-21 02:53 -------- d-----w- c:\programdata\AVS4YOU
2010-01-21 02:46 . 2010-01-21 02:47 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-21 02:46 . 2008-08-13 16:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-01-21 02:46 . 2008-08-13 16:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-01-21 02:46 . 2008-08-13 16:22 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-01-21 02:46 . 2010-01-21 02:47 -------- d-----w- c:\program files\AVS4YOU
2010-01-21 02:46 . 2008-08-13 16:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-01-21 02:46 . 2008-08-13 16:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-20 07:23 . 2010-01-20 07:25 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Ulead Systems
2010-01-20 07:20 . 2010-01-20 07:20 -------- d-----w- c:\program files\Windows Media Components
2010-01-20 07:18 . 2010-01-20 07:41 -------- d-----w- c:\programdata\Ulead Systems
2010-01-20 07:15 . 2010-01-20 07:41 -------- d-----w- c:\program files\Corel
2010-01-20 07:15 . 2010-01-20 07:15 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\InstallShield
2010-01-13 00:24 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 00:24 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-11 04:22 . 2010-01-03 17:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-11 04:22 . 2007-11-29 17:52 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-01-06 05:03 . 2006-03-23 02:44 9728 ----a-w- c:\windows\system32\TCMSVR.dll
2010-01-06 05:03 . 2010-01-06 05:03 -------- d-----w- c:\program files\TOSHIBA
2010-01-06 05:03 . 2006-11-20 03:11 7168 ----a-w- c:\windows\system32\drivers\FwLnk.sys
2010-01-06 05:03 . 2010-01-06 05:03 -------- d-----w- c:\windows\Driver Cache
2010-01-06 03:30 . 2010-01-06 03:30 -------- d-----w- C:\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
2010-01-03 03:36 . 2010-01-03 03:36 -------- d-----w- c:\users\Shuichiro\AppData\Local\Apple Computer
2009-12-28 02:44 . 2009-12-28 02:44 -------- d-----w- c:\users\Shuichiro\AppData\Local\http___www.julien-manici
2009-12-28 00:03 . 2009-12-29 03:31 -------- d-----w- c:\users\Shuichiro\AppData\Local\RB2_DLC_Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 18:51 . 2009-12-05 03:27 391716 ----a-w- c:\windows\system32\perfh011.dat
2010-01-26 18:51 . 2009-12-05 03:27 103702 ----a-w- c:\windows\system32\perfc011.dat
2010-01-26 18:38 . 2009-12-05 04:10 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\uTorrent
2010-01-21 04:50 . 2010-01-21 04:45 -------- d-----w- c:\programdata\Lavasoft
2010-01-21 04:50 . 2010-01-21 04:50 372280 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-21 04:50 . 2010-01-21 04:50 194104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-21 04:49 . 2010-01-21 04:49 6296864 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-21 04:48 . 2010-01-21 04:48 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-21 04:48 . 2010-01-21 04:48 3803208 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-21 04:48 . 2010-01-21 04:48 816272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-21 04:48 . 2010-01-21 04:48 823928 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-21 04:48 . 2010-01-21 04:48 1643272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-21 04:48 . 2010-01-21 04:48 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-21 04:48 . 2010-01-21 04:48 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-21 04:46 . 2010-01-21 04:46 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-21 03:31 . 2009-12-07 08:58 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\vlc
2010-01-21 02:53 . 2009-12-05 04:04 73496 ----a-w- c:\users\Shuichiro\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-20 08:06 . 2009-12-06 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-20 07:21 . 2009-12-06 06:20 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-20 06:39 . 2009-12-17 02:38 -------- d-----w- c:\program files\JDownloader
2010-01-20 06:02 . 2009-12-18 20:49 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Pegasys Inc
2010-01-20 06:02 . 2009-12-18 20:48 -------- d-----w- c:\program files\Pegasys Inc
2010-01-18 05:55 . 2009-12-05 05:43 -------- d-----w- c:\program files\Trillian
2010-01-16 05:19 . 2009-12-14 10:23 1 ----a-w- c:\users\Shuichiro\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-28 01:51 . 2009-12-05 19:38 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Auslogics
2009-12-24 06:14 . 2009-12-17 01:14 -------- d-----w- c:\program files\Google
2009-12-20 23:13 . 2009-12-20 23:15 59240 ----a-w- c:\windows\system32\GenSvcInst.exe
2009-12-20 23:13 . 2009-12-20 23:15 38944 ----a-w- c:\windows\system32\drivers\CDRBSDRV.SYS
2009-12-20 23:13 . 2009-12-20 23:15 139264 ----a-w- c:\windows\system32\bgsvcgen.exe
2009-12-18 22:03 . 2009-12-18 22:03 -------- d-----w- c:\program files\WBFS
2009-12-18 20:51 . 2009-12-18 20:51 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\LEAPS
2009-12-14 10:22 . 2009-12-14 10:22 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\OpenOffice.org
2009-12-13 20:15 . 2009-12-13 20:15 -------- d-----w- c:\program files\Alcohol Soft
2009-12-13 20:12 . 2009-12-13 20:12 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-13 19:16 . 2009-12-11 07:05 -------- d-----w- c:\program files\Common Files\PGP Corporation
2009-12-13 19:08 . 2009-12-13 19:08 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\PGP Corporation
2009-12-13 08:23 . 2009-12-13 08:06 -------- d-----w- c:\program files\osu!
2009-12-12 05:32 . 2009-12-12 05:23 -------- d-----w- c:\programdata\PopCap Games
2009-12-12 04:55 . 2009-12-12 04:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-12 04:33 . 2009-12-12 04:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-12 04:13 . 2009-12-12 04:13 -------- d-----w- c:\programdata\PGP Corporation
2009-12-11 08:00 . 2009-12-11 08:00 -------- d-----w- c:\program files\MSXML 4.0
2009-12-11 07:05 . 2009-12-11 07:05 148416 ----a-w- c:\windows\system32\PGPlspRollback.reg
2009-12-11 05:30 . 2009-12-11 05:30 -------- d-----w- c:\programdata\SlySoft
2009-12-11 05:27 . 2009-12-11 05:27 -------- d-----w- c:\program files\SlySoft
2009-12-11 05:20 . 2009-12-11 05:15 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Nero
2009-12-11 05:07 . 2009-12-11 04:52 -------- d-----w- c:\program files\Common Files\Nero
2009-12-11 05:05 . 2009-12-11 04:53 -------- d-----w- c:\program files\Nero
2009-12-11 04:56 . 2009-12-11 02:05 -------- d-----w- c:\programdata\Nero
2009-12-10 19:20 . 2009-12-10 02:30 -------- d-----w- c:\programdata\NOS
2009-12-10 02:31 . 2009-12-10 02:31 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-10 02:30 . 2009-12-10 02:30 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-10 02:30 . 2009-12-10 02:30 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-12-10 00:09 . 2009-12-10 00:09 -------- d-----w- c:\programdata\Raxco
2009-12-10 00:09 . 2009-12-10 00:07 -------- d-----w- c:\program files\Raxco
2009-12-07 14:10 . 2010-01-21 04:46 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-07 08:57 . 2009-12-07 08:57 -------- d-----w- c:\program files\VideoLAN
2009-12-06 08:08 . 2009-12-06 08:07 -------- d-----w- c:\program files\QuickTime
2009-12-06 08:07 . 2009-12-06 08:07 -------- d-----w- c:\programdata\Apple Computer
2009-12-06 08:06 . 2009-12-06 08:06 -------- d-----w- c:\program files\Common Files\Apple
2009-12-06 08:06 . 2009-12-06 08:06 -------- d-----w- c:\program files\Apple Software Update
2009-12-06 08:06 . 2009-12-06 08:06 -------- d-----w- c:\programdata\Apple
2009-12-06 06:35 . 2009-12-06 06:35 -------- d-----w- c:\program files\MediaMonkey
2009-12-06 06:26 . 2009-12-06 06:26 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Creative
2009-12-06 06:22 . 2009-12-06 06:21 -------- d--h--w- c:\program files\Creative Installation Information
2009-12-06 06:22 . 2009-12-06 06:21 -------- d-----w- c:\program files\Creative
2009-12-06 06:21 . 2009-12-06 06:21 -------- d-----w- c:\programdata\Creative
2009-12-06 06:21 . 2009-12-06 06:21 -------- d-----w- c:\program files\Common Files\Creative
2009-12-06 05:59 . 2009-12-06 05:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-12-05 20:09 . 2009-12-05 19:01 -------- d-----w- c:\program files\Java
2009-12-05 19:33 . 2009-12-05 19:33 -------- d-----w- c:\program files\Auslogics
2009-12-05 19:02 . 2009-12-05 19:02 -------- d-----w- c:\program files\JRE
2009-12-05 19:02 . 2009-12-05 19:02 -------- d-----w- c:\program files\OpenOffice.org 3
2009-12-05 05:56 . 2009-12-05 05:56 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-05 05:44 . 2009-12-05 05:43 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Trillian
2009-12-05 05:42 . 2009-12-05 05:42 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-12-05 04:19 . 2009-12-05 04:17 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Move Networks
2009-12-05 04:17 . 2009-12-05 04:17 143976 ----a-w- c:\users\Shuichiro\AppData\Roaming\Move Networks\uninstall.exe
2009-12-05 04:17 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Shuichiro\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2009-12-05 03:59 . 2009-12-05 03:54 -------- d-----w- c:\programdata\Comodo
2009-12-05 03:54 . 2009-12-05 03:54 74328 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-12-05 03:54 . 2009-12-05 03:54 29520 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-05 03:54 . 2009-12-05 03:54 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-05 03:54 . 2009-12-05 03:54 128376 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-05 03:54 . 2009-12-05 03:54 -------- d-----w- c:\program files\COMODO
2009-12-05 03:48 . 2009-12-05 03:48 -------- d-----w- c:\program files\Alwil Software
2009-12-05 03:43 . 2009-12-05 03:43 0 ----a-w- c:\windows\nsreg.dat
2009-12-05 03:25 . 2009-12-05 03:25 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-05 03:23 . 2009-07-14 07:50 -------- d-----w- c:\program files\Windows Journal
2009-12-05 03:23 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar
2009-12-05 03:23 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Photo Viewer
2009-12-05 03:23 . 2009-07-14 04:52 -------- d-----w- c:\program files\DVD Maker
2009-12-05 03:23 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2009-12-05 03:23 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Defender
2009-12-05 03:21 . 2009-12-05 03:27 31548 ----a-w- c:\windows\system32\perfd011.dat
2009-12-05 03:21 . 2009-12-05 03:27 141988 ----a-w- c:\windows\system32\perfi011.dat
2009-12-05 03:21 . 2009-12-05 03:23 31548 ----a-w- c:\windows\inf\PERFLIB\0411\perfd.dat
2009-12-05 03:21 . 2009-12-05 03:23 31548 ----a-w- c:\windows\inf\PERFLIB\0411\perfc.dat
2009-12-05 03:21 . 2009-12-05 03:23 141988 ----a-w- c:\windows\inf\PERFLIB\0411\perfi.dat
2009-12-05 03:21 . 2009-12-05 03:23 141988 ----a-w- c:\windows\inf\PERFLIB\0411\perfh.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-12-05 1800464]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\users\Shuichiro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)
"DisableStartupSound"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [1/20/2010 11:50 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [12/4/2009 10:49 PM 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [12/4/2009 10:54 PM 128376]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [12/4/2009 10:54 PM 29520]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [7/13/2009 6:52 PM 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [12/4/2009 10:49 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [12/4/2009 10:48 PM 53328]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [12/11/2009 11:32 PM 1153368]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [1/6/2010 12:03 AM 7168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\System32\drivers\Rt86win7.sys [11/5/2009 2:14 PM 230912]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 1:13 AM 135664]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [7/13/2009 7:18 PM 17920]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 06:13]

