
atapi.sys infected


  • This topic is locked
28 replies to this topic

#1 garethi

  • Members
  • 17 posts

Posted 10 June 2010 - 01:54 PM

Hi everyone,
I am having a problem with my computer.
For about 6 weeks, when I have started surfing, my computer has been redirecting my browser sometimes to directdr.com or Zylom games, or crashing.
I thought it was some sort of pop-up or cookie from Facebook games, as it started happening there first, but then also by Google; then it started crashing at different times.
I have Malwarebytes Anti-Malware and also Avira AntiVir, and they found nothing.
I searched for directdr.com and found a reference to Hitman Pro 3.5; I installed the 30-day free trial. It found a few things, which it removed, but it couldn't remove the rootkit infection, as there was a warning that the system holds important info.
I searched atapi.sys and found this site.
I have gone through the steps to post this mail.
I had difficulty with the GMER scan; while doing it, it crashed twice with a blue screen with script, but I finally managed to complete it.



DDS (Ver_10-03-17.01) - NTFSx86
Run by gareth at 18:11:40,60 on 10.06.2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2047.1230 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programme\Lexmark X5100 Series\lxbabmgr.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\DivX\DivX Update\DivXUpdate.exe
C:\Programme\Gemeinsame Dateien\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\ISUSPM.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Messenger\msmsgs.exe
C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\Programme\Lexmark X5100 Series\lxbabmon.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\AskBarDis\bar\bin\AskService.exe
C:\Programme\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Skype\Toolbars\Shared\SkypeNames.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\Dokumente und Einstellungen\gareth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://flvdirect.iamwired.net/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://support.wdc.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\programme\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\programme\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\programme\spybot - search & destroy\TeaTimer.exe
uRun: [Messenger (Yahoo!)] "c:\programme\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ISUSPM] "c:\programme\gemeinsame dateien\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Steam] "c:\programme\steam\Steam.exe" -silent
uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\programme\messenger\msmsgs.exe" /background
uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [Ai Quicker Help] "c:\program files\asus\asus dh remote\AsRc.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Google Desktop Search] "c:\programme\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AppleSyncNotifier] c:\programme\gemeinsame dateien\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Lexmark X5100 Series] "c:\programme\lexmark x5100 series\lxbabmgr.exe"
mRun: [TkBellExe] "c:\programme\gemeinsame dateien\real\update_ob\realsched.exe" -osboot
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\programme\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programme\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\programme\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\programme\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [BlackBerryAutoUpdate] c:\programme\gemeinsame dateien\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\programme\gemeinsame dateien\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [HitmanPro35] "c:\programme\hitman pro 3.5\HitmanPro35.exe" /scan:boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\0041.dll c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\gareth\anwend~1\mozilla\firefox\profiles\mxfswe0p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programme\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programme\mozilla firefox\extensions\{e8b6d5b2-8796-4de4-0739-5fbcf84e38a7}\components\SFZw6O-TNV.dll
FF - plugin: c:\dokumente und einstellungen\gareth\anwendungsdaten\mozilla\firefox\profiles\mxfswe0p.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\programme\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\programme\gemeinsame dateien\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\google\google updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\programme\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programme\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programme\picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\programme\mozilla firefox\extensions\{e8b6d5b2-8796-4de4-0739-5fbcf84e38a7}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2009-10-10 11608]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\avira\antivir desktop\sched.exe [2009-10-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2009-10-10 185089]
R2 ASKService;ASKService;c:\programme\askbardis\bar\bin\AskService.exe [2009-9-7 464264]
R2 ASKUpgrade;ASKUpgrade;c:\programme\askbardis\bar\bin\ASKUpgrade.exe [2009-9-7 234888]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-20 56816]
R3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [2005-2-24 162176]
S1 MpKslf3309f18;MpKslf3309f18;\??\c:\windows\system32\mpenginestore\mpkslf3309f18.sys --> c:\windows\system32\mpenginestore\MpKslf3309f18.sys [?]
S2 gupdate1c9d7a068488b76;Google Update Service (gupdate1c9d7a068488b76);c:\programme\google\update\GoogleUpdate.exe [2009-5-18 133104]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\programme\google\google desktop search\GoogleDesktop.exe [2002-1-8 30192]

=============== Created Last 30 ================

2010-06-10 16:10:40 0 ----a-w- c:\dokumente und einstellungen\gareth\defogger_reenable
2010-06-06 09:35:43 49 ----a-w- c:\windows\wininit.ini
2010-06-04 13:29:21 370 ----a-w- c:\windows\system32\.crusader
2010-06-04 13:29:11 96512 ----a-w- c:\windows\system32\drivers\atapi_restored.sys
2010-06-04 13:04:49 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-04 13:04:36 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Hitman Pro
2010-06-04 13:04:35 0 d-----w- c:\programme\Hitman Pro 3.5
2010-05-21 12:00:42 0 d-----w- c:\programme\gemeinsame dateien\Sonic Shared
2010-05-21 12:00:41 0 d-----w- c:\programme\Roxio
2010-05-21 11:57:09 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Research In Motion
2010-05-21 11:56:52 0 d-----w- c:\programme\gemeinsame dateien\Research In Motion

==================== Find3M ====================

2010-04-18 22:04:28 6896 ----a-w- c:\windows\system32\WORK.DAT
2010-04-16 09:41:23 91864 ----a-w- c:\windows\system32\perfc007.dat
2010-04-16 09:41:23 476162 ----a-w- c:\windows\system32\perfh007.dat
2010-04-12 15:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-01-07 03:01:50 32768 --sha-w- c:\windows\system32\config\systemprofile\lokale einstellungen\verlauf\history.ie5\mshist012009122120091228\index.dat
2010-01-07 03:01:50 32768 --sha-w- c:\windows\system32\config\systemprofile\lokale einstellungen\verlauf\history.ie5\mshist012010010720100108\index.dat
2010-01-08 03:56:09 32768 --sha-w- c:\windows\system32\config\systemprofile\lokale einstellungen\verlauf\history.ie5\mshist012010010820100109\index.dat

============= FINISH: 18:12:49,81 ===============

I have since re-enabled the defogger, even though I don't know what it does.

Merged posts. ~ OB

Attached Files

  • Attached File  DDS.txt   13.91KB   6 downloads
  • Attached File  ark.txt   4.8KB   7 downloads

Edited by Orange Blossom, 10 June 2010 - 07:22 PM.



#2 Elise

  • Malware Study Hall Admin
  • 61,208 posts
  • Location: Romania

Posted 15 June 2010 - 05:43 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


Malware analyst @ Emsisoft
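An added example, written for this thread and not part of DDS, OTL or anything the helpers here use: a small Python triage script that pulls out of these logs the three items a helper reads first, namely the AppInit_DLLs entries, the hosts behind the defanged hxxp:// browser settings, and the kernel drivers in the OTL driver list that start at Boot or System time yet show an empty publisher field, as atapi.sys does in the OTL log posted below. The sample lines are copied from the DDS and OTL logs in this thread; the line formats are inferred from those lines only (an assumption) and may need adjusting for other OTL sections or DDS versions.

```python
"""Triage helpers for DDS / OTL-style scan logs.

Added example for this thread; not part of DDS, OTL or any other tool.
The line formats below are inferred only from the lines posted in this
thread (assumption), so other log sections or versions may need changes.
"""
import re

# OTL driver line, e.g.
# DRV - [2008.04.13 20:40:30 | 000,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\...\atapi.sys -- (atapi)
OTL_DRV_RE = re.compile(
    r"^DRV - \[(?P<stamp>[\d.]+ [\d:]+) \| (?P<size>[\d,]+) \| [^|\]]+ \| [^\]]+\] "
    r"\((?P<publisher>[^)]*)\) "
    r"\[(?P<kind>[^|\]]+) \| (?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] "
    r"-- (?P<path>.+?) -- \((?P<service>[^)]+)\)"
)

# Constructed sample: lines copied from the DDS and OTL logs posted in this thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://flvdirect.iamwired.net/
AppInit_DLLs: c:\windows\system32\0041.dll c:\progra~1\google\google~1\GOEC62~1.DLL
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
DRV - [2009.12.22 04:47:58 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2008.04.13 20:40:30 | 000,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2006.10.18 21:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2005.02.24 12:29:14 | 000,162,176 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PFC027.sys -- (PAC207)
"""


def parse_drivers(log_text):
    """Parse every OTL 'DRV -' line into a dict; the size field becomes bytes."""
    drivers = []
    for line in log_text.splitlines():
        m = OTL_DRV_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"].replace(",", ""))
        drivers.append(rec)
    return drivers


def unpublished_early_drivers(drivers):
    """Kernel drivers with Boot or System start and an empty publisher '()'.

    Early-start drivers that ship with Windows carry version info, so an
    empty publisher on one is a reason to compare the file with a known-good
    copy (hash or signature check). It is not a verdict: vendor drivers can
    legitimately lack version info, so every hit needs the manual check.
    """
    return [
        d for d in drivers
        if d["kind"] == "Kernel"
        and d["start"] in ("Boot", "System")
        and not d["publisher"].strip()
    ]


def appinit_dlls(log_text):
    """DLLs listed on the DDS 'AppInit_DLLs:' line.

    The registry value itself is space- or comma-separated, so paths cannot
    contain spaces and splitting on those separators is exact.
    """
    for line in log_text.splitlines():
        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            return [p for p in re.split(r"[\s,]+", value) if p]
    return []


def defanged_hosts(log_text):
    """Hosts from URLs that DDS defangs as hxxp:// (start page, search hooks, FF prefs)."""
    hosts = {m.group(1).lower() for m in re.finditer(r"hxxps?://([^/\s]+)", log_text)}
    return sorted(hosts)


def triage(log_text):
    """Bundle the three checks into one report for a log."""
    drivers = parse_drivers(log_text)
    return {
        "drivers_parsed": len(drivers),
        "verify_drivers": [d["path"] for d in unpublished_early_drivers(drivers)],
        "appinit_dlls": appinit_dlls(log_text),
        "browser_hosts": defanged_hosts(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the report lists atapi.sys and AsIO.sys under verify_drivers, the two AppInit_DLLs paths, and flvdirect.iamwired.net as the only host behind the browser settings. AsIO.sys shows no publisher in this log either, which is exactly why the script reports candidates for a hash or signature comparison rather than declaring any file infected.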


#3 garethi

  • Topic Starter
  • Members
  • 17 posts

Posted 16 June 2010 - 12:18 AM

Hi Elise,
Thanks in advance for your time and help.
As stated, for about 6 weeks, when I have started surfing, my computer has been redirecting my browser sometimes to directdr.com or Zylom games, or crashing.
I thought it was some sort of pop-up or cookie from Facebook games, as it started happening there first, but then also by Google; then it started crashing at different times.
I have Malwarebytes Anti-Malware and also Avira AntiVir, and they found nothing.
I searched for directdr.com and found a reference to Hitman Pro 3.5; I installed the 30-day free trial. It found a few things, which it removed, but it couldn't remove the rootkit infection, as there was a warning that the system holds important info.
I searched atapi.sys and found this site.
Something else that also sometimes occurs is that when the computer has powered up and is running, I get a little red cross warning me that the Windows Firewall is not active, but it only lasts a second or two, and when I click on the cross and go to the Windows page everything is OK.
Here are the logs that you asked for.
The GMER log I must try again, as on the first try it crashed, and on the second try it was still not finished after 5 hours, so I will try again and see what happens.


Computer Name: 0001-75CCCCB161
Current User Name: gareth
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.06.16 00:37:45 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\gareth\Desktop\OTL.exe
PRC - [2010.04.13 00:46:36 | 001,135,912 | ---- | M] () -- C:\Programme\DivX\DivX Update\DivXUpdate.exe
PRC - [2010.03.31 15:32:54 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2010.03.25 11:01:36 | 000,648,536 | ---- | M] (Research In Motion Limited) -- C:\Programme\Gemeinsame Dateien\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2010.02.18 11:43:18 | 000,248,040 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
PRC - [2009.12.22 04:47:15 | 000,030,192 | ---- | M] (Google) -- C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2009.09.26 23:40:29 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
PRC - [2009.08.28 20:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009.07.21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2009.05.13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2009.04.02 12:47:04 | 000,234,888 | ---- | M] () -- C:\Programme\AskBarDis\bar\bin\ASKUpgrade.exe
PRC - [2009.04.02 12:47:02 | 000,464,264 | ---- | M] () -- C:\Programme\AskBarDis\bar\bin\AskService.exe
PRC - [2009.03.05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009.03.02 13:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008.10.24 09:14:36 | 000,206,112 | ---- | M] (Macrovision Corporation) -- C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\ISUSPM.exe
PRC - [2008.04.14 04:22:45 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006.11.09 22:29:14 | 003,165,696 | ---- | M] () -- C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
PRC - [2006.11.09 19:44:32 | 000,221,184 | ---- | M] (T-wins) -- C:\Program Files\ASUS\ASUS DH Remote\AsDHRemote.exe
PRC - [2005.01.14 09:32:38 | 000,053,248 | ---- | M] () -- C:\WINDOWS\system32\PAStiSvc.exe
PRC - [2002.12.16 13:26:20 | 000,045,056 | ---- | M] (Lexmark International, Inc.) -- C:\Programme\Lexmark X5100 Series\lxbabmon.exe
PRC - [2002.12.16 13:14:34 | 000,086,101 | ---- | M] (Lexmark International, Inc.) -- C:\Programme\Lexmark X5100 Series\lxbabmgr.exe


========== Modules (SafeList) ==========

MOD - [2010.06.16 00:37:45 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\gareth\Desktop\OTL.exe
MOD - [2009.09.26 23:40:56 | 000,102,400 | ---- | M] (RealPlayer) -- c:\Program Files\Real\RealPlayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll
MOD - [2009.09.26 23:40:31 | 000,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2009.08.13 15:55:39 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
MOD - [2009.03.29 08:53:30 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll
MOD - [2008.04.14 04:21:06 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009.12.22 04:47:15 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
SRV - [2009.12.17 17:37:52 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009.08.28 20:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009.07.21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.07.08 12:31:36 | 000,313,840 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - [2009.07.08 12:31:32 | 000,170,480 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)
SRV - [2009.07.08 12:31:12 | 001,108,464 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2009.05.16 11:00:36 | 000,361,728 | ---- | M] (TuneUp Software GmbH) [On_Demand | Stopped] -- C:\WINDOWS\system32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2009.05.13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009.04.02 12:47:04 | 000,234,888 | ---- | M] () [Auto | Running] -- C:\Programme\AskBarDis\bar\bin\ASKUpgrade.exe -- (ASKUpgrade)
SRV - [2009.04.02 12:47:02 | 000,464,264 | ---- | M] () [Auto | Running] -- C:\Programme\AskBarDis\bar\bin\AskService.exe -- (ASKService)
SRV - [2008.07.18 15:05:40 | 000,028,416 | ---- | M] (TuneUp Software GmbH) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2005.01.14 09:32:38 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PAStiSvc.exe -- (STI Simulator)
SRV - [2004.10.22 03:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2009.12.22 04:47:58 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009.05.11 10:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.03.30 10:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009.02.13 12:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008.11.12 15:54:00 | 006,188,320 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008.04.13 20:40:30 | 000,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2008.04.13 18:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006.12.06 13:41:16 | 000,044,416 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2006.10.18 21:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006.04.17 10:31:26 | 004,262,912 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006.02.07 13:52:58 | 000,006,912 | R--- | M] (JMicron ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\JGOGO.sys -- (JGOGO)
DRV - [2005.03.30 09:24:00 | 000,230,400 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005.02.24 12:29:14 | 000,162,176 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PFC027.sys -- (PAC207)
DRV - [2004.08.13 04:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-436374069-484061587-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\S-1-5-21-436374069-484061587-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://flvdirect.iamwired.net/
IE - HKU\S-1-5-21-436374069-484061587-839522115-1004\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-436374069-484061587-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-436374069-484061587-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search"
FF - prefs.js..browser.search.defaulturl: "http://flvdirect.iamwired.net/websearch.php?src=tops&search="
FF - prefs.js..browser.search.selectedEngine: "Search"
FF - prefs.js..browser.startup.homepage: "http://yahoo.com/"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.60
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: {e8b6d5b2-8796-4de4-0739-5fbcf84e38a7}:4.6.6.9
FF - prefs.js..keyword.URL: "http://flvdirect.iamwired.net/websearch.php?src=tops&search="


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.05.26 10:52:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.04.28 01:31:05 | 000,000,000 | ---D | M]

[2002.01.10 00:08:28 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\gareth\Anwendungsdaten\Mozilla\Extensions
[2010.06.16 00:03:39 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\extensions
[2009.08.14 11:29:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.01.03 22:38:52 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Dokumente und Einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009.10.10 18:33:19 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\extensions\{ca0849e8-2c76-42ae-9abe-34e14d337acf}(2)
[2009.12.22 09:16:55 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Dokumente und Einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009.09.07 11:43:17 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2009.10.10 18:54:49 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\extensions\searchrecs@veoh.com
[2010.05.20 22:47:16 | 000,000,266 | ---- | M] () -- C:\Dokumente und Einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\searchplugins\Search.xml
[2010.06.15 23:53:44 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.04.28 01:27:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.05.20 22:47:23 | 000,000,000 | ---D | M] (LoudMo Contextual Ad Assistant) -- C:\Programme\Mozilla Firefox\extensions\{e8b6d5b2-8796-4de4-0739-5fbcf84e38a7}
[2010.04.12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.03.30 12:36:38 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.03.30 12:36:38 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.03.30 12:36:39 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.03.30 12:36:39 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.03.30 12:36:39 | 000,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009.01.01 23:20:48 | 000,290,879 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10016 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKU\S-1-5-21-436374069-484061587-839522115-1004\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-436374069-484061587-839522115-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-436374069-484061587-839522115-1004\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKU\S-1-5-21-436374069-484061587-839522115-1004\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\System32\JMRaidSetup.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ai Quicker Help] C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Programme\Gemeinsame Dateien\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [DivXUpdate] C:\Programme\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [Google Desktop Search] C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [HitmanPro35] C:\Programme\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe ()
O4 - HKLM..\Run: [Lexmark X5100 Series] C:\Programme\Lexmark X5100 Series\lxbabmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RoxWatchTray] C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\S-1-5-21-436374069-484061587-839522115-1004..\Run: [ISUSPM] C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-436374069-484061587-839522115-1004..\Run: [Messenger (Yahoo!)] C:\Programme\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-436374069-484061587-839522115-1004..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-436374069-484061587-839522115-1004..\Run: [Steam] C:\Programme\Steam\Steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-436374069-484061587-839522115-1004..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-436374069-484061587-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-436374069-484061587-839522115-1004\..Trusted Domains: localhost ([]http in Lokales Intranet)
O15 - HKU\S-1-5-21-436374069-484061587-839522115-1004\..Trusted Ranges: GD ([http] in Lokales Intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\WINDOWS\SYSTEM32\0041.DLL) - C:\WINDOWS\System32\0041.DLL File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\gareth\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\gareth\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008.12.01 19:46:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010.04.02 14:29:34 | 000,000,000 | R--D | M] - D:\Autoplay -- [ CDFS ]
O32 - AutoRun File - [2010.04.02 14:03:16 | 003,048,072 | R--- | M] () - D:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2010.03.29 18:24:43 | 000,000,050 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{7f3029a8-03da-11d6-af19-001bfc7d8a81}\Shell\AutoRun\command - "" = E:\WDSetup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.06.16 00:37:44 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\gareth\Desktop\OTL.exe
[2010.06.04 15:04:36 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Hitman Pro
[2010.06.04 15:04:35 | 000,000,000 | ---D | C] -- C:\Programme\Hitman Pro 3.5
[2010.05.21 14:00:42 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Sonic Shared
[2010.05.21 14:00:41 | 000,000,000 | ---D | C] -- C:\Programme\Roxio
[2010.05.21 13:57:09 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Research In Motion
[2010.05.21 13:56:52 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Research In Motion
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.06.16 00:40:04 | 006,553,600 | ---- | M] () -- C:\Dokumente und Einstellungen\gareth\ntuser.dat
[2010.06.16 00:37:45 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\gareth\Desktop\OTL.exe
[2010.06.16 00:36:58 | 000,000,468 | ---- | M] () -- C:\WINDOWS\LEXSTAT.INI
[2010.06.16 00:28:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.06.16 00:00:00 | 000,000,494 | ---- | M] () -- C:\WINDOWS\tasks\1-Klick-Wartung.job
[2010.06.15 23:52:36 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010.06.15 23:50:36 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010.06.15 23:49:55 | 000,203,188 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010.06.15 23:49:51 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.06.15 23:49:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.06.15 23:49:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.06.10 18:06:30 | 000,000,755 | ---- | M] () -- C:\Dokumente und Einstellungen\gareth\Desktop\Verknüpfung mit gmer.lnk
[2010.06.10 09:08:37 | 000,525,824 | ---- | M] () -- C:\Dokumente und Einstellungen\gareth\Desktop\dds.scr
[2010.06.10 09:07:02 | 000,050,477 | ---- | M] () -- C:\Dokumente und Einstellungen\gareth\Desktop\Defogger.exe
[2010.06.09 11:04:53 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.06.06 13:43:08 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.06.06 11:35:43 | 000,000,049 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010.06.05 09:08:28 | 000,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\atapi_restored.sys
[2010.06.05 09:08:28 | 000,000,370 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2010.06.04 15:04:35 | 000,001,635 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Hitman Pro 3.5.lnk
[2010.05.28 14:54:39 | 018,499,623 | ---- | M] () -- C:\Dokumente und Einstellungen\gareth\Eigene Dateien\vlc-1.0.5-win32.exe
[2010.05.28 13:29:55 | 000,002,121 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\iTunes.lnk
[2010.05.21 14:24:29 | 000,001,709 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Desktop Manager.lnk
[2010.05.21 14:19:16 | 000,065,024 | ---- | M] () -- C:\Dokumente und Einstellungen\gareth\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.05.21 14:04:37 | 000,029,424 | ---- | M] () -- C:\Dokumente und Einstellungen\gareth\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
[2010.05.21 14:04:19 | 000,145,216 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.05.21 13:33:44 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010.05.19 23:29:55 | 000,001,887 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Earth.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.06.10 18:06:30 | 000,000,755 | ---- | C] () -- C:\Dokumente und Einstellungen\gareth\Desktop\Verknüpfung mit gmer.lnk
[2010.06.10 09:08:37 | 000,525,824 | ---- | C] () -- C:\Dokumente und Einstellungen\gareth\Desktop\dds.scr
[2010.06.10 09:07:02 | 000,050,477 | ---- | C] () -- C:\Dokumente und Einstellungen\gareth\Desktop\Defogger.exe
[2010.06.06 11:35:43 | 000,000,049 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010.06.04 15:29:21 | 000,000,370 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2010.06.04 15:29:11 | 000,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi_restored.sys
[2010.06.04 15:04:49 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010.06.04 15:04:35 | 000,001,635 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Hitman Pro 3.5.lnk
[2010.05.28 14:54:13 | 018,499,623 | ---- | C] () -- C:\Dokumente und Einstellungen\gareth\Eigene Dateien\vlc-1.0.5-win32.exe
[2010.05.21 14:24:29 | 000,001,709 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Desktop Manager.lnk
[2010.05.19 23:29:55 | 000,001,887 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Google Earth.lnk
[2010.04.15 08:34:12 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009.06.12 00:29:50 | 000,041,808 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2009.04.17 17:56:25 | 000,000,468 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2009.04.17 17:52:45 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBALCNP.DLL
[2009.03.30 11:09:49 | 000,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009.03.29 08:54:53 | 000,000,075 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008.12.14 21:04:33 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2008.12.01 20:50:54 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2008.12.01 20:50:54 | 000,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2008.12.01 20:50:52 | 000,012,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2008.12.01 20:50:52 | 000,010,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2008.12.01 20:46:54 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008.12.01 20:40:40 | 000,033,261 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2008.12.01 20:40:30 | 000,032,862 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008.12.01 20:40:30 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008.12.01 20:40:19 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008.11.12 15:54:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008.11.12 15:54:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008.11.12 15:54:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008.11.12 15:54:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008.10.07 10:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008.10.07 10:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2007.11.26 21:56:28 | 000,151,415 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2006.02.28 14:00:00 | 000,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2005.02.24 12:29:14 | 000,162,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\PFC027.sys
[2005.01.25 15:15:42 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\PA207USD.DLL
[2002.08.21 15:55:26 | 000,000,188 | ---- | C] () -- C:\WINDOWS\System32\lxbacoin.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DE3BE525
< End of report >


OTL Extras logfile created on: 16.06.2010 00:39:23 - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Dokumente und Einstellungen\gareth\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 58,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 80,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 465,75 Gb Total Space | 360,84 Gb Free Space | 77,47% Space Free | Partition Type: NTFS
Drive D: | 7,73 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 0001-75CCCCB161
Current User Name: gareth
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-436374069-484061587-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiSpyWareDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"UacDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" = C:\Programme\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Programme\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe" = C:\Programme\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:*:Enabled:Tom Clancy's Rainbow Six Vegas 2 -- ()
"C:\Programme\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe" = C:\Programme\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:*:Enabled:Tom Clancy's Rainbow Six Vegas 2 Update -- (Ubisoft)
"C:\Programme\Activision\Prototype\prototypef.exe" = C:\Programme\Activision\Prototype\prototypef.exe:*:Enabled:Prototype™ -- (Activision)
"C:\Programme\Mozilla Firefox\firefox.exe" = C:\Programme\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox (2) -- (Mozilla Corporation)
"C:\Programme\Xfire\Xfire.exe" = C:\Programme\Xfire\Xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"C:\Programme\Stardock Games\Demigod Demo\bin\Demigod.exe" = C:\Programme\Stardock Games\Demigod Demo\bin\Demigod.exe:*:Enabled:Demigod -- File not found
"C:\Programme\iTunes\iTunes.exe" = C:\Programme\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Programme\Steam\SteamApps\common\call of duty modern warfare 2\iw4sp.exe" = C:\Programme\Steam\SteamApps\common\call of duty modern warfare 2\iw4sp.exe:*:Enabled:Call of Duty: Modern Warfare 2 -- ()
"C:\Programme\Steam\SteamApps\common\call of duty modern warfare 2\iw4mp.exe" = C:\Programme\Steam\SteamApps\common\call of duty modern warfare 2\iw4mp.exe:*:Enabled:Call of Duty: Modern Warfare 2 - Multiplayer -- ()
"C:\Programme\Opera\opera.exe" = C:\Programme\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Programme\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe" = C:\Programme\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe:*:Enabled:Ubisoft Game Launcher -- (Ubisoft)
"C:\Programme\Ubisoft\Tom Clancy's Splinter Cell Conviction\src\system\conviction_game.exe" = C:\Programme\Ubisoft\Tom Clancy's Splinter Cell Conviction\src\system\conviction_game.exe:*:Enabled:Tom Clancy's Splinter Cell Conviction -- ()
"C:\Programme\Ubisoft\Tom Clancy's Splinter Cell Conviction\src\system\gu.exe" = C:\Programme\Ubisoft\Tom Clancy's Splinter Cell Conviction\src\system\gu.exe:*:Enabled:Tom Clancy's Splinter Cell Conviction Update -- (Ubisoft)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Reg Error: Key error.
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 20
"{34A0AF85-C323-4867-8AA3-00A3E5A7A12B}" = ASUS DH Remote
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMB36X Raid Configurer
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{4468EF97-A253-4699-9E1C-88CAE2C6832D}" = ABBYY FineReader 5.0 Sprint
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari
"{5888428E-699C-4E71-BF71-94EE06B497DA}" = TuneUp Utilities 2008
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry® Media Sync
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8DDB4A-C263-40DE-BA16-AFDAD159D59A}" = Tom Clancy's Splinter Cell Conviction
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}" = Microsoft Games for Windows - LIVE Redistributable
"{9322A850-9091-4D0E-B252-3E82EDA3D94A}" = Prototype™
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC54E544-3E42-443C-A91D-A00A6974C592}" = NVIDIA PhysX v8.10.13
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.2 - Deutsch
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B8041710-E0B8-4C98-AA19-0C357AF87E53}" = Opera 10.52
"{B98BE95C-E76F-4246-B8E6-BEB8EE791D06}" = Roxio Media Manager
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{EA450D5D-95EA-4FD0-B8B0-6D8E68FBE2C7}" = Impulse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{F5BDF2BB-C990-4351-A05B-B2243D4037D4}" = BlackBerry Desktop Software 5.0.1
"{F6CE1230-A694-4B86-B21C-A11A112689DA}" = Trust WB-1400T Webcam
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{FD416706-875C-4B0B-A23A-9E740DAE029E}" = Tom Clancy's Rainbow Six Vegas 2
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ask Toolbar_is1" = Vuze Toolbar
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}" = Reg Error: Key error.
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup.divx.com" = DivX-Setup
"Google Chrome" = Google Chrome
"Google Desktop" = Reg Error: Key error.
"Google Updater" = Google Updater
"HitmanPro35" = Hitman Pro 3.5
"ie8" = Windows Internet Explorer 8
"Impulse" = Impulse
"InstallShield_{9322A850-9091-4D0E-B252-3E82EDA3D94A}" = Prototype™
"InstallShield_{F6CE1230-A694-4B86-B21C-A11A112689DA}" = Trust WB-1400T Webcam
"Lexmark X5100 Series" = Lexmark X5100 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Reg Error: Key error.
"PunkBusterSvc" = PunkBuster Services
"RealPlayer 12.0" = RealPlayer
"SADK" = Die Siedler - Aufbruch der Kulturen
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Tropico3" = Tropico 3 1.00
"TuneUpMedia" = TuneUp Companion 1.5.9
"VLC media player" = VLC media player 0.9.8a
"Vuze" = Vuze
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"Xfire" = Xfire (remove only)
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-436374069-484061587-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 17.05.2010 18:02:35 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not be returned. The error code returned is in DWORD 0.

Error - 17.05.2010 18:02:42 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2005
Description = Unable to read performance data from the Server service. No Server performance data will be returned. The error code returned is in DWORD 0, IOSB.Status is in DWORD 1 and IOSB.Information is in DWORD 2.

Error - 17.05.2010 18:02:42 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2006
Description = Unable to read the Server Queue performance data. No Server performance data will be returned. The error code returned is in DWORD 0, IOSB.Status is in DWORD 1 and IOSB.Information is in DWORD 2.

Error - 18.05.2010 04:05:52 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not be returned. The error code returned is in DWORD 0.

Error - 18.05.2010 04:06:00 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2005
Description = Unable to read performance data from the Server service. No Server performance data will be returned. The error code returned is in DWORD 0, IOSB.Status is in DWORD 1 and IOSB.Information is in DWORD 2.

Error - 18.05.2010 04:06:00 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2006
Description = Unable to read the Server Queue performance data. No Server performance data will be returned. The error code returned is in DWORD 0, IOSB.Status is in DWORD 1 and IOSB.Information is in DWORD 2.

Error - 18.05.2010 18:40:00 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not be returned. The error code returned is in DWORD 0.

Error - 18.05.2010 18:40:09 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not be returned. The error code returned is in DWORD 0.

Error - 19.05.2010 03:41:25 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not be returned. The error code returned is in DWORD 0.

Error - 19.05.2010 03:41:31 | Computer Name = 0001-75CCCCB161 | Source = PerfNet | ID = 2005
Description = Unable to read performance data from the Server service. No Server performance data will be returned. The error code returned is in DWORD 0, IOSB.Status is in DWORD 1 and IOSB.Information is in DWORD 2.

[ System Events ]
Error - 14.06.2010 11:41:06 | Computer Name = 0001-75CCCCB161 | Source = Ftdisk | ID = 262193
Description = Configuring the paging file for crash dump failed. Make sure there is a paging file on the boot partition and that it is large enough to contain all physical memory.

Error - 14.06.2010 11:41:48 | Computer Name = 0001-75CCCCB161 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 ms) waiting for the Roxio Hard Drive Watcher 9 service to connect.

Error - 14.06.2010 21:00:31 | Computer Name = 0001-75CCCCB161 | Source = Windows Update Agent | ID = 20
Description = Installation failure: installation of the following update failed with error 0x8007f0f4: Security Update for Windows XP (KB979683)

Error - 15.06.2010 04:52:01 | Computer Name = 0001-75CCCCB161 | Source = Ftdisk | ID = 262189
Description = The system could not load the crash dump driver.

Error - 15.06.2010 04:52:01 | Computer Name = 0001-75CCCCB161 | Source = Ftdisk | ID = 262193
Description = Configuring the paging file for crash dump failed. Make sure there is a paging file on the boot partition and that it is large enough to contain all physical memory.

Error - 15.06.2010 04:52:42 | Computer Name = 0001-75CCCCB161 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 ms) waiting for the Roxio Hard Drive Watcher 9 service to connect.

Error - 15.06.2010 04:53:37 | Computer Name = 0001-75CCCCB161 | Source = Windows Update Agent | ID = 16
Description = Unable to connect: a connection to the "Automatic Updates" service could not be established, so updates cannot be downloaded and installed according to the set schedule. Connection attempts will continue.

Error - 15.06.2010 17:50:11 | Computer Name = 0001-75CCCCB161 | Source = Ftdisk | ID = 262189
Description = The system could not load the crash dump driver.

Error - 15.06.2010 17:50:11 | Computer Name = 0001-75CCCCB161 | Source = Ftdisk | ID = 262193
Description = Configuring the paging file for crash dump failed. Make sure there is a paging file on the boot partition and that it is large enough to contain all physical memory.

Error - 15.06.2010 17:50:57 | Computer Name = 0001-75CCCCB161 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 ms) waiting for the Roxio Hard Drive Watcher 9 service to connect.


< End of report >





#4 Elise
Malware Study Hall Admin, 61,208 posts, Romania

Posted 16 June 2010 - 05:13 AM

Hello again,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft
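
The infection Elise is warning about is the tampered atapi.sys this thread is named for (Hitman Pro reported it as a rootkit in the first post). The tell that a scanner such as GMER reports for it is that the driver's PE header has its AddressOfEntryPoint pointing into the resource section (.rsrc) instead of the code section, which no normal build of a driver produces. What follows is an added example, not code from this thread, from GMER or from any other tool mentioned here: a small Python parser for PE32/PE32+ headers that reports which section holds the entry point and flags the case where that section is .rsrc or is not marked executable. The two images it checks are constructed in memory for illustration; `build_pe`, `check_file` and the constant names are this example's own. To test a real file, pass its path to `check_file()`, but take the file from a clean boot environment or a disk mounted on another machine: a kernel rootkit that sits below the file system can hand a clean copy of the driver to any program that reads it on the infected system, which is why live-system file scans missed it here.

```python
"""Added example (not from the original thread): find which PE section holds a
driver's entry point, the tell-tale GMER reports as "entry point in .rsrc section".
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def entry_point_section(image: bytes):
    """Return (entry_rva, section_name, characteristics) for a PE image.

    section_name is None when the entry RVA falls outside every section.
    Only the headers are parsed, so a truncated file is fine as long as the
    section table is present.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4                     # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20                     # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):             # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at the same offset in PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", image, opt_hdr + 16)[0]
    sect_tbl = opt_hdr + size_of_opt
    for i in range(num_sections):
        name, vsize, va, raw_size, _, _, _, _, _, chars = SECTION_HEADER.unpack_from(
            image, sect_tbl + i * SECTION_HEADER.size)
        span = max(vsize, raw_size)             # VirtualSize may be 0 with old linkers
        if va <= entry_rva < va + span:
            return entry_rva, name.rstrip(b"\x00").decode("ascii", "replace"), chars
    return entry_rva, None, 0


def suspicious_entry_point(image: bytes) -> bool:
    """True when the entry point is outside an executable section or inside .rsrc."""
    _, name, chars = entry_point_section(image)
    if name is None:
        return True
    return name == ".rsrc" or not (chars & IMAGE_SCN_MEM_EXECUTE)


def check_file(path: str) -> bool:
    """Check a driver on disk; read it from a clean boot environment, not the live system."""
    with open(path, "rb") as fh:
        return suspicious_entry_point(fh.read())


# --- constructed sample images (not real drivers) ------------------------------

def build_pe(entry_rva: int) -> bytes:
    """Minimal PE32 with a .text section at RVA 0x1000 and a .rsrc section at 0x3000."""
    sections = [  # name, VirtualAddress, VirtualSize, Characteristics
        (b".text", 0x1000, 0x1000, 0x60000020),   # CODE | EXECUTE | READ
        (b".rsrc", 0x3000, 0x1000, 0x40000040),   # INITIALIZED_DATA | READ
    ]
    e_lfanew = 0x40
    dos_hdr = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_opt = 224                             # PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, size_of_opt, 0x0102)
    opt_hdr = bytearray(size_of_opt)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)     # Magic: PE32
    struct.pack_into("<I", opt_hdr, 16, entry_rva)
    struct.pack_into("<I", opt_hdr, 28, 0x10000)  # ImageBase
    table = b"".join(
        SECTION_HEADER.pack(name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return dos_hdr + b"PE\x00\x00" + file_hdr + bytes(opt_hdr) + table


CLEAN_IMAGE = build_pe(0x1200)      # entry point in .text, as a normal build produces
PATCHED_IMAGE = build_pe(0x3100)    # entry point moved into .rsrc, the pattern GMER flags

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        rva, name, _ = entry_point_section(img)
        print("%-8s entry 0x%08x in %s -> %s" % (
            label, rva, name, "SUSPICIOUS" if suspicious_entry_point(img) else "ok"))
```

The check deliberately looks at section characteristics as well as the name, so a patched driver whose entry point was moved into any non-executable section, or past the end of the section table, is flagged too. A result of "ok" only says the header is unremarkable; it does not prove the file is clean.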


#5 garethi (Topic Starter)
Members, 17 posts

Posted 17 June 2010 - 03:26 AM


Hi Elise,
I finally got the GMER log in safe mode.
I restarted the computer and it went straight into chkdsk mode,
then it crashed and restarted on its own, but with no desktop icons,
so I turned it off and back on again and it went into chkdsk mode again, but this time it started as normal.
So here is the GMER log. I did it without the IAT/EAT because I was advised to do so in the preparation guide;
I hope this was the right thing to do.
Next, tonight I will try to download ComboFix and post the log as instructed and see what needs to be done to save my computer.
I have cancelled my credit cards and ordered new ones. Thank you for the advice.
Gareth





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-17 09:58:35
Windows 5.1.2600 Service Pack 3
Running: 84do77jg.exe; Driver: C:\DOKUME~1\gareth\LOKALE~1\Temp\ugtoifoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74D57A8]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[592] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\svchost.exe[592] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\svchost.exe[592] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 003F000C
.text C:\WINDOWS\system32\svchost.exe[592] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 0104000A
.text C:\WINDOWS\Explorer.EXE[820] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00D5000A
.text C:\WINDOWS\Explorer.EXE[820] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00D6000A
.text C:\WINDOWS\Explorer.EXE[820] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00AB000C

---- Devices - GMER 1.0.15 ----

Device \Driver\00000731 -> \Driver\atapi \Device\Harddisk0\DR0 8A7F046E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@DisplayName BlackBerry Desktop Software 5.0.1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@UninstallString MsiExec.exe /i{F5BDF2BB-C990-4351-A05B-B2243D4037D4}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@Comments
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@Contact
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@DisplayVersion 5.0.1.37
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@HelpTelephone
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@InstallDate
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@InstallLocation C:\Programme\Research In Motion\BlackBerry\
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@InstallSource
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@ProductID
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@Publisher Research In Motion Ltd.
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@Readme
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@URLInfoAbout http://www.rim.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@URLUpdateInfo
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@HelpLink
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@EstimatedSize 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@Language 1033
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@Version 67108864
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@VersionMajor 4
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@VersionMinor 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@DisplayIcon C:\Programme\Research In Motion\BlackBerry\blackberry.ico
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@RegOwner 0001
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}@RegCompany
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@DisplayIcon C:\Programme\Google\Google Desktop Search\GoogleDesktopSetup.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@DisplayName Google Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@DisplayVersion 5.9.0911.03589
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@HelpLink http://desktop.google.com/help.html?hl=de
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@Publisher Google
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@UninstallString C:\Programme\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@URLInfoAbout http://desktop.google.com/?hl=de
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@URLUpdateInfo http://desktop.google.com/?hl=de
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@InstallLocation C:\Programme\Google\Google Desktop Search\
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@VersionMajor 5
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop@VersionMinor 9
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@DisplayName Update for Windows XP (KB955759)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@UninstallString "C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@HelpLink http://support.microsoft.com?kbid=955759
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@ParentDisplayName Windows XP - Software Updates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@ReleaseType Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB955759@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB955759
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@DisplayName Security Update for Windows XP (KB969947)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@UninstallString "C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@InstallDate 20091112
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@HelpLink http://support.microsoft.com?kbid=969947
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@ParentDisplayName Windows XP - Software Updates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB969947@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB969947
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@DisplayName Security Update for Windows XP (KB971468)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@UninstallString "C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@HelpLink http://support.microsoft.com?kbid=971468
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@ParentDisplayName Windows XP - Software Updates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB971468@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB971468
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@DisplayName Security Update for Windows XP (KB972270)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@UninstallString "C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@HelpLink http://support.microsoft.com?kbid=972270
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@ParentDisplayName Windows XP - Software Updates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB972270@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB972270
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@DisplayName Security Update for Windows XP (KB975560)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@UninstallString "C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@HelpLink http://support.microsoft.com?kbid=975560
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@ParentDisplayName Windows XP - Software Updates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975560@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB975560
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@DisplayName Security Update for Windows XP (KB975561)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@UninstallString "C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@HelpLink http://support.microsoft.com?kbid=975561
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975561@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB975561
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@DisplayName Sicherheitsupdate f?r Windows XP (KB975713)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@UninstallString "C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@HelpLink http://support.microsoft.com?kbid=975713
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB975713@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB975713
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@DisplayName Hotfix for Windows XP (KB976002-v5)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@UninstallString
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@InstallDate 20100414
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@HelpLink http://support.microsoft.com?kbid=976002
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@DisplayVersion 5
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@NoRemove 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@NoRemoveInitialValue 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@ParentDisplayName Windows XP - Software Updates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@ReleaseType Hotfix
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB976002-v5
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@DisplayName Update f?r Windows Internet Explorer 8 (KB976662)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@UninstallString "C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@HelpLink http://support.microsoft.com?kbid=976662
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@DisplayIcon C:\Programme\internet explorer\iexplore.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@ParentKeyName ie8Hotfix
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP0\KB976662-IE8
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@RemoveOnIE8Uninstall 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@ParentDisplayName Windows Internet Explorer 8 - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8@ReleaseType Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@DisplayName Sicherheitsupdate f?r Windows XP (KB977816)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@UninstallString "C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@InstallDate 20100415
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@HelpLink http://support.microsoft.com?kbid=977816
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977816@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB977816
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@DisplayName Sicherheitsupdate f?r Windows XP (KB977914)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@UninstallString "C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@HelpLink http://support.microsoft.com?kbid=977914
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB977914@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB977914
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@DisplayName Sicherheitsupdate f?r Windows XP (KB978037)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@UninstallString "C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@HelpLink http://support.microsoft.com?kbid=978037
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978037@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB978037
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@DisplayName Sicherheitsupdate f?r Windows Internet Explorer 8 (KB978207)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@UninstallString "C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@HelpLink http://support.microsoft.com?kbid=978207
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@DisplayIcon C:\Programme\internet explorer\iexplore.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@ParentKeyName ie8Hotfix
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP0\KB978207-IE8
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@RemoveOnIE8Uninstall 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@ParentDisplayName Windows Internet Explorer 8 - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@DisplayName Sicherheitsupdate f?r Windows XP (KB978251)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@UninstallString "C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@HelpLink http://support.microsoft.com?kbid=978251
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978251@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB978251
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@DisplayName Sicherheitsupdate f?r Windows XP (KB978262)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@UninstallString "C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@HelpLink http://support.microsoft.com?kbid=978262
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978262@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB978262
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@DisplayName Sicherheitsupdate f?r Windows XP (KB978338)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@UninstallString "C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@InstallDate 20100415
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@HelpLink http://support.microsoft.com?kbid=978338
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978338@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB978338
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@DisplayName Sicherheitsupdate f?r Windows XP (KB978542)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@UninstallString "C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@InstallDate 20100513
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@HelpLink http://support.microsoft.com?kbid=978542
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978542@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB978542
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@DisplayName Sicherheitsupdate f?r Windows XP (KB978601)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@UninstallString "C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@InstallDate 20100416
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@HelpLink http://support.microsoft.com?kbid=978601
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978601@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB978601
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@DisplayName Sicherheitsupdate f?r Windows XP (KB978706)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@UninstallString "C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@HelpLink http://support.microsoft.com?kbid=978706
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB978706@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB978706
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@DisplayName Hotfix f?r Windows XP (KB979306)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@UninstallString "C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@InstallDate 20100330
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@HelpLink http://support.microsoft.com?kbid=979306
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@ReleaseType Hotfix
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979306@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB979306
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@DisplayName Sicherheitsupdate f?r Windows XP (KB979309)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@UninstallString "C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@InstallDate 20100415
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@HelpLink http://support.microsoft.com?kbid=979309
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979309@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB979309
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@DisplayName Sicherheitsupdate f?r Windows Media Player (KB979402)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@UninstallString "C:\WINDOWS\$NtUninstallKB979402_WM9$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@InstallDate 20100415
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@HelpLink http://support.microsoft.com/?kbid=979402
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@DisplayIcon "%ProgramFiles%\windows media player\wmplayer.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@DisplayName Update f?r Windows Internet Explorer 8 (KB980182)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@UninstallString "C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@InstallDate 20100401
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@HelpLink http://support.microsoft.com?kbid=980182
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@DisplayIcon C:\Programme\internet explorer\iexplore.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@ParentKeyName ie8Hotfix
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP0\KB980182-IE8
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@RemoveOnIE8Uninstall 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@ParentDisplayName Windows Internet Explorer 8 - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8@ReleaseType Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@DisplayName Sicherheitsupdate f?r Windows XP (KB980232)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@UninstallString "C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@InstallDate 20100415
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@HelpLink http://support.microsoft.com?kbid=980232
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@ParentKeyName OperatingSystem
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@ParentDisplayName Windows XP - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB980232@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB980232
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@DisplayName Sicherheitsupdate f?r Windows Internet Explorer 8 (KB981332)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@UninstallString "C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@TSAware 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@InstallDate 20100415
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@Publisher Microsoft Corporation
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@HelpLink http://support.microsoft.com?kbid=981332
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@URLInfoAbout http://support.microsoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@DisplayVersion 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@DisplayIcon C:\Programme\internet explorer\iexplore.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@ParentKeyName ie8Hotfix
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@RegistryLocation HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP0\KB981332-IE8
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@RemoveOnIE8Uninstall 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@ParentDisplayName Windows Internet Explorer 8 - Softwareupdates
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8@ReleaseType Security Update
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3@DisplayName Picasa 3
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3@UninstallString "C:\Programme\Picasa2\Uninstall.exe"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3@DisplayVersion 3.1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3@VersionMajor 3
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3@VersionMinor 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3@HelpLink http://photos.google.com/
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3@Publisher Google, Inc.
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3@URLInfoAbout http://google.com/support/
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3@InstallLocation "C:\Programme\Picasa2"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}@DisplayName Google Toolbar for Internet Explorer
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}@UninstallString "C:\Programme\Google\Google Toolbar\Component\GoogleToolbarManager_A22A7357696681C5.exe" /uninstall
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}@NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}@Publisher Google Inc.
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}@DisplayIcon C:\Programme\Google\Google Toolbar\Component\GoogleToolbarManager_A22A7357696681C5.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}@InstallLocation C:\Programme\Google\Google Toolbar\
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}@MajorVersion 6
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}@MinorVersion 5
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83216020FB}@DisplayIcon C:\Programme\Java\jre6\\bin\javaws.exe

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached file: gmer.log (64.69KB)

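GMER's verdict above, "suspicious modification" on atapi.sys, is the lead that ComboFix later acts on by restoring the driver from the Windows File Protection copy in system32\dllcache. The following script is an added example, not part of this thread or of GMER/ComboFix: it parses the "---- Files ----" section of a GMER log, maps each flagged path onto an offline copy of the Windows directory (a mounted image or a slaved disk, so the check is not running under the rootkit itself), and compares size and SHA-256 of the driver against its dllcache twin. The sample log text and the file contents in `demo()` are constructed.

```python
# Added example (not from the thread): offline cross-check of a GMER-flagged
# driver against its Windows File Protection copy in system32\dllcache.
# The Windows directory is passed in as a path so the check can run against
# a mounted image rather than from the infected OS, where a kernel-mode
# rootkit can lie about file contents. All sample data is constructed.
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Matches a line from GMER's "---- Files ----" section, e.g.
#   File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
# The path may contain spaces, so it is taken up to the last extension.
GMER_FILE_LINE = re.compile(
    r"^File\s+(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+(?P<verdict>.+)$"
)

# Constructed sample mirroring the files section of the log posted above.
GMER_SAMPLE = r"""
---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""


def parse_gmer_files(log_text):
    """Return (windows_path, verdict) pairs from GMER's Files section."""
    flagged, in_files = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("---- Files"):
            in_files = True
            continue
        if line.startswith("----"):  # next section header or "---- EOF"
            in_files = False
            continue
        if in_files:
            m = GMER_FILE_LINE.match(line)
            if m:
                flagged.append((m.group("path"), m.group("verdict")))
    return flagged


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def map_to_root(windows_path, windows_root):
    """Map 'C:\\WINDOWS\\system32\\...' onto windows_root (an offline copy)."""
    parts = PureWindowsPath(windows_path).parts  # ('C:\\', 'WINDOWS', ...)
    if len(parts) < 3 or parts[1].lower() != "windows":
        raise ValueError(f"not under the Windows directory: {windows_path}")
    return windows_root.joinpath(*parts[2:])


def compare_with_dllcache(driver):
    """Compare system32\\drivers\\X with its system32\\dllcache\\X twin."""
    twin = driver.parent.parent / "dllcache" / driver.name
    result = {"driver": str(driver), "dllcache": str(twin)}
    if not driver.is_file() or not twin.is_file():
        result["status"] = "missing"  # no WFP copy: verify against install media
        return result
    result["driver_size"] = driver.stat().st_size
    result["dllcache_size"] = twin.stat().st_size
    result["driver_sha256"] = sha256_of(driver)
    result["dllcache_sha256"] = sha256_of(twin)
    # A mismatch is a lead, not a verdict: a hotfix can also leave the copies
    # different, and malware that patched both copies would pass this check.
    same = result["driver_sha256"] == result["dllcache_sha256"]
    result["status"] = "match" if same else "MISMATCH"
    return result


def audit(log_text, windows_root):
    """Run the dllcache comparison for every file GMER flagged."""
    results = []
    for win_path, verdict in parse_gmer_files(log_text):
        try:
            r = compare_with_dllcache(map_to_root(win_path, windows_root))
        except ValueError:
            r = {"driver": win_path, "status": "not_under_windows"}
        results.append(dict(r, gmer_verdict=verdict))
    return results


def demo(driver_bytes=b"patched atapi.sys (constructed)",
         cache_bytes=b"clean atapi.sys (constructed)"):
    """Build a throwaway Windows-directory layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub, data in (("drivers", driver_bytes), ("dllcache", cache_bytes)):
            (root / "system32" / sub).mkdir(parents=True)
            (root / "system32" / sub / "atapi.sys").write_bytes(data)
        return audit(GMER_SAMPLE, root)


if __name__ == "__main__":
    for r in demo():
        print(r["status"], r["driver"], "gmer:", r["gmer_verdict"])
```

For a real disk, call `audit(open("gmer.log").read(), Path("/mnt/disk/WINDOWS"))` from a clean machine; the ComboFix log further down shows both copies of atapi.sys rewritten at the same timestamp after cleanup, which is what a "match" result should reflect.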

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,208 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:54 AM

Posted 17 June 2010 - 06:33 AM

Hello again,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#7 garethi

garethi
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:54 AM

Posted 17 June 2010 - 11:42 AM

So I ran ComboFix; here is the log.
Thank you very much for your time and energy.

ComboFix 10-06-16.04 - gareth 17.06.2010 18:22:00.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2047.1675 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\gareth\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\gareth\Lokale Einstellungen\Temporary Internet Files\K6-AEwgedd
c:\dokumente und einstellungen\gareth\Lokale Einstellungen\Temporary Internet Files\mKaOC81-U3f-
c:\dokumente und einstellungen\gareth\Lokale Einstellungen\Temporary Internet Files\QWvL_-
c:\windows\run.log
c:\windows\system32\win.com
c:\windows\system32\WORK.DAT

Infizierte Kopie von c:\windows\system32\DRIVERS\atapi.sys wurde gefunden und desinfiziert
Kopie von - Kitty had a snack tongue.gif wurde wiederhergestellt
.
((((((((((((((((((((((( Dateien erstellt von 2010-05-17 bis 2010-06-17 ))))))))))))))))))))))))))))))
.

2010-06-17 16:17 . 2008-04-13 18:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-06-17 16:17 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-17 15:58 . 2010-06-17 15:58 -------- d-----w- c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Help
2010-06-04 13:29 . 2010-06-05 07:08 96512 ----a-w- c:\windows\system32\drivers\atapi_restored.sys
2010-06-04 13:04 . 2010-06-17 15:36 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-04 13:04 . 2010-06-04 13:29 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Hitman Pro
2010-06-04 13:04 . 2010-06-04 13:04 -------- d-----w- c:\programme\Hitman Pro 3.5
2010-05-26 21:11 . 2010-05-26 21:11 503808 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26eadd8d-n\msvcp71.dll
2010-05-26 21:11 . 2010-05-26 21:11 499712 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26eadd8d-n\jmc.dll
2010-05-26 21:11 . 2010-05-26 21:11 348160 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26eadd8d-n\msvcr71.dll
2010-05-26 21:11 . 2010-05-26 21:11 61440 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c559e3c-n\decora-sse.dll
2010-05-26 21:11 . 2010-05-26 21:11 12800 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c559e3c-n\decora-d3d.dll
2010-05-21 12:00 . 2010-05-21 12:00 -------- d-----w- c:\programme\Gemeinsame Dateien\Sonic Shared
2010-05-21 12:00 . 2010-05-21 12:01 -------- d-----w- c:\programme\Roxio
2010-05-21 11:57 . 2010-05-21 12:24 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Research In Motion
2010-05-21 11:56 . 2010-05-21 11:57 -------- d-----w- c:\programme\Gemeinsame Dateien\Research In Motion

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 16:29 . 2010-01-02 18:02 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Skype
2010-06-17 16:29 . 2009-11-10 17:08 -------- d-----w- c:\programme\Steam
2010-06-06 11:43 . 2010-03-31 07:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-28 12:53 . 2009-03-29 07:39 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\dvdcss
2010-05-21 13:38 . 2009-09-07 09:45 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\TuneUpMedia
2010-05-21 12:15 . 2009-04-13 12:15 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Research In Motion
2010-05-21 12:04 . 2008-12-01 18:08 29424 ----a-w- c:\dokumente und einstellungen\gareth\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2010-05-21 12:01 . 2009-04-13 12:11 -------- d-----w- c:\programme\Gemeinsame Dateien\Roxio Shared
2010-05-21 12:00 . 2009-04-13 12:11 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Roxio
2010-05-21 11:58 . 2009-04-13 12:07 -------- d-----w- c:\programme\Research In Motion
2010-05-21 11:33 . 2009-04-13 12:15 256 ----a-w- c:\windows\system32\pool.bin
2010-05-13 08:43 . 2010-04-27 23:32 57344 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-13 08:43 . 2010-04-27 23:29 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX
2010-05-13 08:43 . 2010-05-13 08:43 56766 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-13 08:43 . 2009-03-29 07:31 -------- d-----w- c:\programme\DivX
2010-05-13 08:43 . 2010-05-13 08:43 53600 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\Update\Uninstaller.exe
2010-05-13 08:43 . 2010-05-13 08:43 57409 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\ControlPanel\Uninstaller.exe
2010-05-13 08:30 . 2010-05-13 08:30 144696 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-13 08:30 . 2010-04-27 23:31 754984 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\Setup\Resource.dll
2010-05-13 08:30 . 2010-04-27 23:31 1180952 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\Setup\DivXSetup.exe
2010-04-29 12:54 . 2009-03-30 09:10 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Ubisoft
2010-04-29 12:53 . 2009-03-30 08:51 -------- d-----w- c:\programme\Ubisoft
2010-04-29 12:53 . 2008-12-01 18:46 -------- d--h--w- c:\programme\InstallShield Installation Information
2010-04-29 12:29 . 2010-04-29 12:29 -------- d-----w- c:\programme\Opera
2010-04-27 23:31 . 2010-04-27 23:31 56978 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\WebPlayer\Uninstaller.exe
2010-04-27 23:31 . 2010-04-27 23:31 52963 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-27 23:30 . 2010-04-27 23:30 54073 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\Qt4.5\Uninstaller.exe
2010-04-27 23:30 . 2009-03-29 07:31 -------- d-----w- c:\programme\Gemeinsame Dateien\DivX Shared
2010-04-27 23:27 . 2010-04-27 23:27 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
2010-04-27 23:27 . 2010-04-27 23:27 503808 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-492b138e-n\msvcp71.dll
2010-04-27 23:27 . 2010-04-27 23:27 499712 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-492b138e-n\jmc.dll
2010-04-27 23:27 . 2010-04-27 23:27 348160 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-492b138e-n\msvcr71.dll
2010-04-27 23:27 . 2010-04-27 23:27 61440 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a99dc11-n\decora-sse.dll
2010-04-27 23:27 . 2010-04-27 23:27 12800 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a99dc11-n\decora-d3d.dll
2010-04-27 23:27 . 2010-01-08 06:43 -------- d-----w- c:\programme\Java
2010-04-20 07:44 . 2010-01-02 18:12 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\skypePM
2010-04-16 09:41 . 2006-02-28 12:00 91864 ----a-w- c:\windows\system32\perfc007.dat
2010-04-16 09:41 . 2006-02-28 12:00 476162 ----a-w- c:\windows\system32\perfh007.dat
2010-04-12 15:29 . 2010-04-27 23:27 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-12-22 02:47 . 2009-01-01 12:21 119808 ----a-w- c:\programme\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\programme\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\programme\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 10:47 333192 ----a-w- c:\programme\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\programme\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\programme\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\programme\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\programme\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"ISUSPM"="c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Steam"="c:\programme\Steam\Steam.exe" [2010-05-07 1238352]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-31 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"Ai Quicker Help"="c:\program files\ASUS\ASUS DH Remote\AsRc.exe" [2006-11-09 3165696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"nwiz"="nwiz.exe" [2008-11-12 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"Google Desktop Search"="c:\programme\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-22 30192]
"AppleSyncNotifier"="c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Lexmark X5100 Series"="c:\programme\Lexmark X5100 Series\lxbabmgr.exe" [2002-12-16 86101]
"TkBellExe"="c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2009-09-26 198160]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\programme\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"DivXUpdate"="c:\programme\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"BlackBerryAutoUpdate"="c:\programme\Gemeinsame Dateien\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-25 648536]
"RoxWatchTray"="c:\programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Programme\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Programme\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Activision\\Prototype\\prototypef.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\Xfire\\Xfire.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Programme\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Programme\\Opera\\opera.exe"=
"c:\\Programme\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Programme\\Ubisoft\\Tom Clancy's Splinter Cell Conviction\\src\\system\\conviction_game.exe"=
"c:\\Programme\\Ubisoft\\Tom Clancy's Splinter Cell Conviction\\src\\system\\gu.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [10.10.2009 18:59 108289]
R2 ASKService;ASKService;c:\programme\AskBarDis\bar\bin\AskService.exe [07.09.2009 11:43 464264]
R2 ASKUpgrade;ASKUpgrade;c:\programme\AskBarDis\bar\bin\ASKUpgrade.exe [07.09.2009 11:43 234888]
R3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [24.02.2005 12:29 162176]
S1 MpKslf3309f18;MpKslf3309f18;\??\c:\windows\system32\MpEngineStore\MpKslf3309f18.sys --> c:\windows\system32\MpEngineStore\MpKslf3309f18.sys [?]
S2 gupdate1c9d7a068488b76;Google Update Service (gupdate1c9d7a068488b76);c:\programme\Google\Update\GoogleUpdate.exe [18.05.2009 12:07 133104]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\programme\Google\Google Desktop Search\GoogleDesktop.exe [08.01.2002 15:38 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners

2010-06-17 c:\windows\Tasks\1-Klick-Wartung.job
- c:\programme\TuneUp Utilities 2008\OneClickStarter.exe [2008-08-21 16:47]

2009-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-06-17 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2002-01-08 10:06]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-05-18 10:07]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-05-18 10:07]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://flvdirect.iamwired.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://support.wdc.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\dokumente und einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programme\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\programme\Mozilla Firefox\extensions\{e8b6d5b2-8796-4de4-0739-5fbcf84e38a7}\components\SFZw6O-TNV.dll
FF - plugin: c:\dokumente und einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\real\realplayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programme\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programme\Gemeinsame Dateien\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\programme\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programme\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 18:31
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-436374069-484061587-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}]
@DACL=(02 0000)
"DisplayName"="BlackBerry Desktop Software 5.0.1"
"UninstallString"="MsiExec.exe /i{F5BDF2BB-C990-4351-A05B-B2243D4037D4}"
"Comments"=""
"Contact"=""
"DisplayVersion"="5.0.1.37"
"HelpTelephone"=""
"InstallDate"=""
"InstallLocation"="c:\\Programme\\Research In Motion\\BlackBerry\\"
"InstallSource"=""
"ProductID"=""
"Publisher"="Research In Motion Ltd."
"Readme"=""
"URLInfoAbout"="http://www.rim.com"
"URLUpdateInfo"=""
"HelpLink"=expand:""
"EstimatedSize"=dword:00000000
"Language"=dword:00000409
"Version"=dword:04000000
"VersionMajor"=dword:00000004
"VersionMinor"=dword:00000000
"DisplayIcon"="c:\\Programme\\Research In Motion\\BlackBerry\\blackberry.ico"
"RegOwner"="0001"
"RegCompany"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop]
@DACL=(02 0000)
"DisplayIcon"="c:\\Programme\\Google\\Google Desktop Search\\GoogleDesktopSetup.exe"
"DisplayName"="Google Desktop"
"DisplayVersion"="5.9.0911.03589"
"HelpLink"="http://desktop.google.com/help.html?hl=de"
"Publisher"="Google"
"UninstallString"="c:\\Programme\\Google\\Google Desktop Search\\GoogleDesktopSetup.exe -uninstall"
"URLInfoAbout"="http://desktop.google.com/?hl=de"
"URLUpdateInfo"="http://desktop.google.com/?hl=de"
"InstallLocation"="c:\\Programme\\Google\\Google Desktop Search\\"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"VersionMajor"=dword:00000005
"VersionMinor"=dword:00000009

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB955759]
@DACL=(02 0000)
"DisplayName"="Update für Windows XP (KB955759)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB955759$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=955759"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB955759"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB969947]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB969947)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB969947$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20091112"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=969947"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB969947"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB971468]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB971468)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB971468$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=971468"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB971468"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB972270]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB972270)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB972270$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=972270"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB972270"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB975560]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB975560)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB975560$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=975560"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB975560"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB975561]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB975561)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB975561$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=975561"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB975561"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB975713]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB975713)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB975713$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=975713"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB975713"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB976002-v5]
@DACL=(02 0000)
"DisplayName"="Hotfix for Windows XP (KB976002-v5)"
"UninstallString"=""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100414"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=976002"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="5"
"NoRemove"=dword:00000001
"NoRemoveInitialValue"=dword:00000001
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Software Updates"
"ReleaseType"="Hotfix"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB976002-v5"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB976662-IE8]
@DACL=(02 0000)
"DisplayName"="Update für Windows Internet Explorer 8 (KB976662)"
"UninstallString"="\"c:\\WINDOWS\\ie8updates\\KB976662-IE8\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=976662"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"DisplayIcon"="c:\\Programme\\internet explorer\\iexplore.exe"
"ParentKeyName"="ie8Hotfix"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP0\\KB976662-IE8"
"RemoveOnIE8Uninstall"=dword:00000001
"ParentDisplayName"="Windows Internet Explorer 8 - Softwareupdates"
"ReleaseType"="Update"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB977816]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB977816)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB977816$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100415"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=977816"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB977816"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB977914]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB977914)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB977914$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=977914"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB977914"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB978037]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB978037)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB978037$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=978037"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB978037"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB978207-IE8]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows Internet Explorer 8 (KB978207)"
"UninstallString"="\"c:\\WINDOWS\\ie8updates\\KB978207-IE8\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=978207"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"DisplayIcon"="c:\\Programme\\internet explorer\\iexplore.exe"
"ParentKeyName"="ie8Hotfix"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP0\\KB978207-IE8"
"RemoveOnIE8Uninstall"=dword:00000001
"ParentDisplayName"="Windows Internet Explorer 8 - Softwareupdates"
"ReleaseType"="Security Update"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB978251]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB978251)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB978251$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=978251"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB978251"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB978262]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB978262)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB978262$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=978262"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB978262"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB978338]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB978338)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB978338$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100415"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=978338"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB978338"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB978542]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB978542)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB978542$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100513"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=978542"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB978542"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB978601]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB978601)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB978601$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100416"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=978601"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB978601"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB978706]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB978706)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB978706$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=978706"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB978706"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB979306]
@DACL=(02 0000)
"DisplayName"="Hotfix für Windows XP (KB979306)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB979306$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100330"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=979306"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Hotfix"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB979306"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB979309]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB979309)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB979309$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100415"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=979309"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB979309"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB979402_WM9]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows Media Player (KB979402)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB979402_WM9$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100415"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com/?kbid=979402"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayIcon"=expand:"\"%ProgramFiles%\\windows media player\\wmplayer.exe\""
"ParentKeyName"="OperatingSystem"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB980182-IE8]
@DACL=(02 0000)
"DisplayName"="Update für Windows Internet Explorer 8 (KB980182)"
"UninstallString"="\"c:\\WINDOWS\\ie8updates\\KB980182-IE8\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100401"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=980182"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"DisplayIcon"="c:\\Programme\\internet explorer\\iexplore.exe"
"ParentKeyName"="ie8Hotfix"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP0\\KB980182-IE8"
"RemoveOnIE8Uninstall"=dword:00000001
"ParentDisplayName"="Windows Internet Explorer 8 - Softwareupdates"
"ReleaseType"="Update"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB980232]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows XP (KB980232)"
"UninstallString"="\"c:\\WINDOWS\\$NtUninstallKB980232$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100415"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=980232"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Softwareupdates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB980232"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\KB981332-IE8]
@DACL=(02 0000)
"DisplayName"="Sicherheitsupdate für Windows Internet Explorer 8 (KB981332)"
"UninstallString"="\"c:\\WINDOWS\\ie8updates\\KB981332-IE8\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20100415"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=981332"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"DisplayIcon"="c:\\Programme\\internet explorer\\iexplore.exe"
"ParentKeyName"="ie8Hotfix"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP0\\KB981332-IE8"
"RemoveOnIE8Uninstall"=dword:00000001
"ParentDisplayName"="Windows Internet Explorer 8 - Softwareupdates"
"ReleaseType"="Security Update"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Picasa 3]
@DACL=(02 0000)
"DisplayName"="Picasa 3"
"UninstallString"="\"c:\\Programme\\Picasa2\\Uninstall.exe\""
"DisplayVersion"="3.1"
"VersionMajor"="3"
"VersionMinor"="1"
"HelpLink"="http://photos.google.com/"
"Publisher"="Google, Inc."
"URLInfoAbout"="http://google.com/support/"
"InstallLocation"="\"c:\\Programme\\Picasa2\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
@DACL=(02 0000)
"DisplayName"="Google Toolbar for Internet Explorer"
"UninstallString"="\"c:\\Programme\\Google\\Google Toolbar\\Component\\GoogleToolbarManager_A22A7357696681C5.exe\" /uninstall"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Google Inc."
"DisplayIcon"="c:\\Programme\\Google\\Google Toolbar\\Component\\GoogleToolbarManager_A22A7357696681C5.exe"
"InstallLocation"="c:\\Programme\\Google\\Google Toolbar\\"
"MajorVersion"="6"
"MinorVersion"="5"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83216020FB}]
@DACL=(02 0000)
"DisplayIcon"="c:\\Programme\\Java\\jre6\\\\bin\\javaws.exe"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\SAMLIB.dll

- - - - - - - > 'explorer.exe'(2096)
c:\windows\system32\webcheck.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\programme\Avira\AntiVir Desktop\avguard.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\ASUS\ASUS DH Remote\AsDhRemote.exe
c:\programme\Lexmark X5100 Series\lxbabmon.exe
c:\windows\System32\PAStiSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\programme\iPod\bin\iPodService.exe
c:\programme\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-06-17 18:32:51 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-06-17 16:32

Vor Suchlauf: 13 Verzeichnis(se), 387.046.477.824 Bytes frei
Nach Suchlauf: 15 Verzeichnis(se), 387.910.610.944 Bytes frei

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,4,5
- - End Of File - - 677625826F3EF185878CEE03B743253E


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,208 posts
  • Gender:Female
  • Location:Romania

Posted 17 June 2010 - 12:01 PM

Hello again,
Please uninstall Vuze Toolbar using Add/Remove Programs.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 garethi

garethi
  • Topic Starter

  • Members
  • 17 posts

Posted 18 June 2010 - 06:56 AM

Hi Elise,
I disabled the Vuze toolbar as told, but not the program itself. Do I need to do that too?
Then I disabled my firewall and AntiVir, clicked on ComboFix and pressed Start, but I didn't see anywhere to type in the word notebook; a blue box opened to tell me that ComboFix was running, but I couldn't type anything in there.
What next?
Gareth

#10 garethi

garethi
  • Topic Starter

  • Members
  • 17 posts

Posted 18 June 2010 - 08:39 AM

Hi Elise, sorry, me being stupid, not that good with the computer. I just realised that you mean the green Windows Start box and not the ComboFix Start box; I will do that when I finish work tonight.
Sorry, I am not very computer savvy.
Gareth

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,208 posts
  • Gender:Female
  • Location:Romania

Posted 18 June 2010 - 08:55 AM

No problem :)

Just create the CFScript.txt first as indicated and then drag/drop that onto Combofix.

regards, Elise


#12 garethi

garethi
  • Topic Starter

  • Members
  • 17 posts

Posted 18 June 2010 - 07:54 PM

Hi Elise,
I think this is what you asked for.
Gareth

ComboFix 10-06-16.04 - gareth 19.06.2010 2:36.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2047.1521 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\gareth\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\gareth\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\gareth\Lokale Einstellungen\Temporary Internet Files\K6-AEwgedd
c:\dokumente und einstellungen\gareth\Lokale Einstellungen\Temporary Internet Files\mKaOC81-U3f-
c:\dokumente und einstellungen\gareth\Lokale Einstellungen\Temporary Internet Files\QWvL_-

.
((((((((((((((((((((((( Dateien erstellt von 2010-05-19 bis 2010-06-19 ))))))))))))))))))))))))))))))
.

2010-06-17 20:37 . 2010-05-06 10:31 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-17 16:17 . 2008-04-13 18:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-06-17 16:17 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-17 15:58 . 2010-06-17 15:58 -------- d-----w- c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Help
2010-06-04 13:29 . 2010-06-05 07:08 96512 ----a-w- c:\windows\system32\drivers\atapi_restored.sys
2010-06-04 13:04 . 2010-06-17 15:36 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-04 13:04 . 2010-06-04 13:29 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Hitman Pro
2010-06-04 13:04 . 2010-06-04 13:04 -------- d-----w- c:\programme\Hitman Pro 3.5
2010-05-26 21:11 . 2010-05-26 21:11 503808 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26eadd8d-n\msvcp71.dll
2010-05-26 21:11 . 2010-05-26 21:11 499712 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26eadd8d-n\jmc.dll
2010-05-26 21:11 . 2010-05-26 21:11 348160 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26eadd8d-n\msvcr71.dll
2010-05-26 21:11 . 2010-05-26 21:11 61440 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c559e3c-n\decora-sse.dll
2010-05-26 21:11 . 2010-05-26 21:11 12800 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c559e3c-n\decora-d3d.dll
2010-05-21 12:00 . 2010-05-21 12:00 -------- d-----w- c:\programme\Gemeinsame Dateien\Sonic Shared
2010-05-21 12:00 . 2010-05-21 12:01 -------- d-----w- c:\programme\Roxio
2010-05-21 11:57 . 2010-05-21 12:24 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Research In Motion
2010-05-21 11:56 . 2010-05-21 11:57 -------- d-----w- c:\programme\Gemeinsame Dateien\Research In Motion

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 00:12 . 2009-11-10 17:08 -------- d-----w- c:\programme\Steam
2010-06-18 08:55 . 2010-01-02 18:02 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Skype
2010-06-18 08:34 . 2006-02-28 12:00 91864 ----a-w- c:\windows\system32\perfc007.dat
2010-06-18 08:34 . 2006-02-28 12:00 476162 ----a-w- c:\windows\system32\perfh007.dat
2010-06-06 11:43 . 2010-03-31 07:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-28 12:53 . 2009-03-29 07:39 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\dvdcss
2010-05-21 13:38 . 2009-09-07 09:45 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\TuneUpMedia
2010-05-21 12:15 . 2009-04-13 12:15 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Research In Motion
2010-05-21 12:04 . 2008-12-01 18:08 29424 ----a-w- c:\dokumente und einstellungen\gareth\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2010-05-21 12:01 . 2009-04-13 12:11 -------- d-----w- c:\programme\Gemeinsame Dateien\Roxio Shared
2010-05-21 12:00 . 2009-04-13 12:11 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Roxio
2010-05-21 11:58 . 2009-04-13 12:07 -------- d-----w- c:\programme\Research In Motion
2010-05-21 11:33 . 2009-04-13 12:15 256 ----a-w- c:\windows\system32\pool.bin
2010-05-13 08:43 . 2010-04-27 23:32 57344 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-13 08:43 . 2010-04-27 23:29 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX
2010-05-13 08:43 . 2010-05-13 08:43 56766 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-13 08:43 . 2009-03-29 07:31 -------- d-----w- c:\programme\DivX
2010-05-13 08:43 . 2010-05-13 08:43 53600 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\Update\Uninstaller.exe
2010-05-13 08:43 . 2010-05-13 08:43 57409 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\ControlPanel\Uninstaller.exe
2010-05-13 08:30 . 2010-05-13 08:30 144696 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-13 08:30 . 2010-04-27 23:31 754984 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\Setup\Resource.dll
2010-05-13 08:30 . 2010-04-27 23:31 1180952 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\Setup\DivXSetup.exe
2010-05-06 10:31 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:05 . 2006-02-28 12:00 1851392 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 12:54 . 2009-03-30 09:10 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Ubisoft
2010-04-29 12:53 . 2009-03-30 08:51 -------- d-----w- c:\programme\Ubisoft
2010-04-29 12:53 . 2008-12-01 18:46 -------- d--h--w- c:\programme\InstallShield Installation Information
2010-04-29 12:29 . 2010-04-29 12:29 -------- d-----w- c:\programme\Opera
2010-04-27 23:31 . 2010-04-27 23:31 56978 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\WebPlayer\Uninstaller.exe
2010-04-27 23:31 . 2010-04-27 23:31 52963 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-27 23:30 . 2010-04-27 23:30 54073 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DivX\Qt4.5\Uninstaller.exe
2010-04-27 23:30 . 2009-03-29 07:31 -------- d-----w- c:\programme\Gemeinsame Dateien\DivX Shared
2010-04-27 23:27 . 2010-04-27 23:27 -------- d-----w- c:\programme\Gemeinsame Dateien\Java
2010-04-27 23:27 . 2010-04-27 23:27 503808 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-492b138e-n\msvcp71.dll
2010-04-27 23:27 . 2010-04-27 23:27 499712 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-492b138e-n\jmc.dll
2010-04-27 23:27 . 2010-04-27 23:27 348160 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-492b138e-n\msvcr71.dll
2010-04-27 23:27 . 2010-04-27 23:27 61440 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a99dc11-n\decora-sse.dll
2010-04-27 23:27 . 2010-04-27 23:27 12800 ----a-w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a99dc11-n\decora-d3d.dll
2010-04-27 23:27 . 2010-01-08 06:43 -------- d-----w- c:\programme\Java
2010-04-20 07:44 . 2010-01-02 18:12 -------- d-----w- c:\dokumente und einstellungen\gareth\Anwendungsdaten\skypePM
2010-04-20 05:29 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-12 15:29 . 2010-04-27 23:27 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-12-22 02:47 . 2009-01-01 12:21 119808 ----a-w- c:\programme\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\programme\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\programme\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-06-18_11.39.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-19 00:12 . 2010-06-19 00:12 16384 c:\windows\Temp\Perflib_Perfdata_8d4.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\programme\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\programme\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"ISUSPM"="c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Steam"="c:\programme\Steam\Steam.exe" [2010-05-07 1238352]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-31 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"Ai Quicker Help"="c:\program files\ASUS\ASUS DH Remote\AsRc.exe" [2006-11-09 3165696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"nwiz"="nwiz.exe" [2008-11-12 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"Google Desktop Search"="c:\programme\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-22 30192]
"AppleSyncNotifier"="c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Lexmark X5100 Series"="c:\programme\Lexmark X5100 Series\lxbabmgr.exe" [2002-12-16 86101]
"TkBellExe"="c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2009-09-26 198160]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\programme\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"DivXUpdate"="c:\programme\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"BlackBerryAutoUpdate"="c:\programme\Gemeinsame Dateien\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-25 648536]
"RoxWatchTray"="c:\programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Programme\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Programme\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Activision\\Prototype\\prototypef.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\Xfire\\Xfire.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Programme\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Programme\\Opera\\opera.exe"=
"c:\\Programme\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Programme\\Ubisoft\\Tom Clancy's Splinter Cell Conviction\\src\\system\\conviction_game.exe"=
"c:\\Programme\\Ubisoft\\Tom Clancy's Splinter Cell Conviction\\src\\system\\gu.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [10.10.2009 18:59 108289]
R3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [24.02.2005 12:29 162176]
S1 MpKslf3309f18;MpKslf3309f18;\??\c:\windows\system32\MpEngineStore\MpKslf3309f18.sys --> c:\windows\system32\MpEngineStore\MpKslf3309f18.sys [?]
S2 gupdate1c9d7a068488b76;Google Update Service (gupdate1c9d7a068488b76);c:\programme\Google\Update\GoogleUpdate.exe [18.05.2009 12:07 133104]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\programme\Google\Google Desktop Search\GoogleDesktop.exe [08.01.2002 15:38 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners

2010-06-18 c:\windows\Tasks\1-Klick-Wartung.job
- c:\programme\TuneUp Utilities 2008\OneClickStarter.exe [2008-08-21 16:47]

2009-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-06-19 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2002-01-08 10:06]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-05-18 10:07]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-05-18 10:07]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://flvdirect.iamwired.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://support.wdc.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\dokumente und einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programme\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\programme\Mozilla Firefox\extensions\{e8b6d5b2-8796-4de4-0739-5fbcf84e38a7}\components\SFZw6O-TNV.dll
FF - plugin: c:\dokumente und einstellungen\gareth\Anwendungsdaten\Mozilla\Firefox\Profiles\mxfswe0p.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\real\realplayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programme\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programme\Gemeinsame Dateien\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\programme\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programme\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Policies ----
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - Removed orphaned registry entries - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 02:40
Windows 5.1.2600 Service Pack 3 NTFS

Scanning hidden processes...

Scanning hidden autostart entries...

Scanning hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- Locked Registry Keys ---------------------

[HKEY_USERS\S-1-5-21-436374069-484061587-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
Completion time: 2010-06-19 02:41:47
ComboFix-quarantined-files.txt 2010-06-19 00:41
ComboFix2.txt 2010-06-18 11:45
ComboFix3.txt 2010-06-18 11:40
ComboFix4.txt 2010-06-17 16:35

Before scan: 14 directory(ies), 387,254,321,152 bytes free
After scan: 15 directory(ies), 387,214,114,816 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,4,5
- - End Of File - - 91BC109CA3314868DA8D7675F034FF09
or this

Attached Files



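The log above shows the Internet Explorer start page and the Firefox default search and keyword URLs all pointing at flvdirect.iamwired.net, which matches the redirect symptoms described in the thread. As an added example (not code from the original post, from BleepingComputer or from the ComboFix/DDS tools), here is a small Python triage script that scans log lines in this format and reports two things: search or start-page settings whose host is not on an owner-supplied allowlist, and Firefox component or plugin DLLs whose file name looks machine-generated. The allowlist (yahoo.com, google.com, support.wdc.com) and the file-name heuristic are assumptions made for the example; both kinds of output are items to review by hand, not malware verdicts. The sample log lines embedded in the script are constructed from the format of the log above.

```python
"""Triage helpers for ComboFix / DDS style log lines.

Added example, not code from the original post or from ComboFix/DDS.
Reports "review this" indicators; it does not decide what is malicious.
"""
import re
from urllib.parse import urlparse

# Assumption for the example: hosts the machine's owner is known to use.
# Any other host appearing as a start page or search provider is reported.
TRUSTED_HOSTS = {
    "yahoo.com", "www.yahoo.com", "us.rd.yahoo.com",
    "google.com", "www.google.com", "support.wdc.com",
}

# Settings that browser hijackers typically rewrite. ComboFix prefixes the
# IE values with the hive (u = HKCU, m = HKLM); Firefox values appear as
# "FF - prefs.js: <pref> - <value>".
HIJACK_SETTINGS = (
    "Start Page", "Search Bar", "SearchURL",
    "browser.startup.homepage", "browser.search.defaulturl", "keyword.URL",
)

URL_RE = re.compile(r"hxxp://\S+")  # these logs defang http:// as hxxp://
DLL_LINE_RE = re.compile(r"^FF - (?:component|plugin): (.+\.dll)$", re.I)


def refang(url):
    """Turn the defanged hxxp:// form back into a parseable URL."""
    return url.replace("hxxp://", "http://", 1)


def url_host(url):
    """Host part of a (possibly defanged) URL, lower-cased; '' if absent."""
    return (urlparse(refang(url)).hostname or "").lower()


def looks_machine_generated(stem):
    """Rough heuristic (assumption): mixed case plus digits, and no run of
    three lowercase letters, which real product names almost always have."""
    has_upper = any(c.isupper() for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    has_lower_run = re.search(r"[a-z]{3}", stem) is not None
    return has_upper and has_digit and not has_lower_run


def scan_log(text):
    """Return a list of (kind, detail) findings for one log text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. Start page / search provider pointing at a host not on the allowlist.
        keys = [k for k in HIJACK_SETTINGS if k in line]
        if keys:
            m = URL_RE.search(line)
            if m:
                host = url_host(m.group(0))
                if host and host not in TRUSTED_HOSTS:
                    findings.append(("search_hijack", f"{keys[0]} -> {host}"))
        # 2. Firefox component / plugin DLLs with machine-generated-looking names.
        m = DLL_LINE_RE.match(line)
        if m:
            path = m.group(1)
            stem = path.rsplit("\\", 1)[-1][:-4]  # file name without ".dll"
            if looks_machine_generated(stem):
                findings.append(("odd_dll_name", path))
    return findings


# Constructed sample in the same format as the log in the thread.
SAMPLE_LOG = """\
uStart Page = hxxp://flvdirect.iamwired.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\\programme\\Mozilla Firefox\\components\\GoogleDesktopMozilla.dll
FF - component: c:\\programme\\Mozilla Firefox\\extensions\\{e8b6d5b2-8796-4de4-0739-5fbcf84e38a7}\\components\\SFZw6O-TNV.dll
FF - plugin: c:\\programme\\Google\\Google Updater\\2.4.1591.6512\\npCIDetect13.dll
"""

if __name__ == "__main__":
    for kind, detail in scan_log(SAMPLE_LOG):
        print(f"{kind:14} {detail}")
```

Run against the sample, it reports the three flvdirect.iamwired.net settings and the single DLL whose name has no recognisable word in it, while the Yahoo search bar and the Google plugin (mixed case and digits, but a readable name) pass. Swap SAMPLE_LOG for the text of a real ComboFix or DDS log and adjust TRUSTED_HOSTS to what the owner actually set.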
#13 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,208 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:54 AM

Posted 19 June 2010 - 04:19 AM

Hello again,

At this point, could you please list all issues you are still having, so I know on what to concentrate next.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#14 garethi

  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 19 June 2010 - 10:52 AM

Hi Elise,
At this moment in time it seems to be just opening new pages unasked for. I just logged on and opened BleepingComputer; that opened, and then immediately a new page opened for a gaming site as well as BleepingComputer.
Sorry if this is getting arduous, thanks for all your help.
Gareth

#15 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,208 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:54 AM

Posted 19 June 2010 - 11:32 AM

Please rerun OTL and post me a new log.

Edited by elise025, 19 June 2010 - 11:33 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft




