Unruy.D infection


Hi everyone,

AntiVir and MS Security Essentials tell me at every boot that they've found "Unruy.D" and ask to remove it. But it is not possible to remove it.

Sometimes after logging in, I even get a bluescreen and the system reboots.

Finally I came across this forum. As instructed, I am pasting the contents of "DDS.txt" and attaching "attach.txt".

Thanks for your help!

DDS (Ver_10-03-17.01) - NTFSx86

Run by HCI Admin at 16:28:30,50 on 11.06.2010

Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_16

Microsoft

Attach.txt


Hello doozer

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below in bold


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

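As an added illustration of what a helper looks for first in the OTL and GMER logs requested above (example code written for this page; it is not part of the original thread and not code from the OTL or GMER tools), the script below makes one triage pass over log lines in those two formats. It marks as "review": loaded binaries whose publisher field is empty, autorun/BHO/menu entries whose file is gone ("File not found"), kernel code sections GMER reports as writeable, user-mode inline hooks that jump into a module not reported as Microsoft's (hooks into Microsoft modules such as the IEFRAME.dll entries in the GMER log posted in this thread are treated as expected), and hosts-file entries that point anywhere other than loopback (a long list of 127.0.0.1 entries is a blocklist, a name mapped to a real address is a redirect). GMER's own randomly named driver under %TEMP%, shown on its "Running: ...; Driver: ..." header line, is recorded as "info" so it is not mistaken for the infection. The sample lines are copied from the logs posted in this thread, except the two marked CONSTRUCTED (a hook into a DLL under %TEMP% and a hosts entry for 203.0.113.5), which are made up to exercise those rules. As the post says, these are candidates for a human to check, not verdicts.

```python
"""Triage pass over OTL and GMER log lines (added example, not from the thread).

Flags candidates for a human to review: loaded binaries with an empty
publisher field, autorun/BHO/menu entries whose file is gone, kernel code
sections GMER reports as writeable, user-mode inline hooks that jump into a
non-Microsoft module, and hosts-file entries that point somewhere other
than loopback. GMER's own randomly named driver is recorded as "info".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# OTL: "<kind> - <rest>", with <rest> ending in "<path> (<publisher>)"
# or "<path> File not found" for entries whose target no longer exists.
OTL_LINE = re.compile(r'^(?P<kind>PRC|MOD|SRV|DRV|O1|O2|O4|O9)\s+-\s+(?P<rest>.*)$')
OTL_TARGET = re.compile(
    r'(?P<path>[A-Za-z]:\\.*?)\s*(?:\((?P<publisher>[^()]*)\)|(?P<missing>File not found))\s*$')
HOSTS = re.compile(r'^Hosts:\s+(?P<addr>\S+)\s+(?P<host>\S+)')

# GMER: its own driver header line, writeable kernel sections, inline hooks.
GMER_DRIVER = re.compile(r'^Running:\s+\S+;\s+Driver:\s+(?P<drv>[A-Za-z]:\\\S+)')
GMER_WRITEABLE = re.compile(r'^\.text\s+(?P<path>[A-Za-z]:\\\S+)\s+section is writeable')
GMER_HOOK = re.compile(
    r'^\.text\s+(?P<proc>[A-Za-z]:\\.+?\.exe)\[(?P<pid>\d+)\]\s+(?P<api>\S+!\S+)'
    r'\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+[0-9A-Fa-f]+\s+'
    r'(?P<target>[A-Za-z]:\\.+?)\s+\((?P<publisher>[^()]*)\)\s*$')


@dataclass(frozen=True)
class Finding:
    severity: str  # "info" (expected, just noted) or "review" (look at it)
    rule: str
    subject: str
    line: str


def _hosts_finding(rest: str, line: str) -> Optional[Finding]:
    h = HOSTS.match(rest)
    if not h:
        return None
    try:
        ip = ipaddress.ip_address(h['addr'])
    except ValueError:          # e.g. OTL's "13965 more lines..." summary
        return None
    if ip.is_loopback or ip.is_unspecified:
        return None             # blocklist-style entry: 127.0.0.1 / ::1 / 0.0.0.0
    return Finding('review', 'hosts-redirect', f"{h['host']} -> {ip}", line)


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if m := GMER_DRIVER.match(line):
        return Finding('info', 'gmer-own-driver', m['drv'], line)
    if m := GMER_WRITEABLE.match(line):
        return Finding('review', 'writeable-kernel-section', m['path'], line)
    if m := GMER_HOOK.match(line):
        if 'Microsoft Corporation' in m['publisher']:
            return None         # e.g. IE hooking USER32 from IEFRAME.dll
        return Finding('review', 'hook-to-nonmicrosoft-module',
                       f"{m['api']} -> {m['target']}", line)
    m = OTL_LINE.match(line)
    if not m:
        return None
    if m['kind'] == 'O1':
        return _hosts_finding(m['rest'], line)
    t = OTL_TARGET.search(m['rest'])
    if not t:
        return None
    if t['missing']:
        return Finding('review', 'orphaned-entry', t['path'], line)
    if not t['publisher'].strip():
        return Finding('review', 'no-publisher', t['path'], line)
    return None


def triage(lines) -> List[Finding]:
    return [f for f in map(triage_line, lines) if f is not None]


# Sample input: lines copied from the logs in this thread, plus two
# CONSTRUCTED lines (marked) that exercise the hook and hosts rules.
SAMPLE_LOG = [
    r"Running: t8r8rr4j.exe; Driver: C:\Users\HCIADM~1\AppData\Local\Temp\kxndiuog.sys",
    r".text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8BC0A000, 0x267978, 0xE8000020]",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!SetWindowsHookExW 76CF87AD 5 Bytes JMP 6E2C9AC9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    # CONSTRUCTED: a hook into an unsigned DLL under %TEMP%
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2636] WS2_32.dll!send 76A1B2C3 5 Bytes JMP 10001000 C:\Users\HCI\AppData\Local\Temp\hook_example.dll ()",
    r"DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)",
    r"DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()",
    r"O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)",
    r"O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe File not found",
    r"O1 - Hosts: 127.0.0.1 www.007guard.com",
    r"O1 - Hosts: 13965 more lines...",
    # CONSTRUCTED: a hosts entry that redirects a name to a real address
    r"O1 - Hosts: 203.0.113.5 update.example.com",
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:28} {f.subject}")
```

Run it on a saved OTL.txt or ark.txt by replacing SAMPLE_LOG with the file's lines; the "no-publisher" and "writeable-kernel-section" hits are the ones to check against the vendor's signed file before touching anything, and an "orphaned-entry" is just a leftover registry reference whose file is already gone.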

Thanks for your help!

Please find the logs attached:

GMER:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-12 12:29:23

Windows 6.0.6002 Service Pack 2

Running: t8r8rr4j.exe; Driver: C:\Users\HCIADM~1\AppData\Local\Temp\kxndiuog.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8BC0A000, 0x267978, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!SetWindowsHookExW 76CF87AD 5 Bytes JMP 6E2C9AC9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CallNextHookEx 76CF8E3B 5 Bytes JMP 6E2BD0ED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!UnhookWindowsHookEx 76CF98DB 5 Bytes JMP 6E23467C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CreateWindowExW 76D01305 5 Bytes JMP 6E2CDB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxParamW 76D210B0 5 Bytes JMP 6E1F54C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxIndirectParamW 76D22EF5 5 Bytes JMP 6E3C480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxParamA 76D38152 5 Bytes JMP 6E3C47AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxIndirectParamA 76D3847D 5 Bytes JMP 6E3C4872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxIndirectA 76D4D4D9 5 Bytes JMP 6E3C4741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxIndirectW 76D4D5D3 5 Bytes JMP 6E3C46D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxExA 76D4D639 5 Bytes JMP 6E3C4674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxExW 76D4D65D 5 Bytes JMP 6E3C4612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] ole32.dll!OleLoadFromStream 75CD1E12 5 Bytes JMP 6E3C4B77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2636] ole32.dll!CoCreateInstance 75D09EA6 5 Bytes JMP 6E2CDB78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2640] USER32.dll!CreateWindowExW 76D01305 5 Bytes JMP 6E2CDB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2640] USER32.dll!DialogBoxParamW 76D210B0 5 Bytes JMP 6E1F54C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2640] USER32.dll!DialogBoxIndirectParamW 76D22EF5 5 Bytes JMP 6E3C480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2640] USER32.dll!DialogBoxParamA 76D38152 5 Bytes JMP 6E3C47AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2640] USER32.dll!DialogBoxIndirectParamA 76D3847D 5 Bytes JMP 6E3C4872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2640] USER32.dll!MessageBoxIndirectA 76D4D4D9 5 Bytes JMP 6E3C4741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2640] USER32.dll!MessageBoxIndirectW 76D4D5D3 5 Bytes JMP 6E3C46D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2640] USER32.dll!MessageBoxExA 76D4D639 5 Bytes JMP 6E3C4674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2640] USER32.dll!MessageBoxExW 76D4D65D 5 Bytes JMP 6E3C4612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\BTHUSB \Device\00000079 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\0000007b bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d604eb4ab

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00221566f18d

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf59fbcf 0xEA 0xDD 0xE0 0xEB ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf59fb46 0xE7 0xE8 0x81 0x44 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf59fb69 0x58 0xE1 0xC5 0x3D ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf59fb2f 0xA7 0x47 0xE6 0x79 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf54fae6 0xFD 0x44 0x03 0x43 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6E 0x6A 0x22 0x29 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x19 0xEA 0x46 0x1D ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0xC4 0xB0 0x22 ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001d604eb4ab (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00221566f18d (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf59fbcf 0xEA 0xDD 0xE0 0xEB ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf59fb46 0xE7 0xE8 0x81 0x44 ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf59fb69 0x58 0xE1 0xC5 0x3D ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf59fb2f 0xA7 0x47 0xE6 0x79 ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00221566f18d@0007cf54fae6 0xFD 0x44 0x03 0x43 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6E 0x6A 0x22 0x29 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x19 0xEA 0x46 0x1D ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0xC4 0xB0 0x22 ...

---- EOF - GMER 1.0.15 ----

OTL.txt

OTL logfile created on: 14.06.2010 10:48:39 - Run 1

OTL by OldTimer - Version 3.2.6.0 Folder = C:\Users\HCI\Downloads

Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18928)

Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 48,00% Memory free

4,00 Gb Paging File | 3,00 Gb Available in Paging File | 72,00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 213,35 Gb Total Space | 145,49 Gb Free Space | 68,19% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: SURFACE-GLJD3FB

Current User Name: HCI

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\HCI\Downloads\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)

PRC - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE (Microsoft Corporation)

PRC - C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

PRC - C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc.)

PRC - C:\Program Files\TortoiseSVN\bin\TSVNCache.exe (http://tortoisesvn.net)

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Microsoft Surface\v1.0\SurfaceInput.exe (Microsoft Corporation)

PRC - C:\Program Files\Microsoft Surface\v1.0\ScmService.exe (Microsoft Corporation)

PRC - C:\Program Files\Microsoft Surface\v1.0\SurfaceOutOfOrderMonitor.exe (Microsoft Corporation)

PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)

========== Modules (SafeList) ==========

MOD - C:\Users\HCI\Downloads\OTL.exe (OldTimer Tools)

MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)

MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

SRV - (aspnet_state) -- C:\Windows\Microsoft.NET\Framework\v4.0.21006\aspnet_state.exe (Microsoft Corporation)

SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)

SRV - (clr_optimization_v4.0.21006_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe (Microsoft Corporation)

SRV - (NetTcpPortSharing) -- C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (Microsoft Corporation)

SRV - (NetTcpActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (Microsoft Corporation)

SRV - (NetPipeActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (Microsoft Corporation)

SRV - (NetMsmqActivator) -- C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (Microsoft Corporation)

SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)

SRV - (wlidsvc) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)

SRV - (ANTS Memory Profiler 4 Service) -- C:\Program Files\Red Gate\ANTS Profiler 4\Memory\RedGate.Profiler.IISProfileHost.exe (Red Gate Software Ltd)

SRV - (ANTS Performance Profiler 4 Service) -- C:\Program Files\Red Gate\ANTS Profiler 4\RedGate.Profiler.IISService.exe (Red Gate Software Ltd.)

SRV - (LBTServ) -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)

SRV - (SCMService) -- C:\Program Files\Microsoft Surface\v1.0\ScmService.exe (Microsoft Corporation)

SRV - (SurfaceOutOfOrderMonitor) -- C:\Program Files\Microsoft Surface\v1.0\SurfaceOutOfOrderMonitor.exe (Microsoft Corporation)

SRV - (msvsmon90) -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)

DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)

DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)

DRV - (MpFilter) -- C:\Windows\System32\drivers\MpFilter.sys (Microsoft Corporation)

DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)

DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys (Duplex Secure Ltd.)

DRV - (LUsbFilt) -- C:\Windows\System32\drivers\LUsbFilt.sys (Logitech, Inc.)

DRV - (LMouKE) -- C:\Windows\System32\drivers\LMouKE.Sys (Logitech, Inc.)

DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)

DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)

DRV - (LHidEqd) -- C:\Windows\System32\drivers\LHidEqd.sys (Logitech, Inc.)

DRV - (LEqdUsb) -- C:\Windows\System32\drivers\LEqdUsb.sys (Logitech, Inc.)

DRV - (L8042mou) -- C:\Windows\System32\drivers\L8042mou.Sys (Logitech, Inc.)

DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)

DRV - (Hydra) -- C:\Windows\System32\drivers\Hydra.sys (Microsoft Corporation)

DRV - (athrusb) -- C:\Windows\System32\drivers\athrusb.sys (Atheros Communications, Inc.)

DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)

DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)

DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)

DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)

DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)

DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)

DRV - (e1express) Intel® -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)

DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)

DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)

DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)

DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)

DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)

DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)

DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)

DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)

DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)

DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)

DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)

DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)

DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)

DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)

DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)

DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)

DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)

DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)

DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)

DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)

DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)

DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)

DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)

DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)

DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)

DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)

DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)

DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)

DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)

DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)

DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)

DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)

DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)

DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)

DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)

DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)

DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)

DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/?ocid=iehp

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 63 A4 60 3E AA 07 CB 01 [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.9

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009.07.10 13:09:08 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.06.11 15:19:35 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.05.14 15:01:14 | 000,000,000 | ---D | M]

[2009.06.24 15:02:44 | 000,000,000 | ---D | M] -- C:\Users\HCI\AppData\Roaming\Mozilla\Extensions

[2009.06.24 15:02:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\HCI\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2010.06.10 20:29:34 | 000,000,000 | ---D | M] -- C:\Users\HCI\AppData\Roaming\Mozilla\Firefox\Profiles\84wsmj1r.default\extensions

[2009.07.19 17:08:12 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\HCI\AppData\Roaming\Mozilla\Firefox\Profiles\84wsmj1r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010.06.10 20:29:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010.04.07 10:58:12 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009.08.22 17:26:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

[2010.04.07 10:57:54 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll

[2010.04.07 10:57:54 | 000,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll

[2009.08.22 17:26:34 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll

[2010.04.07 10:58:01 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

[2006.10.26 20:12:16 | 000,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL

[2010.04.04 01:43:36 | 000,103,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll

[2010.04.07 10:58:03 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml

[2010.04.07 10:58:03 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml

[2010.04.07 10:58:03 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml

[2010.04.07 10:58:03 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml

[2010.04.07 10:58:03 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml

[2010.04.07 10:58:03 | 000,000,801 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010.06.09 10:29:12 | 000,403,693 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 13965 more lines...

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: Wallpaper = c:\windows\web\wallpaper\surface1.jpg ()

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: WallpaperStyle = 2

O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)

O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe File not found

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\wshbth.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)

O13 - gopher Prefix: missing

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 134.34.3.3 134.34.3.2

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\Windows\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\Windows\System32\sysdm.cpl (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\Windows\System32\browseui.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\System32\credssp.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\Windows\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\Windows\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\Windows\System32\wdigest.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (tspkg) - C:\Windows\System32\tspkg.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{0019f3ee-8f58-11de-b100-00221566f18d}\Shell - "" = AutoRun

O33 - MountPoints2\{0019f3ee-8f58-11de-b100-00221566f18d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

O33 - MountPoints2\{823b0d1e-9ead-11de-809e-00221566f18d}\Shell - "" = AutoRun

O33 - MountPoints2\{823b0d1e-9ead-11de-809e-00221566f18d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

O33 - MountPoints2\{9a85fbdd-5cb1-11de-a6b4-00221566f18d}\Shell - "" = AutoRun

O33 - MountPoints2\{cfce3aa4-4c9c-11df-854c-00221566f18d}\Shell\1\Command - "" = .\recycled\info.exe

O33 - MountPoints2\{cfce3aa4-4c9c-11df-854c-00221566f18d}\Shell\AutoRun\command - "" = C:\Windows\System32\shell32.dll -- [2009.04.11 08:28:24 | 011,584,000 | ---- | M] (Microsoft Corporation)

O33 - MountPoints2\{f341235c-818f-11de-a0aa-00221566f18d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - C:\Windows\System32\ias [2008.01.21 04:35:08 | 000,000,000 | ---D | M]

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: SRService - File not found

NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010.06.11 11:20:23 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials

[2010.06.10 21:32:38 | 000,000,000 | ---D | C] -- C:\Users\HCI\AppData\Roaming\Malwarebytes

[2010.06.10 21:32:28 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2010.06.10 21:32:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2010.06.10 21:32:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2010.06.10 21:32:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010.06.10 21:26:47 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center

[2010.06.10 20:04:21 | 000,000,000 | ---D | C] -- C:\SURFACE

[2010.06.10 14:19:39 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys

[2010.06.10 14:19:37 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys

[2010.06.10 14:19:37 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys

[2010.06.10 14:19:37 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntdd.sys

[2010.06.10 14:19:37 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntmgr.sys

[2010.06.10 14:19:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira

[2010.06.10 14:19:35 | 000,000,000 | ---D | C] -- C:\Program Files\Avira

[2010.06.10 13:07:07 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft

[2010.06.10 13:02:02 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll

[2010.06.10 13:01:45 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll

[2010.06.10 13:01:45 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll

[2010.06.10 13:01:44 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl

[2010.06.10 13:01:44 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll

[2010.06.10 13:01:44 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll

[2010.06.10 13:01:43 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll

[2010.06.10 13:01:43 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe

[2010.06.10 13:01:43 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe

[2010.06.10 13:01:43 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll

[2010.06.10 13:01:43 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll

[2010.06.10 13:01:43 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll

[2010.06.10 13:01:43 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll

[2010.06.10 13:01:43 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2010.06.10 13:01:43 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe

[2010.06.10 13:01:42 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

[2010.06.10 13:01:25 | 002,037,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2010.06.10 13:01:24 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll

[2010.06.10 13:01:23 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll

[2010.06.10 13:01:22 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll

[2010.06.09 11:30:55 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8

[2010.06.09 10:19:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy

[2010.06.09 10:19:55 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2010.06.09 09:44:49 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%

[2010.06.08 15:03:55 | 000,000,000 | ---D | C] -- C:\Users\HCI\Documents\PassMark

[2010.06.08 15:03:51 | 000,000,000 | ---D | C] -- C:\Users\HCI\AppData\Local\PassMark

[2010.06.08 15:03:38 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_39.dll

[2010.06.08 15:03:38 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_39.dll

[2010.06.08 15:03:38 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_39.dll

[2010.06.08 15:02:58 | 000,000,000 | ---D | C] -- C:\ProgramData\PassMark

[2010.06.08 14:45:58 | 000,000,000 | ---D | C] -- C:\speedtest

[2010.06.06 15:03:41 | 000,000,000 | ---D | C] -- C:\Users\HCI\BaseXData

[2010.06.06 14:53:17 | 000,000,000 | ---D | C] -- C:\Users\HCI\Desktop\FacetBrowsing

[2010.05.20 11:39:06 | 000,000,000 | ---D | C] -- C:\Users\HCI\AppData\Roaming\ATI

[2010.05.20 11:39:06 | 000,000,000 | ---D | C] -- C:\Users\HCI\AppData\Local\ATI

[2010.05.20 11:39:06 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI

[2010.05.20 11:34:39 | 000,000,000 | ---D | C] -- C:\Program Files\ATI

[2010.05.20 11:34:24 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies

[2010.05.20 11:33:20 | 000,000,000 | ---D | C] -- C:\ATI

========== Files - Modified Within 30 Days ==========

[2010.06.14 10:50:19 | 006,029,312 | -HS- | M] () -- C:\Users\HCI\ntuser.dat

[2010.06.14 09:44:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2010.06.14 09:44:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2010.06.14 09:43:58 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010.06.14 09:43:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010.06.14 09:43:52 | 2144,542,720 | -HS- | M] () -- C:\hiberfil.sys

[2010.06.12 12:41:13 | 000,005,332 | ---- | M] () -- C:\Windows\bthservsdp.dat

[2010.06.11 17:34:34 | 000,065,536 | -HS- | M] () -- C:\Users\HCI\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf

[2010.06.11 17:34:33 | 000,524,288 | -HS- | M] () -- C:\Users\HCI\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms

[2010.06.11 15:19:38 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat

[2010.06.11 15:12:20 | 000,000,418 | RHS- | M] () -- C:\ProgramData\ntuser.pol

[2010.06.11 15:09:27 | 000,101,312 | ---- | M] () -- C:\Windows\System32\GDIPFONTCACHEV1.DAT

[2010.06.11 14:55:44 | 000,524,288 | -HS- | M] () -- C:\Users\HCI\NTUSER.DAT{d681d1f0-7556-11df-bccd-002215b322d0}.TMContainer00000000000000000002.regtrans-ms

[2010.06.11 14:55:44 | 000,524,288 | -HS- | M] () -- C:\Users\HCI\NTUSER.DAT{d681d1f0-7556-11df-bccd-002215b322d0}.TMContainer00000000000000000001.regtrans-ms

[2010.06.11 14:55:44 | 000,065,536 | -HS- | M] () -- C:\Users\HCI\NTUSER.DAT{d681d1f0-7556-11df-bccd-002215b322d0}.TM.blf

[2010.06.11 14:53:33 | 000,524,288 | -HS- | M] () -- C:\Users\HCI\NTUSER.DAT{d681d1da-7556-11df-bccd-002215b322d0}.TMContainer00000000000000000002.regtrans-ms

[2010.06.11 14:53:33 | 000,524,288 | -HS- | M] () -- C:\Users\HCI\NTUSER.DAT{d681d1da-7556-11df-bccd-002215b322d0}.TMContainer00000000000000000001.regtrans-ms

[2010.06.11 14:53:33 | 000,065,536 | -HS- | M] () -- C:\Users\HCI\NTUSER.DAT{d681d1da-7556-11df-bccd-002215b322d0}.TM.blf

[2010.06.11 13:50:50 | 002,434,010 | -H-- | M] () -- C:\Users\HCI\AppData\Local\IconCache.db

[2010.06.11 11:20:25 | 000,000,947 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk

[2010.06.10 21:32:30 | 000,000,825 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010.06.10 20:03:47 | 000,780,054 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2010.06.10 20:03:47 | 000,647,890 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2010.06.10 20:03:47 | 000,125,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2010.06.10 19:53:36 | 145,861,992 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2010.06.10 19:25:32 | 000,059,447 | ---- | M] () -- C:\test.jpg

[2010.06.10 16:56:03 | 000,000,660 | RHS- | M] () -- C:\Users\HCI\ntuser.pol

[2010.06.10 14:19:52 | 000,001,854 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk

[2010.06.10 13:23:37 | 000,387,984 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2010.06.09 12:10:31 | 000,001,282 | ---- | M] () -- C:\Users\HCI\Desktop\Sample.MTScatterPlot.exe - Shortcut.lnk

[2010.06.09 10:29:12 | 000,403,693 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2010.06.07 11:35:21 | 000,000,272 | ---- | M] () -- C:\Users\HCI\.basex

[2010.06.06 19:30:45 | 000,001,437 | ---- | M] () -- C:\Users\HCI\.basexwin

[2010.06.06 15:01:52 | 000,000,041 | ---- | M] () -- C:\Users\HCI\.basexperm

[2010.05.26 19:06:41 | 000,034,304 | ---- | M] (Adobe Systems) -- C:\Windows\System32\atmlib.dll

[2010.05.26 16:47:41 | 000,289,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll

[2010.05.21 14:14:28 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe

========== Files Created - No Company Name ==========

[2010.06.11 15:19:38 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat

[2010.06.11 15:12:20 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol

[2010.06.11 15:03:12 | 2144,542,720 | -HS- | C] () -- C:\hiberfil.sys

[2010.06.11 14:55:44 | 000,524,288 | -HS- | C] () -- C:\Users\HCI\NTUSER.DAT{d681d1f0-7556-11df-bccd-002215b322d0}.TMContainer00000000000000000002.regtrans-ms

[2010.06.11 14:55:43 | 000,524,288 | -HS- | C] () -- C:\Users\HCI\NTUSER.DAT{d681d1f0-7556-11df-bccd-002215b322d0}.TMContainer00000000000000000001.regtrans-ms

[2010.06.11 14:55:43 | 000,065,536 | -HS- | C] () -- C:\Users\HCI\NTUSER.DAT{d681d1f0-7556-11df-bccd-002215b322d0}.TM.blf

[2010.06.11 14:53:32 | 006,029,312 | -HS- | C] () -- C:\Users\HCI\ntuser.dat

[2010.06.11 14:53:32 | 000,524,288 | -HS- | C] () -- C:\Users\HCI\NTUSER.DAT{d681d1da-7556-11df-bccd-002215b322d0}.TMContainer00000000000000000002.regtrans-ms

[2010.06.11 14:53:32 | 000,524,288 | -HS- | C] () -- C:\Users\HCI\NTUSER.DAT{d681d1da-7556-11df-bccd-002215b322d0}.TMContainer00000000000000000001.regtrans-ms

[2010.06.11 14:53:32 | 000,065,536 | -HS- | C] () -- C:\Users\HCI\NTUSER.DAT{d681d1da-7556-11df-bccd-002215b322d0}.TM.blf

[2010.06.11 11:20:25 | 000,000,947 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk

[2010.06.10 21:32:30 | 000,000,825 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010.06.10 20:45:44 | 000,228,863 | ---- | C] () -- C:\Desert Landscape.jpg

[2010.06.10 20:04:37 | 000,059,447 | ---- | C] () -- C:\test.jpg

[2010.06.10 14:19:52 | 000,001,854 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk

[2010.06.09 12:10:31 | 000,001,282 | ---- | C] () -- C:\Users\HCI\Desktop\Sample.MTScatterPlot.exe - Shortcut.lnk

[2010.06.06 15:01:52 | 000,001,437 | ---- | C] () -- C:\Users\HCI\.basexwin

[2010.06.06 15:01:52 | 000,000,041 | ---- | C] () -- C:\Users\HCI\.basexperm

[2010.06.06 15:01:49 | 000,000,272 | ---- | C] () -- C:\Users\HCI\.basex

[2010.02.11 07:30:38 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll

[2010.01.18 17:18:26 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009.06.19 11:33:42 | 000,000,172 | ---- | C] () -- C:\Windows\ODBC.INI

[2009.02.10 02:55:51 | 000,005,810 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys

[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009.06.19 11:17:16 | 000,000,000 | ---D | M] -- C:\Users\HCI\AppData\Roaming\DAEMON Tools Lite

[2009.10.14 13:28:01 | 000,000,000 | ---D | M] -- C:\Users\HCI\AppData\Roaming\Leadertech

[2009.08.17 11:44:10 | 000,000,000 | ---D | M] -- C:\Users\HCI\AppData\Roaming\MySQL-Front

[2009.06.29 13:49:31 | 000,000,000 | ---D | M] -- C:\Users\HCI\AppData\Roaming\Scooter Software

[2010.02.02 09:12:38 | 000,000,000 | ---D | M] -- C:\Users\HCI\AppData\Roaming\Subversion

[2010.06.12 12:41:17 | 000,032,646 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2006.09.18 23:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat

[2009.04.11 08:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr

[2009.02.10 02:41:26 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK

[2006.09.18 23:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys

[2006.11.02 14:37:18 | 000,228,863 | ---- | M] () -- C:\Desert Landscape.jpg

[2010.06.10 20:45:44 | 000,000,086 | -HS- | M] () -- C:\desktop.ini

[2010.06.14 09:43:52 | 2144,542,720 | -HS- | M] () -- C:\hiberfil.sys

[2010.06.14 09:43:51 | 2460,434,432 | -HS- | M] () -- C:\pagefile.sys

[2010.06.10 19:25:32 | 000,059,447 | ---- | M] () -- C:\test.jpg

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

[2010.02.11 07:32:36 | 000,442,368 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\Windows\System32\ATIDEMGX.dll

[2009.04.11 08:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll

[2009.04.11 08:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

[2008.01.21 05:20:25 | 017,223,680 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV

[2008.01.21 05:20:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV

[2008.01.21 05:20:25 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV

[2006.11.02 12:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV

[2006.11.02 12:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >

[2010.04.29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2010.04.29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

< End of report >

OTL Extras

OTL Extras logfile created on: 14.06.2010 10:48:39 - Run 1

OTL by OldTimer - Version 3.2.6.0 Folder = C:\Users\HCI\Downloads

Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18928)

Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 48,00% Memory free

4,00 Gb Paging File | 3,00 Gb Available in Paging File | 72,00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 213,35 Gb Total Space | 145,49 Gb Free Space | 68,19% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: SURFACE-GLJD3FB

Current User Name: HCI

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2344377527-770595384-1655790898-1002]

"EnableNotifications" = 0

"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{04DFB231-6F09-47AB-A053-43970D955C78}" = lport=139 | protocol=6 | dir=in | app=system |

"{083AB350-81B4-461B-BF00-AF9C4BB359D9}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

"{167F2DF4-A648-4B93-B9D4-A479D29EE9C4}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{33823ED4-B3AD-47F1-B582-C3E9C34B4754}" = rport=138 | protocol=17 | dir=out | app=system |

"{47DBA35F-604A-4CE8-931B-26BF9BD2E78F}" = lport=445 | protocol=6 | dir=in | app=system |

"{5A222ACD-C0CD-4AF0-9FE5-03F92DD73B75}" = rport=445 | protocol=6 | dir=out | app=system |

"{6E371000-8CB4-419F-A040-6AD9EAC6A885}" = rport=139 | protocol=6 | dir=out | app=system |

"{6F9A0098-7C7C-4C67-B3F5-84A0A75DB8AC}" = lport=137 | protocol=17 | dir=in | app=system |

"{71D01AD1-79CD-4484-9405-CAB10EFA7A78}" = lport=138 | protocol=17 | dir=in | app=system |

"{9D063A7A-C928-48FE-AE40-9820E5813B37}" = rport=137 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{21C7A772-DDA5-460C-AE65-8290F47842E4}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{32E02995-6484-4811-B758-538BC78C940D}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{46FF2696-AE4F-4297-B40D-17597D7C2328}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{5AF5908A-BE83-4510-85C1-63960C0078B9}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{95BD4377-1323-45BF-9DFA-F85833081FDD}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"{C92ACE4A-E7A8-4880-8FE2-793E6F2C7CB6}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"TCP Query User{0FC43D2C-6F9C-4F35-9E5E-F8B318416A99}C:\squidyworkshop\jdk1.6.0_16\bin\javaw.exe" = protocol=6 | dir=in | app=c:\squidyworkshop\jdk1.6.0_16\bin\javaw.exe |

"TCP Query User{1561D5F9-E135-4F67-A4E0-A04C9DB493A6}C:\users\hci\desktop\jonastest\sampleclientmultifoci\bin\release\sampleclientmultifoci.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\jonastest\sampleclientmultifoci\bin\release\sampleclientmultifoci.vshost.exe |

"TCP Query User{180871FE-CE98-4486-9E6A-DD1DFE16FDD2}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\debug\databackend.server.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\debug\databackend.server.exe |

"TCP Query User{303D072A-0BA0-448D-9842-BC1D0948457A}C:\users\hci\desktop\zoil-demo\framework\branches\group3\databackend.server\bin\release\databackend.server.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\branches\group3\databackend.server\bin\release\databackend.server.vshost.exe |

"TCP Query User{3FAE983F-9244-4A9E-AD16-13AC276E5E18}C:\users\hci\desktop\zoil-demo\framework\tags\demoversion\databackend.server\bin\release\databackend.server.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\tags\demoversion\databackend.server\bin\release\databackend.server.vshost.exe |

"TCP Query User{41BF3EDE-F538-4CCC-BC0E-71A60E01E304}C:\squidyworkshop\eclipse\eclipse.exe" = protocol=6 | dir=in | app=c:\squidyworkshop\eclipse\eclipse.exe |

"TCP Query User{45E30596-B84D-43D5-8EEC-976750EFC942}C:\users\hci\desktop\mediovis2\zoil2_svn\trunk\databackend.server\bin\debug\databackend.server.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\mediovis2\zoil2_svn\trunk\databackend.server\bin\debug\databackend.server.exe |

"TCP Query User{49485D42-6943-4FE8-8D08-A2254AE1829C}C:\users\hci\desktop\zoil-demo\framework\trunk\multifocallandscape\bin\debug\multifocallandscape.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\multifocallandscape\bin\debug\multifocallandscape.vshost.exe |

"TCP Query User{4F3D5AE0-BF7A-414F-A1F4-FD92BBA72604}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.exe |

"TCP Query User{53839BE8-4906-474D-BA5C-FCBC9EDFDF16}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.exe |

"TCP Query User{59ADA618-DBF6-4C0A-BBBA-907BC4512BD3}C:\users\hci\desktop\databackend.server\databackend.server.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\databackend.server\databackend.server.exe |

"TCP Query User{6188959A-9BE2-4584-A0E5-56D05CDC4064}C:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\release\sampleclientmultifoci.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\release\sampleclientmultifoci.exe |

"TCP Query User{6957BEA3-1728-4677-8B7D-F43556892EDF}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\debug\databackend.server.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\debug\databackend.server.vshost.exe |

"TCP Query User{6DAC06A1-1B98-4163-89AA-881CB2F89D71}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.vshost.exe |

"TCP Query User{8CE7BB14-7FD9-4BEE-9B1B-A5AAA58C4E0D}C:\users\hci\desktop\jonastest\sampleclientmultifoci\bin\release\sampleclientmultifoci.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\jonastest\sampleclientmultifoci\bin\release\sampleclientmultifoci.exe |

"TCP Query User{8F4DBAA2-3C2F-4FC9-83EB-9ADEEACFDF7D}C:\users\hci\desktop\zoil aktuell\trunk\databackend.server\bin\debug\databackend.server.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil aktuell\trunk\databackend.server\bin\debug\databackend.server.vshost.exe |

"TCP Query User{9585B679-CE36-40A7-8F01-6D097BBD1BA4}C:\users\hci\desktop\zoil-demo\framework\trunk\multifocallandscape\bin\debug\multifocallandscape.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\multifocallandscape\bin\debug\multifocallandscape.exe |

"TCP Query User{9826DBEF-DBC3-44C8-AA23-F1ED7E30DA6E}C:\users\hci\desktop\server\databackend.server.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\server\databackend.server.exe |

"TCP Query User{A3DD41A0-4A1D-42D6-B2EF-F4D9CB0A0A1E}C:\users\hci\desktop\zoil-demo\server\databackend.server.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\server\databackend.server.exe |

"TCP Query User{A505BF98-1D61-441E-84AF-CD6315190F1B}C:\users\hci\desktop\zoil aktuell\trunk\databackend.server\bin\debug\databackend.server.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil aktuell\trunk\databackend.server\bin\debug\databackend.server.exe |

"TCP Query User{C521A1A2-8AFC-4AE7-AEDC-01AAF1C348D2}C:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\debug\sampleclientmultifoci.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\debug\sampleclientmultifoci.vshost.exe |

"TCP Query User{D70BFB1B-CF2B-48F4-9E7C-6D04DD0DB859}C:\windows\system32\java.exe" = protocol=6 | dir=in | app=c:\windows\system32\java.exe |

"TCP Query User{DAD18F85-8A1E-4F0D-A67A-CC79D2430E72}C:\users\hci\desktop\zoil-demo\framework\branches\group3\databackend.server\bin\release\databackend.server.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\branches\group3\databackend.server\bin\release\databackend.server.exe |

"TCP Query User{F32AA93E-A414-42CE-8DBF-8A88E7C610EA}C:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\release\sampleclientmultifoci.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\release\sampleclientmultifoci.vshost.exe |

"TCP Query User{F53DC0BC-792E-4BC3-80C7-3F451AE7F554}C:\users\hci\desktop\zoil aktuell\trunk\multifocallandscape\bin\debug\multifocallandscape.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\desktop\zoil aktuell\trunk\multifocallandscape\bin\debug\multifocallandscape.vshost.exe |

"TCP Query User{F775693C-D580-455F-B520-C28BDD15DCDE}C:\users\hci\documents\projects\vizdash\databackend.server\bin\debug\databackend.server.vshost.exe" = protocol=6 | dir=in | app=c:\users\hci\documents\projects\vizdash\databackend.server\bin\debug\databackend.server.vshost.exe |

"UDP Query User{0D499593-DC54-4D7A-8D6B-88D98396826E}C:\users\hci\desktop\zoil-demo\server\databackend.server.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\server\databackend.server.exe |

"UDP Query User{18DA2B92-2B67-44A9-A683-1AF506A33758}C:\squidyworkshop\jdk1.6.0_16\bin\javaw.exe" = protocol=17 | dir=in | app=c:\squidyworkshop\jdk1.6.0_16\bin\javaw.exe |

"UDP Query User{25FE1438-9315-4085-92DD-972912546B33}C:\users\hci\desktop\databackend.server\databackend.server.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\databackend.server\databackend.server.exe |

"UDP Query User{2B485DB9-8C6F-444A-BBCD-62209394CC25}C:\users\hci\desktop\zoil-demo\framework\branches\group3\databackend.server\bin\release\databackend.server.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\branches\group3\databackend.server\bin\release\databackend.server.exe |

"UDP Query User{3B303D1F-9F13-4C63-9D75-4445C9791F4E}C:\users\hci\desktop\zoil aktuell\trunk\databackend.server\bin\debug\databackend.server.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil aktuell\trunk\databackend.server\bin\debug\databackend.server.vshost.exe |

"UDP Query User{3C0AB5A7-2823-4EEF-9FF2-88850B7C4559}C:\users\hci\desktop\zoil-demo\framework\tags\demoversion\databackend.server\bin\release\databackend.server.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\tags\demoversion\databackend.server\bin\release\databackend.server.vshost.exe |

"UDP Query User{53876C3E-3794-42BC-B1B0-A85E52E797CF}C:\users\hci\desktop\zoil aktuell\trunk\multifocallandscape\bin\debug\multifocallandscape.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil aktuell\trunk\multifocallandscape\bin\debug\multifocallandscape.vshost.exe |

"UDP Query User{60BB0AA2-AF7A-4CBC-BCD5-AFF4C51B0542}C:\users\hci\desktop\zoil aktuell\trunk\databackend.server\bin\debug\databackend.server.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil aktuell\trunk\databackend.server\bin\debug\databackend.server.exe |

"UDP Query User{60F7F781-F837-44F6-BF00-061ED0D23EAC}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.exe |

"UDP Query User{7329A00D-29B5-4B31-BD01-2314AFBDD19A}C:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\debug\sampleclientmultifoci.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\debug\sampleclientmultifoci.vshost.exe |

"UDP Query User{75C3C3FA-0AFE-4103-8C1D-7B9E0058545C}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.exe |

"UDP Query User{7C8F3B09-A0C5-496E-A9D9-B079B1164B6B}C:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\release\sampleclientmultifoci.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\release\sampleclientmultifoci.vshost.exe |

"UDP Query User{8331736D-48AC-4CB6-89F2-6F20F60CB301}C:\users\hci\desktop\mediovis2\zoil2_svn\trunk\databackend.server\bin\debug\databackend.server.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\mediovis2\zoil2_svn\trunk\databackend.server\bin\debug\databackend.server.exe |

"UDP Query User{868412A2-4A93-4FF6-8A41-FBDCD9046E68}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\release\databackend.server.vshost.exe |

"UDP Query User{86C083FD-4DC0-48D7-8921-34471A95336A}C:\users\hci\documents\projects\vizdash\databackend.server\bin\debug\databackend.server.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\documents\projects\vizdash\databackend.server\bin\debug\databackend.server.vshost.exe |

"UDP Query User{8C388DEB-DF96-411A-8CE0-67927AAEFBA6}C:\users\hci\desktop\zoil-demo\framework\branches\group3\databackend.server\bin\release\databackend.server.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\branches\group3\databackend.server\bin\release\databackend.server.vshost.exe |

"UDP Query User{8D3AD1B4-8113-496D-B237-4C645330BC8B}C:\users\hci\desktop\zoil-demo\framework\trunk\multifocallandscape\bin\debug\multifocallandscape.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\multifocallandscape\bin\debug\multifocallandscape.exe |

"UDP Query User{A97B88B3-4A31-4ED1-BF53-D4CC09DE51F9}C:\users\hci\desktop\jonastest\sampleclientmultifoci\bin\release\sampleclientmultifoci.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\jonastest\sampleclientmultifoci\bin\release\sampleclientmultifoci.exe |

"UDP Query User{B939679D-BA40-4E1B-96BF-1F569291E25F}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\debug\databackend.server.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\debug\databackend.server.exe |

"UDP Query User{D1F6C153-8EF5-445F-A97F-84C6C468B4A5}C:\users\hci\desktop\jonastest\sampleclientmultifoci\bin\release\sampleclientmultifoci.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\jonastest\sampleclientmultifoci\bin\release\sampleclientmultifoci.vshost.exe |

"UDP Query User{D276BDF0-F429-4BC6-80A5-49983B99C8CB}C:\squidyworkshop\eclipse\eclipse.exe" = protocol=17 | dir=in | app=c:\squidyworkshop\eclipse\eclipse.exe |

"UDP Query User{D74D014D-CDB0-4F15-9DBD-8EEB1745EAF5}C:\windows\system32\java.exe" = protocol=17 | dir=in | app=c:\windows\system32\java.exe |

"UDP Query User{DEEE6CD8-9AE1-4085-90E4-296AD6782208}C:\users\hci\desktop\server\databackend.server.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\server\databackend.server.exe |

"UDP Query User{E9F66816-BE97-4C4B-A121-5A63F66DB3EB}C:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\debug\databackend.server.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\databackend.server\bin\debug\databackend.server.vshost.exe |

"UDP Query User{ED54FF8F-8A30-4121-9441-9CD59FB59FB3}C:\users\hci\desktop\zoil-demo\framework\trunk\multifocallandscape\bin\debug\multifocallandscape.vshost.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\multifocallandscape\bin\debug\multifocallandscape.vshost.exe |

"UDP Query User{F8AF515A-1FDD-48B7-8BA3-D27A2B1B3A10}C:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\release\sampleclientmultifoci.exe" = protocol=17 | dir=in | app=c:\users\hci\desktop\zoil-demo\framework\trunk\sampleclientmultifoci\bin\release\sampleclientmultifoci.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32

"{05EC21B8-4593-3037-A781-A6B5AFFCB19D}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools - enu

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant

"{0C19D563-5F25-4621-BF10-01F741BD283F}" = Microsoft SQL Server Compact 3.5 SP1 Design Tools English

"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer

"{0DF3AE91-E533-3960-8516-B23737F8B7A2}" = Visual C++ 2008 x64 Runtime - (v9.0.30729)

"{0DF3AE91-E533-3960-8516-B23737F8B7A2}.vc_x64runtime_30729_01" = Visual C++ 2008 x64 Runtime - v9.0.30729.01

"{0FFAC7BB-50DC-CB54-6CA7-A8B74513280B}" = CCC Help Chinese Traditional

"{1A2340AF-D9CD-4A5E-8E7D-1602AA73C18C}" = ANTS Profiler 4

"{1C802083-6D79-78ED-BF1C-601DDF908DD1}" = Catalyst Control Center Core Implementation

"{22E23C71-C27A-3F30-8849-BB6129E50679}" = Visual C++ 2008 IA64 Runtime - (v9.0.30729)

"{22E23C71-C27A-3F30-8849-BB6129E50679}.vc_i64runtime_30729_01" = Visual C++ 2008 IA64 Runtime - v9.0.30729.01

"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU

"{245F6C7A-0C22-4DE0-8202-2AAA620A1D3A}" = Microsoft XNA Framework Redistributable 2.0

"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java 6 Update 16

"{282C4EAA-F162-F52F-7BAF-C7B50DAAA00A}" = ccc-utility

"{28728178-FF15-218B-0B63-012692F42C28}" = CCC Help Danish

"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5

"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper

"{32851025-1E46-83A3-1320-471619254E39}" = Catalyst Control Center Localization All

"{32A3A4F4-B792-11D6-A78A-00B0D0160160}" = Java SE Development Kit 6 Update 16

"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types

"{36A0B7B6-9514-4D15-AC1C-767AC198116D}" = Microsoft Surface SDK 1.0 SP1

"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime

"{3891E1C9-8E9E-43E2-B009-6D008BCD7669}" = Microsoft Expression Blend 2

"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

"{40217B2F-462B-94A4-E84E-6A1C6EDBCE2F}" = CCC Help Swedish

"{43CA0633-28E1-4099-BD9E-1DA8804622AF}" = Snoop

"{47FDEFC7-BFE6-FD75-41D1-28DD572BD2D9}" = ATI Catalyst Install Manager

"{4EED97C0-D5A2-4D7A-9DDB-38DA5FB9BD8A}" = Microsoft Windows Performance Toolkit

"{5343A801-92E5-C234-9F27-AB27EC738BF6}" = CCC Help Japanese

"{57EC5BFE-7CB7-3057-8385-C9D72918511C}" = Microsoft .NET Framework 4 Client Profile Beta 2

"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu

"{5D22226D-EBC1-C95F-7746-2E3A9F4C97BA}" = CCC Help Russian

"{600C37F2-098B-A165-C1DB-6AE2B89D8D49}" = Catalyst Control Center Graphics Previews Common

"{61F8CA2C-9A80-8A1B-D3B9-347530CB387F}" = CCC Help Norwegian

"{64c5b887-b5ee-42b8-8596-78905a6b5f1f}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense

"{674B407D-EAB1-B6B6-F9BF-C34CEE4CD83F}" = Catalyst Control Center Graphics Light

"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{69F411C5-4851-6DA9-EA4C-160BEF8788AA}" = CCC Help French

"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC

"{6DD27E54-2598-0FEC-7CE1-BE00924C0570}" = Catalyst Control Center Graphics Previews Vista

"{6E405B40-3879-3C9B-9286-8D5E71258C35}" = Microsoft .NET Framework 4 Extended Beta 2

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7B33F480-496D-334A-BAC2-205DEC0CBC2D}" = Visual C++ 2008 x86 Runtime - (v9.0.30729.4148)

"{7B33F480-496D-334A-BAC2-205DEC0CBC2D}.vc_x86runtime_30729_4148" = Visual C++ 2008 x86 Runtime - v9.0.30729.4148

"{7C27114E-6FC8-21F5-E501-FE48F09243DF}" = CCC Help Dutch

"{80237C20-CBF3-F841-4AD5-E727AA86FBD1}" = CCC Help Italian

"{802EE127-D32A-1447-09DC-77419772BCDC}" = CCC Help Portuguese

"{836AFA32-7B8B-2C19-99D9-36EF32B42EB8}" = CCC Help Thai

"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries

"{84ED5482-CFB0-4DD9-BF18-489FFDACD18A}" = Microsoft Antimalware Service DE-DE Language Pack

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding

"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime

"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007

"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007

"{90120000-0015-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007

"{90120000-0016-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007

"{90120000-0018-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007

"{90120000-0019-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007

"{90120000-001A-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007

"{90120000-001B-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007

"{90120000-001F-0407-0000-0000000FF1CE}_PROPLUS_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007

"{90120000-001F-0410-0000-0000000FF1CE}_PROPLUS_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007

"{90120000-0021-0000-0000-0000000FF1CE}_VisualWebDeveloper_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007

"{90120000-0021-0409-0000-0000000FF1CE}_VisualWebDeveloper_{E1044ED2-E4AD-4B39-B500-31109750F6B4}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)

"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007

"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007

"{90120000-0044-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007

"{90120000-006E-0407-0000-0000000FF1CE}_PROPLUS_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{926C96FB-9D0A-4504-8000-C6D3A4A3118E}" = Java DB 10.4.2.1

"{946942CB-D078-F33A-A3CD-27E0393507FD}" = CCC Help Turkish

"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone

"{9682B99B-BB28-AD37-CA50-C1CB5BFF0FA6}" = Catalyst Control Center Graphics Full New

"{96E3139B-E306-470C-9B6B-79770C229D9D}" = WPF Performance Suite

"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.3

"{9DBCF44B-77AC-81D8-0F8E-1E60D6330AC2}" = Catalyst Control Center InstallProxy

"{A02CC93A-134F-0319-1438-B1E895B52577}" = CCC Help German

"{A4418082-E601-3954-805B-D56A2B50EC8B}" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU

"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT

"{A7E1ADB8-162B-7C33-60FB-0561A17BD876}" = CCC Help Spanish

"{A96EEF55-155C-552E-ABB1-6FDAEF5BD944}" = CCC Help Polish

"{AA467959-A1D6-4F45-90CD-11DC57733F32}" = Crystal Reports Basic for Visual Studio 2008

"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.2 - Deutsch

"{ADB25FF0-AEC4-2CFB-130C-2C60D80C5934}" = CCC Help Greek

"{B04D5DA5-11DA-830C-85C6-0FF9185787E7}" = Skins

"{B268E9A1-04A9-40D0-9866-846BE2B74BA7}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Win32 Tools

"{B32E7732-B2FB-3FD0-81AC-6025B1104C66}" = Microsoft Device Emulator version 3.0 - ENU

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{BB603E9F-ECE8-7713-B0AC-7E0614E8C058}" = Catalyst Control Center HydraVision Full

"{BE232D60-AEA5-502F-ACBF-9AC188A82C21}" = CCC Help Finnish

"{C15C4AB5-EF5D-5050-273C-4636E3FBE301}" = CCC Help Czech

"{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Tools

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU

"{DFAA3D2B-7087-464E-823B-738A23C29C27}" = Microsoft Visual J# 2.0 Redistributable Package - SE

"{E09CD13D-7CE3-351C-1625-8DC7F21A99C0}" = ccc-core-static

"{E2E30BC1-5451-4D65-AA3E-DFF3ED3BCB5C}" = Anoto SPCD 1.2.0.19

"{E373E0E2-20F5-90DF-B315-615EA6E52101}" = Catalyst Control Center Graphics Full Existing

"{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware

"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English

"{E6DA746E-1175-88BD-2B16-1DC62018E060}" = CCC Help Chinese Standard

"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2

"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials

"{F053BFD9-4357-6A82-6042-CF919667448F}" = CCC Help English

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F17EB02C-DA0D-EDEF-2E16-501FB700A710}" = CCC Help Hungarian

"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01

"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5

"{F5DDC0CD-F13A-83F0-5103-563A17EA306F}" = CCC Help Korean

"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects

"{FCA37CD2-7BA4-4A5A-8979-B64EA712F4CB}" = TortoiseSVN 1.6.2.16344 (32 bit)

"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner

"{FF29527A-44CD-3422-945E-981A13584000}" = VC Runtimes MSI

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus

"Blend_2.0.1523.0" = Microsoft Expression Blend 2

"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-09-21 16:18

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile Beta 2" = Microsoft .NET Framework 4 Client Profile Beta 2

"Microsoft .NET Framework 4 Extended Beta 2" = Microsoft .NET Framework 4 Extended Beta 2

"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008

"Microsoft Security Essentials" = Microsoft Security Essentials

"Microsoft Visual C# 2008 Express Edition with SP1 - ENU" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU

"Microsoft Visual J# 2.0 Redistributable Package - SE" = Microsoft Visual J# 2.0 Redistributable Package - SE

"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime

"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU

"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)

"MySQL-Front_is1" = MySQL-Front

"PROPLUS" = Microsoft Office Professional Plus 2007

"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime

"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component

"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Hi, find attached the ComboFix logfile.

As a side note: the PC rebooted once during the process. After logging back into the system, ComboFix was "still" running somehow and finished the process without any complaints.

The MS malware protection was turned off; nevertheless, the ComboFix logfile lists it as a running process (and the process is indeed running, although it was turned off in Security Center).

LOG

ComboFix 10-06-14.03 - HCI Admin 15.06.2010 18:02:51.1.2 - x86

Microsoft


Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the Update tab, then click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Hi, here are the next logs.

Unfortunately the scans didn't find anything (but Unruy.D is still there):

----------------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Datenbank Version: 4204

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18928

16.06.2010 16:04:03

mbam-log-2010-06-16 (16-04-03).txt

Art des Suchlaufs: Quick-Scan

Durchsuchte Objekte: 144173

Laufzeit: 5 Minute(n), 6 Sekunde(n)

Infizierte Speicherprozesse: 0

Infizierte Speichermodule: 0

Infizierte Registrierungsschl


Hi, ok, what is detecting it? If it still detects it, please post what it is detecting, such as the file path.

Also, since you have 2 antivirus programs running, please remove one, then post what that one finds.

Hi,

Only one antivirus program is running - Microsoft Security Essentials. AntiVir was uninstalled prior to installing Security Essentials, but it also detected the trojan.

Security Essentials detects the following:

Trojan Downloader:Win32/Unruy.D

The path for infection is:

C:\System Volume Information\Microsoft\smss.exe

Security Essentials actually reports that it is able to fix it and states that the system is clean again - but requires a reboot after finishing the removal process. After the reboot, the trojan reappears. Therefore, I think that it must stay in the MBR and get reloaded into the above-mentioned file on every restart.

So perhaps fixing the MBR might be a solution?


Yes, most definitely. Unruy is usually not in that location.

This is a new variant of the mbr infection.

Please do the following.

Please download and save MBR.exe by GMER to your desktop.

http://www2.gmer.net/mbr/mbr.exe

Once there, go to Start, then Start Search, then type in cmd. When it comes up, right-click on it and choose "Run as Administrator".

Then, once the black box opens, please copy/paste in the following:

"%userprofile%\Desktop\MBR.EXE" -f

then press Enter.

Then Immediately reboot the system and see if it is still detected.

If it is we will go another route.

Let me know.

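A practitioner following the MBR route above usually wants a way to look at the first sector before and after the fix, not just re-run the detection. The script below is an added example and is not part of this thread, nor is it GMER's mbr.exe: it parses a 512-byte MBR, checks the 0x55AA boot signature and the four partition entries, and compares the 440-byte boot code against a SHA-256 taken from a known-clean copy. The two sample MBRs are constructed inline (the boot code bytes are a hand-written stub, not a real loader), and the `read_mbr` device path is an assumption that needs administrator rights on Windows.

```python
# Added example (not from the thread): parse a 512-byte MBR sector, check the
# boot signature and partition table, and compare the boot code against a
# known-good hash. Sample MBRs below are constructed for demonstration only.
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MBR_SIZE = 512
CODE_LEN = 440            # boot code area; disk signature and 2 reserved bytes follow at 440..445
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510
BOOT_SIG = 0xAA55         # bytes 0x55 0xAA, read little-endian


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition entries, skipping empty ones (type 0)."""
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    """Hash only the executable part of the sector, not the partition table."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good_sha256: Optional[str] = None) -> Dict[str, object]:
    """Return parsed partitions, the boot code hash and a list of anomalies."""
    findings: List[str] = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"sector is {len(mbr)} bytes, expected {MBR_SIZE}")
        return {"partitions": [], "code_sha256": None, "findings": findings}
    if struct.unpack_from("<H", mbr, BOOT_SIG_OFF)[0] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    bootable = sum(p.bootable for p in parts)
    if bootable != 1:
        findings.append(f"{bootable} partitions flagged bootable, expected 1")
    for a in parts:
        for b in parts:
            if (a.index < b.index and a.lba_start < b.lba_start + b.sectors
                    and b.lba_start < a.lba_start + a.sectors):
                findings.append(f"partitions {a.index} and {b.index} overlap")
    digest = boot_code_sha256(mbr)
    if known_good_sha256 is not None and digest != known_good_sha256:
        findings.append("boot code differs from known-good copy")
    return {"partitions": parts, "code_sha256": digest, "findings": findings}


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw device (assumed path; needs admin rights on Windows)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not a real disk image)."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:CODE_LEN]
    sector[:len(code)] = code
    for p in partitions:
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * p.index,
                         0x80 if p.bootable else 0, p.type_id, p.lba_start, p.sectors)
    struct.pack_into("<H", sector, BOOT_SIG_OFF, BOOT_SIG)
    return bytes(sector)


# Constructed samples: a "clean" MBR and the same layout with patched boot code,
# the kind of change a bootkit makes so its code runs before Windows loads.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (CODE_LEN - 7)  # xor ax,ax / mov ss,ax / mov sp,7c00 / nops
LAYOUT = [Partition(0, True, 0x07, 2048, 204800), Partition(1, False, 0x07, 206848, 409600)]
CLEAN_MBR = build_mbr(CLEAN_CODE, LAYOUT)
CLEAN_SHA256 = boot_code_sha256(CLEAN_MBR)
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + CLEAN_CODE[2:], LAYOUT)  # jmp $ patched over the first instruction

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(sector, CLEAN_SHA256)
        print(name, result["findings"] or "no anomalies")
```

Record `boot_code_sha256(read_mbr())` once on a machine you trust (or right after the MBR has been rewritten), then compare again after a reboot: if the hash changes with no operating system change, something is rewriting the first sector, which is the behaviour the thread describes when the file detection returns after every restart. The partition-table checks are sanity checks only; a clean table does not by itself mean the boot code is clean.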

Well, I have one. But the PC we are talking about actually is a Microsoft Surface Multitouch table - this does not have a DVD drive and I currently don't have an external one. I could however try to create an image of a Vista DVD on a usb flash drive - do I have to boot from it?

The other alternative I'm starting to consider is to use the recovery partition to reset the system to its factory defaults, which hopefully would also erase the trojan.


The other alternative I'm starting to consider is to use the recovery partition to reset the system to its factory defaults, which hopefully would also erase the trojan.
Well, this is what would be the most secure way to remove it.

This infection is a backdoor and can steal personal information.

A factory restore is the best way to deal with it.

If that is what you want to do let me know.


OK, this is strange. Doing the recovery installation (booting with F8 into the repair console, thereby accessing the otherwise hidden recovery partition, and starting the recovery installation from there) did NOT solve the issue. Unruy.D is still there after the system is up again.

Do you have any idea how I can make sure that the MBR gets "formatted" as well?


Was this a destructive recovery? If so, it would wipe the MBR. You can also fix it in the Vista recovery environment, but you will need to get a Vista disk and some way to boot from it in order to overwrite the MBR.

It's actually less painful to simply write a new MBR with the Vista disk.

Or you can do a destructive system recovery, and that should do the trick.

If you were not given that option, then I suggest using a bootable Vista disk to fix it.


Well, I thought it would be a destructive recovery. Nevertheless, after doing the recovery installation, it was impossible to boot up to the repair console again. After some time, I managed to boot the Vista DVD from an external hard disk (the BIOS did not really make this one easy, and updating the BIOS is not possible). Then I first did a repair of the MBR and then started the recovery installation once more. This time it worked, and the trojan did not appear again.

So finally, case solved. Thanks for your help!

Best,

Jens


Great, glad it is sorted, and you are welcome ;)

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from file sharing programs, for example: BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc...