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 06:13]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Shuichiro\AppData\Roaming\Mozilla\Firefox\Profiles\jl7epwdi.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\Shuichiro\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86486856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x856d3810
QueryNameProcedure -> 0x856d39a0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\H8SRTd.sys]
"imagepath"="\systemroot\system32\drivers\H8SRThkvgrcqyop.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\H8SRTd.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\H8SRThkvgrcqyop.sys"
"group"="file system"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Raxco\PerfectDisk10\PDEngine.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Raxco\PerfectDisk10\PDAgentS1.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2010-01-26 14:10:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-26 19:10

Pre-Run: 63,197,593,600 bytes free
Post-Run: 62,922,899,456 bytes free

- - End Of File - - CF8BA98E55E7C1B57882E7770DABE2DA

 

[Blade81]

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

http://forums.spybot.info/showthread.php?p=357346#post357346
Collect::
C:\lnfae.exe
Folder::
c:\users\Shuichiro\AppData\Roaming\uTorrent
File::
c:\windows\system32\drivers\H8SRThkvgrcqyop.sys
RegLockDel::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\H8SRTd.sys]

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.3) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

 

[Shuichiro]

ComboFix 10-01-26.01 - Shuichiro 01/26/2010 15:07:27.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2942.2114 [GMT -5:00]
Running from: c:\users\Shuichiro\Desktop\Shuichiro.exe
Command switches used :: c:\users\Shuichiro\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

FILE ::
"c:\windows\system32\drivers\H8SRThkvgrcqyop.sys"

file zipped: C:\lnfae.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\lnfae.exe
c:\users\Shuichiro\AppData\Roaming\uTorrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\[Ayako-Himatsubushi]_Needless_-_01_[400p][XVID][C299D094].avi.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\[Live-eviL]_Queen_Millennia_(TV)_-_01_[1CE2479A].mkv.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\2009 NFL WK 15 Dallas Cowboys at New Orleans Saints.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\After School Nightmare.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Akane-chan overdrive.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Artificial Maiden.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Castlevania The Adventure ReBirth NTSC-U.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\CFW_5_50_GEN_D3.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Dark Shadows The Beginning 1.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\dht.dat
c:\users\Shuichiro\AppData\Roaming\uTorrent\dht.dat.old
c:\users\Shuichiro\AppData\Roaming\uTorrent\Dragon Naturally Speaking V10 Preferred.rar.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Fatal Frame IV English Translation.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Hellsing Ultimate OVA - 07 RAW (704x396 XviD).avi.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Higurashi_Daybrake_Portable_Mega_Edition_JPN_PSP-Caravan.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Imagine - John Lennon.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Just.Dance.PAL.Wii-GLoBAL.1.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Just.Dance.PAL.Wii-GLoBAL.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Kidou_Senshi_Gundam_-_Gundam_vs_Gundam_Next_Plus_JPN_PSP-iND.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Lady.Gaga.-.The.Fame.Monster.(Deluxe.Edition).2009.LanzaMp3.CoM.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Mario.Golf.N64.USA.VC.Wii-DiPLODOCUS.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Neo-Geo Arcade Perfect Set (20080101) [Misc. Genres1990].torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\NINTENDO 64 COMPLETE (U) [!] ROMSET.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Nintendo Wii (Virtual Console).torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\NMH2.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\resume.dat
c:\users\Shuichiro\AppData\Roaming\uTorrent\resume.dat.old
c:\users\Shuichiro\AppData\Roaming\uTorrent\rss.dat
c:\users\Shuichiro\AppData\Roaming\uTorrent\rss.dat.old
c:\users\Shuichiro\AppData\Roaming\uTorrent\settings.dat
c:\users\Shuichiro\AppData\Roaming\uTorrent\settings.dat.old
c:\users\Shuichiro\AppData\Roaming\uTorrent\Super.Smash.Bros.USA.VC.N64.Wii-BITE_Mii.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\The Carpenters Discography.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\The_Legend_of_Zelda_Spirit_Tracks_USA_CRACK_NDS-XPA.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\The_Legend_of_Zelda_Spirit_Tracks_USA_READNFO_NDS-XPA.torrent
c:\users\Shuichiro\AppData\Roaming\uTorrent\Thirst.2009.SUBBED.NTSC.DVDR-DPiMP.torrent

