
Malware Infection - Computer Won't Do Anything...help!

Discussion in 'Malware Removal Help' started by bairn7, Apr 19, 2010.

  1. bairn7

    bairn7 Registered Members

    Joined:
    Apr 19, 2010
    Messages:
    21
    Location:
    edinburgh
    Operating System:
    Windows Vista Ultimate
    Hi Guys

    I'm going crazy, please help me!

    On Friday, my computer became infected with Antimalware Doctor. After spending hours trying to remove it, I have still been unable to do so. I tried the automatic method and malwarebytes found antimalware doctor files and removed them. But when I restarted, antimalware doctor was still present on my computer and malwarebytes can no longer find any infected files.

    I then tried the manual way to remove it and have been able to delete the registry keys but I cannot find any of the files mentioned in any of the websites that tell me about manual removal! There is nothing I can see in the system32 folder. Nor am I able to remove using add/remove programs.

    So I've got to a stage where antimalware doctor doesn't start when I start my computer. But now I have the following problems:

    - my computer is deathly slow at doing anything.
    - IE doesn't work
    - Google Chrome works intermittently but often crashes (every couple of clicks)
    - firefox works perfectly up to speed but I am unable to download anything at all (it freezes when I try to save or download a file).

    So I can browse using firefox but can't do anything else on my computer!! I'm going crazy. To make it worse, I hooked up my old computer and that immediately also became infected with antimalware doctor!! It runs XP and I can't even seem to get it into safe mode...aaargh!!

    PLEASE help me. I don't have a clue what else I can do. I've tried ccleaner, malwarebytes and ad-aware. None have been able to find any files or help.

    I'm absolutely stuck...please help!

    Thanks
     
  2. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    Welcome to Computer Help Forums Bairn!! It seems that things are getting worse rather than better. One of our Malware experts should be along and see this. I would urge you not to make any more changes until they do.

    In the meantime have a look at this thread. http://computerhelpforums.net/topic/13814-preparation-for-malware-removal-help/ I don't know if you will be able to do much of it but at least get familiar with the process.
     
  3. bairn7

    Thanks very much BeeCeeBee. I've done a lot of what is suggested in the thread but I can't currently download any of the software it recommends.

    Hopefully someone can help!
     
  4. bairn7

    Hi

    A bit of an update. It turns out that whilst firefox crashes my computer when I try to download anything, the file still downloads, so I was able to download and run TFC and malwarebytes again. I was only able to run a quick scan using malwarebytes this morning but it did find a few trojans etc. Unfortunately I didn't keep the log to post here.

    So to make sure I don't waste anyone's time, I'll follow the full rigmarole in BeeCeeBee's post above later today and post what I can. Hope this will help!

    Thanks again
    bairn
     
  5. DSTM (Dougie)

    DSTM (Dougie) Registered Members

    Joined:
    May 3, 2009
    Messages:
    8,270
    Location:
    SYDNEY AUSTRALIA
    Operating System:
    Windows 7
    Hi bairn7. Malwarebytes saves log files, by default.

    Click on "Logs", and select "Open".

    Copy and Paste from there. :)
     
  6. bairn7

    Thanks DSTM! I'll do it when I get home :)
     
  7. schrauber

    schrauber Guest

    Hi there :)

    Post the log when you are ready, I will have a look :)
     
  8. bairn7

    Right, here are my logs! The first is the malwarebytes log from my first scan a few days ago when the antimalware doctor files were found. The second is the malwarebytes log from this morning.

    And I have run OTL this evening. The log is attached.

    I tried to run GMER several times but the scan would either stall on a certain file (a different one each time) or it would cause my system to restart. I've tried several times and I have been unable to complete a scan so far.

    On the plus side, my computer seems to be running better since doing the above!! But I'm worried that the antimalware doctor files are still on my system because so far I've only been able to delete the registry entries and nothing else.

    Hopefully someone can help!

    Thanks for looking :)

    Paul
     


  9. BeeCeeBee

    I am going to move this thread to the malware removal forum. Doing that ensures that only the Malware Removal Specialist(s) that have been helping you will be able to post. (OK, other staff members can as well but we know better :) ) This is one of those times where we need to avoid too many cooks.
     
  10. schrauber

    schrauber Guest

    Hi,


    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
    When Should I Format, How Should I Reinstall

    We can still clean this machine but I can't guarantee that it will be 100% secure afterwards




    Please go here and have a look how you can disable your security software.

    Download Combofix from any of the links below but rename it to <schrauber> before saving it to your desktop.

    Link 1
    Link 2



    --------------------------------------------------------------------

    Double click on the renamed Combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    If you need help, see this link:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
     
  11. bairn7

    That is quite a worrying reply, but thank you for taking the time to help me! Here is the log from combofix. I notice that it has deleted enemies-names.txt and newupdate1142C.exe which I think are the two antimalware doctor files that I couldn't find.

    Incidentally, I'd actually be prepared to reformat and reinstall the OS but I actually tried this over the weekend and I'm getting a message that Vista can't communicate with one of the devices or something like that. Sorry, I'd have to try again to get the proper message.

    Thanks again for your help :)
     


  12. BeeCeeBee

    Jumping in here, me. That is indeed disturbing. If you decide to continue with the disinfection process and not reformat I will leave this thread right here for you to continue one on one with Tom. If you need help reformatting it should be moved out of this forum where Tom can continue but so can other members and staff.

    That is not to suggest that Tom could not help you with a formatting but it would no longer fall into the restricted malware removal category and there are others who will be more than able to evaluate your problem. By all means post the error message that you are getting.
     
  13. bairn7

    Thanks BeeCeeBee, I'll continue with disinfection which should hopefully do the trick. My computer was custom built and there have been lots of little things here and there running not quite right so I wouldn't be surprised if there would be a problem reinstalling Vista. But if you, or schrauber, recommend reinstalling rather than continuing then I will do that.

    Disinfection is my first choice though :)

    Thanks
     
  14. BeeCeeBee

    That is your choice and it will be left here. My concern is with the overall warning that schrauber gave. I personally would hate to not be able to ever trust my otherwise clean computer. However I expect that Tom will be the one to explain the risks more thoroughly if that is needed.
     
  15. schrauber

    schrauber Guest

    Hi,

    I have to give the backdoor speech because you have to know what is going on with your system. I think we can clean this :)


    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\kxldapod.sys
    c:\windows\system32\mode.exe
    C:\tujserrew.bat
    Folder::
    c:\users\Paul\AppData\Roaming\Ixapn
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{541A25E2-F305-15FA-C3E7-A38F68A1E9B9}"=-
    RegLOckDel::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bbnsvepsweylvdi]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



    First, you must verify that you can access the Vista Recovery Environment.
    To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
    If the option 'Repair your computer' is available, select it.

    If not available, you will need to insert your Vista installation dvd and restart, then press any key when prompted to boot from the cd.
    At the Install Windows screen, select Repair your computer. (image below)


    Next, please download maxlook, saving the file to your desktop.
    Double click maxlook.exe to run it. Note - you must run it only once!
    As instructed when the tool runs, restart the computer and logon to the Recovery Environment.
    Once you get to the System Recovery Options screen, first take note of the drive letter assigned to the operating system, then select Command Prompt.


    Type the following bolded command at the x:\sources> prompt (or x:\windows\system32>) then hit Enter.

    cd /d x:\windows <--- the red x represents your operating system drive letter, as shown in the image below



    At the C:\Windows> prompt type the following command then hit Enter

    look.bat

    You will see many files copied then return to the x:\windows> prompt.
    Type Exit then restart your computer and logon in normal mode.
    Back in windows, go to start > run and type

    maxlook -sig and hit enter. Please post back with the upcoming logfile.
     
  16. bairn7

    Hi again

    Here is my CFScript file:

    ComboFix 10-04-21.01 - Paul 22/04/2010 19:56:52.2.4 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1215 [GMT 1:00]
    Running from: c:\users\Paul\Desktop\schrauber.exe
    Command switches used :: c:\users\Paul\Desktop\CFScript.txt
    FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "C:\kxldapod.sys"
    "C:\tujserrew.bat"
    "c:\windows\system32\mode.exe"
    .
    PEV Error: LocalSettingsFile

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\kxldapod.sys
    C:\tujserrew.bat
    c:\users\Paul\AppData\Roaming\Ixapn
    c:\users\Paul\AppData\Roaming\Ixapn\amnya.exe
    c:\windows\system32\mode.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
    .

    2010-04-22 19:05 . 2010-04-22 19:05 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-04-22 19:05 . 2010-04-22 19:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-21 06:36 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2010-04-20 06:35 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-20 06:35 . 2010-04-20 06:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-20 06:35 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-17 15:03 . 2010-04-17 15:03 -------- d-----w- c:\users\Paul\AppData\Roaming\Helper
    2010-04-17 15:02 . 2010-04-17 15:02 38400 ----a-w- c:\windows\system32\sabb.dll
    2010-04-17 10:42 . 2010-04-17 10:42 17632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
    2010-04-17 08:31 . 2010-04-17 08:31 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
    2010-04-17 08:31 . 2010-04-17 08:31 -------- d-----w- c:\programdata\Malwarebytes
    2010-04-14 06:26 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-04-14 06:26 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-14 06:26 . 2010-02-18 17:36 902024 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-14 06:26 . 2010-02-18 17:36 220040 ----a-w- c:\windows\system32\drivers\netio.sys
    2010-04-14 06:26 . 2010-02-18 17:36 98192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
    2010-04-14 06:26 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-14 06:26 . 2010-02-18 13:59 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
    2010-04-14 06:26 . 2010-02-18 13:59 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
    2010-04-14 06:26 . 2010-02-18 13:57 328704 ----a-w- c:\windows\system32\BFE.DLL
    2010-04-14 06:26 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-13 17:37 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
    2010-04-13 17:37 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
    2010-03-31 06:15 . 2010-03-31 06:15 107492 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-03-29 19:31 . 2010-03-29 19:31 -------- d-----w- c:\program files\BBC iPlayer Desktop
    2010-03-27 18:37 . 2010-03-27 18:39 -------- d-----w- C:\flvrecorder
    2010-03-27 14:49 . 2010-03-31 05:50 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2010-03-27 14:49 . 2010-03-31 05:50 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2010-03-27 14:49 . 2010-03-27 14:49 -------- d-----w- c:\users\Paul\AppData\Local\mdnslib
    2010-03-27 14:49 . 2010-03-31 05:53 -------- d-----w- c:\program files\Replay Media Catcher
    2010-03-27 14:49 . 2010-03-27 14:49 -------- d-----w- c:\windows\Replay Media Catcher
    2010-03-27 12:40 . 2010-03-27 12:40 -------- d-----w- c:\programdata\IObit
    2010-03-27 08:55 . 2010-03-27 08:55 -------- d-----w- c:\program files\vasfmc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-22 18:55 . 2009-05-09 12:43 84608 ----a-w- c:\programdata\nvModes.dat
    2010-04-22 18:42 . 2010-02-14 09:20 -------- d-----w- c:\users\Paul\AppData\Roaming\Efvipy
    2010-04-21 06:24 . 2007-11-26 19:27 -------- d-----w- c:\programdata\Kontiki
    2010-04-17 14:14 . 2008-02-17 18:15 -------- d-----w- c:\program files\Yahoo!
    2010-04-17 14:14 . 2008-11-01 16:12 -------- d-----w- c:\program files\Gabest
    2010-04-17 14:13 . 2010-01-24 14:32 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-04-17 14:05 . 2008-11-01 16:12 -------- d-----w- c:\program files\AviSynth 2.5
    2010-03-29 19:31 . 2009-07-07 15:19 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-03-27 21:00 . 2008-12-01 21:19 -------- d-----w- c:\users\Paul\AppData\Roaming\GetRightToGo
    2010-03-27 18:37 . 2008-10-21 14:30 -------- d-----w- c:\program files\WinPcap
    2010-03-27 12:39 . 2009-05-04 11:53 -------- d-----w- c:\users\Paul\AppData\Roaming\IObit
    2010-03-27 12:39 . 2009-05-04 11:53 -------- d-----w- c:\program files\IObit
    2010-03-27 09:17 . 2010-02-05 20:47 -------- d-----w- c:\program files\7digital Locker
    2010-03-27 09:17 . 2007-11-10 19:37 61264 ----a-w- c:\users\Paul\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-03-27 09:14 . 2010-02-13 16:29 -------- d-----w- c:\program files\Nokia
    2010-03-27 09:11 . 2008-12-29 21:40 -------- d-----w- c:\users\Paul\AppData\Roaming\Amazon
    2010-03-27 09:11 . 2008-12-29 21:40 -------- d-----w- c:\program files\Amazon
    2010-03-16 20:10 . 2008-11-01 16:57 -------- d-----w- c:\users\Paul\AppData\Roaming\dvdcss
    2010-03-16 20:07 . 2010-03-16 20:07 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
    2010-03-16 20:07 . 2010-03-16 20:07 -------- d-----w- c:\program files\dvd43
    2010-03-13 19:25 . 2010-03-13 19:25 598368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScanner.dll
    2010-03-13 19:25 . 2010-02-27 14:17 6330848 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
    2010-03-13 07:56 . 2010-03-13 07:56 -------- d-----w- c:\programdata\Radialpoint
    2010-03-13 07:56 . 2010-03-13 07:56 -------- d-----w- c:\users\Paul\AppData\Roaming\Virgin Media
    2010-03-13 07:56 . 2010-03-13 07:56 -------- d-----w- c:\programdata\Virgin Media
    2010-03-13 07:56 . 2010-03-13 07:56 -------- d-----w- c:\program files\Virgin Media
    2010-03-12 07:52 . 2010-03-12 07:51 -------- d-----w- c:\program files\SquawkBox
    2010-03-10 07:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-02-28 14:17 . 2008-08-30 22:33 -------- d-----w- c:\users\Paul\AppData\Roaming\LimeWire
    2010-02-27 14:20 . 2010-02-27 14:12 -------- d-----w- c:\programdata\Lavasoft
    2010-02-27 14:20 . 2010-03-13 19:25 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-02-27 14:20 . 2010-02-27 14:20 95024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
    2010-02-27 14:19 . 2010-02-27 14:19 566608 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll
    2010-02-27 14:19 . 2010-02-27 15:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-02-27 14:19 . 2010-02-27 14:19 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
    2010-02-27 14:18 . 2010-02-27 14:18 1230160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBTE.dll
    2010-02-27 14:18 . 2010-02-27 14:18 247120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBRE.dll
    2010-02-27 14:17 . 2010-02-27 14:17 17480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
    2010-02-04 15:53 . 2010-02-27 14:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-01-25 12:48 . 2010-02-24 07:38 472576 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:48 . 2010-02-24 07:38 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:48 . 2010-02-24 07:38 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:48 . 2010-02-24 07:38 472064 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 12:45 . 2010-02-24 07:38 329216 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:35 . 2010-02-24 07:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:35 . 2010-02-24 07:38 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:34 . 2010-02-24 07:38 511488 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:34 . 2010-02-24 07:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-23 09:44 . 2010-02-24 07:38 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-01-16 22:12 . 2009-01-16 22:07 276238 ----a-w- c:\program files\UnGEXUSACAN.exe
    2008-02-17 06:33 . 2008-02-17 06:33 14 ----a-w- c:\program files\settings.cfg
    2008-12-29 08:49 . 2008-12-29 08:49 61 --sh--w- c:\windows\cnerolf.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FAD24BA-9822-41B0-9EB9-50C824A02033}]
    2010-04-17 15:02 38400 ----a-w- c:\windows\System32\sabb.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Google Update"="c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-07-07 133104]
    "ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2008-09-02 8203352]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2007-07-12 233472]
    "SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2007-07-12 131072]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13781536]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
    "Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-08-26 722288]
    "VirginMediaHUB.exe"="c:\program files\Virgin Media\HUB\VirginMediaHUB.exe" [2009-12-14 4277488]
    "Ask and Record FLV Service"="c:\program files\Replay Media Catcher\FLVSrvc.exe" [2009-09-22 156672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0lsdelete

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    R2 gupdate1c9d181a781cd5d;Google Update Service (gupdate1c9d181a781cd5d);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 133104]
    R3 SaiH0BAC;SaiH0BAC;c:\windows\system32\DRIVERS\SaiH0BAC.sys [2007-07-13 135168]
    R3 vsdatant7;vsdatant7;c:\windows\system32\drivers\vsdatant.win7.sys [x]
    R3 wrssweep;Webroots Volume Access Driver;c:\program files\Webroot\Washer\wrssweep.sys [x]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
    S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2009-08-26 25208]
    S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2009-08-26 435568]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-17 1265264]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [2009-12-14 668912]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{59EC7186-6FFB-47E8-99BE-D1D07B1B4551}]
    2010-04-17 15:02 38400 ----a-w- c:\windows\System32\sabb.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 15:11]

    2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 15:11]

    2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144580109-3991663038-3949325318-1000Core.job
    - c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-02 15:09]

    2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144580109-3991663038-3949325318-1000UA.job
    - c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-02 15:09]

    2010-04-22 c:\windows\Tasks\User_Feed_Synchronization-{90B0C00F-18EC-497D-B497-4D99A41ED256}.job
    - c:\windows\system32\msfeedssync.exe [2010-04-01 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\nqryg5xu.default\
    FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Virgin Media\HUB\nprpspa.dll
    FF - plugin: c:\users\Paul\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-22 20:05
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\users\Paul\AppData\Local\Temp\catchme.dll 53248 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x867FD8C8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0x82fa4322
    \Driver\ACPI -> acpi.sys @ 0x80698d4c
    \Driver\atapi -> atapi.sys @ 0x8079d9aa
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2144580109-3991663038-3949325318-1000\Software\SecuROM\License information*]
    @Allowed: (Read) (RestrictedCode)
    "datasecu"=hex:76,00,57,fa,55,d7,ad,86,fb,bc,6d,ae,fd,15,7c,4f,21,c8,03,b0,75,
    9e,19,64,ce,38,ea,49,e3,b3,a6,1e,bf,6f,86,59,2f,b0,dc,42,4c,2d,c9,1a,99,85,\
    "rkeysecu"=hex:36,4b,cd,75,a2,a1,42,f7,bd,aa,59,59,de,b2,41,e2

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(592)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    Completion time: 2010-04-22 20:09:32
    ComboFix-quarantined-files.txt 2010-04-22 19:09
    ComboFix2.txt 2010-04-21 06:48

    Pre-Run: 72,380,407,808 bytes free
    Post-Run: 72,290,648,064 bytes free

    - - End Of File - - E6D307B7A7623AEC0DF06F3239B05149






    I'm not sure if I used maxlook properly, but here is the file:

    Code:
    Run from C:\Users\Paul\Desktop\maxlook.exe on 22/04/2010 at 20:43:23.17
    
    --------- maxlook unsigned files ---------
    
    c:\windows\maxdriver\ASPI32.SYS:
    Verified:	Unsigned
    File date:	13:06 10/09/1999
    Publisher:	Adaptec
    Description:	ASPI for WIN32 Kernel Driver
    Product:	Adaptec's ASPI Layer
    Version:	4.60 (1021)
    File version:	4.60 (1021)
    c:\windows\maxdriver\atapi.sys:
    Verified:	Unsigned
    File date:	08:41 19/01/2008
    Publisher:	n/a
    Description:	n/a
    Product:	n/a
    Version:	n/a
    File version:	n/a
    c:\windows\maxdriver\dvd43llh.sys:
    Verified:	Unsigned
    File date:	21:07 16/03/2010
    Publisher:	RIF
    Description:	dvd43llh.sys
    Product:	DVD For Free
    Version:	3.5.000
    File version:	3.5.000
    
    --------- system32\drivers unsigned files ---------
    
    c:\windows\system32\drivers\ASPI32.SYS:
    Verified:	Unsigned
    File date:	13:06 10/09/1999
    Publisher:	Adaptec
    Description:	ASPI for WIN32 Kernel Driver
    Product:	Adaptec's ASPI Layer
    Version:	4.60 (1021)
    File version:	4.60 (1021)
    c:\windows\system32\drivers\dvd43llh.sys:
    Verified:	Unsigned
    File date:	21:07 16/03/2010
    Publisher:	RIF
    Description:	dvd43llh.sys
    Product:	DVD For Free
    Version:	3.5.000
    File version:	3.5.000
    

    Does this help?

    Thanks again
    Paul
     
  17. schrauber

    schrauber Guest

    Hi,

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      atapi*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: the log can also be found on your Desktop, entitled SystemLook.txt.
     
  18. bairn7

    bairn7 Registered Members

    Joined:
    Apr 19, 2010
    Messages:
    21
    Location:
    edinburgh
    Operating System:
    Windows Vista Ultimate
    Here we go!...

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 21:05 on 22/04/2010 by Paul (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "atapi*"
    C:\Windows\ERDNT\cache\atapi.sys --a--- 21560 bytes [06:44 21/04/2010] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
    C:\Windows\maxdriver\atapi.sys --a--- 21560 bytes [04:40 23/04/2010] [07:41 19/01/2008] 29BFA2EEFA76DA44D5393197DF069107
    C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [20:49 18/08/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [11:31 16/02/2008] [11:31 16/02/2008] B35CFCEF838382AB6490B321C87EDF17
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [08:05 30/08/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
    C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [08:05 30/08/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [11:31 16/02/2008] [11:31 16/02/2008] B35CFCEF838382AB6490B321C87EDF17
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [11:31 16/02/2008] [11:31 16/02/2008] E03E8C99D15D0381E02743C36AFC7C6F
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [08:05 30/08/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9

    -=End Of File=-


    Thanks :)
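    The SystemLook listing above is what the fix turns on: the maxdriver copy of atapi.sys has the same 21560-byte size as the shipped builds but an MD5 that no DriverStore or winsxs copy has, while the live System32\drivers copy reports the same hash as the mshdc.inf_cc18792d copy. As an added example (not SystemLook's, ComboFix's or the helper's code), the Python below parses the :filefind lines quoted above, flags any non-baseline copy that has a shipped size but a hash no baseline copy has, and lists the baseline copies of the same build as the live driver. It assumes the DriverStore and winsxs copies are the known-good baseline; the log text is embedded as constructed input taken from this post.

```python
"""Cross-check the copies of a driver listed by SystemLook's ':filefind'.

Added example for this thread; not part of SystemLook, ComboFix or any tool
used here. Each result line has the shape

    <path> --a--- <size> bytes [<mtime>] [<ctime>] <MD5>

Copies under the DriverStore FileRepository or winsxs are taken as the
known-good baseline (an assumption). A copy elsewhere with the size of a
baseline build but a hash no baseline copy has was changed in place; a copy
whose size matches no baseline build is a different build (for example a
downloaded update) and is only reported as unverified.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: the SystemLook output quoted in this thread.
SYSTEMLOOK_LOG = r"""
Searching for "atapi*"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21560 bytes [06:44 21/04/2010] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\maxdriver\atapi.sys --a--- 21560 bytes [04:40 23/04/2010] [07:41 19/01/2008] 29BFA2EEFA76DA44D5393197DF069107
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [20:49 18/08/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [11:31 16/02/2008] [11:31 16/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [08:05 30/08/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [08:05 30/08/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [11:31 16/02/2008] [11:31 16/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [11:31 16/02/2008] [11:31 16/02/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [08:05 30/08/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
-=End Of File=-
"""

# One filefind result line: path, attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{5,7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Locations Windows itself installs drivers from; treated as the baseline (assumption).
BASELINE_MARKERS = ("\\driverstore\\filerepository\\", "\\winsxs\\")


def parse_filefind(text):
    """Return one dict per result line; header and footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = PureWindowsPath(e["path"]).name.lower()
        e["baseline"] = any(mk in e["path"].lower() for mk in BASELINE_MARKERS)
        entries.append(e)
    return entries


def triage(entries):
    """Sort non-baseline copies into clean / suspect / unverified, per file name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    verdicts = {"clean": [], "suspect": [], "unverified": []}
    for copies in by_name.values():
        baseline_hashes = {c["md5"] for c in copies if c["baseline"]}
        baseline_sizes = {c["size"] for c in copies if c["baseline"]}
        for c in copies:
            if c["baseline"]:
                continue
            if c["md5"] in baseline_hashes:
                verdicts["clean"].append(c["path"])
            elif c["size"] in baseline_sizes:
                # Same length as a shipped build but the bytes differ: modified in place.
                verdicts["suspect"].append(c["path"])
            else:
                # No shipped build of this length in the log: hashes alone cannot judge it.
                verdicts["unverified"].append(c["path"])
    return verdicts


def restore_candidates(entries, live_path):
    """Baseline copies carrying the same build (same reported MD5) as the live driver."""
    live = next(e for e in entries if e["path"].lower() == live_path.lower())
    return sorted(
        e["path"] for e in entries
        if e["baseline"] and e["name"] == live["name"] and e["md5"] == live["md5"]
    )


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_LOG)
    for verdict, paths in triage(found).items():
        for path in paths:
            print(f"{verdict:10s} {path}")
    live_driver = r"C:\Windows\System32\drivers\atapi.sys"
    print("restore source:", restore_candidates(found, live_driver)[0])
```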
     
  19. schrauber

    schrauber Guest

    Hi,

    Copy and paste the content of the codebox below into Notepad and save it as fix.bat in your Windows folder. You have to set "Save as type" to "All Files".

    It should look like this now:

    c:\windows\fix.bat


    Code:
    REM Keep the current driver under a new name (ren takes a bare file name, not a path)
    ren C:\Windows\System32\drivers\atapi.sys atapi.old
    REM Put the matching copy from the driver store in its place
    copy C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys C:\Windows\System32\drivers\
    
    Now please boot again into the Recovery Console like you did before; at the command prompt, type

    fix.bat

    and hit Enter. Now type exit, reboot into normal Windows and post back with a fresh ComboFix logfile. Also please do the following:



    Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
    • Click on this link to see a list of programs that should be disabled.
    • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
    • Allow the driver to load if asked.
    • You may be prompted to scan immediately if it detects rootkit activity.
    • If you are prompted to scan your system click "No", save the log and post back the results.
    • If not prompted, click the "Rootkit/Malware" tab.
    • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
    • Select all drives that are connected to your system to be scanned.
    • Click the Scan button to begin. (Please be patient as it can take some time to complete)
    • When the scan is finished, click Save to save the scan results to your Desktop.
    • Save the file as Results.log and copy/paste the contents in your next reply.
    • Exit the program and re-enable all active protection when done.
     
  20. bairn7

    bairn7 Registered Members

    Joined:
    Apr 19, 2010
    Messages:
    21
    Location:
    edinburgh
    Operating System:
    Windows Vista Ultimate
    Hi

    Here is the updated combofix file:

    ComboFix 10-04-21.01 - Paul 22/04/2010 21:41:11.3.4 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1071 [GMT 1:00]
    Running from: c:\users\Paul\Desktop\schrauber.exe
    FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\look.bat

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
    .

    2010-04-22 20:46 . 2010-04-22 20:46 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-04-22 20:46 . 2010-04-22 20:46 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-22 20:26 . 2010-04-22 20:26 190 ----a-w- c:\windows\fix.bat
    2010-04-22 19:43 . 2010-02-26 16:26 220024 ----a-w- c:\windows\sigcheck.exe
    2010-04-22 19:35 . 2010-04-22 19:35 -------- d-----w- c:\windows\maxdriver
    2010-04-21 06:36 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2010-04-20 06:35 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-20 06:35 . 2010-04-20 06:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-20 06:35 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-17 15:03 . 2010-04-17 15:03 -------- d-----w- c:\users\Paul\AppData\Roaming\Helper
    2010-04-17 15:02 . 2010-04-17 15:02 38400 ----a-w- c:\windows\system32\sabb.dll
    2010-04-17 10:42 . 2010-04-17 10:42 17632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
    2010-04-17 08:31 . 2010-04-17 08:31 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
    2010-04-17 08:31 . 2010-04-17 08:31 -------- d-----w- c:\programdata\Malwarebytes
    2010-04-14 06:26 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-04-14 06:26 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-14 06:26 . 2010-02-18 17:36 902024 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-14 06:26 . 2010-02-18 17:36 220040 ----a-w- c:\windows\system32\drivers\netio.sys
    2010-04-14 06:26 . 2010-02-18 17:36 98192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
    2010-04-14 06:26 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-14 06:26 . 2010-02-18 13:59 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
    2010-04-14 06:26 . 2010-02-18 13:59 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
    2010-04-14 06:26 . 2010-02-18 13:57 328704 ----a-w- c:\windows\system32\BFE.DLL
    2010-04-14 06:26 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-13 17:37 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
    2010-04-13 17:37 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
    2010-03-31 06:15 . 2010-03-31 06:15 107492 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-03-29 19:31 . 2010-03-29 19:31 -------- d-----w- c:\program files\BBC iPlayer Desktop
    2010-03-27 18:37 . 2010-03-27 18:39 -------- d-----w- C:\flvrecorder
    2010-03-27 14:49 . 2010-03-31 05:50 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2010-03-27 14:49 . 2010-03-31 05:50 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2010-03-27 14:49 . 2010-03-27 14:49 -------- d-----w- c:\users\Paul\AppData\Local\mdnslib
    2010-03-27 14:49 . 2010-03-31 05:53 -------- d-----w- c:\program files\Replay Media Catcher
    2010-03-27 14:49 . 2010-03-27 14:49 -------- d-----w- c:\windows\Replay Media Catcher
    2010-03-27 12:40 . 2010-03-27 12:40 -------- d-----w- c:\programdata\IObit
    2010-03-27 08:55 . 2010-03-27 08:55 -------- d-----w- c:\program files\vasfmc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-22 20:38 . 2009-05-09 12:43 84608 ----a-w- c:\programdata\nvModes.dat
    2010-04-22 20:11 . 2007-11-26 19:27 -------- d-----w- c:\programdata\Kontiki
    2010-04-22 18:42 . 2010-02-14 09:20 -------- d-----w- c:\users\Paul\AppData\Roaming\Efvipy
    2010-04-17 14:14 . 2008-02-17 18:15 -------- d-----w- c:\program files\Yahoo!
    2010-04-17 14:14 . 2008-11-01 16:12 -------- d-----w- c:\program files\Gabest
    2010-04-17 14:13 . 2010-01-24 14:32 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-04-17 14:05 . 2008-11-01 16:12 -------- d-----w- c:\program files\AviSynth 2.5
    2010-03-29 19:31 . 2009-07-07 15:19 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-03-27 21:00 . 2008-12-01 21:19 -------- d-----w- c:\users\Paul\AppData\Roaming\GetRightToGo
    2010-03-27 18:37 . 2008-10-21 14:30 -------- d-----w- c:\program files\WinPcap
    2010-03-27 12:39 . 2009-05-04 11:53 -------- d-----w- c:\users\Paul\AppData\Roaming\IObit
    2010-03-27 12:39 . 2009-05-04 11:53 -------- d-----w- c:\program files\IObit
    2010-03-27 09:17 . 2010-02-05 20:47 -------- d-----w- c:\program files\7digital Locker
    2010-03-27 09:17 . 2007-11-10 19:37 61264 ----a-w- c:\users\Paul\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-03-27 09:14 . 2010-02-13 16:29 -------- d-----w- c:\program files\Nokia
    2010-03-27 09:11 . 2008-12-29 21:40 -------- d-----w- c:\users\Paul\AppData\Roaming\Amazon
    2010-03-27 09:11 . 2008-12-29 21:40 -------- d-----w- c:\program files\Amazon
    2010-03-16 20:10 . 2008-11-01 16:57 -------- d-----w- c:\users\Paul\AppData\Roaming\dvdcss
    2010-03-16 20:07 . 2010-03-16 20:07 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
    2010-03-16 20:07 . 2010-03-16 20:07 -------- d-----w- c:\program files\dvd43
    2010-03-13 19:25 . 2010-03-13 19:25 598368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScanner.dll
    2010-03-13 19:25 . 2010-02-27 14:17 6330848 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
    2010-03-13 07:56 . 2010-03-13 07:56 -------- d-----w- c:\programdata\Radialpoint
    2010-03-13 07:56 . 2010-03-13 07:56 -------- d-----w- c:\users\Paul\AppData\Roaming\Virgin Media
    2010-03-13 07:56 . 2010-03-13 07:56 -------- d-----w- c:\programdata\Virgin Media
    2010-03-13 07:56 . 2010-03-13 07:56 -------- d-----w- c:\program files\Virgin Media
    2010-03-12 07:52 . 2010-03-12 07:51 -------- d-----w- c:\program files\SquawkBox
    2010-03-10 07:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-02-28 14:17 . 2008-08-30 22:33 -------- d-----w- c:\users\Paul\AppData\Roaming\LimeWire
    2010-02-27 14:20 . 2010-02-27 14:12 -------- d-----w- c:\programdata\Lavasoft
    2010-02-27 14:20 . 2010-03-13 19:25 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-02-27 14:20 . 2010-02-27 14:20 95024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
    2010-02-27 14:19 . 2010-02-27 14:19 566608 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll
    2010-02-27 14:19 . 2010-02-27 15:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-02-27 14:19 . 2010-02-27 14:19 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
    2010-02-27 14:18 . 2010-02-27 14:18 1230160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBTE.dll
    2010-02-27 14:18 . 2010-02-27 14:18 247120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBRE.dll
    2010-02-27 14:17 . 2010-02-27 14:17 17480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
    2010-02-04 15:53 . 2010-02-27 14:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-01-25 12:48 . 2010-02-24 07:38 472576 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:48 . 2010-02-24 07:38 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:48 . 2010-02-24 07:38 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:48 . 2010-02-24 07:38 472064 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 12:45 . 2010-02-24 07:38 329216 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:35 . 2010-02-24 07:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:35 . 2010-02-24 07:38 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:34 . 2010-02-24 07:38 511488 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:34 . 2010-02-24 07:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-23 09:44 . 2010-02-24 07:38 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-01-16 22:12 . 2009-01-16 22:07 276238 ----a-w- c:\program files\UnGEXUSACAN.exe
    2008-02-17 06:33 . 2008-02-17 06:33 14 ----a-w- c:\program files\settings.cfg
    2008-12-29 08:49 . 2008-12-29 08:49 61 --sh--w- c:\windows\cnerolf.bin
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-22_19.06.05 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-11-10 21:09 . 2010-04-22 20:40 79482 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:05 . 2010-04-22 20:41 67504 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2007-11-10 19:38 . 2010-04-22 20:16 24974 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2144580109-3991663038-3949325318-1000_UserData.bin
    - 2006-11-02 13:02 . 2010-04-22 18:52 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2006-11-02 13:02 . 2010-04-22 19:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-04-20 06:33 . 2010-04-22 19:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-04-20 06:33 . 2010-04-22 18:52 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2006-11-02 13:02 . 2010-04-22 19:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2006-11-02 13:02 . 2010-04-22 18:52 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-04-23 04:40 . 2008-01-19 07:42 55352 c:\windows\maxdriver\disk.sys
    + 2010-04-23 04:40 . 2008-01-19 05:28 75264 c:\windows\maxdriver\dfsc.sys
    + 2010-04-23 04:40 . 2006-11-02 08:30 38912 c:\windows\maxdriver\crusoe.sys
    + 2010-04-23 04:40 . 2006-11-02 09:49 22632 c:\windows\maxdriver\crcdisk.sys
    + 2010-04-23 04:40 . 2008-01-19 07:41 36408 c:\windows\maxdriver\crashdmp.sys
    + 2010-04-23 04:40 . 2006-11-02 09:49 18280 c:\windows\maxdriver\compbatt.sys
    + 2010-04-23 04:40 . 2006-11-02 09:49 16488 c:\windows\maxdriver\cmdide.sys
    + 2010-04-23 04:40 . 2006-11-02 08:55 35328 c:\windows\maxdriver\circlass.sys
    + 2010-04-23 04:40 . 2009-04-11 04:39 67072 c:\windows\maxdriver\cdrom.sys
    + 2010-04-23 04:40 . 2008-01-19 05:28 70144 c:\windows\maxdriver\cdfs.sys
    + 2010-04-23 04:40 . 2009-02-09 08:37 22016 c:\windows\maxdriver\ccdcmbo.sys
    + 2010-04-23 04:40 . 2009-02-09 08:37 17664 c:\windows\maxdriver\ccdcmb.sys
    + 2010-04-23 04:40 . 2006-11-02 08:55 39936 c:\windows\maxdriver\bthmodem.sys
    + 2010-04-23 04:40 . 2006-11-02 08:24 11904 c:\windows\maxdriver\BrUsbSer.sys
    + 2010-04-23 04:40 . 2006-11-02 08:24 12160 c:\windows\maxdriver\BrUsbMdm.sys
    + 2010-04-23 04:40 . 2006-11-02 08:24 62336 c:\windows\maxdriver\BrSerWdm.sys
    + 2010-04-23 04:40 . 2006-11-02 08:25 71808 c:\windows\maxdriver\BrSerId.sys
    + 2010-04-23 04:40 . 2008-01-19 06:58 93696 c:\windows\maxdriver\bridge.sys
    + 2010-04-23 04:40 . 2006-11-02 08:24 13568 c:\windows\maxdriver\BrFiltLo.sys
    + 2010-04-23 04:40 . 2008-01-19 05:28 69632 c:\windows\maxdriver\bowser.sys
    + 2010-04-23 04:40 . 2008-01-19 05:53 12288 c:\windows\maxdriver\bdasup.sys
    + 2010-04-23 04:40 . 2006-11-02 09:49 25192 c:\windows\maxdriver\battc.sys
    + 2010-04-23 04:40 . 2008-01-19 07:41 21560 c:\windows\maxdriver\atapi.sys
    + 2010-04-23 04:40 . 2008-01-19 05:56 17408 c:\windows\maxdriver\asyncmac.sys
    + 2010-04-23 04:40 . 1999-09-10 12:06 25244 c:\windows\maxdriver\ASPI32.SYS
    + 2010-04-23 04:40 . 2006-11-02 09:50 67688 c:\windows\maxdriver\arcsas.sys
    + 2010-04-23 04:40 . 2006-11-02 09:50 67688 c:\windows\maxdriver\arc.sys
    + 2010-04-23 04:40 . 2006-11-02 08:30 40960 c:\windows\maxdriver\amdk8.sys
    + 2010-04-23 04:40 . 2006-11-02 08:30 38912 c:\windows\maxdriver\amdk7.sys
    + 2010-04-23 04:40 . 2006-11-02 09:49 15464 c:\windows\maxdriver\amdide.sys
    + 2010-04-23 04:40 . 2006-11-02 09:49 54888 c:\windows\maxdriver\AMDAGP.SYS
    + 2010-04-23 04:40 . 2006-11-02 09:49 14952 c:\windows\maxdriver\aliide.sys
    + 2010-04-23 04:40 . 2006-11-02 09:49 53864 c:\windows\maxdriver\AGP440.sys
    + 2010-04-23 04:40 . 2008-05-26 16:09 27072 c:\windows\maxdriver\AFGSp50.sys
    + 2010-04-23 04:40 . 2006-11-02 09:50 98408 c:\windows\maxdriver\adpu160m.sys
    + 2010-04-23 04:40 . 2006-11-02 08:55 53376 c:\windows\maxdriver\1394bus.sys
    - 2010-04-22 18:52 . 2010-04-22 18:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-04-22 20:37 . 2010-04-22 20:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-04-22 18:52 . 2010-04-22 18:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-04-22 20:37 . 2010-04-22 20:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-04-23 04:41 . 2009-02-09 08:37 7808 c:\windows\maxdriver\usbser_lowerfltj.sys
    + 2010-04-23 04:41 . 2009-02-09 08:37 7808 c:\windows\maxdriver\usbser_lowerflt.sys
    + 2010-04-23 04:41 . 2008-01-19 05:53 5888 c:\windows\maxdriver\usbd.sys
    + 2010-04-23 04:41 . 2008-01-19 05:53 7680 c:\windows\maxdriver\umpass.sys
    + 2010-04-23 04:41 . 2008-01-19 05:57 8192 c:\windows\maxdriver\rootmdm.sys
    + 2010-04-23 04:41 . 2008-01-19 06:01 6144 c:\windows\maxdriver\RDPENCDD.sys
    + 2010-04-23 04:41 . 2008-01-19 06:01 6144 c:\windows\maxdriver\RDPCDD.sys
    + 2010-04-23 04:41 . 2008-01-19 05:49 8704 c:\windows\maxdriver\parvdm.sys
    + 2010-04-23 04:40 . 2008-01-19 05:49 4608 c:\windows\maxdriver\null.sys
    + 2010-04-23 04:40 . 2008-01-19 05:49 6016 c:\windows\maxdriver\mstee.sys
    + 2010-04-23 04:40 . 2008-01-19 05:49 5504 c:\windows\maxdriver\mspqm.sys
    + 2010-04-23 04:40 . 2008-01-19 05:49 5888 c:\windows\maxdriver\mspclock.sys
    + 2010-04-23 04:40 . 2008-01-19 05:49 8192 c:\windows\maxdriver\mskssrv.sys
    + 2010-04-23 04:40 . 2007-03-08 17:18 8320 c:\windows\maxdriver\grmnusb.sys
    + 2010-04-23 04:40 . 2008-01-19 05:53 5632 c:\windows\maxdriver\drmkaud.sys
    + 2010-04-23 04:40 . 2006-11-02 08:24 5248 c:\windows\maxdriver\BrFiltUp.sys
    + 2010-04-23 04:40 . 2008-01-19 05:49 6144 c:\windows\maxdriver\beep.sys
    + 2006-11-02 10:33 . 2010-04-22 20:45 599942 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2010-04-22 19:00 599942 c:\windows\System32\perfh009.dat
    + 2006-11-02 10:33 . 2010-04-22 20:45 105448 c:\windows\System32\perfc009.dat
    - 2006-11-02 10:33 . 2010-04-22 19:00 105448 c:\windows\System32\perfc009.dat
    + 2009-10-20 18:12 . 2010-04-22 19:42 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-10-20 18:12 . 2010-04-21 05:54 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2010-04-23 04:41 . 2008-01-19 07:43 503864 c:\windows\maxdriver\Wdf01000.sys
    + 2010-04-23 04:41 . 2006-11-02 09:50 112232 c:\windows\maxdriver\vsmraid.sys
    + 2010-04-23 04:41 . 2009-08-26 21:10 443592 c:\windows\maxdriver\vsdatant.sys
    + 2010-04-23 04:41 . 2008-01-19 07:42 227896 c:\windows\maxdriver\volsnap.sys
    + 2010-04-23 04:41 . 2008-01-19 07:43 294456 c:\windows\maxdriver\volmgrx.sys
    + 2010-04-23 04:41 . 2008-01-19 05:52 110080 c:\windows\maxdriver\videoprt.sys
    + 2010-04-23 04:41 . 2008-01-19 05:53 226304 c:\windows\maxdriver\usbport.sys
    + 2010-04-23 04:41 . 2008-01-19 05:53 194560 c:\windows\maxdriver\usbhub.sys
    + 2010-04-23 04:41 . 2006-11-02 09:50 115816 c:\windows\maxdriver\ulsata2.sys
    + 2010-04-23 04:41 . 2006-11-02 09:51 235112 c:\windows\maxdriver\uliahci.sys
    + 2010-04-23 04:41 . 2008-01-19 05:28 226816 c:\windows\maxdriver\udfs.sys
    + 2010-04-23 04:41 . 2010-02-18 17:36 902024 c:\windows\maxdriver\tcpip.sys
    + 2010-04-23 04:41 . 2008-01-19 07:43 123960 c:\windows\maxdriver\Storport.sys
    + 2010-04-23 04:41 . 2009-09-14 09:44 144896 c:\windows\maxdriver\srv2.sys
    + 2010-04-23 04:41 . 2009-12-11 12:07 301568 c:\windows\maxdriver\srv.sys
    + 2010-04-23 04:41 . 2008-01-19 04:10 681984 c:\windows\maxdriver\spsys.sys
    + 2010-04-23 04:41 . 2008-01-19 07:42 142904 c:\windows\maxdriver\scsiport.sys
    + 2010-04-23 04:41 . 2007-07-13 02:22 135168 c:\windows\maxdriver\SaiH0BAC.sys
    + 2010-04-23 04:41 . 2008-08-06 08:26 124928 c:\windows\maxdriver\Rtlh86.sys
    + 2010-04-23 04:41 . 2008-08-29 06:42 113664 c:\windows\maxdriver\rmcast.sys
    + 2010-04-23 04:41 . 2008-01-19 06:01 181248 c:\windows\maxdriver\rdpwd.sys
    + 2010-04-23 04:41 . 2006-11-02 09:03 242688 c:\windows\maxdriver\rdpdr.sys
    + 2010-04-23 04:41 . 2008-01-19 05:28 224768 c:\windows\maxdriver\rdbss.sys
    + 2010-04-23 04:41 . 2006-11-02 09:50 106088 c:\windows\maxdriver\ql40xx.sys
    + 2010-04-23 04:41 . 2006-11-02 09:51 900712 c:\windows\maxdriver\ql2300.sys
    + 2010-04-23 04:41 . 2008-01-19 05:53 167936 c:\windows\maxdriver\portcls.sys
    + 2010-04-23 04:41 . 2006-11-02 09:04 878080 c:\windows\maxdriver\PEAuth.sys
    + 2010-04-23 04:41 . 2006-11-02 09:51 167528 c:\windows\maxdriver\pcmcia.sys
    + 2010-04-23 04:41 . 2008-01-19 07:42 151096 c:\windows\maxdriver\pci.sys
    + 2010-04-23 04:41 . 2008-05-20 02:07 148480 c:\windows\maxdriver\nwifi.sys
    + 2010-04-23 04:41 . 2006-11-02 09:50 106600 c:\windows\maxdriver\NV_AGP.SYS
    + 2010-04-23 04:40 . 2010-02-18 17:36 220040 c:\windows\maxdriver\netio.sys
    + 2010-04-23 04:40 . 2008-01-19 05:55 184320 c:\windows\maxdriver\netbt.sys
    + 2010-04-23 04:40 . 2008-01-19 05:56 121344 c:\windows\maxdriver\ndiswan.sys
    + 2010-04-23 04:40 . 2008-01-19 07:43 529464 c:\windows\maxdriver\ndis.sys
    + 2010-04-23 04:40 . 2008-01-19 07:42 163384 c:\windows\maxdriver\msrpc.sys
    + 2010-04-23 04:40 . 2008-01-19 07:42 181304 c:\windows\maxdriver\msiscsi.sys
    + 2010-04-23 04:40 . 2009-12-04 16:12 212992 c:\windows\maxdriver\mrxsmb10.sys
    + 2010-04-23 04:40 . 2009-12-04 16:12 105472 c:\windows\maxdriver\mrxsmb.sys
    + 2010-04-23 04:40 . 2008-01-19 05:28 110080 c:\windows\maxdriver\mrxdav.sys
    + 2010-04-23 04:40 . 2009-06-15 18:20 439896 c:\windows\maxdriver\ksecdd.sys
    + 2010-04-23 04:40 . 2008-01-19 05:49 148992 c:\windows\maxdriver\ks.sys
    + 2010-04-23 04:40 . 2008-01-19 05:56 100864 c:\windows\maxdriver\ipnat.sys
    + 2010-04-23 04:40 . 2006-11-02 09:51 232040 c:\windows\maxdriver\iaStorV.sys
    + 2010-04-23 04:40 . 2010-02-20 21:18 411136 c:\windows\maxdriver\http.sys
    + 2010-04-23 04:40 . 2006-11-02 07:36 235520 c:\windows\maxdriver\HdAudio.sys
    + 2010-04-23 04:40 . 2008-01-19 07:42 192056 c:\windows\maxdriver\fltMgr.sys
    + 2010-04-23 04:40 . 2008-01-19 05:28 143360 c:\windows\maxdriver\fastfat.sys
    + 2010-04-23 04:40 . 2008-01-19 05:28 136192 c:\windows\maxdriver\exfat.sys
    + 2010-04-23 04:40 . 2006-11-02 09:51 316520 c:\windows\maxdriver\elxstor.sys
    + 2010-04-23 04:40 . 2008-01-19 07:42 143416 c:\windows\maxdriver\ecache.sys
    + 2010-04-23 04:40 . 2006-11-02 07:30 117760 c:\windows\maxdriver\E1G60I32.sys
    + 2010-04-23 04:40 . 2008-08-02 01:01 625152 c:\windows\maxdriver\dxgkrnl.sys
    + 2010-04-23 04:40 . 2008-01-19 06:53 130048 c:\windows\maxdriver\drmk.sys
    + 2010-04-23 04:40 . 2008-01-19 05:49 131584 c:\windows\maxdriver\Dot4.sys
    + 2010-04-23 04:40 . 2008-01-19 07:43 127544 c:\windows\maxdriver\Classpnp.sys
    + 2010-04-23 04:40 . 2008-01-19 07:43 110136 c:\windows\maxdriver\ataport.sys
    + 2010-04-23 04:40 . 2008-01-19 05:57 273920 c:\windows\maxdriver\afd.sys
    + 2010-04-23 04:40 . 2006-11-02 09:51 147048 c:\windows\maxdriver\adpu320.sys
    + 2010-04-23 04:40 . 2006-11-02 09:51 297576 c:\windows\maxdriver\adpahci.sys
    + 2010-04-23 04:40 . 2006-11-02 09:51 420968 c:\windows\maxdriver\adp94xx.sys
    + 2010-04-23 04:40 . 2008-01-19 07:43 266808 c:\windows\maxdriver\acpi.sys
    + 2010-04-23 04:40 . 2009-04-30 21:02 9850016 c:\windows\maxdriver\nvlddmkm.sys
    + 2010-04-23 04:40 . 2008-01-19 07:43 1081912 c:\windows\maxdriver\ntfs.sys
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FAD24BA-9822-41B0-9EB9-50C824A02033}]
    2010-04-17 15:02 38400 ----a-w- c:\windows\System32\sabb.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Google Update"="c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-07-07 133104]
    "ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2008-09-02 8203352]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2007-07-12 233472]
    "SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2007-07-12 131072]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13781536]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
    "Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-08-26 722288]
    "VirginMediaHUB.exe"="c:\program files\Virgin Media\HUB\VirginMediaHUB.exe" [2009-12-14 4277488]
    "Ask and Record FLV Service"="c:\program files\Replay Media Catcher\FLVSrvc.exe" [2009-09-22 156672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0lsdelete

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    R2 gupdate1c9d181a781cd5d;Google Update Service (gupdate1c9d181a781cd5d);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 133104]
    R3 SaiH0BAC;SaiH0BAC;c:\windows\system32\DRIVERS\SaiH0BAC.sys [2007-07-13 135168]
    R3 vsdatant7;vsdatant7;c:\windows\system32\drivers\vsdatant.win7.sys [x]
    R3 wrssweep;Webroots Volume Access Driver;c:\program files\Webroot\Washer\wrssweep.sys [x]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
    S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2009-08-26 25208]
    S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2009-08-26 435568]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-17 1265264]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [2009-12-14 668912]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{59EC7186-6FFB-47E8-99BE-D1D07B1B4551}]
    2010-04-17 15:02 38400 ----a-w- c:\windows\System32\sabb.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 15:11]

    2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 15:11]

    2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144580109-3991663038-3949325318-1000Core.job
    - c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-02 15:09]

    2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144580109-3991663038-3949325318-1000UA.job
    - c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-02 15:09]

    2010-04-22 c:\windows\Tasks\User_Feed_Synchronization-{90B0C00F-18EC-497D-B497-4D99A41ED256}.job
    - c:\windows\system32\msfeedssync.exe [2010-04-01 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\nqryg5xu.default\
    FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Virgin Media\HUB\nprpspa.dll
    FF - plugin: c:\users\Paul\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-22 21:46
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2144580109-3991663038-3949325318-1000\Software\SecuROM\License information*]
    @Allowed: (Read) (RestrictedCode)
    "datasecu"=hex:76,00,57,fa,55,d7,ad,86,fb,bc,6d,ae,fd,15,7c,4f,21,c8,03,b0,75,
    9e,19,64,ce,38,ea,49,e3,b3,a6,1e,bf,6f,86,59,2f,b0,dc,42,4c,2d,c9,1a,99,85,\
    "rkeysecu"=hex:36,4b,cd,75,a2,a1,42,f7,bd,aa,59,59,de,b2,41,e2

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(588)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    Completion time: 2010-04-22 21:49:09
    ComboFix-quarantined-files.txt 2010-04-22 20:49
    ComboFix2.txt 2010-04-22 19:09
    ComboFix3.txt 2010-04-21 06:48

    Pre-Run: 72,177,934,336 bytes free
    Post-Run: 72,140,509,184 bytes free

    - - End Of File - - 69A203E9316380AAF53F49F9B449A0DC



    I still can't run GMER. It either causes a blue screen and restarts my computer, or it freezes on a random file (the last two file freezes were LSASRV.dll and USER32.dll if that is significant).

    Also, there seems to have been a problem since the last time I posted, and my DVD drive is not recognised in My Computer anymore. I cannot run any discs, and when I open My Computer, there is no D:\ drive listed!!! Aaaargh!

    Please help!

    Thanks
    Paul
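
Editor's added example (not part of the thread, ComboFix or any helper's reply): a small triage script for the "Reg Loading Points" part of a ComboFix log like the one posted above. It parses the section layout ComboFix uses (a `[registry key]` header followed by its entries, a blank line closing the section) and reports the settings a malware-removal helper would look at first: `EnableLUA=0` (UAC switched off), `FirewallOverride=1` and `DisableMonitoring=1` under Security Center, a file under System32 registered as a BHO, Active Setup component or Run entry whose timestamp is close to the report date, and the same file appearing under more than one load point. The sample log is a constructed subset of the posted entries, re-typed so the script runs offline; the 14-day "recent" window and the System32 filter are the script's own heuristics, and a hit means "look at this", not "this is malware".

```python
"""Triage of a ComboFix-style 'Reg Loading Points' dump.

Added example for this thread, not ComboFix code and not the poster's log.
Heuristics (assumptions, not ComboFix rules):
  * a file under System32 dated within RECENT_DAYS of the report date and
    registered as a load point is worth a second look;
  * the same file registered under more than one load point is reported;
  * UAC off, FirewallOverride=1 and DisableMonitoring=1 are reported as-is.
"""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample in the same layout as the posted log (a subset of its
# entries, re-typed here so the module runs offline).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FAD24BA-9822-41B0-9EB9-50C824A02033}]
2010-04-17 15:02 38400 ----a-w- c:\windows\System32\sabb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13781536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{59EC7186-6FFB-47E8-99BE-D1D07B1B4551}]
2010-04-17 15:02 38400 ----a-w- c:\windows\System32\sabb.dll
"""

REPORT_DATE = date(2010, 4, 22)   # "Completion time" date of the posted log
RECENT_DAYS = 14                  # assumption: what counts as "recently dropped"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# date time size attrs path  (BHO / Active Setup style)
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
# "Name"="path" [date size]  (Run key style)
RUN_RE = re.compile(r'^"[^"]+"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) \d+\]$')
# "Name"=value  (REGEDIT4 dword or ComboFix's "0 (0x0)" policy form)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
DWORD_RE = re.compile(r"^(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))$")


@dataclass(frozen=True)
class Finding:
    key: str
    detail: str


def parse_sections(text):
    """Return [(registry key, [entry lines])]; a blank line ends a section."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = (m.group("key"), [])
            sections.append(current)
        elif line and current is not None:
            current[1].append(line)
    return sections


def dword_value(value):
    """Parse 'dword:00000001' or '0 (0x0)'; None for anything else (e.g. a path)."""
    m = DWORD_RE.match(value.strip())
    if not m:
        return None
    return int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))


def triage(text, report_date=REPORT_DATE, recent_days=RECENT_DAYS):
    """Walk every load point and collect the findings described in the docstring."""
    findings, file_refs = [], {}
    for key, entries in parse_sections(text):
        lkey = key.lower()
        for entry in entries:
            fm = FILE_RE.match(entry) or RUN_RE.match(entry)
            if fm:
                path = fm.group("path")
                file_refs.setdefault(path.lower(), []).append(key)
                age = (report_date - date.fromisoformat(fm.group("date"))).days
                if age <= recent_days and "\\system32\\" in path.lower():
                    findings.append(Finding(key, f"file {age} days old registered as load point: {path}"))
                continue
            vm = VALUE_RE.match(entry)
            val = dword_value(vm.group("value")) if vm else None
            if val is None:
                continue
            name = vm.group("name")
            if lkey.endswith("policies\\system") and name == "EnableLUA" and val == 0:
                findings.append(Finding(key, "EnableLUA=0: UAC is disabled"))
            elif lkey.endswith("security center") and name == "FirewallOverride" and val == 1:
                findings.append(Finding(key, "FirewallOverride=1: firewall status alerts suppressed"))
            elif "security center\\monitoring\\" in lkey and name == "DisableMonitoring" and val == 1:
                product = key.rsplit("\\", 1)[-1]
                findings.append(Finding(key, f"DisableMonitoring=1: Security Center ignores {product}"))
    for path, keys in file_refs.items():
        if len(keys) > 1:
            findings.append(Finding(" | ".join(keys), f"same file in {len(keys)} load points: {path}"))
    return findings


def run_sample():
    """Convenience entry point: triage the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.key}]\n    {f.detail}")
```

On the constructed sample the script returns six findings: the System32 DLL dated five days before the report under both the BHO and the Active Setup key, the same file counted twice across load points, UAC off, the firewall override, and the ZoneLabs monitoring switch. The Run entries for Windows Defender and NvCpl.dll are parsed but not reported because their timestamps are old; a real log would be fed in with `triage(open("ComboFix.txt").read())` and the same report date read from its "Completion time" line.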
     
