TechSpot

Another SIREFEF.Y infected PC

By Eifelbaer
Jun 15, 2012
  1. Hello Broni,

    I have a Windows 7 64-bit system and got the trojan sirefef.y, which disabled MSE; Windows starts but shuts down after finding a critical error. The PC does not allow (even in safe mode) time for the process to scan before the computer reboots after 60 seconds.

    I have downloaded the FRST file and attached the text output below. Please help, Broni!


    Scan result of Farbar Recovery Scan Tool Version: 10-06-2012 03
    Ran by SYSTEM at 15-06-2012 09:00:39
    Running from G:\
    Windows 7 Home Premium (X64) OS Language: German Standard
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16335392 2009-07-27] (NVIDIA Corporation)
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7938080 2009-07-24] (Realtek Semiconductor)
    HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-07-24] (Realtek Semiconductor Corp.)
    HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe [x]
    HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-06-16] (Adobe Systems Incorporated)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [538472 2009-06-17] (Symantec Corporation)
    HKLM-x32\...\Run: [MarketingTools] C:\Program Files (x86)\Sony\Marketing Tools\MarketingTools.exe [26624 2010-02-18] (Sony Corporation)
    HKLM-x32\...\Run: [SHTtray.exe] C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe [99624 2009-07-27] (Sony Corporation)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [843776 2009-02-06] (SEIKO EPSON CORPORATION)
    HKLM-x32\...\Run: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe [669520 2009-01-12] (SEIKO EPSON CORPORATION)
    HKLM-x32\...\Run: [NPSStartup] [x]
    HKLM-x32\...\Run: [NapsterShell] C:\Program Files (x86)\Napster\napster.exe /systray [x]
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [FILSHtray] "C:\Program Files (x86)\FILSHtray\FILSHtray.exe" [597504 2012-02-06] (FILSH Media GmbH)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-04] (Adobe Systems Incorporated)
    HKU\Christine\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
    HKU\Christine\...\Run: [AutoStartNPSAgent] C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe [95576 2010-07-04] (Samsung Electronics Co., Ltd.)
    HKU\Christine\...\Run: [SansaDispatch] C:\Users\Christine\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2011-09-11] (SanDisk Corporation)
    HKU\Christine\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-05] (Google Inc.)
    HKU\Christine\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17148552 2012-02-29] (Skype Technologies S.A.)
    HKU\Christine\...\Run: [CAHeadless] C:\Program Files (x86)\Adobe\Elements 10 Organizer\CAHeadless\ElementsAutoAnalyzer.exe [835224 2011-09-14] (Adobe Systems Incorporated)
    HKU\Christine\...\Policies\system: [LogonHoursAction] 2
    HKU\Christine\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    HKU\Jessica\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
    HKU\Jessica\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-05] (Google Inc.)
    HKU\Jessica\...\Policies\system: [LogonHoursAction] 2
    HKU\Jessica\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    HKU\Nicole\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
    HKU\Nicole\...\Run: [Epson Stylus Photo PX810FW(Netzwerk)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFRE.EXE /FU "C:\Users\Nicole\AppData\Local\Temp\E_S356C.tmp" /EF "HKCU" [223232 2009-02-23] (SEIKO EPSON CORPORATION)
    HKU\Nicole\...\Policies\system: [LogonHoursAction] 2
    HKU\Nicole\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    HKU\Svenja\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
    HKU\Svenja\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-05] (Google Inc.)
    HKU\Svenja\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17148552 2012-02-29] (Skype Technologies S.A.)
    HKU\Svenja\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-14] (Microsoft Corporation)
    HKU\Svenja\...\Run: [CAHeadless] C:\Program Files (x86)\Adobe\Elements 10 Organizer\CAHeadless\ElementsAutoAnalyzer.exe [835224 2011-09-14] (Adobe Systems Incorporated)
    HKU\Svenja\...\Policies\system: [LogonHoursAction] 2
    HKU\Svenja\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    HKU\Thomas\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
    HKU\Thomas\...\Run: [Epson Stylus Photo PX810FW(Netzwerk)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFRE.EXE /FU "C:\Windows\TEMP\E_S625B.tmp" /EF "HKCU" [223232 2009-02-23] (SEIKO EPSON CORPORATION)
    HKU\Thomas\...\Run: [SansaDispatch] C:\Users\Thomas\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2010-12-21] (SanDisk Corporation)
    HKU\Thomas\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-05] (Google Inc.)
    HKU\Thomas\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17148552 2012-02-29] (Skype Technologies S.A.)
    HKU\Thomas\...\Policies\system: [LogonHoursAction] 2
    HKU\Thomas\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    Tcpip\..\Interfaces\{D7584639-C672-4FCD-A118-BA34BF7EF593}: [NameServer]192.168.178.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
    ==================== Services (Whitelisted) ======
    3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
    2 AdobeActiveFileMonitor10.0; C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [169624 2011-09-14] (Adobe Systems Incorporated)
    2 AdobeActiveFileMonitor7.0; C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [169312 2008-12-08] (Adobe Systems Incorporated)
    3 FLEXnet Licensing Service; "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [651720 2010-02-18] (Macrovision Europe Ltd.)
    3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
    3 Microsoft Office Groove Audit Service; "C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe" [64856 2009-02-26] (Microsoft Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [225672 2007-05-31] (Microsoft Corporation)
    3 Roxio UPnP Renderer 10; "C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" [313840 2009-06-26] (Sonic Solutions)
    2 Roxio Upnp Server 10; "C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe" [362992 2009-06-26] (Sonic Solutions)
    2 SOHDBSvr; "C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe" [70952 2009-07-27] (Sony Corporation)
    2 SOHDms; "C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe" [427304 2009-07-27] (Sony Corporation)
    2 SOHPlMgr; "C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe" [91432 2009-07-27] (Sony Corporation)
    2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)
    3 VAIO Entertainment TV Device Arbitration Service; "C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe" [69632 2009-07-23] (Sony Corporation)
    2 VAIO Event Service; "C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe" [204648 2009-08-03] (Sony Corporation)
    2 VAIO Power Management; "C:\Program Files\Sony\VAIO Power Management\SPMService.exe" [411496 2009-07-16] (Sony Corporation)
    2 VCFw; "C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe" [642920 2009-07-22] (Sony Corporation)
    2 VcmIAlzMgr; "C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [468264 2009-06-26] (Sony Corporation)
    3 VcmINSMgr; "C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe" [357672 2009-06-26] (Sony Corporation)
    3 VcmXmlIfHelper; "C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe" [110888 2009-06-17] (Sony Corporation)
    3 Vcsw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -RunBySCM [313264 2009-07-23] (Sony Corporation)
    2 VSNService; "C:\Program Files\Sony\VAIO Smart Network\VSNService.exe" [522240 2009-08-12] (Sony Corporation)
    2 VzCdbSvc; "C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe" [206336 2009-07-23] (Sony Corporation)
    2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [443784 2007-05-31] (Microsoft Corporation)
    ========================== Drivers (Whitelisted) =============
    3 ArcSoftKsUFilter; C:\Windows\System32\Drivers\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)
    2 rimsptsk; C:\Windows\system32\DRIVERS\rimssn64.sys [86528 2009-07-31] (REDC)
    2 risdptsk; C:\Windows\system32\DRIVERS\risdsn64.sys [76288 2009-07-31] (REDC)
    3 ss_bbus; C:\Windows\System32\Drivers\ss_bbus.sys [127488 2010-04-27] (MCCI)
    3 ss_bmdfl; C:\Windows\System32\Drivers\ss_bmdfl.sys [18944 2010-04-27] (MCCI Corporation)
    3 ss_bmdm; C:\Windows\System32\Drivers\ss_bmdm.sys [161280 2010-04-27] (MCCI Corporation)
    1 StarOpen; C:\Windows\SysWow64\Drivers\StarOpen.sys [5632 2011-01-15] ()
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-06-14 12:51 - 2012-06-15 09:00 - 00000000 ____D C:\FRST
    2012-06-12 08:39 - 2012-06-12 08:39 - 00000000 ___AD C:\Users\Jessica\Documents\also kann ich das so schreiben.docx-copy2
    2012-06-11 13:59 - 2012-06-11 13:59 - 00000000 ____D C:\Users\Thomas\Documents\FILSHtray
    2012-06-11 13:59 - 2012-06-11 13:59 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Apple Computer
    2012-06-11 13:59 - 2012-06-11 13:59 - 00000000 ____D C:\Users\Thomas\AppData\Local\FILSH_Media_GmbH
    2012-06-11 13:06 - 2012-06-11 13:07 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-06-11 13:06 - 2012-06-11 13:06 - 12633984 ____A (Microsoft Corporation) C:\Users\Christine\Downloads\mseinstall.exe
    2012-06-11 13:06 - 2012-06-11 13:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-06-11 10:49 - 2012-06-11 10:49 - 00002063 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
    2012-06-11 10:26 - 2012-06-11 10:26 - 00015120 ____A C:\Users\Christine\Desktop\SCANPST - Verknüpfung.lnk
    2012-06-08 08:44 - 2012-06-08 08:44 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-06-06 15:02 - 2012-06-06 15:02 - 00000000 ____D C:\Users\Christine\AppData\Local\Sonos,_Inc
    2012-06-06 14:10 - 2012-06-06 14:10 - 00000867 ____A C:\Users\Public\Desktop\WiMP.lnk
    2012-06-06 14:10 - 2012-06-06 14:10 - 00000000 ____D C:\Users\Christine\AppData\Roaming\com.aspiro.wimp.de.25F5C0086CDE1F22CA0B92A487729991CA6CD013.1
    2012-06-06 14:10 - 2012-06-06 14:10 - 00000000 ____D C:\Program Files (x86)\WiMP
    2012-06-06 13:45 - 2012-06-06 13:45 - 00001991 ____A C:\Users\Public\Desktop\Sonos.lnk
    2012-06-06 13:44 - 2012-06-06 13:45 - 00000000 ____D C:\Users\All Users\Sonos,_Inc
    2012-06-06 12:45 - 2012-06-06 12:45 - 00000000 ____D C:\Users\Public\Documents\{F0489EF2-D393-4114-85BA-A94D71D89543}
    2012-06-06 12:44 - 2012-06-06 12:44 - 00000947 ____A C:\Users\Public\Desktop\Napster 5.0.lnk
    2012-06-06 12:44 - 2012-06-06 12:44 - 00000000 ____D C:\Users\Christine\AppData\Roaming\com.Rhapsody.Napster5
    2012-06-06 12:44 - 2012-06-06 12:44 - 00000000 ____D C:\Program Files (x86)\Napster 5.0
    2012-06-02 22:06 - 2012-06-02 22:06 - 00002099 ____A C:\Users\Public\Desktop\Lightroom 4 64-Bit.lnk
    2012-05-30 20:44 - 2012-05-30 20:44 - 00014549 ____A C:\Users\Christine\Downloads\Geschi.docx
    2012-05-27 17:40 - 2012-05-27 17:40 - 03930504 ____A (http://yourfiledownloader.com) C:\Users\Christine\Downloads\griet_s_theme_sheet_downloader_352a.exe
    2012-05-18 18:18 - 2012-05-18 18:18 - 00000000 ____D C:\Users\Christine\AppData\Local\Windows Live
    2012-05-18 18:18 - 2012-05-18 18:18 - 00000000 ____D C:\Users\Christine\AppData\Local\{F585D421-F89E-4860-9E66-47F708B70533}
    2012-05-17 16:16 - 2012-05-17 16:16 - 00000000 ____D C:\Users\Nicole\Documents\FILSHtray
    2012-05-17 16:16 - 2012-05-17 16:16 - 00000000 ____D C:\Users\Nicole\AppData\Local\FILSH_Media_GmbH
    ============ 3 Months Modified Files and Folders =============
    2012-06-15 09:00 - 2012-06-14 12:51 - 00000000 ____D C:\FRST
    2012-06-12 08:39 - 2012-06-12 08:39 - 00000000 ___AD C:\Users\Jessica\Documents\also kann ich das so schreiben.docx-copy2
    2012-06-11 14:39 - 2012-01-11 10:49 - 00000000 __SHD C:\Users\Christine\AppData\Local\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}
    2012-06-11 14:39 - 2010-02-21 16:47 - 00001106 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-06-11 14:39 - 2010-02-20 01:07 - 00000000 ____D C:\Users\Christine\Tracing
    2012-06-11 14:38 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-06-11 14:38 - 2009-07-14 05:51 - 00057458 ____A C:\Windows\setupact.log
    2012-06-11 14:02 - 2010-02-18 21:04 - 00000000 ____D C:\Users\Thomas\Tracing
    2012-06-11 13:59 - 2012-06-11 13:59 - 00000000 ____D C:\Users\Thomas\Documents\FILSHtray
    2012-06-11 13:59 - 2012-06-11 13:59 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Apple Computer
    2012-06-11 13:59 - 2012-06-11 13:59 - 00000000 ____D C:\Users\Thomas\AppData\Local\FILSH_Media_GmbH
    2012-06-11 13:59 - 2011-01-28 11:08 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Skype
    2012-06-11 13:59 - 2010-02-18 22:39 - 00000000 ____D C:\Users\Thomas\AppData\Local\Adobe
    2012-06-11 13:59 - 2010-02-18 21:41 - 00001330 _RASH C:\Users\Thomas\ntuser.pol
    2012-06-11 13:59 - 2010-02-18 18:49 - 00121040 ____A C:\Users\Thomas\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-11 13:59 - 2010-02-18 18:49 - 00000000 ____D C:\users\Thomas
    2012-06-11 13:56 - 2010-02-18 16:22 - 01257265 ____A C:\Windows\WindowsUpdate.log
    2012-06-11 13:27 - 2010-02-21 16:47 - 00001110 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-06-11 13:14 - 2009-08-17 13:18 - 00416500 ____A C:\Windows\PFRO.log
    2012-06-11 13:07 - 2012-06-11 13:06 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-06-11 13:07 - 2012-04-28 09:51 - 00000884 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-06-11 13:07 - 2012-01-07 16:54 - 00001912 ____A C:\Windows\epplauncher.mif
    2012-06-11 13:06 - 2012-06-11 13:06 - 12633984 ____A (Microsoft Corporation) C:\Users\Christine\Downloads\mseinstall.exe
    2012-06-11 13:06 - 2012-06-11 13:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-06-11 13:06 - 2011-03-06 19:18 - 01535576 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-06-11 13:06 - 2009-07-14 18:58 - 00659788 ____A C:\Windows\System32\perfh007.dat
    2012-06-11 13:06 - 2009-07-14 18:58 - 00132060 ____A C:\Windows\System32\perfc007.dat
    2012-06-11 12:47 - 2010-03-09 16:57 - 00000000 ____D C:\Users\Christine\AppData\Roaming\Skype
    2012-06-11 10:49 - 2012-06-11 10:49 - 00002063 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
    2012-06-11 10:49 - 2010-02-18 16:19 - 00000000 ____D C:\Users\All Users\Adobe
    2012-06-11 10:49 - 2010-02-18 16:19 - 00000000 ____D C:\Program Files (x86)\Adobe
    2012-06-11 10:35 - 2009-07-14 06:13 - 01513990 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-06-11 10:35 - 2009-07-14 05:45 - 00009888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-06-11 10:35 - 2009-07-14 05:45 - 00009888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-06-11 10:26 - 2012-06-11 10:26 - 00015120 ____A C:\Users\Christine\Desktop\SCANPST - Verknüpfung.lnk
    2012-06-11 10:14 - 2010-02-22 11:14 - 00000254 ____A C:\Windows\Tasks\Epson Printer Software Downloader.job
    2012-06-11 08:46 - 2010-02-18 21:37 - 00000000 ____D C:\Users\Christine\Documents\CD privat
    2012-06-10 17:33 - 2010-11-17 15:38 - 00000500 ___AH C:\Windows\Tasks\Norton Security Scan for Thomas.job
    2012-06-08 08:44 - 2012-06-08 08:44 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-06-08 08:40 - 2012-04-28 09:51 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-06-08 08:40 - 2011-10-24 18:59 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-06-06 15:02 - 2012-06-06 15:02 - 00000000 ____D C:\Users\Christine\AppData\Local\Sonos,_Inc
    2012-06-06 14:10 - 2012-06-06 14:10 - 00000867 ____A C:\Users\Public\Desktop\WiMP.lnk
    2012-06-06 14:10 - 2012-06-06 14:10 - 00000000 ____D C:\Users\Christine\AppData\Roaming\com.aspiro.wimp.de.25F5C0086CDE1F22CA0B92A487729991CA6CD013.1
    2012-06-06 14:10 - 2012-06-06 14:10 - 00000000 ____D C:\Program Files (x86)\WiMP
    2012-06-06 13:45 - 2012-06-06 13:45 - 00001991 ____A C:\Users\Public\Desktop\Sonos.lnk
    2012-06-06 13:45 - 2012-06-06 13:44 - 00000000 ____D C:\Users\All Users\Sonos,_Inc
    2012-06-06 13:45 - 2010-02-18 21:31 - 00000000 ____D C:\Program Files (x86)\Sonos
    2012-06-06 13:44 - 2011-03-06 19:09 - 00000000 ____D C:\Users\Christine\AppData\Local\Downloaded Installations
    2012-06-06 13:44 - 2010-11-28 17:07 - 00000000 ____D C:\Windows\Downloaded Installations
    2012-06-06 12:45 - 2012-06-06 12:45 - 00000000 ____D C:\Users\Public\Documents\{F0489EF2-D393-4114-85BA-A94D71D89543}
    2012-06-06 12:44 - 2012-06-06 12:44 - 00000947 ____A C:\Users\Public\Desktop\Napster 5.0.lnk
    2012-06-06 12:44 - 2012-06-06 12:44 - 00000000 ____D C:\Users\Christine\AppData\Roaming\com.Rhapsody.Napster5
    2012-06-06 12:44 - 2012-06-06 12:44 - 00000000 ____D C:\Program Files (x86)\Napster 5.0
    2012-06-06 12:24 - 2010-11-25 19:51 - 00000000 ____D C:\Users\All Users\Napster
    2012-06-06 10:05 - 2012-01-11 17:33 - 00045378 ____A C:\Users\Christine\Documents\Haushaltsbuch2012.xlsx
    2012-06-06 10:04 - 2010-02-18 21:37 - 00000000 ____D C:\Users\Christine\Documents\kinder
    2012-06-05 13:53 - 2010-02-20 00:24 - 00000680 _RASH C:\Users\Christine\ntuser.pol
    2012-06-05 13:53 - 2010-02-20 00:24 - 00000000 ____D C:\users\Christine
    2012-06-04 19:23 - 2010-02-21 10:59 - 00000000 ____D C:\Users\Jessica\Tracing
    2012-06-03 09:55 - 2010-02-20 00:27 - 00000000 ____D C:\Users\Christine\AppData\Local\Google
    2012-06-02 22:59 - 2012-03-05 07:39 - 00000000 ____D C:\Users\Christine\Documents\Adobe
    2012-06-02 22:59 - 2010-02-22 07:46 - 00000000 ____D C:\Users\Christine\AppData\Local\Adobe
    2012-06-02 22:59 - 2010-02-20 00:45 - 00000000 ____D C:\Users\Christine\AppData\Roaming\Adobe
    2012-06-02 22:06 - 2012-06-02 22:06 - 00002099 ____A C:\Users\Public\Desktop\Lightroom 4 64-Bit.lnk
    2012-06-02 22:06 - 2012-03-04 13:33 - 00000000 ____D C:\Users\All Users\SmartSound Software Inc
    2012-06-02 22:06 - 2012-03-04 12:48 - 00000000 ____D C:\Program Files\Common Files\Adobe
    2012-06-02 22:04 - 2012-03-04 13:27 - 00000000 ____D C:\Program Files\Adobe
    2012-06-02 17:46 - 2010-02-19 16:49 - 00001332 _RASH C:\Users\Jessica\ntuser.pol
    2012-06-02 17:46 - 2010-02-19 16:49 - 00000000 ____D C:\users\Jessica
    2012-06-02 14:59 - 2011-01-28 13:47 - 00000000 ____D C:\Users\Svenja\AppData\Roaming\Skype
    2012-06-02 13:56 - 2010-02-19 07:14 - 00004682 _RASH C:\Users\Svenja\ntuser.pol
    2012-06-02 13:56 - 2010-02-19 07:14 - 00000000 ____D C:\users\Svenja
    2012-05-31 13:16 - 2010-02-22 10:36 - 00000000 ____D C:\Users\Svenja\Tracing
    2012-05-30 20:44 - 2012-05-30 20:44 - 00014549 ____A C:\Users\Christine\Downloads\Geschi.docx
    2012-05-30 16:07 - 2011-11-04 13:59 - 00000000 ____D C:\Users\Nicole\AppData\Roaming\Skype
    2012-05-30 15:12 - 2010-02-22 09:51 - 00000000 ____D C:\Users\Nicole\Tracing
    2012-05-27 17:40 - 2012-05-27 17:40 - 03930504 ____A (http://yourfiledownloader.com) C:\Users\Christine\Downloads\griet_s_theme_sheet_downloader_352a.exe
    2012-05-23 10:01 - 2012-04-03 19:05 - 00011978 ____A C:\Users\Christine\Documents\Svenja Mitteilungsblatt.xlsx
    2012-05-18 18:18 - 2012-05-18 18:18 - 00000000 ____D C:\Users\Christine\AppData\Local\Windows Live
    2012-05-18 18:18 - 2012-05-18 18:18 - 00000000 ____D C:\Users\Christine\AppData\Local\{F585D421-F89E-4860-9E66-47F708B70533}
    2012-05-17 16:16 - 2012-05-17 16:16 - 00000000 ____D C:\Users\Nicole\Documents\FILSHtray
    2012-05-17 16:16 - 2012-05-17 16:16 - 00000000 ____D C:\Users\Nicole\AppData\Local\FILSH_Media_GmbH
    2012-05-17 16:16 - 2010-02-19 15:13 - 00001330 _RASH C:\Users\Nicole\ntuser.pol
    2012-05-17 16:16 - 2010-02-19 15:13 - 00000000 ____D C:\users\Nicole
    2012-05-15 20:44 - 2012-05-15 20:44 - 00013085 ____A C:\Users\Jessica\Documents\Spiele.docx
    2012-05-15 18:40 - 2010-02-18 21:37 - 00000000 ____D C:\Users\Christine\Documents\schule
    2012-05-15 14:02 - 2012-05-15 14:02 - 00011176 ____A C:\Users\Svenja\Documents\Quiz.docx
    2012-05-15 06:45 - 2010-02-19 16:49 - 00000000 ____D C:\Users\Jessica\AppData\LocalLow
    2012-05-11 02:33 - 2011-02-01 19:19 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
    2012-05-11 02:33 - 2009-07-14 05:45 - 00453752 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-05-11 02:13 - 2010-02-18 20:29 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-05-11 02:13 - 2010-02-18 16:29 - 00000000 ____D C:\Users\All Users\Microsoft Help
    2012-05-11 02:01 - 2009-07-14 19:18 - 00000000 ____D C:\Program Files\Windows Journal
    2012-05-09 13:56 - 2012-05-09 13:56 - 00089239 ____A C:\Users\Svenja\Documents\bild von ronja.jpg
    2012-05-09 13:31 - 2012-05-09 13:31 - 00013607 ____A C:\Users\Svenja\Documents\Christi Himmelfahrt.docx
    2012-05-08 14:27 - 2010-02-18 21:37 - 00000000 ____D C:\Users\Christine\Documents\handball
    2012-05-04 07:55 - 2012-05-01 22:54 - 00002447 ____A C:\Users\Christine\Downloads\tdausend2114816027.xml
    2012-04-30 19:01 - 2011-01-10 13:08 - 06366208 ____A C:\Users\Svenja\Documents\Svenja.pst
    2012-04-29 11:57 - 2012-04-29 11:57 - 01191936 ____A C:\Users\Christine\Documents\Posten.accdb
    2012-04-28 22:18 - 2011-11-04 19:41 - 00000000 ____D C:\Users\Jessica\AppData\Roaming\Skype
    2012-04-22 13:03 - 2012-04-22 13:03 - 00010161 ____A C:\Users\Svenja\Documents\b-day gäste.docx
    2012-04-22 13:02 - 2012-04-22 12:42 - 00011196 ____A C:\Users\Svenja\Documents\Einladung!.docx
    2012-04-15 19:39 - 2012-04-15 19:39 - 00003584 ____A C:\Users\Christine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-04-12 20:23 - 2012-04-12 20:23 - 00000000 ____D C:\Users\Jessica\AppData\Local\Apple
    2012-04-04 15:43 - 2012-04-04 15:43 - 00000000 __RSD C:\Users\Christine\Documents\My Stationery
    2012-04-03 13:19 - 2012-03-12 17:26 - 00583013 ____A C:\Users\Svenja\Documents\Rock'n'Roll.pptx
    2012-04-03 12:09 - 2012-03-05 15:30 - 00000000 ___RD C:\Program Files (x86)\Skype
    2012-04-02 17:51 - 2010-02-18 21:37 - 00000000 ____D C:\Users\Christine\Documents\urlaub
    2012-03-31 07:05 - 2012-05-10 11:48 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-03-31 05:39 - 2012-05-10 11:48 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-03-31 05:39 - 2012-05-10 11:48 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-03-31 04:10 - 2012-05-10 11:48 - 03146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-03-30 12:35 - 2012-05-10 11:48 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2012-03-30 11:14 - 2011-11-21 13:36 - 00187910 ____A C:\Users\Svenja\Documents\Wunschliste (13 Geburtsatg).docx
    2012-03-30 11:14 - 2011-11-21 13:33 - 00014435 ____A C:\Users\Svenja\Documents\Wunschliste (weihnachten).docx
    2012-03-28 12:50 - 2012-03-28 12:50 - 00014336 __ASH C:\Users\Svenja\Documents\Thumbs.db
    2012-03-28 12:03 - 2010-02-22 10:39 - 00000000 ____D C:\Users\Svenja\AppData\Roaming\Adobe
    2012-03-28 11:22 - 2010-02-19 07:14 - 00000000 ____D C:\Users\Svenja\AppData\LocalLow
    2012-03-28 11:20 - 2010-02-24 12:28 - 00000000 ____D C:\Users\Svenja\AppData\Local\Adobe
    2012-03-28 11:14 - 2012-03-28 11:13 - 00000000 ____D C:\Users\Svenja\Desktop\Svenja's Bilder
    2012-03-26 13:03 - 2012-03-26 13:03 - 00000000 ____D C:\Users\Svenja\Documents\Adobe
    2012-03-24 21:48 - 2012-03-24 20:44 - 1361023584 ____A C:\Users\Christine\Downloads\Slumdog_Millionaer_2012-02-26_2015_52500.mp4
    2012-03-24 21:34 - 2012-03-24 20:42 - 1250785878 ____A C:\Users\Christine\Downloads\City_Slickers_Die_Grossstadthelden_2012-02-26_1545_52500.mp4
    2012-03-24 21:34 - 2012-03-24 20:42 - 1056166378 ____A C:\Users\Christine\Downloads\Good_Night_and_Good_Luck_Der_Fall_McCa_2012-02-22_2315_52500.mp4
    2012-03-24 21:14 - 2012-03-24 20:43 - 542940860 ____A C:\Users\Christine\Downloads\Die_Story_im_Ersten_2012-02-23_0730_52500.mp4
    2012-03-24 20:51 - 2012-03-05 16:04 - 00000000 ____D C:\Users\All Users\regid.1986-12.com.adobe
    2012-03-24 15:36 - 2012-03-24 15:36 - 00000000 ____D C:\Users\Christine\Documents\NewBlueFX
    2012-03-24 15:19 - 2012-03-24 15:19 - 00000000 ____D C:\Users\Christine\AppData\Roaming\Mozilla
    2012-03-23 15:10 - 2012-03-23 15:10 - 05637699 ____A C:\Users\Christine\Unheilig - So wie Du warst.wma
    2012-03-23 15:09 - 2012-03-23 15:09 - 05653415 ____A C:\Users\Christine\Jason Derulo - Breathing.wma
    2012-03-23 15:08 - 2012-03-23 15:08 - 05510247 ____A C:\Users\Christine\Nickelback - Lullaby.wma
    2012-03-23 15:07 - 2012-03-23 15:07 - 05411819 ____A C:\Users\Christine\Secondhand Serenade - Your Call.wma
    2012-03-23 15:00 - 2012-03-23 15:00 - 05948699 ____A C:\Users\Christine\Christina Perri - jar of hearts.wma
    2012-03-23 15:00 - 2012-03-23 15:00 - 05179719 ____A C:\Users\Christine\DEICHKIND - Partnerlook.wma
    2012-03-23 15:00 - 2012-03-23 15:00 - 04883379 ____A C:\Users\Christine\DEICHKIND - Illegale Fans.wma
    2012-03-23 15:00 - 2012-03-23 14:59 - 05947509 ____A C:\Users\Christine\DEICHKIND - Bück dich hoch.wma
    2012-03-23 15:00 - 2012-03-23 14:59 - 05727499 ____A C:\Users\Christine\DEICHKIND - Befehl von ganz unten.wma
    2012-03-23 14:59 - 2012-03-23 14:59 - 06127109 ____A C:\Users\Christine\DEICHKIND - Pferd aus Glas.wma
    2012-03-23 14:59 - 2012-03-23 14:59 - 05772399 ____A C:\Users\Christine\DEICHKIND - Egolution.wma
    2012-03-23 14:59 - 2012-03-23 14:59 - 05529939 ____A C:\Users\Christine\Party Hit Kings - Read All About It.wma
    2012-03-23 14:59 - 2012-03-23 14:59 - 05489529 ____A C:\Users\Christine\Shontelle - Impossible [Main].wma
    2012-03-23 14:54 - 2012-03-23 14:53 - 04636429 ____A C:\Users\Christine\DEICHKIND - Leider geil (Leider geil).wma
    2012-03-23 14:53 - 2012-03-23 14:53 - 05794849 ____A C:\Users\Christine\Far East Movement - Live My Life.wma
    2012-03-23 14:53 - 2012-03-23 14:52 - 05116859 ____A C:\Users\Christine\Tribute Mega Stars - Starships.wma
    2012-03-23 14:53 - 2012-03-23 14:52 - 04910319 ____A C:\Users\Christine\Olly Murs feat. Rizzle Kicks - Heart Skips A Beat.wma
    2012-03-23 14:52 - 2012-03-23 14:52 - 05256049 ____A C:\Users\Christine\Sean Paul - Temperature [Album Version].wma
    2012-03-23 14:49 - 2012-03-23 14:49 - 00000000 ____D C:\Users\Nicole\AppData\Roaming\Apple Computer
    2012-03-23 14:49 - 2010-02-19 15:13 - 00121040 ____A C:\Users\Nicole\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-03-23 14:48 - 2010-02-23 19:47 - 00000000 ____D C:\Users\Nicole\AppData\Local\Adobe
    2012-03-20 19:44 - 2012-03-20 19:44 - 00203888 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2012-03-20 19:44 - 2012-03-20 19:44 - 00098688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
    2012-03-19 18:26 - 2012-03-19 18:26 - 00046080 ____A C:\Users\Christine\Documents\für 3.Englisch-Arbeit.doc
    ZeroAccess:
    C:\Windows\Installer\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}
    C:\Windows\Installer\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\@
    C:\Windows\Installer\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\L
    C:\Windows\Installer\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\n
    C:\Windows\Installer\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\U
    ZeroAccess:
    C:\Users\Christine\AppData\Local\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}
    C:\Users\Christine\AppData\Local\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\@
    C:\Users\Christine\AppData\Local\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\L
    C:\Users\Christine\AppData\Local\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\n
    C:\Users\Christine\AppData\Local\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\U
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe
    [2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 16%
    Total physical RAM: 4031.18 MB
    Available physical RAM: 3384.26 MB
    Total Pagefile: 4029.33 MB
    Available Pagefile: 3374.87 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB
    ======================= Partitions =========================
    1 Drive c: () (Fixed) (Total:454.94 GB) (Free:345.82 GB) NTFS
    2 Drive e: (Recovery) (Fixed) (Total:10.73 GB) (Free:0.82 GB) NTFS
    4 Drive g: (KINGSTON) (Removable) (Total:0.93 GB) (Free:0.67 GB) FAT
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Datenträger ### Status Größe Frei Dyn GPT
    --------------- ------------- ------- ------- --- ---
    Datenträger 0 Online 465 GB 0 B
    Datenträger 1 Online 954 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Typ Größe Offset
    ------------- ---------------- ------- -------
    Partition 1 Wiederherstellun 10 GB 1024 KB
    Partition 2 Primär 100 MB 10 GB
    Partition 3 Primär 454 GB 10 GB
    ======================================================================================================
    Disk: 0
    Partition 1
    Typ : 27
    Versteckt: Ja
    Aktiv : Nein
    Volume ### Bst Bezeichnung DS Typ Größe Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E Recovery NTFS Partition 10 GB Fehlerfre Versteck
    ======================================================================================================
    Disk: 0
    Partition 2
    Typ : 07
    Versteckt: Nein
    Aktiv : Ja
    Volume ### Bst Bezeichnung DS Typ Größe Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Fehlerfre
    ======================================================================================================
    Disk: 0
    Partition 3
    Typ : 07
    Versteckt: Nein
    Aktiv : Nein
    Volume ### Bst Bezeichnung DS Typ Größe Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 454 GB Fehlerfre
    ======================================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Typ Größe Offset
    ------------- ---------------- ------- -------
    Partition 1 Primär 953 MB 16 KB
    ======================================================================================================
    Disk: 1
    Partition 1
    Typ : 0E
    Versteckt: Nein
    Aktiv : Ja
    Volume ### Bst Bezeichnung DS Typ Größe Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G KINGSTON FAT Wechselmed 953 MB Fehlerfre
    ======================================================================================================
    ==========================================================
    Last Boot: 2012-06-07 23:14
    ======================= End Of Log ==========================
     
  2. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    To speed up the process and just in case you want me to search for services.exe I did this already and here are the results:

    Farbar Recovery Scan Tool Version: 10-06-2012 03
    Ran by SYSTEM at 2012-06-15 09:03:22
    Running from G:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
    C:\Windows\System32\services.exe
    [2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
    ====== End Of Search ======
     
  3. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ========================================================

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the BartPE CD.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
     
  4. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    Here comes the fixlog.txt:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 10-06-2012 03
    Ran by SYSTEM at 2012-06-16 00:07:14 Run:1
    Running from G:\
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\Installer\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4} moved successfully.
    C:\Users\Christine\AppData\Local\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
    ==== End of Fixlog ====
     
  5. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Try to boot normally.
     
  6. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    You are the man!!! It boots just fine!!! :)
     
  7. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Good news :)

    We need to run some more tools to make sure you're clean.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    All run fine. Here is the report ComboFix.txt:

    ComboFix 12-06-15.06 - Christine 16.06.2012 0:48.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.4031.2376 [GMT 2:00]
    ausgeführt von:: c:\users\Christine\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Christine\Documents\~WRL0001.tmp
    .
    .
    ((((((((((((((((((((((( Dateien erstellt von 2012-05-15 bis 2012-06-15 ))))))))))))))))))))))))))))))
    .
    .
    2012-06-15 22:57 . 2012-06-15 22:57 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{91FD48A7-5101-42BA-8E8C-811A5B679E5A}\offreg.dll
    2012-06-15 22:54 . 2012-06-15 22:54 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-15 22:54 . 2012-06-15 22:54 -------- d-----w- c:\users\Thomas\AppData\Local\temp
    2012-06-15 22:54 . 2012-06-15 22:54 -------- d-----w- c:\users\Svenja\AppData\Local\temp
    2012-06-15 22:54 . 2012-06-15 22:54 -------- d-----w- c:\users\Nicole\AppData\Local\temp
    2012-06-15 22:54 . 2012-06-15 22:54 -------- d-----w- c:\users\Jessica\AppData\Local\temp
    2012-06-15 22:33 . 2012-06-11 12:08 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-06-15 22:33 . 2012-06-11 12:08 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0155FD44-6778-4716-9FAE-879E66541B47}\gapaengine.dll
    2012-06-15 22:33 . 2012-05-08 08:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{91FD48A7-5101-42BA-8E8C-811A5B679E5A}\mpengine.dll
    2012-06-14 11:51 . 2012-06-15 08:01 -------- d-----w- C:\FRST
    2012-06-11 12:59 . 2012-06-11 12:59 -------- d-----w- c:\users\Thomas\AppData\Roaming\Apple Computer
    2012-06-11 12:59 . 2012-06-11 12:59 -------- d-----w- c:\users\Thomas\AppData\Local\FILSH_Media_GmbH
    2012-06-11 12:08 . 2012-05-08 08:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-06-11 12:06 . 2012-06-11 12:06 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-06-11 12:06 . 2012-06-11 12:07 -------- d-----w- c:\program files\Microsoft Security Client
    2012-06-08 07:44 . 2012-06-08 07:44 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-06-06 14:02 . 2012-06-06 14:02 -------- d-----w- c:\users\Christine\AppData\Local\Sonos,_Inc
    2012-06-06 13:10 . 2012-06-06 13:10 -------- d-----w- c:\users\Christine\AppData\Roaming\com.aspiro.wimp.de.25F5C0086CDE1F22CA0B92A487729991CA6CD013.1
    2012-06-06 13:10 . 2012-06-06 13:10 -------- d-----w- c:\program files (x86)\WiMP
    2012-06-06 12:44 . 2012-06-06 12:45 -------- d-----w- c:\programdata\Sonos,_Inc
    2012-06-06 11:44 . 2012-06-06 11:44 -------- d-----w- c:\users\Christine\AppData\Roaming\com.Rhapsody.Napster5
    2012-06-06 11:44 . 2012-06-06 11:44 -------- d-----w- c:\program files (x86)\Napster 5.0
    2012-05-18 17:18 . 2012-05-18 17:18 -------- d-----w- c:\users\Christine\AppData\Local\Windows Live
    2012-05-17 15:16 . 2012-05-17 15:16 -------- d-----w- c:\users\Nicole\AppData\Local\FILSH_Media_GmbH
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-08 07:40 . 2012-04-28 08:51 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-08 07:40 . 2011-10-24 17:59 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-03-31 06:05 . 2012-05-10 10:48 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-03-31 04:39 . 2012-05-10 10:48 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-03-31 04:39 . 2012-05-10 10:48 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-03-31 03:10 . 2012-05-10 10:48 3146240 ----a-w- c:\windows\system32\win32k.sys
    2012-03-30 11:35 . 2012-05-10 10:48 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-03-20 18:44 . 2012-03-20 18:44 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2012-03-20 18:44 . 2012-03-20 18:44 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    .
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    "AutoStartNPSAgent"="c:\program files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-07-04 95576]
    "SansaDispatch"="c:\users\Christine\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-09-11 79872]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-03-05 39408]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17148552]
    "CAHeadless"="c:\program files (x86)\Adobe\Elements 10 Organizer\CAHeadless\ElementsAutoAnalyzer.exe" [2011-09-14 835224]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-17 538472]
    "MarketingTools"="c:\program files (x86)\Sony\Marketing Tools\MarketingTools.exe" [2010-02-18 26624]
    "SHTtray.exe"="c:\program files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe" [2009-07-27 99624]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-05 843776]
    "EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "FILSHtray"="c:\program files (x86)\FILSHtray\FILSHtray.exe" [2012-02-06 597504]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    .
    c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\users\Svenja\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-1 1079584]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2009-08-03 16:00 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-21 135664]
    R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-06-26 362992]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-15 158856]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-08 257224]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-21 135664]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft-Netzwerkinspektion;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-06-26 313840]
    R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [x]
    R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [x]
    R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [x]
    R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2010-06-14 16448]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2009-06-26 357672]
    R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2009-06-17 110888]
    R3 WSDPrintDevice;WSD-Druckunterstützung durch UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    R3 WSDScan;WSD-Scanunterstützung durch UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [2011-09-14 169624]
    S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-08 169312]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    S2 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2009-07-27 120104]
    S2 SOHDBSvr;VAIO Media plus Database Manager;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [2009-07-27 70952]
    S2 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2009-07-27 427304]
    S2 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2009-07-27 75048]
    S2 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [2009-07-27 91432]
    S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
    S2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2009-07-16 411496]
    S2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2009-07-22 642920]
    S2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2009-06-26 468264]
    S2 VSNService;VSNService;c:\program files\Sony\VAIO Smart Network\VSNService.exe [2009-08-12 522240]
    S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    --- Andere Dienste/Treiber im Speicher ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Inhalt des "geplante Tasks" Ordners
    .
    2012-06-11 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 07:40]
    .
    2012-06-11 c:\windows\Tasks\Epson Printer Software Downloader.job
    - c:\program files (x86)\EPSON\EPAPDL\E_SAPDL2.EXE [2009-01-23 14:03]
    .
    2012-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-21 15:47]
    .
    2012-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-21 15:47]
    .
    2012-06-10 c:\windows\Tasks\Norton Security Scan for Thomas.job
    - c:\program files (x86)\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-11-17 08:48]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-27 16335392]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-24 7938080]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-07-24 1833504]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Zusätzlicher Suchlauf -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.focus.de/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.178.1
    TCP: Interfaces\{D7584639-C672-4FCD-A118-BA34BF7EF593}: NameServer = 192.168.178.1
    DPF: {E9B39AC7-B9FB-48CA-84A0-1659A05C0008} - hxxp://www.wohnmoebel.de/priess/install/KPSA-home%20Priess.cab
    .
    - - - - Entfernte verwaiste Registrierungseinträge - - - -
    .
    Wow6432Node-HKLM-Run-NPSStartup - (no file)
    Wow6432Node-HKLM-Run-NapsterShell - c:\program files (x86)\Napster\napster.exe
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    .
    .
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Weitere laufende Prozesse ------------------------
    .
    c:\program files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
    c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files (x86)\Sony\VAIO Event Service\VESMgr.exe
    c:\windows\SysWOW64\DllHost.exe
    c:\program files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
    c:\program files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    c:\program files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    .
    **************************************************************************
    .
    Zeit der Fertigstellung: 2012-06-16 01:04:06 - PC wurde neu gestartet
    ComboFix-quarantined-files.txt 2012-06-15 23:04
    .
    Vor Suchlauf: 16 Verzeichnis(se), 372.404.375.552 Bytes frei
    Nach Suchlauf: 20 Verzeichnis(se), 379.412.127.744 Bytes frei
    .
    - - End Of File - - 51075CDC75A919DC5A3B75A2F48E83C0
     
  9. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Looks good :)

    Any current issues?

    Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  10. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    Malwarebytes showed no infections:

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Datenbank Version: v2012.06.15.08
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Christine :: FAMILY-PC [Administrator]
    16.06.2012 01:24:19
    mbam-log-2012-06-16 (01-24-19).txt
    Art des Suchlaufs: Quick-Scan
    Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
    Deaktivierte Suchlaufeinstellungen: P2P
    Durchsuchte Objekte: 297817
    Laufzeit: 5 Minute(n), 3 Sekunde(n)
    Infizierte Speicherprozesse: 0
    (Keine bösartigen Objekte gefunden)
    Infizierte Speichermodule: 0
    (Keine bösartigen Objekte gefunden)
    Infizierte Registrierungsschlüssel: 0
    (Keine bösartigen Objekte gefunden)
    Infizierte Registrierungswerte: 0
    (Keine bösartigen Objekte gefunden)
    Infizierte Dateiobjekte der Registrierung: 0
    (Keine bösartigen Objekte gefunden)
    Infizierte Verzeichnisse: 0
    (Keine bösartigen Objekte gefunden)
    Infizierte Dateien: 0
    (Keine bösartigen Objekte gefunden)
    (Ende)
     
  11. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    I ran aswMBR but it took quite long. It was late and I went to bed. When I came in this morning, the system had automatically installed windows updates and then automatically rebooted :oops:. Hopefully this caused no problems. I ran aswMBR again and it went fine. Here is the report:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-06-16 08:00:39
    -----------------------------
    08:00:39.332 OS Version: Windows x64 6.1.7601 Service Pack 1
    08:00:39.332 Number of processors: 2 586 0x170A
    08:00:39.332 ComputerName: FAMILY-PC UserName: Christine
    08:00:42.202 Initialize success
    08:00:46.851 AVAST engine defs: 12061501
    08:00:55.634 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    08:00:55.634 Disk 0 Vendor: ST3500418AS CC44 Size: 476940MB BusType: 3
    08:00:55.634 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000005f
    08:00:55.634 Disk 1 Vendor: RICOH 01 Size: 476940MB BusType: 0
    08:00:55.649 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000060
    08:00:55.649 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 0
    08:00:55.665 Disk 0 MBR read successfully
    08:00:55.665 Disk 0 MBR scan
    08:00:55.712 Disk 0 Windows 7 default MBR code
    08:00:55.727 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10984 MB offset 2048
    08:00:55.758 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 22497280
    08:00:55.790 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 465854 MB offset 22702080
    08:00:55.836 Disk 0 scanning C:\Windows\system32\drivers
    08:01:08.878 Service scanning
    08:01:34.368 Modules scanning
    08:01:34.368 Disk 0 trace - called modules:
    08:01:34.400 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
    08:01:34.400 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004ae3060]
    08:01:34.400 3 CLASSPNP.SYS[fffff8800198c43f] -> nt!IofCallDriver -> [0xfffffa800450ee40]
    08:01:34.400 5 ACPI.sys[fffff88000f337a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80045e7060]
    08:01:38.783 AVAST engine scan C:\Windows
    08:01:42.480 AVAST engine scan C:\Windows\system32
    08:05:18.841 AVAST engine scan C:\Windows\system32\drivers
    08:05:34.176 AVAST engine scan C:\Users\Christine
    08:11:17.691 AVAST engine scan C:\ProgramData
    08:23:25.477 Scan finished successfully
    08:45:49.875 Disk 0 MBR has been saved successfully to "C:\Users\Christine\Desktop\MBR.dat"
    08:45:49.938 The log file has been saved successfully to "C:\Users\Christine\Desktop\aswMBR.txt"
     
  12. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    Is there anything else you want me to do? And one more question: Which program should I use to scan the other computers in our house to make sure that there are no further infections? Any ideas are highly appreciated. And thanks a lot for your professional help so far. :)
     
  13. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    AV + MBAM is always a good combination.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /I " " /c
    dir /b "%systemroot%\*.exe" | find /I " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    I remember MBAM. But which program do you mean by AV?

    Ok, here comes the OTL.TXT log:

    OTL logfile created on: 16.06.2012 17:57:16 - Run 1
    OTL by OldTimer - Version 3.2.49.0 Folder = C:\Users\Christine\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

    3,94 Gb Total Physical Memory | 1,55 Gb Available Physical Memory | 39,30% Memory free
    7,87 Gb Paging File | 5,30 Gb Available in Paging File | 67,32% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 454,94 Gb Total Space | 352,36 Gb Free Space | 77,45% Space Free | Partition Type: NTFS

    Computer Name: FAMILY-PC | User Name: Christine | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012.06.16 17:51:00 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Christine\Desktop\OTL.exe
    PRC - [2012.04.04 07:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2012.03.05 16:28:23 | 000,307,824 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    PRC - [2011.09.14 23:06:38 | 000,169,624 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
    PRC - [2011.09.11 12:10:40 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Users\Christine\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
    PRC - [2010.07.04 20:13:56 | 000,095,576 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe
    PRC - [2010.02.18 17:33:41 | 000,026,624 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Sony\Marketing Tools\MarketingTools.exe
    PRC - [2010.01.15 14:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
    PRC - [2009.08.03 18:00:16 | 000,204,648 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
    PRC - [2009.08.03 18:00:16 | 000,112,488 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
    PRC - [2009.07.27 17:58:40 | 000,091,432 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe
    PRC - [2009.07.27 17:58:38 | 000,427,304 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe
    PRC - [2009.07.27 17:58:38 | 000,075,048 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe
    PRC - [2009.07.27 17:58:38 | 000,070,952 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe
    PRC - [2009.07.27 17:58:36 | 000,120,104 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe
    PRC - [2009.07.27 17:58:36 | 000,099,624 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe
    PRC - [2009.07.23 11:39:38 | 000,313,264 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    PRC - [2009.07.23 11:39:36 | 000,206,336 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    PRC - [2009.07.22 16:03:04 | 000,642,920 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
    PRC - [2009.06.26 15:35:04 | 000,468,264 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
    PRC - [2009.02.06 01:00:00 | 000,843,776 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
    PRC - [2009.01.12 10:54:02 | 000,669,520 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
    PRC - [2008.12.08 16:16:56 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- c:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    PRC - [2008.09.18 11:59:10 | 000,104,960 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files (x86)\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe
    PRC - [2006.12.19 19:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012.06.16 03:32:39 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\69ca4a43ba14b66689715ad62aed70e6\System.ServiceProcess.ni.dll
    MOD - [2012.06.16 03:32:09 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
    MOD - [2012.06.16 03:32:03 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
    MOD - [2012.05.11 03:38:50 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
    MOD - [2012.05.11 03:38:47 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
    MOD - [2012.05.11 03:38:46 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
    MOD - [2012.05.11 03:38:39 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
    MOD - [2010.11.13 02:08:41 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll
    MOD - [2008.12.22 10:50:28 | 000,135,168 | ---- | M] () -- C:\PROGRA~2\EPSONS~1\EVENTM~1\ASSIST~1\SCANAS~1\SCANEN~1.DLL
    MOD - [2008.11.21 14:58:42 | 000,057,344 | ---- | M] () -- C:\PROGRA~2\EPSONS~1\EVENTM~1\ASSIST~1\SCANAS~1\SATWAIN.dll


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2012.03.26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2012.03.26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2009.08.13 00:11:54 | 000,522,240 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Smart Network\VSNService.exe -- (VSNService)
    SRV:64bit: - [2009.07.16 10:36:56 | 000,411,496 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Power Management\SPMService.exe -- (VAIO Power Management)
    SRV:64bit: - [2009.07.14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
    SRV:64bit: - [2009.07.01 18:54:02 | 000,864,032 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
    SRV:64bit: - [2009.06.26 15:56:10 | 000,357,672 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe -- (VcmINSMgr)
    SRV:64bit: - [2009.06.26 15:35:04 | 000,468,264 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe -- (VcmIAlzMgr)
    SRV:64bit: - [2009.06.17 19:50:30 | 000,110,888 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe -- (VcmXmlIfHelper)
    SRV - [2012.06.08 09:40:45 | 000,257,224 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012.04.04 07:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2012.02.15 14:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2011.09.14 23:06:38 | 000,169,624 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor10.0)
    SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010.03.18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2010.02.18 17:19:33 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2010.01.15 14:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
    SRV - [2009.08.03 18:00:16 | 000,204,648 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
    SRV - [2009.07.27 17:58:40 | 000,091,432 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe -- (SOHPlMgr)
    SRV - [2009.07.27 17:58:38 | 000,427,304 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe -- (SOHDms)
    SRV - [2009.07.27 17:58:38 | 000,075,048 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe -- (SOHDs)
    SRV - [2009.07.27 17:58:38 | 000,070,952 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe -- (SOHDBSvr)
    SRV - [2009.07.27 17:58:36 | 000,120,104 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe -- (SOHCImp)
    SRV - [2009.07.23 11:39:38 | 000,313,264 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)
    SRV - [2009.07.23 11:39:38 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)
    SRV - [2009.07.23 11:39:36 | 000,206,336 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)
    SRV - [2009.07.22 16:03:04 | 000,642,920 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe -- (VCFw)
    SRV - [2009.06.26 12:25:36 | 000,362,992 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe -- (Roxio Upnp Server 10)
    SRV - [2009.06.26 12:25:24 | 000,313,840 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe -- (Roxio UPnP Renderer 10)
    SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2008.12.08 16:16:56 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- c:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)
    SRV - [2008.09.18 11:59:10 | 000,104,960 | ---- | M] (ArcSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe -- (uCamMonitor)
    SRV - [2007.05.31 18:11:54 | 000,443,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
    SRV - [2007.05.31 18:11:46 | 000,225,672 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
    SRV - [2006.12.19 19:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe -- (EpsonBidirectionalService)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012.03.20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010.11.20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010.11.20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010.11.20 11:37:42 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
    DRV:64bit: - [2010.06.14 10:32:54 | 000,016,448 | ---- | M] (Teruten Inc) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TFsExDisk.sys -- (TFsExDisk)
    DRV:64bit: - [2010.04.27 04:25:16 | 000,161,280 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ss_bmdm.sys -- (ss_bmdm)
    DRV:64bit: - [2010.04.27 04:25:16 | 000,127,488 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ss_bbus.sys -- (ss_bbus) SAMSUNG USB Mobile Device (WDM)
    DRV:64bit: - [2010.04.27 04:25:16 | 000,018,944 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ss_bmdfl.sys -- (ss_bmdfl) SAMSUNG USB Mobile Modem (Filter)
    DRV:64bit: - [2010.03.19 04:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
    DRV:64bit: - [2009.10.05 17:34:00 | 001,542,656 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
    DRV:64bit: - [2009.08.06 00:24:16 | 000,061,280 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
    DRV:64bit: - [2009.07.31 22:14:14 | 000,076,288 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\risdsn64.sys -- (risdptsk)
    DRV:64bit: - [2009.07.31 22:13:51 | 000,086,528 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimssn64.sys -- (rimsptsk)
    DRV:64bit: - [2009.07.31 22:08:57 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel(R)
    DRV:64bit: - [2009.07.30 22:42:16 | 000,021,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwrchid.sys -- (btwrchid)
    DRV:64bit: - [2009.07.30 22:42:15 | 000,132,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
    DRV:64bit: - [2009.07.30 22:42:15 | 000,098,344 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwaudio.sys -- (btwaudio)
    DRV:64bit: - [2009.07.30 22:41:41 | 000,035,104 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwl2cap.sys -- (btwl2cap)
    DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009.07.14 02:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
    DRV:64bit: - [2009.07.14 02:35:37 | 000,025,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDScan.sys -- (WSDScan)
    DRV:64bit: - [2009.07.14 02:09:50 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usb8023x.sys -- (usb_rndisx)
    DRV:64bit: - [2009.06.30 22:12:21 | 000,287,960 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1y62x64.sys -- (e1yexpress) Intel(R)
    DRV:64bit: - [2009.06.11 22:19:09 | 000,011,392 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SFEP.sys -- (SFEP)
    DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009.05.26 15:32:04 | 000,019,968 | ---- | M] (ArcSoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ArcSoftKsUFilter.sys -- (ArcSoftKsUFilter)
    DRV - [2011.01.15 14:44:22 | 000,005,632 | ---- | M] () [File_System | System | Stopped] -- C:\Windows\SysWow64\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2010.06.14 10:32:54 | 000,016,448 | ---- | M] (Teruten Inc) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\TFsExDisk.Sys -- (TFsExDisk)
    DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2612669


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.focus.de/
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\..\SearchScopes,DefaultScope = {A5100AAD-8562-4FED-9907-F10B1CD800F3}
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\..\SearchScopes\{715FF213-5185-40F0-B93E-5F87AB4ECE18}: "URL" = http://rover.ebay.com/rover/1/707-37276-16609-0/4?satitle={searchTerms}
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\..\SearchScopes\{8B63A8D6-BBED-4341-8867-790E5F524C96}: "URL" = http://mystart.incredimail.com/mb5/?search={searchTerms}&loc=search_box
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\..\SearchScopes\{A5100AAD-8562-4FED-9907-F10B1CD800F3}: "URL" = http://www.google.de/search?hl=de&q={searchTerms}&rlz=1I7GGHP_deDE416
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2661025
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\..\SearchScopes\{B8B16562-9999-4597-B4A3-4AF845914292}: "URL" = http://services.zinio.com/search?s={selection}&rf=sonyslices
    IE - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



    O1 HOSTS File: ([2012.06.16 00:57:44 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O3:64bit: - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
    O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.dll (NVIDIA Corporation)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
    O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe (Realtek Semiconductor Corp.)
    O4:64bit: - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdcBase.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [FILSHtray] C:\Program Files (x86)\FILSHtray\FILSHtray.exe (FILSH Media GmbH)
    O4 - HKLM..\Run: [FUFAXSTM] C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [MarketingTools] C:\Program Files (x86)\Sony\Marketing Tools\MarketingTools.exe (Sony Corporation)
    O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe (Symantec Corporation)
    O4 - HKLM..\Run: [SHTtray.exe] C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe (Sony Corporation)
    O4 - HKU\S-1-5-21-3002679033-3836784735-729753035-1004..\Run: [AutoStartNPSAgent] C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.)
    O4 - HKU\S-1-5-21-3002679033-3836784735-729753035-1004..\Run: [CAHeadless] C:\Program Files (x86)\Adobe\Elements 10 Organizer\CAHeadless\ElementsAutoAnalyzer.exe (Adobe Systems Incorporated)
    O4 - HKU\S-1-5-21-3002679033-3836784735-729753035-1004..\Run: [SansaDispatch] C:\Users\Christine\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
    O7 - HKU\S-1-5-21-3002679033-3836784735-729753035-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
    O8:64bit: - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
    O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
    O8:64bit: - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
    O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
    O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9:64bit: - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O9 - Extra Button: Senden an Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra 'Tools' menuitem : Senden an &Bluetooth-Gerät... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {6E718D87-6909-4FCE-92D4-EDCB2F725727} http://www.navigram.com/engine/v911/Navigram.cab (Navigram Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {E9B39AC7-B9FB-48CA-84A0-1659A05C0008} http://www.wohnmoebel.de/priess/install/KPSA-home Priess.cab (ActiveFormX Element)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D7584639-C672-4FCD-A118-BA34BF7EF593}: DhcpNameServer = 192.168.178.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D7584639-C672-4FCD-A118-BA34BF7EF593}: NameServer = 192.168.178.1
    O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
    O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - Winlogon\Notify\VESWinlogon: DllName - (VESWinlogon.dll) - C:\Windows\SysWow64\VESWinlogon.dll (Sony Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)


    Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012.06.16 17:51:00 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Christine\Desktop\OTL.exe
    [2012.06.16 01:23:26 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\Malwarebytes
    [2012.06.16 01:23:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012.06.16 01:23:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012.06.16 01:23:15 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012.06.16 01:23:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012.06.16 01:21:17 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Christine\Desktop\aswMBR.exe
    [2012.06.16 01:18:21 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Christine\Desktop\mbam-setup-1.61.0.1400.exe
    [2012.06.16 01:04:08 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012.06.16 00:57:56 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012.06.16 00:45:45 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012.06.16 00:45:45 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012.06.16 00:45:45 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012.06.16 00:45:38 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012.06.16 00:45:17 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012.06.16 00:29:51 | 004,559,503 | R--- | C] (Swearware) -- C:\Users\Christine\Desktop\ComboFix.exe
    [2012.06.14 13:51:08 | 000,000,000 | ---D | C] -- C:\FRST
    [2012.06.11 14:06:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
    [2012.06.11 14:06:54 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012.06.11 12:54:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Live Add-in
    [2012.06.08 09:44:12 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
    [2012.06.06 16:02:09 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Local\Sonos,_Inc
    [2012.06.06 15:10:58 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\com.aspiro.wimp.de.25F5C0086CDE1F22CA0B92A487729991CA6CD013.1
    [2012.06.06 15:10:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WiMP
    [2012.06.06 14:45:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sonos
    [2012.06.06 14:44:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Sonos,_Inc
    [2012.06.06 13:45:07 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\{F0489EF2-D393-4114-85BA-A94D71D89543}
    [2012.06.06 13:44:37 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\com.Rhapsody.Napster5
    [2012.06.06 13:44:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Napster 5.0
    [2012.05.18 19:18:05 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Local\Windows Live
    [2012.05.18 19:18:04 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Local\{F585D421-F89E-4860-9E66-47F708B70533}
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012.06.16 17:57:07 | 000,000,716 | ---- | M] () -- C:\Users\Christine\Desktop\[Active] - Another SIREFEF.Y infected PC - TechSpot Forums#post-1187841.url
    [2012.06.16 17:51:00 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Christine\Desktop\OTL.exe
    [2012.06.16 17:27:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012.06.16 17:07:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012.06.16 11:14:00 | 000,000,254 | ---- | M] () -- C:\Windows\tasks\Epson Printer Software Downloader.job
    [2012.06.16 08:45:49 | 000,000,512 | ---- | M] () -- C:\Users\Christine\Desktop\MBR.dat
    [2012.06.16 07:59:02 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012.06.16 03:36:21 | 000,009,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012.06.16 03:36:21 | 000,009,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012.06.16 03:35:53 | 001,513,990 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012.06.16 03:35:53 | 000,659,788 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
    [2012.06.16 03:35:53 | 000,621,064 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012.06.16 03:35:53 | 000,132,060 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
    [2012.06.16 03:35:53 | 000,108,284 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012.06.16 03:28:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012.06.16 03:28:21 | 000,453,752 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2012.06.16 03:27:37 | 3170,246,656 | -HS- | M] () -- C:\hiberfil.sys
    [2012.06.16 01:23:20 | 000,001,153 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012.06.16 01:21:17 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Christine\Desktop\aswMBR.exe
    [2012.06.16 01:18:21 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Christine\Desktop\mbam-setup-1.61.0.1400.exe
    [2012.06.16 00:57:44 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012.06.16 00:29:51 | 004,559,503 | R--- | M] (Swearware) -- C:\Users\Christine\Desktop\ComboFix.exe
    [2012.06.11 14:07:04 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012.06.11 14:06:58 | 001,535,576 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2012.06.11 11:49:47 | 000,002,063 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
    [2012.06.11 11:26:47 | 000,015,120 | ---- | M] () -- C:\Users\Christine\Desktop\SCANPST - Verknüpfung.lnk
    [2012.06.10 18:33:47 | 000,000,500 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for Thomas.job
    [2012.06.06 15:10:56 | 000,000,867 | ---- | M] () -- C:\Users\Public\Desktop\WiMP.lnk
    [2012.06.06 14:45:02 | 000,001,991 | ---- | M] () -- C:\Users\Public\Desktop\Sonos.lnk
    [2012.06.06 13:44:35 | 000,000,947 | ---- | M] () -- C:\Users\Public\Desktop\Napster 5.0.lnk
    [2012.06.05 14:53:29 | 000,000,680 | RHS- | M] () -- C:\Users\Christine\ntuser.pol
    [2012.06.02 23:06:02 | 000,002,099 | ---- | M] () -- C:\Users\Public\Desktop\Lightroom 4 64-Bit.lnk
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012.06.16 17:57:07 | 000,000,716 | ---- | C] () -- C:\Users\Christine\Desktop\[Active] - Another SIREFEF.Y infected PC - TechSpot Forums#post-1187841.url
    [2012.06.16 08:45:49 | 000,000,512 | ---- | C] () -- C:\Users\Christine\Desktop\MBR.dat
    [2012.06.16 01:23:20 | 000,001,153 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012.06.16 00:45:45 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012.06.16 00:45:45 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012.06.16 00:45:45 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012.06.16 00:45:45 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012.06.16 00:45:45 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012.06.11 14:07:01 | 000,001,959 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012.06.11 11:49:47 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
    [2012.06.11 11:49:47 | 000,002,063 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
    [2012.06.11 11:26:47 | 000,015,120 | ---- | C] () -- C:\Users\Christine\Desktop\SCANPST - Verknüpfung.lnk
    [2012.06.06 15:10:56 | 000,000,879 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WiMP.lnk
    [2012.06.06 15:10:56 | 000,000,867 | ---- | C] () -- C:\Users\Public\Desktop\WiMP.lnk
    [2012.06.06 14:45:02 | 000,001,991 | ---- | C] () -- C:\Users\Public\Desktop\Sonos.lnk
    [2012.06.06 13:44:35 | 000,000,959 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Napster 5.0.lnk
    [2012.06.06 13:44:35 | 000,000,947 | ---- | C] () -- C:\Users\Public\Desktop\Napster 5.0.lnk
    [2012.06.02 23:06:02 | 000,002,107 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop Lightroom 4 64-Bit.lnk
    [2012.06.02 23:06:02 | 000,002,099 | ---- | C] () -- C:\Users\Public\Desktop\Lightroom 4 64-Bit.lnk
    [2012.04.15 20:39:52 | 000,003,584 | ---- | C] () -- C:\Users\Christine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012.01.06 13:38:07 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
    [2011.11.11 02:45:44 | 000,316,928 | ---- | C] () -- C:\Windows\SysWow64\hpcc3118.dll
    [2011.05.19 11:25:22 | 000,012,970 | ---- | C] () -- C:\Users\Christine\AppData\Roaming\Microsoft Excel 97-2003.CAL
    [2011.03.06 20:18:51 | 001,535,576 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2011.01.15 14:04:22 | 000,000,000 | ---- | C] () -- C:\ProgramData\LauncherAccess.dt
    [2011.01.15 14:00:13 | 000,005,632 | ---- | C] () -- C:\Windows\SysWow64\drivers\StarOpen.sys
    [2010.08.12 19:30:29 | 000,262,144 | ---- | C] () -- C:\Windows\SysWow64\lame_enc.dll

    ========== LOP Check ==========

    [2012.03.08 23:13:00 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2012.03.04 12:48:00 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
    [2012.06.06 15:10:58 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\com.aspiro.wimp.de.25F5C0086CDE1F22CA0B92A487729991CA6CD013.1
    [2012.06.06 13:44:37 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\com.Rhapsody.Napster5
    [2010.09.26 11:26:51 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\Cornelsen
    [2010.02.22 13:29:14 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\Epson
    [2011.08.03 20:10:05 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\Reitpass
    [2011.03.06 20:11:30 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\Samsung
    [2011.09.11 12:10:20 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\SanDisk
    [2011.01.30 11:10:52 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\Windows Live Writer
    [2010.02.22 13:24:42 | 000,000,000 | ---D | M] -- C:\Users\Jessica\AppData\Roaming\Epson
    [2011.02.16 19:38:57 | 000,000,000 | ---D | M] -- C:\Users\Jessica\AppData\Roaming\IMVU
    [2011.02.16 19:08:48 | 000,000,000 | ---D | M] -- C:\Users\Jessica\AppData\Roaming\IMVUClient
    [2011.03.11 18:08:32 | 000,000,000 | ---D | M] -- C:\Users\Jessica\AppData\Roaming\Samsung
    [2011.09.12 14:18:00 | 000,000,000 | ---D | M] -- C:\Users\Nicole\AppData\Roaming\Cornelsen
    [2010.02.22 13:26:37 | 000,000,000 | ---D | M] -- C:\Users\Nicole\AppData\Roaming\Epson
    [2011.08.05 14:30:00 | 000,000,000 | ---D | M] -- C:\Users\Nicole\AppData\Roaming\Reitpass
    [2012.02.24 14:29:38 | 000,000,000 | ---D | M] -- C:\Users\Svenja\AppData\Roaming\Cornelsen
    [2010.02.22 13:27:46 | 000,000,000 | ---D | M] -- C:\Users\Svenja\AppData\Roaming\Epson
    [2011.08.06 13:31:19 | 000,000,000 | ---D | M] -- C:\Users\Svenja\AppData\Roaming\Reitpass
    [2010.10.24 13:26:34 | 000,000,000 | ---D | M] -- C:\Users\Thomas\AppData\Roaming\ASCON Installer
    [2010.03.07 11:58:29 | 000,000,000 | ---D | M] -- C:\Users\Thomas\AppData\Roaming\Epson
    [2011.01.15 14:49:14 | 000,000,000 | ---D | M] -- C:\Users\Thomas\AppData\Roaming\PC Suite
    [2010.11.28 18:15:00 | 000,000,000 | ---D | M] -- C:\Users\Thomas\AppData\Roaming\SanDisk
    [2012.06.16 11:14:00 | 000,000,254 | ---- | M] () -- C:\Windows\Tasks\Epson Printer Software Downloader.job
    [2010.12.15 11:53:10 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========
     
  15. Eifelbaer

    and part 2 of OTL.TXT:

    ========== Purity Check ==========



    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >
    [2012.06.16 01:04:07 | 000,016,850 | ---- | M] () -- C:\ComboFix.txt
    [2012.06.16 03:27:37 | 3170,246,656 | -HS- | M] () -- C:\hiberfil.sys
    [2010.02.18 17:23:30 | 000,000,187 | ---- | M] () -- C:\Installer_Setup.log
    [2011.11.21 10:25:32 | 000,000,405 | ---- | M] () -- C:\InstallHelper.log
    [2007.03.12 18:59:00 | 000,299,008 | ---- | M] () -- C:\navigram_register.exe
    [2010.11.28 18:21:38 | 000,262,144 | ---- | M] () -- C:\ntuser.dat
    [2010.11.28 18:21:38 | 000,005,120 | -HS- | M] () -- C:\ntuser.dat.LOG1
    [2010.11.28 18:21:38 | 000,000,000 | -HS- | M] () -- C:\ntuser.dat.LOG2
    [2010.11.28 18:21:38 | 000,065,536 | -HS- | M] () -- C:\ntuser.dat{9a0e8cc3-fac7-11df-8c96-0024be445739}.TM.blf
    [2010.11.28 18:21:38 | 000,524,288 | -HS- | M] () -- C:\ntuser.dat{9a0e8cc3-fac7-11df-8c96-0024be445739}.TMContainer00000000000000000001.regtrans-ms
    [2010.11.28 18:21:38 | 000,524,288 | -HS- | M] () -- C:\ntuser.dat{9a0e8cc3-fac7-11df-8c96-0024be445739}.TMContainer00000000000000000002.regtrans-ms
    [2012.06.16 03:27:43 | 4226,998,272 | -HS- | M] () -- C:\pagefile.sys
    [2009.08.17 14:19:27 | 000,002,212 | ---- | M] () -- C:\RHDSetup.log

    < %systemroot%\Fonts\*.com >
    [2009.07.14 07:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009.07.14 07:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009.07.14 07:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009.07.14 07:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009.06.10 22:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2010.04.17 02:45:28 | 000,307,056 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009.07.14 06:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2012.03.05 08:42:14 | 000,000,221 | -HS- | M] () -- C:\Users\Christine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012.06.16 01:21:17 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Christine\Desktop\aswMBR.exe
    [2012.06.16 00:29:51 | 004,559,503 | R--- | M] (Swearware) -- C:\Users\Christine\Desktop\ComboFix.exe
    [2012.06.16 01:18:21 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Christine\Desktop\mbam-setup-1.61.0.1400.exe
    [2012.06.16 17:51:00 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Christine\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2012.06.16 17:07:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012.06.16 11:14:00 | 000,000,254 | ---- | M] () -- C:\Windows\tasks\Epson Printer Software Downloader.job
    [2012.06.16 07:59:02 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012.06.16 17:27:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012.06.10 18:33:47 | 000,000,500 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for Thomas.job
    [2012.06.16 03:28:38 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010.12.15 11:53:10 | 000,032,632 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009.06.10 23:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2012.01.07 18:34:53 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
    [2012.01.07 18:34:53 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
    [2011.01.15 17:22:34 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
    [2011.01.15 17:22:34 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs
    [2012.01.07 18:34:53 | 001,056,768 | ---- | M] () -- C:\Windows\SECURITY\Database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2012.03.05 11:11:49 | 000,000,402 | -HS- | M] () -- C:\Users\Christine\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011.01.15 14:12:09 | 000,000,000 | ---- | M] () -- C:\ProgramData\LauncherAccess.dt

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /I " " /c >

    < dir /b "%systemroot%\*.exe" | find /I " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs >

    < >
     
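Reading a custom-scan block like the one above by hand is tedious: most `< probe >` lines return nothing, and the few files that do show up matter mostly for their attribute flags and location. The following Python parser is an added example (it is not part of the original post and not OTL's own code); it reads the `< probe >` headers and the `[date | size | attrs | M] (company) -- path` result lines in exactly the layout OTL prints, reports which probes returned files, and flags hits whose attribute field marks them hidden and system. The sample input is constructed here from four probes in the same format as the log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: four probes in the layout of the OTL custom-scan output
# above (same "< probe >" header and "[date | size | attrs | M] (company) -- path"
# result lines), closed by the empty "< >" marker that ends the section.
SAMPLE_LOG = r"""
< %USERPROFILE%\Favorites\*.url /x >
[2012.03.05 11:11:49 | 000,000,402 | -HS- | M] () -- C:\Users\Christine\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %ALLUSERSPROFILE%\*.dat /x >
[2011.01.15 14:12:09 | 000,000,000 | ---- | M] () -- C:\ProgramData\LauncherAccess.dt

< %systemroot%\system32\systhem32\*.* >

< >
"""

PROBE_RE = re.compile(r"^<\s*(?P<probe>.*?)\s*>$")
# Fields: timestamp | size with thousands separators | 4-char attribute flags
# (R/H/S/A or '-') | M (modified) or C (created) ] (company, empty if none) -- path
RESULT_RE = re.compile(
    r"^\[(?P<ts>[\d. :]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[A-Z])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    size: int
    attrs: str
    company: str
    path: str

    @property
    def hidden_system(self) -> bool:
        # H and S together mean the file is both hidden and system, which is
        # worth a second look for anything outside the usual desktop.ini cases.
        return "H" in self.attrs and "S" in self.attrs


def parse_custom_scans(text: str) -> dict[str, list[Hit]]:
    """Map each probe to the result lines printed under it, keeping probe order.

    The trailing '< >' marker carries no probe and is not recorded.
    """
    scans: dict[str, list[Hit]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROBE_RE.match(line)
        if m:
            current = m.group("probe") or None
            if current is not None:
                scans[current] = []
            continue
        r = RESULT_RE.match(line)
        if r and current is not None:
            scans[current].append(Hit(
                timestamp=r.group("ts"),
                size=int(r.group("size").replace(",", "")),
                attrs=r.group("attrs"),
                company=r.group("company"),
                path=r.group("path"),
            ))
    return scans


def probes_with_hits(scans: dict[str, list[Hit]]) -> list[str]:
    """Probes that returned at least one file; everything else came back clean."""
    return [probe for probe, hits in scans.items() if hits]


def triage_report(scans: dict[str, list[Hit]]) -> list[str]:
    """One line per file found under a probe, flagging hidden+system files."""
    lines: list[str] = []
    for probe, hits in scans.items():
        for h in hits:
            flag = "  <-- hidden+system" if h.hidden_system else ""
            company = h.company or "no company name"
            lines.append(f"{probe}: {h.path} ({h.size} bytes, {h.attrs}, {company}){flag}")
    return lines


if __name__ == "__main__":
    result = parse_custom_scans(SAMPLE_LOG)
    print(f"{len(result)} probes, {len(probes_with_hits(result))} with hits")
    for line in triage_report(result):
        print(line)
```

Run against a saved OTL custom-scan section instead of SAMPLE_LOG to get the same report for a real log; the `dir /b ... | find` probes simply show up as probes with no parsed results, since their output is a count rather than a file line.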
  16. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    now EXTRAS.TXT:

    OTL Extras logfile created on: 16.06.2012 17:57:16 - Run 1
    OTL by OldTimer - Version 3.2.49.0 Folder = C:\Users\Christine\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

    3,94 Gb Total Physical Memory | 1,55 Gb Available Physical Memory | 39,30% Memory free
    7,87 Gb Paging File | 5,30 Gb Available in Paging File | 67,32% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 454,94 Gb Total Space | 352,36 Gb Free Space | 77,45% Space Free | Partition Type: NTFS

    Computer Name: FAMILY-PC | User Name: Christine | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L"
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L"
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "TCP Query User{47E8DB32-8123-4C61-8F71-4AC164DCAC40}C:\program files (x86)\epson software\event manager\eeventmanager.exe" = protocol=6 | dir=in | app=c:\program files (x86)\epson software\event manager\eeventmanager.exe |
    "UDP Query User{9F3B699E-0A6F-4D6A-903B-AE518A38AD84}C:\program files (x86)\epson software\event manager\eeventmanager.exe" = protocol=17 | dir=in | app=c:\program files (x86)\epson software\event manager\eeventmanager.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
    "{1280E900-35DA-4E08-A700-B79A5B2B8532}" = Microsoft Antimalware Service DE-DE Language Pack
    "{17B77355-3934-4D0E-8FAC-C420482C8E7D}" = Windows Live Family Safety
    "{26F481C6-8DBE-4F8B-9D8D-715081C23ADE}" = Adobe Premiere Elements 10
    "{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
    "{3DAE9A67-DD8D-4EDB-91F7-7B5132B1864D}" = SmartSound Premiere Elements 10 x64 Plugin
    "{669A82E0-43E2-4645-8A2E-1A3DE78F8312}" = Adobe Photoshop Lightroom 4 64-bit
    "{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
    "{90120000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2007
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
    "{9E9D49A4-1DF4-4138-B7DB-5D87A893088E}" = WIDCOMM Bluetooth Software
    "{BC741628-0AFC-405C-8946-DD46D1005A0A}" = 64 Bit HP CIO Components Installer
    "{D035FBF6-FDEF-487D-89CA-6F9DD07B783F}" = Dolby Control Center
    "{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
    "{DC911ADF-7B60-40F2-A112-FB1EB6402D07}" = Microsoft Security Client DE-DE Language Pack
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "{F83779DF-E1F5-43A2-A7BE-732F856FADB7}" = Microsoft SQL Server Compact 3.5 SP1 x64 English
    "EPSON PX810FW Series" = EPSON PX810FW Series Printer Uninstall
    "HECI" = Intel(R) Management Engine Interface
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
    "Microsoft Security Client" = Microsoft Security Essentials
    "NVIDIA Drivers" = NVIDIA Drivers
    "PremElem100" = Adobe Premiere Elements 10

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0899D75A-C2FC-42EA-A702-5B9A5F24EAD5}" = VAIO Smart Network
    "{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
    "{0A5F02E5-1A52-4F85-892C-A35227641C75}" = VAIO Content Metadata Intelligent Analyzing Manager
    "{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}" = Epson FAX Utility
    "{11D08055-939C-432b-98C3-E072478A0CD7}" = PSE10 STI Installer
    "{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{1C10CA62-E88D-8B6E-8F2E-0FC1BEC07985}" = WiMP 1.5.48
    "{1D273D91-D7D5-4036-8B84-EB4615FF5F81}" = SmartSound Sonicfire Pro 5
    "{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{22D3A614-482C-444A-932C-9DA1B8ECDFD2}" = Elements 10 Organizer
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{23825B69-36DF-4DAD-9CFD-118D11D80F16}" = Einstellungen für VAIO-Inhaltsüberwachung
    "{24638AD1-5F7E-9900-147E-B3EEA1B84EAE}" = Napster 5.0 Beta
    "{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java(TM) 6 Update 24
    "{2BE51320-174A-44EC-8041-50E35E091283}" = VAIO Content Metadata Intelligent Analyzing Manager
    "{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
    "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
    "{340C0246-975B-420F-8ADD-DEA69B16FDEE}" = Adobe Premiere Elements 10 Content 1
    "{3B1168DE-1F8C-471C-AC49-0CA52F096170}" = VAIO Content Metadata Intelligent Network Service Manager
    "{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
    "{47FA2C44-D148-4DBC-AF60-B91934AA4842}" = Adobe AIR
    "{48E91AD2-2A80-4E70-98E6-450A189F6048}" = VAIO Movie Story
    "{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4DCEA9C1-4D6E-41BF-A854-28CFA8B56DBF}" = Click to Disc Editor
    "{4F29521F-7338-4D15-8691-8FEEB987780C}" = Adobe Premiere Elements 10 HD Content 3
    "{51BEF30C-58E4-490F-BA40-A2F12AB8B5F9}" = VAIO Content Metadata Manager Settings
    "{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Easy Media Creator 10 LJ
    "{5511C07D-A83C-45AD-92B6-42DF99729A3C}" = Adobe Photoshop Elements 7.0
    "{57AABF73-E17F-4212-A103-13A9794F0869}" = VAIO Content Metadata XML Interface Library
    "{57B955CE-B5D3-495D-AF1B-FAEE0540BFEF}" = VAIO Data Restore Tool
    "{586509F0-350D-48B5-B763-9CC2F8D96C4C}" = Windows Live Sync
    "{5928359F-BF46-4646-BF19-B64E55171EB5}_is1" = FILSHtray Version 0.10
    "{596BED91-A1D8-4DF1-8CD1-1C777F7588AC}" = VAIO DVD Menu Data Basic
    "{5D037ECA-B00A-466F-848C-D21B4DB69DEA}" = Adobe Premiere Elements 10 HD Content 1
    "{5DDAFB4B-C52E-468A-9E23-3B0CEEB671BF}" = VAIO-Support für Übertragungen
    "{5F2D882B-A663-4EB5-9851-48CC6C75FD2D}" = VAIO Content Metadata Intelligent Network Service Manager
    "{5F5867F0-2D23-4338-A206-01A76C823924}" = VAIO Energie Verwaltung
    "{68A69CFF-130D-4CDE-AB0E-7374ECB144C8}" = Click to Disc
    "{6B1F20F2-6321-4669-A58C-33DF8E7517FF}" = VAIO Entertainment Platform
    "{6FA8BA2C-052B-4072-B8E2-2302C268BE9E}" = VAIO Movie Story Template Data
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{72042FA6-5609-489F-A8EA-3C2DD650F667}" = VAIO Control Center
    "{7395DD51-0D1A-47A7-9993-742073ECF4CE}" = VAIO Content Metadata Manager Settings
    "{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{7A512C74-7780-43A1-93DA-29C23D0DF374}" = VAIO Content Metadata XML Interface Library
    "{7BB90344-0647-468E-925A-7F69F7983421}" = ArcSoft Magic-I Visual Effects 2
    "{7BBA9BF8-05DF-47D8-8880-82A9B99505B9}" = Sonos Controller
    "{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
    "{7E8DE539-B044-48B3-BC76-4F0A089ABE2F}" = VAIO Content Metadata Intelligent Analyzing Manager
    "{83CDA18E-0BF3-4ACA-872C-B4CDABF2360E}" = VAIO Update 4
    "{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent
    "{850C7BD3-9F3F-46AD-9396-E7985B38C55E}" = Windows Live Fotogalerie
    "{87C2248A-C7DD-49ED-9BCD-B312A9D0819E}" = Epson Easy Photo Print 2
    "{8927E07C-97F7-4A54-88FB-D976F50DD46E}" = Turbo Lister 2
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8DE50158-80AA-4FF2-9E9F-0A7C46F71FCD}" = VAIO Media plus
    "{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
    "{8F47B673-8D71-49E3-98B6-BCF547C82F57}" = Click to Disc
    "{90024193-9F13-4877-89D5-A1CDF0CBBF28}" = Feedback Tool
    "{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
    "{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
    "{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
    "{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
    "{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
    "{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
    "{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
    "{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISER_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
    "{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISER_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
    "{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISER_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-002A-0407-1000-0000000FF1CE}_ENTERPRISER_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
    "{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
    "{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
    "{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISER_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
    "{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
    "{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{9238E8A4-BEBA-43A3-B926-769BDBF194C5}" = VAIO Media plus Opening Movie
    "{949419DF-F4AF-4693-B60A-522B24F233C6}" = VAIO Content Metadata XML Interface Library
    "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
    "{95140000-007F-0407-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
    "{969E11AA-8F3A-F162-1A5A-0965E216B6CE}" = Adobe Download Assistant
    "{96D0B6C6-5A72-4B47-8583-A87E55F5FE81}" =
    "{99C7D73D-E201-4D03-B8A4-5EDBA529B505}" = Adobe Premiere Elements 10 Content 3
    "{9C8D1290-0A4C-446C-AD86-0590812660CC}" = Adobe Premiere Elements 10 Content
    "{9D912275-85FD-45F6-9AF3-388A0F8AADB2}" = VAIO Content Metadata Intelligent Network Service Manager
    "{9E39EA0D-38CD-4739-9E28-DEA4A1155522}" = Sony Home Network Library
    "{9F06F464-479A-403E-AF92-70CBB8D674A1}" = PRE10STI64Installer
    "{A127C3C0-055E-38CF-B38F-1E85F8BBBFFE}" = Adobe Community Help
    "{A568DFBD-4A04-484E-86BB-165AA6C53E2B}" = VAIO Content Monitoring Settings
    "{A63E7492-A0BC-4BB9-89A7-352965222380}" = VAIO Original Funktion Einstellungen
    "{A7496F46-78AE-4DB2-BCF5-95F210FA6F96}" = Windows Live Movie Maker
    "{A7C30414-2382-4086-B0D6-01A88ABA21C3}" = VAIO Gate
    "{A7DA438C-2E43-4C20-BFDA-C1F4A6208558}" = Setting Utility Series
    "{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch
    "{AED2DD42-9853-407E-A6BC-8A1D6B715909}" = Windows Live Messenger
    "{B25563A0-41F4-4A81-A6C1-6DBC0911B1F3}" = VAIO Movie Story
    "{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
    "{B6A98E5F-D6A7-46FB-9E9D-1F7BF4434001}" = Epson Printer Software Downloader
    "{B8A2869E-30CA-40C5-9CF8-BD7354E57EF8}" = SmartSound Common Data
    "{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
    "{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Norton Online Backup
    "{C7477742-DDB4-43E5-AC8D-0259E1E661B1}" = VAIO Event Service
    "{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials
    "{CB6075D9-F912-40AE-BEA6-E590DA24F16B}" = Adobe Photoshop Elements 7.0
    "{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Music Transfer
    "{D03D02D8-AB64-4785-A48E-5AA8B0FB8C14}" = Sony Home Network Library
    "{D16A31F9-276D-4968-A753-FFEAC56995D0}" = Epson Print CD
    "{D1CE6204-061A-43B5-830F-6A8A35C4E0C6}" = Adobe Premiere Elements 10 HD Content 2
    "{D2041A37-5FEC-49F0-AE5C-3F2FFDFAA4F4}" = Windows Live Call
    "{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
    "{D564B5E2-CCB5-4A5C-B35E-2FC30BBC9336}" = Adobe Premiere Elements 7.0
    "{D60F97EC-EF06-4E1E-B0D1-C2CBABA62FA3}" = VAIO Wallpaper Contents
    "{D66A42BA-3747-4628-9CE4-9E7C18C3ED95}" = Adobe Premiere Elements 10 Content 2
    "{D8AE7D4E-BA8B-4F7B-BF50-8D2F090034F0}" = VAIO Content Metadata Intelligent Analyzing Manager
    "{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
    "{DE8AAC73-6D8D-483E-96EA-CAEDDADB9079}" = ArcSoft WebCam Companion 3
    "{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer
    "{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
    "{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
    "{EE549AF9-8FAA-4584-83B2-ECF1BC9DC1FF}" = Adobe Photoshop Elements 10
    "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F1432614-6183-49E6-98E8-674485463CFE}" = VAIO Original Function Settings
    "{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
    "{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
    "{FB77DB0C-6951-47B6-9D80-A0FDBEE0334C}" =
    "{FBBF5D9C-1989-4933-AE4E-19EE368385B4}" = VAIO Entertainment Platform
    "{FC053571-8507-44E4-8B6D-AACEAB8CA57C}" = Sansa Media Converter
    "{FE51662F-D8F6-43B5-99D9-D4894AF00F83}" = Roxio Easy Media Creator Home
    "{FFFAE01B-466F-4C07-9821-A94FD753BDDA}" = EpsonNet Setup
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Photoshop Elements 10" = Adobe Photoshop Elements 10
    "Adobe Photoshop Elements 7" = Adobe Photoshop Elements 7.0
    "Adobe Premiere Elements 10 Content" = Adobe Premiere Elements 10 Content
    "Adobe Premiere Elements 10 Content 1" = Adobe Premiere Elements 10 Content 1
    "Adobe Premiere Elements 10 Content 2" = Adobe Premiere Elements 10 Content 2
    "Adobe Premiere Elements 10 Content 3" = Adobe Premiere Elements 10 Content 3
    "Adobe Premiere Elements 10 HD Content 1" = Adobe Premiere Elements 10 HD Content 1
    "Adobe Premiere Elements 10 HD Content 2" = Adobe Premiere Elements 10 HD Content 2
    "Adobe Premiere Elements 10 HD Content 3" = Adobe Premiere Elements 10 HD Content 3
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
    "com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant
    "com.aspiro.wimp.de.25F5C0086CDE1F22CA0B92A487729991CA6CD013.1" = WiMP 1.5.48
    "com.Rhapsody.Napster5" = Napster 5.0 Beta
    "ENTERPRISER" = Microsoft Office Enterprise 2007
    "EPSON PC-FAX Driver 2" = Epson PC-FAX Driver
    "Epson Printer Software Downloader" = Epson Printer Software Downloader
    "EPSON Scanner" = EPSON Scan
    "Epson Stylus Photo PX710W_PX810FW_TX710W_TX810FW Benutzerhandbuch" = Epson Stylus Photo PX710W_PX810FW_TX710W_TX810FW Handbuch
    "Forte Standard" = Forte Standard 2.0
    "InstallShield_{1D273D91-D7D5-4036-8B84-EB4615FF5F81}" = SmartSound Sonicfire Pro 5
    "InstallShield_{4DCEA9C1-4D6E-41BF-A854-28CFA8B56DBF}" = Click to Disc Editor
    "InstallShield_{B8A2869E-30CA-40C5-9CF8-BD7354E57EF8}" = SmartSound Common Data
    "InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.61.0.1400
    "MarketingTools" = VAIO Marketing Tools
    "McAfee Security Scan" = McAfee Security Scan Plus
    "MFU Module" =
    "NSS" = Norton Security Scan
    "PremElem70" = Adobe Premiere Elements 7.0
    "Reitpass - Trainer" = Reitpass - Trainer
    "VAIO Help and Support" =
    "VAIO Premium Partners 1.00" = VAIO Premium Partners 1.00
    "Voctra Azura" = Voctra Azura
    "WinLiveSuite_Wave3" = Windows Live Essentials

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-3002679033-3836784735-729753035-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Sansa Updater" = Sansa Updater

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 16.06.2012 02:46:51 | Computer Name = Family-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: aswMBR.exe, version: 0.9.9.1665,
    time stamp: 0x4f5f9c86 Faulting module name: unknown, version: 0.0.0.0,
    time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x0878fcec Faulting
    process id: 0x1be8 Faulting application start time: 0x01cd4b855af58064 Faulting
    application path: C:\Users\Christine\Desktop\aswMBR.exe Faulting module
    path: unknown Report Id: 0d18eb4f-b77f-11e1-b008-0024be445739

    Error - 16.06.2012 05:21:44 | Computer Name = Family-PC | Source = Family Safety Service | ID = 0
    Description = Startup failure. Failed to get driver handle. Error code: 80070002

    Error - 16.06.2012 05:21:44 | Computer Name = Family-PC | Source = Family Safety Service | ID = 0
    Description = Startup failure. Failed to Initialize Mandalay. Error code: 80070002

    Error - 16.06.2012 05:21:44 | Computer Name = Family-PC | Source = Family Safety Service | ID = 0
    Description = Startup failure. Failed to create FamilySafetyService: 80070002

    Error - 16.06.2012 05:22:14 | Computer Name = Family-PC | Source = Family Safety Service | ID = 0
    Description = Startup failure. Failed to get driver handle. Error code: 80070002

    Error - 16.06.2012 05:22:14 | Computer Name = Family-PC | Source = Family Safety Service | ID = 0
    Description = Startup failure. Failed to Initialize Mandalay. Error code: 80070002

    Error - 16.06.2012 05:22:14 | Computer Name = Family-PC | Source = Family Safety Service | ID = 0
    Description = Startup failure. Failed to create FamilySafetyService: 80070002

    Error - 16.06.2012 05:22:44 | Computer Name = Family-PC | Source = Family Safety Service | ID = 0
    Description = Startup failure. Failed to get driver handle. Error code: 80070002

    Error - 16.06.2012 05:22:44 | Computer Name = Family-PC | Source = Family Safety Service | ID = 0
    Description = Startup failure. Failed to Initialize Mandalay. Error code: 80070002

    Error - 16.06.2012 05:22:44 | Computer Name = Family-PC | Source = Family Safety Service | ID = 0
    Description = Startup failure. Failed to create FamilySafetyService: 80070002

    [ OSession Events ]
    Error - 19.07.2011 08:14:04 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 61877
    seconds with 1080 seconds of active time. This session ended with a crash.

    Error - 19.07.2011 18:36:35 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 20832
    seconds with 480 seconds of active time. This session ended with a crash.

    Error - 24.08.2011 14:09:33 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 86602
    seconds with 1980 seconds of active time. This session ended with a crash.

    Error - 26.08.2011 01:39:26 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 38561
    seconds with 600 seconds of active time. This session ended with a crash.

    Error - 03.09.2011 09:30:44 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 67295
    seconds with 300 seconds of active time. This session ended with a crash.

    Error - 01.10.2011 13:54:36 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 2508
    seconds with 480 seconds of active time. This session ended with a crash.

    Error - 14.11.2011 08:20:40 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
    12.0.6565.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 88
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 25.12.2011 07:13:06 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 91219
    seconds with 660 seconds of active time. This session ended with a crash.

    Error - 30.12.2011 17:08:14 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 37305
    seconds with 420 seconds of active time. This session ended with a crash.

    Error - 04.01.2012 12:49:48 | Computer Name = Family-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
    Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session
    lasted 9366 seconds with 6780 seconds of active time. This session ended with a
    crash.

    [ System Events ]
    Error - 15.06.2012 19:18:32 | Computer Name = Family-PC | Source = DCOM | ID = 10010
    Description =

    Error - 15.06.2012 19:18:32 | Computer Name = Family-PC | Source = Service Control Manager | ID = 7023
    Description = Der Dienst "Windows Live Family Safety-Dienst" wurde mit folgendem
    Fehler beendet: %%-2147024894

    Error - 15.06.2012 19:19:02 | Computer Name = Family-PC | Source = Service Control Manager | ID = 7023
    Description = Der Dienst "Windows Live Family Safety-Dienst" wurde mit folgendem
    Fehler beendet: %%-2147024894

    Error - 15.06.2012 21:27:36 | Computer Name = Family-PC | Source = Application Popup | ID = 1060
    Description = Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\Drivers\StarOpen.SYS
    nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version
    des Treibers zu erhalten.

    Error - 15.06.2012 21:28:46 | Computer Name = Family-PC | Source = Service Control Manager | ID = 7009
    Description = Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst
    Roxio Upnp Server 10 erreicht.

    Error - 15.06.2012 21:29:03 | Computer Name = Family-PC | Source = Service Control Manager | ID = 7026
    Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
    StarOpen

    Error - 16.06.2012 05:21:44 | Computer Name = Family-PC | Source = Service Control Manager | ID = 7023
    Description = Der Dienst "Windows Live Family Safety-Dienst" wurde mit folgendem
    Fehler beendet: %%-2147024894

    Error - 16.06.2012 05:22:14 | Computer Name = Family-PC | Source = DCOM | ID = 10010
    Description =

    Error - 16.06.2012 05:22:14 | Computer Name = Family-PC | Source = Service Control Manager | ID = 7023
    Description = Der Dienst "Windows Live Family Safety-Dienst" wurde mit folgendem
    Fehler beendet: %%-2147024894

    Error - 16.06.2012 05:22:44 | Computer Name = Family-PC | Source = Service Control Manager | ID = 7023
    Description = Der Dienst "Windows Live Family Safety-Dienst" wurde mit folgendem
    Fehler beendet: %%-2147024894


    < End of report >
     
  17. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    AV = antivirus program.

    ==============================================================

    Uninstall McAfee Security Scan, typical foistware.

    ==============================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2012.06.10 18:33:47 | 000,000,500 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for Thomas.job
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =========================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ==========================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  18. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    OTL FIX ran just fine. PC rebooted and presented this log:

    I am performing the other tasks now.

    All processes killed
    ========== OTL ==========
    64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Starting removal of ActiveX control {A8F2B9BD-A6A0-486A-9744-18920D898429}
    C:\Windows\Downloaded Program Files\SETUP.INF moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A8F2B9BD-A6A0-486A-9744-18920D898429}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8F2B9BD-A6A0-486A-9744-18920D898429}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8F2B9BD-A6A0-486A-9744-18920D898429}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8F2B9BD-A6A0-486A-9744-18920D898429}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    C:\Windows\Tasks\Norton Security Scan for Thomas.job moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Christine
    ->Temp folder emptied: 57666965 bytes
    ->Temporary Internet Files folder emptied: 454374978 bytes
    ->Java cache emptied: 57513567 bytes
    ->Flash cache emptied: 126067 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56466 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Jessica
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 148496073 bytes
    ->Java cache emptied: 32860870 bytes
    ->Flash cache emptied: 530 bytes

    User: Nicole
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 532707907 bytes
    ->Java cache emptied: 32694770 bytes
    ->Flash cache emptied: 157090 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Svenja
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 412529703 bytes
    ->Java cache emptied: 37926179 bytes
    ->Flash cache emptied: 509841 bytes

    User: Thomas
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 410657428 bytes
    ->Java cache emptied: 24142071 bytes
    ->Flash cache emptied: 612526 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 58238539 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 63297605 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
    RecycleBin emptied: 278 bytes

    Total Files Cleaned = 2.217,00 mb


    [EMPTYJAVA]

    User: All Users

    User: Christine
    ->Java cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Jessica
    ->Java cache emptied: 0 bytes

    User: Nicole
    ->Java cache emptied: 0 bytes

    User: Public

    User: Svenja
    ->Java cache emptied: 0 bytes

    User: Thomas
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Christine
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Jessica
    ->Flash cache emptied: 0 bytes

    User: Nicole
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Svenja
    ->Flash cache emptied: 0 bytes

    User: Thomas
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0,00 mb


    OTL by OldTimer - Version 3.2.49.0 log created on 06162012_185038
    Files\Folders moved on Reboot...
    C:\Users\Christine\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    Registry entries deleted on Reboot...
     
  19. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    Checkup.txt:

    Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    JavaFX 2.1.1
    Java(TM) 7 Update 5
    Out of date Java installed!
    Adobe Flash Player ( 10.0.12.36) Flash Player Out of Date!
    Adobe Reader X (10.1.3)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    ``````````End of Log````````````
     
  20. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    Farbar Service Scanner Version: 09-06-2012
    Ran by Christine (administrator) on 16-06-2012 at 19:34:33
    Running from "C:\Users\Christine\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll
    [2012-06-16 00:30] - [2012-04-24 07:37] - 0184320 ____A (Microsoft Corporation) 4F5414602E2544A4554D95517948B705
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****
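What a helper looks for first when reading an FSS.txt like the one above: a service whose start type differs from the default, a "Disabled Policy" registry value that switches a security component off, and a system file whose MD5 the tool did not recognise. The triage script below is an added example, not a tool from this thread; the sample log embedded in it is constructed from the FSS output format shown in the posted log.

```python
"""Triage a Farbar Service Scanner (FSS) log for the findings a reviewer
checks first.  Added example; SAMPLE_FSS is constructed from the FSS
output format, it is not the tool's own code or a complete log."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed excerpt in FSS.txt format (same sections as the posted log).
SAMPLE_FSS = r"""Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Windows Firewall:
=============
Firewall Disabled Policy:
==================

File Check:
========
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-06-16 00:30] - [2012-04-24 07:37] - 0184320 ____A (Microsoft Corporation) 4F5414602E2544A4554D95517948B705
C:\Windows\System32\svchost.exe => MD5 is legit
"""


@dataclass(frozen=True)
class Finding:
    category: str  # "service", "policy" or "file"
    subject: str   # service name, registry value path or file path
    detail: str    # what FSS reported, plus the reviewer's caveat


START_TYPE_RE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                           r"The default start type is (\w+)\.$")
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running")
REG_KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
# "[created] - [modified] - size attrs (company) MD5" line printed for unknown files
FILE_DETAIL_RE = re.compile(r"^\[.+?\] - \[.+?\] - \d+ \S+ \((.*?)\) ([0-9A-Fa-f]{32})$")


def parse_fss(text: str) -> list[Finding]:
    """Walk the log section by section and collect reviewable findings."""
    findings: list[Finding] = []
    section, reg_key, pending_path = "", "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue  # blank line or "=====" separator under a section header
        m = NOT_RUNNING_RE.match(line)
        if m:
            findings.append(Finding("service", m.group(1), "service is not running"))
            continue
        m = START_TYPE_RE.match(line)
        if m and m.group(2).lower() != m.group(3).lower():
            findings.append(Finding("service", m.group(1),
                                    f"start type is {m.group(2)}, default is {m.group(3)}"))
            continue
        if line.endswith(":") and "." not in line:
            section, pending_path = line[:-1], ""  # e.g. "File Check:"
            continue
        if section.endswith("Disabled Policy"):
            m = REG_KEY_RE.match(line)
            if m:
                reg_key = m.group(1)
                continue
            m = REG_VALUE_RE.match(line)
            if m and int(m.group(2)) != 0:  # a non-zero Disable* value turns the component off
                findings.append(Finding("policy", f"{reg_key}\\{m.group(1)}",
                                        f"set to {m.group(2)}; policy disables the component"))
        elif section == "File Check":
            if line.endswith("=> MD5 is legit"):
                pending_path = ""          # hash is in the tool's known-good list
            elif re.match(r"^[A-Za-z]:\\", line):
                pending_path = line        # unknown hash: a detail line follows
            else:
                m = FILE_DETAIL_RE.match(line)
                if m and pending_path:
                    findings.append(Finding("file", pending_path,
                                            f"MD5 {m.group(2)} not in known-good list "
                                            f"(company: {m.group(1)}); verify the digital "
                                            "signature before treating it as tampered"))
                    pending_path = ""
    return findings


if __name__ == "__main__":
    for f in parse_fss(SAMPLE_FSS):
        print(f"[{f.category}] {f.subject}: {f.detail}")
```

An unrecognised MD5 in the File Check section only means the hash is not in the tool's list; a file dated after the list was built (as with the cryptsvc.dll entry above) needs its signature checked rather than being assumed patched.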
     
  21. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    And finally the ESET Report:

    C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan deleted - quarantined
    C:\FRST\Quarantine\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\{4bdf890a-c9ab-d7ec-e71a-32795ead45f4}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
    C:\Users\Jessica\Desktop\PageRage-SilentInstaller.exe probably a variant of Win32/Adware.LXVWVIE application cleaned by deleting - quarantined
     
  22. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Uninstall JavaFX 2.1.1

    ====================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
     
  23. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    Everything looks and works great. Thanks for your help again. You are really an expert!!! Here is the OTL log:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Christine
    ->Temp folder emptied: 15209964 bytes
    ->Temporary Internet Files folder emptied: 20974258 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 681 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Jessica
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Nicole
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Svenja
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Thomas
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 52719 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 35,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Christine
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Jessica
    ->Flash cache emptied: 0 bytes

    User: Nicole
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Svenja
    ->Flash cache emptied: 0 bytes

    User: Thomas
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0,00 mb


    [EMPTYJAVA]

    User: All Users

    User: Christine
    ->Java cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Jessica
    ->Java cache emptied: 0 bytes

    User: Nicole
    ->Java cache emptied: 0 bytes

    User: Public

    User: Svenja
    ->Java cache emptied: 0 bytes

    User: Thomas
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0,00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.49.0 log created on 06162012_235310
    Files\Folders moved on Reboot...
    C:\Users\Christine\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    Registry entries deleted on Reboot...
     
  24. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Yes!!
    Good luck and stay safe :)
     
  25. Eifelbaer

    Eifelbaer TS Rookie Topic Starter Posts: 21

    Hi Broni, please let me ask one final question if you don't mind:

    Which AV software would you recommend? Is MS Security Essentials OK, or should I use something else?

    Thanks again (y) and have a great weekend. :)
     