.
((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 20:21 . 2010-01-26 20:22 -------- d-----w- c:\users\Shuichiro\AppData\Local\temp
2010-01-26 20:21 . 2010-01-26 20:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-26 20:21 . 2010-01-26 20:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-26 19:02 . 2010-01-26 19:02 -------- d-----w- C:\Device
2010-01-21 21:13 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 05:19 . 2010-01-21 05:20 -------- d-----w- c:\program files\ERUNT
2010-01-21 05:14 . 2010-01-21 05:14 -------- d-----w- c:\program files\Trend Micro
2010-01-21 04:50 . 2010-01-21 04:50 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-21 04:50 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-21 04:50 . 2010-01-21 04:50 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-21 04:50 . 2010-01-21 04:50 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-21 04:50 . 2010-01-21 04:50 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-21 04:50 . 2010-01-21 04:50 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-21 04:45 . 2010-01-21 04:45 -------- d-----w- c:\program files\Lavasoft
2010-01-21 02:53 . 2010-01-21 02:53 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\AVS4YOU
2010-01-21 02:53 . 2010-01-21 02:53 -------- d-----w- c:\programdata\AVS4YOU
2010-01-21 02:46 . 2010-01-21 02:47 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-21 02:46 . 2008-08-13 16:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-01-21 02:46 . 2008-08-13 16:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-01-21 02:46 . 2008-08-13 16:22 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-01-21 02:46 . 2010-01-21 02:47 -------- d-----w- c:\program files\AVS4YOU
2010-01-21 02:46 . 2008-08-13 16:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-01-21 02:46 . 2008-08-13 16:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-20 07:23 . 2010-01-20 07:25 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Ulead Systems
2010-01-20 07:20 . 2010-01-20 07:20 -------- d-----w- c:\program files\Windows Media Components
2010-01-20 07:18 . 2010-01-20 07:41 -------- d-----w- c:\programdata\Ulead Systems
2010-01-20 07:15 . 2010-01-20 07:41 -------- d-----w- c:\program files\Corel
2010-01-20 07:15 . 2010-01-20 07:15 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\InstallShield
2010-01-13 00:24 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 00:24 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-11 04:22 . 2010-01-03 17:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-11 04:22 . 2007-11-29 17:52 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-01-06 05:03 . 2006-03-23 02:44 9728 ----a-w- c:\windows\system32\TCMSVR.dll
2010-01-06 05:03 . 2010-01-06 05:03 -------- d-----w- c:\program files\TOSHIBA
2010-01-06 05:03 . 2006-11-20 03:11 7168 ----a-w- c:\windows\system32\drivers\FwLnk.sys
2010-01-06 05:03 . 2010-01-06 05:03 -------- d-----w- c:\windows\Driver Cache
2010-01-06 03:30 . 2010-01-06 03:30 -------- d-----w- C:\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
2010-01-03 03:36 . 2010-01-03 03:36 -------- d-----w- c:\users\Shuichiro\AppData\Local\Apple Computer
2009-12-28 02:44 . 2009-12-28 02:44 -------- d-----w- c:\users\Shuichiro\AppData\Local\http___www.julien-manici
2009-12-28 00:03 . 2009-12-29 03:31 -------- d-----w- c:\users\Shuichiro\AppData\Local\RB2_DLC_Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 20:11 . 2009-12-05 03:27 391716 ----a-w- c:\windows\system32\perfh011.dat
2010-01-26 20:11 . 2009-12-05 03:27 103702 ----a-w- c:\windows\system32\perfc011.dat
2010-01-21 04:50 . 2010-01-21 04:45 -------- d-----w- c:\programdata\Lavasoft
2010-01-21 04:50 . 2010-01-21 04:50 372280 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-21 04:50 . 2010-01-21 04:50 194104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-21 04:49 . 2010-01-21 04:49 6296864 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-21 04:48 . 2010-01-21 04:48 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-21 04:48 . 2010-01-21 04:48 3803208 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-21 04:48 . 2010-01-21 04:48 816272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-21 04:48 . 2010-01-21 04:48 823928 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-21 04:48 . 2010-01-21 04:48 1643272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-21 04:48 . 2010-01-21 04:48 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-21 04:48 . 2010-01-21 04:48 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-21 04:46 . 2010-01-21 04:46 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-21 03:31 . 2009-12-07 08:58 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\vlc
2010-01-21 02:53 . 2009-12-05 04:04 73496 ----a-w- c:\users\Shuichiro\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-20 08:06 . 2009-12-06 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-20 07:21 . 2009-12-06 06:20 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-20 06:39 . 2009-12-17 02:38 -------- d-----w- c:\program files\JDownloader
2010-01-20 06:02 . 2009-12-18 20:49 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Pegasys Inc
2010-01-20 06:02 . 2009-12-18 20:48 -------- d-----w- c:\program files\Pegasys Inc
2010-01-18 05:55 . 2009-12-05 05:43 -------- d-----w- c:\program files\Trillian
2010-01-16 05:19 . 2009-12-14 10:23 1 ----a-w- c:\users\Shuichiro\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-28 01:51 . 2009-12-05 19:38 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Auslogics
2009-12-24 06:14 . 2009-12-17 01:14 -------- d-----w- c:\program files\Google
2009-12-20 23:13 . 2009-12-20 23:15 59240 ----a-w- c:\windows\system32\GenSvcInst.exe
2009-12-20 23:13 . 2009-12-20 23:15 38944 ----a-w- c:\windows\system32\drivers\CDRBSDRV.SYS
2009-12-20 23:13 . 2009-12-20 23:15 139264 ----a-w- c:\windows\system32\bgsvcgen.exe
2009-12-18 22:03 . 2009-12-18 22:03 -------- d-----w- c:\program files\WBFS
2009-12-18 20:51 . 2009-12-18 20:51 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\LEAPS
2009-12-14 10:22 . 2009-12-14 10:22 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\OpenOffice.org
2009-12-13 20:15 . 2009-12-13 20:15 -------- d-----w- c:\program files\Alcohol Soft
2009-12-13 20:12 . 2009-12-13 20:12 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-13 19:16 . 2009-12-11 07:05 -------- d-----w- c:\program files\Common Files\PGP Corporation
2009-12-13 19:08 . 2009-12-13 19:08 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\PGP Corporation
2009-12-13 08:23 . 2009-12-13 08:06 -------- d-----w- c:\program files\osu!
2009-12-12 05:32 . 2009-12-12 05:23 -------- d-----w- c:\programdata\PopCap Games
2009-12-12 04:55 . 2009-12-12 04:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-12 04:33 . 2009-12-12 04:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-12 04:13 . 2009-12-12 04:13 -------- d-----w- c:\programdata\PGP Corporation
2009-12-11 08:00 . 2009-12-11 08:00 -------- d-----w- c:\program files\MSXML 4.0
2009-12-11 07:05 . 2009-12-11 07:05 148416 ----a-w- c:\windows\system32\PGPlspRollback.reg
2009-12-11 05:30 . 2009-12-11 05:30 -------- d-----w- c:\programdata\SlySoft
2009-12-11 05:27 . 2009-12-11 05:27 -------- d-----w- c:\program files\SlySoft
2009-12-11 05:20 . 2009-12-11 05:15 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Nero
2009-12-11 05:07 . 2009-12-11 04:52 -------- d-----w- c:\program files\Common Files\Nero
2009-12-11 05:05 . 2009-12-11 04:53 -------- d-----w- c:\program files\Nero
2009-12-11 04:56 . 2009-12-11 02:05 -------- d-----w- c:\programdata\Nero
2009-12-10 19:20 . 2009-12-10 02:30 -------- d-----w- c:\programdata\NOS
2009-12-10 02:31 . 2009-12-10 02:31 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-10 02:30 . 2009-12-10 02:30 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-10 02:30 . 2009-12-10 02:30 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-12-10 00:09 . 2009-12-10 00:09 -------- d-----w- c:\programdata\Raxco
2009-12-10 00:09 . 2009-12-10 00:07 -------- d-----w- c:\program files\Raxco
2009-12-07 14:10 . 2010-01-21 04:46 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-07 08:57 . 2009-12-07 08:57 -------- d-----w- c:\program files\VideoLAN
2009-12-06 08:08 . 2009-12-06 08:07 -------- d-----w- c:\program files\QuickTime
2009-12-06 08:07 . 2009-12-06 08:07 -------- d-----w- c:\programdata\Apple Computer
2009-12-06 08:06 . 2009-12-06 08:06 -------- d-----w- c:\program files\Common Files\Apple
2009-12-06 08:06 . 2009-12-06 08:06 -------- d-----w- c:\program files\Apple Software Update
2009-12-06 08:06 . 2009-12-06 08:06 -------- d-----w- c:\programdata\Apple
2009-12-06 06:35 . 2009-12-06 06:35 -------- d-----w- c:\program files\MediaMonkey
2009-12-06 06:26 . 2009-12-06 06:26 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Creative
2009-12-06 06:22 . 2009-12-06 06:21 -------- d--h--w- c:\program files\Creative Installation Information
2009-12-06 06:22 . 2009-12-06 06:21 -------- d-----w- c:\program files\Creative
2009-12-06 06:21 . 2009-12-06 06:21 -------- d-----w- c:\programdata\Creative
2009-12-06 06:21 . 2009-12-06 06:21 -------- d-----w- c:\program files\Common Files\Creative
2009-12-06 05:59 . 2009-12-06 05:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-12-05 20:09 . 2009-12-05 19:01 -------- d-----w- c:\program files\Java
2009-12-05 19:33 . 2009-12-05 19:33 -------- d-----w- c:\program files\Auslogics
2009-12-05 19:02 . 2009-12-05 19:02 -------- d-----w- c:\program files\JRE
2009-12-05 19:02 . 2009-12-05 19:02 -------- d-----w- c:\program files\OpenOffice.org 3
2009-12-05 05:56 . 2009-12-05 05:56 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-05 05:44 . 2009-12-05 05:43 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Trillian
2009-12-05 05:42 . 2009-12-05 05:42 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-12-05 04:19 . 2009-12-05 04:17 -------- d-----w- c:\users\Shuichiro\AppData\Roaming\Move Networks
2009-12-05 04:17 . 2009-12-05 04:17 143976 ----a-w- c:\users\Shuichiro\AppData\Roaming\Move Networks\uninstall.exe
2009-12-05 04:17 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Shuichiro\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2009-12-05 03:59 . 2009-12-05 03:54 -------- d-----w- c:\programdata\Comodo
2009-12-05 03:54 . 2009-12-05 03:54 74328 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-12-05 03:54 . 2009-12-05 03:54 29520 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-05 03:54 . 2009-12-05 03:54 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-05 03:54 . 2009-12-05 03:54 128376 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-05 03:54 . 2009-12-05 03:54 -------- d-----w- c:\program files\COMODO
2009-12-05 03:48 . 2009-12-05 03:48 -------- d-----w- c:\program files\Alwil Software
2009-12-05 03:43 . 2009-12-05 03:43 0 ----a-w- c:\windows\nsreg.dat
2009-12-05 03:25 . 2009-12-05 03:25 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-05 03:23 . 2009-07-14 07:50 -------- d-----w- c:\program files\Windows Journal
2009-12-05 03:23 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar
2009-12-05 03:23 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Photo Viewer
2009-12-05 03:23 . 2009-07-14 04:52 -------- d-----w- c:\program files\DVD Maker
2009-12-05 03:23 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2009-12-05 03:23 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Defender
2009-12-05 03:21 . 2009-12-05 03:27 31548 ----a-w- c:\windows\system32\perfd011.dat
2009-12-05 03:21 . 2009-12-05 03:27 141988 ----a-w- c:\windows\system32\perfi011.dat
2009-12-05 03:21 . 2009-12-05 03:23 31548 ----a-w- c:\windows\inf\PERFLIB\0411\perfd.dat
2009-12-05 03:21 . 2009-12-05 03:23 31548 ----a-w- c:\windows\inf\PERFLIB\0411\perfc.dat
2009-12-05 03:21 . 2009-12-05 03:23 141988 ----a-w- c:\windows\inf\PERFLIB\0411\perfi.dat
2009-12-05 03:21 . 2009-12-05 03:23 141988 ----a-w- c:\windows\inf\PERFLIB\0411\perfh.dat
2009-12-05 03:17 . 2009-12-05 03:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-26_19.04.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 03:30 . 2010-01-26 20:06 25344 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-01-26 20:06 37738 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-12-05 06:00 . 2010-01-26 19:04 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-05 06:00 . 2010-01-26 20:03 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:41 . 2010-01-26 19:04 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2010-01-26 20:03 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-05 03:09 . 2010-01-26 19:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-05 03:09 . 2010-01-26 20:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-05 03:09 . 2010-01-26 20:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-05 03:09 . 2010-01-26 19:04 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-05 03:09 . 2010-01-26 19:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-05 03:09 . 2010-01-26 20:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-05 03:09 . 2010-01-26 20:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-05 03:09 . 2010-01-26 19:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-05 17:51 . 2010-01-26 18:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-05 17:51 . 2010-01-26 20:07 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-05 17:51 . 2010-01-26 18:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-12-05 17:51 . 2010-01-26 20:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-12-05 17:51 . 2010-01-26 20:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-12-05 17:51 . 2010-01-26 18:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-12-05 03:09 . 2010-01-26 19:03 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-05 03:09 . 2010-01-26 20:07 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-05 03:09 . 2010-01-26 20:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-05 03:09 . 2010-01-26 19:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-05 03:10 . 2010-01-26 20:06 5824 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2198427036-1155312072-2344750315-1001_UserData.bin
- 2010-01-26 18:43 . 2010-01-26 19:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-26 20:04 . 2010-01-26 20:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-26 20:04 . 2010-01-26 20:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-01-26 18:43 . 2010-01-26 19:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:05 . 2010-01-26 20:11 615360 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-01-26 18:51 615360 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2010-01-26 20:11 103702 c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2010-01-26 18:51 103702 c:\windows\System32\perfc009.dat
- 2009-12-05 03:11 . 2010-01-26 18:43 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-12-05 03:11 . 2010-01-26 20:03 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-12-05 06:00 . 2010-01-26 19:04 442368 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-05 06:00 . 2010-01-26 20:03 442368 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 02:03 . 2010-01-26 18:53 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2010-01-26 20:14 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-12-05 1800464]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\users\Shuichiro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)
"DisableStartupSound"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [1/20/2010 11:50 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [12/4/2009 10:49 PM 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [12/4/2009 10:54 PM 128376]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [12/4/2009 10:54 PM 29520]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [7/13/2009 6:52 PM 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [12/4/2009 10:49 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [12/4/2009 10:48 PM 53328]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [12/11/2009 11:32 PM 1153368]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [1/6/2010 12:03 AM 7168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\System32\drivers\Rt86win7.sys [11/5/2009 2:14 PM 230912]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [12/13/2009 3:12 PM 721904]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 1:13 AM 135664]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [7/13/2009 7:18 PM 17920]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 04:48]

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 06:13]

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 06:13]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Shuichiro\AppData\Roaming\Mozilla\Firefox\Profiles\jl7epwdi.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\Shuichiro\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86402856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xe5726854
SecurityProcedure -> 0x1
QueryNameProcedure -> 0x8bc05cf6
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-01-26 15:25:50
ComboFix-quarantined-files.txt 2010-01-26 20:25
ComboFix2.txt 2010-01-26 19:11

Pre-Run: 62,993,788,928 bytes free
Post-Run: 62,925,180,928 bytes free

- - End Of File - - 81838BDB4A35555EEE9A1C3F6C51DF62
Upload was successful

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 26, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 26, 2010 20:24:32
Records in database: 3373978
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Objects scanned: 115485
Threats found: 8
Infected objects found: 16
Suspicious objects found: 0
Scan duration: 01:54:57


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\H8SRTvbejeetfsv.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\Windows\System32\ndisdrv.sys.vir Infected: Rootkit.Win32.Tiny.hm 1
C:\Users\Shuichiro\AppData\Roaming\Auslogics\Rescue\One Button Checkup\100120233401613.rsc Infected: Trojan.Win32.Cosmu.kju 2
C:\Users\Shuichiro\AppData\Roaming\Auslogics\Rescue\One Button Checkup\100120233401613.rsc Infected: Packed.Win32.TDSS.aa 1
C:\Users\Shuichiro\AppData\Roaming\Auslogics\Rescue\One Button Checkup\100120233401613.rsc Infected: Trojan-Downloader.Win32.Agent.dabu 2
C:\Users\Shuichiro\AppData\Roaming\Auslogics\Rescue\One Button Checkup\100120233401613.rsc Infected: Trojan.Win32.Vilsel.rdh 6
C:\Users\Shuichiro\AppData\Roaming\Auslogics\Rescue\One Button Checkup\100120233401613.rsc Infected: Trojan-Dropper.Win32.Drooptroop.bk 1
C:\Users\Shuichiro\AppData\Roaming\Auslogics\Rescue\One Button Checkup\100120233401613.rsc Infected: Packed.Win32.Krap.x 1
C:\Users\Shuichiro\Desktop\Corel_Video_Studio_Pro_X2_v12.0.98.0_www.AsanDownload.com\Crack\Patch.exe Infected: Trojan-Spy.Win32.Ardamax.cve 1

Selected area has been scanned.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Shuichiro at 18:10:45.63 on Tue 01/26/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2942.1423 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\bgsvcgen.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Users\Shuichiro\AppData\Local\temp\jkos-Shuichiro\binaries\ScanningProcess.exe
C:\Users\Shuichiro\AppData\Local\temp\jkos-Shuichiro\binaries\ScanningProcess.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Shuichiro\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\users\shuich~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
mPolicies-system: DisableStartupSound = 1 (0x1)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\shuich~1\appdata\roaming\mozilla\firefox\profiles\jl7epwdi.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\shuichiro\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\shuichiro\appdata\roaming\mozilla\firefox\profiles\jl7epwdi.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-20 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-4 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-4 128376]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-4 29520]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-4 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-12-4 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-4 138680]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-11 1153368]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-4 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-4 352920]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2010-1-6 7168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-5 230912]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

=============== Created Last 30 ================

2010-01-26 20:26:53 0 d-sh--w- C:\$RECYCLE.BIN
2010-01-26 19:02:26 0 d-----w- C:\Device
2010-01-26 18:44:17 77312 ----a-w- c:\windows\MBR.exe
2010-01-26 18:44:16 98816 ----a-w- c:\windows\sed.exe
2010-01-26 18:44:16 261632 ----a-w- c:\windows\PEV.exe
2010-01-26 18:44:16 161792 ----a-w- c:\windows\SWREG.exe
2010-01-21 21:13:25 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 05:14:37 0 d-----w- c:\program files\Trend Micro
2010-01-21 04:50:22 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-21 04:46:14 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-21 04:45:43 0 d-----w- c:\programdata\Lavasoft
2010-01-21 04:45:43 0 d-----w- c:\program files\Lavasoft
2010-01-21 02:53:35 0 d-----w- c:\users\shuich~1\appdata\roaming\AVS4YOU
2010-01-21 02:53:34 0 d-----w- c:\programdata\AVS4YOU
2010-01-21 02:46:14 0 d-----w- c:\program files\common files\AVSMedia
2010-01-21 02:46:08 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-01-21 02:46:08 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-01-21 02:46:08 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-01-21 02:46:07 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-21 02:46:07 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-01-21 02:46:07 0 d-----w- c:\program files\AVS4YOU
2010-01-20 07:20:45 0 d-----w- c:\program files\Windows Media Components
2010-01-20 07:18:09 0 d-----w- c:\programdata\Ulead Systems
2010-01-20 07:15:37 0 d-----w- c:\program files\Corel
2010-01-13 00:24:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 00:24:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 02:50:15 31286680 ----a-w- C:\out2.ogg
2010-01-11 04:22:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-11 04:22:11 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-01-11 04:22:11 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-01-06 05:03:43 152848 ----a-w- c:\windows\system32\Comdlg32.ocx
2010-01-06 05:03:43 1081616 ----a-w- c:\windows\system32\mscomctl.ocx
2010-01-06 05:03:42 9728 ----a-w- c:\windows\system32\TCMSVR.dll
2010-01-06 05:03:41 7168 ----a-w- c:\windows\system32\drivers\FwLnk.sys
2010-01-06 05:03:41 0 d-----w- c:\program files\TOSHIBA
2010-01-06 05:03:06 0 d-----w- c:\windows\Driver Cache
2010-01-06 03:30:59 0 d-----w- C:\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

==================== Find3M ====================

2010-01-26 20:11:40 391716 ----a-w- c:\windows\system32\perfh011.dat
2010-01-26 20:11:40 103702 ----a-w- c:\windows\system32\perfc011.dat
2009-12-20 23:13:10 59240 ----a-w- c:\windows\system32\GenSvcInst.exe
2009-12-20 23:13:10 38944 ----a-w- c:\windows\system32\drivers\CDRBSDRV.SYS
2009-12-20 23:13:10 139264 ----a-w- c:\windows\system32\bgsvcgen.exe
2009-12-13 20:12:47 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-11 07:05:44 148416 ----a-w- c:\windows\system32\PGPlspRollback.reg
2009-12-06 05:59:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-12-05 05:56:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-05 03:54:16 29520 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-05 03:54:16 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-05 03:54:16 128376 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-05 03:21:08 31548 ----a-w- c:\windows\system32\perfd011.dat
2009-12-05 03:21:08 31548 ----a-w- c:\windows\inf\perflib\0411\perfd.dat
2009-12-05 03:21:08 31548 ----a-w- c:\windows\inf\perflib\0411\perfc.dat
2009-12-05 03:21:08 141988 ----a-w- c:\windows\system32\perfi011.dat
2009-12-05 03:21:08 141988 ----a-w- c:\windows\inf\perflib\0411\perfi.dat
2009-12-05 03:21:08 141988 ----a-w- c:\windows\inf\perflib\0411\perfh.dat
2009-12-05 03:17:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:22:37 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:11:40.66 ===============

 

[Blade81]

Hi,

Delete this file:
C:\Users\Shuichiro\AppData\Roaming\Auslogics\Rescue\One Button Checkup\100120233401613.rsc

and folder:
C:\Users\Shuichiro\Desktop\Corel_Video_Studio_Pro_X2_v12.0.98.0_www.AsanDownload.com\Crack

How's the system running now?

 

[Shuichiro]

Deleted the suggested folders/files and google was still being redirected...

Gave PC a restart and google is working correctly after 20 websites.

Thank you very much for all your help :bigthumb::thanks:

I'll check back to this thread until you reply in case you'd like another system scan or other action.

 

[Shuichiro]

Spoke to soon it seems, after some additional time the redirection is back again:sad:

I'm up for suggestions :red:

 

[Blade81]

Hi,

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
• Click the Disable button to disable your CD Emulation drivers.
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Then run ComboFix and post back its report.

 

[Shuichiro]

Hi again!

I couldn't get defogger to run and after a restart I couldn't get Windows to log into my profile.

Booted the computer into safe mode and completed a backup of personal files, and formatted with new windows installation. I think it's safe to say the infection is gone now:red:

I really want to thank you for all your assistance however, since I really appreciate help like yours in times of need.

 

[Blade81]

Ok. Thanks for letting us know I'll close the topic.