Ussrch google redirect



UssrchVictim
2011-07-13, 15:30
Hello dear analysts, I found myself to be infected with some malware or virus that keeps redirecting me when I click on Google results. It still loads the URL into the URL field but displays a completely different page. Any help towards resolving this issue would be greatly appreciated. Here is what I did so far:

I ran Antivir's complete scan
I ran Spybot SD

Both programs found things unknown to me; stupid as I am around such things, I just clicked remove without noting any names or anything. Anyhow, the problem kept on occurring, which made me assume that the removed stuff was not it.

Here is my DDS log:

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Schorsch at 14:08:14 on 2011-07-13
Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.4094.2770 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe
C:\Windows\system32\svchost.exe -k imgsvc
D:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
D:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
D:\Program Files (x86)\Winamp\winampa.exe
D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
D:\games\LoL\RADS\system\rads_user_kernel.exe
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
D:\games\LoL\RADS\projects\lol_launcher\releases\0.0.0.25\deploy\LoLLauncher.exe
D:\Program Files (x86)\QIP\qip.exe
D:\Program Files (x86)\Firefox\firefox.exe
D:\Program Files (x86)\Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.hotspotshield.com/g/?c=h
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [IpSharkk] "D:\Program Files\IpSharkk\IpSharkk.exe" /auto
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [WinampAgent] "D:\Program Files (x86)\Winamp\winampa.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [avgnt] "D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Schorsch\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - D:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Free YouTube to MP3 Converter - C:\Users\Schorsch\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\24B4140294D637960234164736865627 : DhcpNameServer = 192.168.1.1 217.237.149.142
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\46C696E6B613639316 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\651474C4941474C494 : DhcpNameServer = 192.168.2.11
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\66279647A72323 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\75C414E4D2030313643364932333832453 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\75C414E4D2736453442313 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\8656E6E65637E65647A7 : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
{32099AAC-C132-4136-9E9A-4E364A424E17}
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [WinampAgent] "D:\Program Files (x86)\Winamp\winampa.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [avgnt] "D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
IE-X64: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Schorsch\AppData\Roaming\Mozilla\Firefox\Profiles\khytt9qe.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search
FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Firefox\plugins\np_gp.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-19 365568]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-6-19 136360]
R2 AntiVirService;Avira AntiVir Guard;D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-6-19 269480]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 hshld;Hotspot Shield Service;C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [2011-6-3 298824]
R2 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS --> C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-2-4 341296]
R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-6-23 1153368]
R2 TeamViewer5;TeamViewer 5;D:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-5-21 173352]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 yukonw7;NDIS6.2-Miniporttreiber für Marvell Yukon-Ethernet-Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\Windows\system32\drivers\sfdrv01a.sys --> C:\Windows\system32\drivers\sfdrv01a.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 StorSvc;Speicherdienst;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
.
=============== Created Last 30 ================
.
2011-06-23 11:38:20 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-06-19 21:15:11 -------- d-----w- C:\Users\Schorsch\AppData\Roaming\Avira
2011-06-19 21:08:41 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2011-06-19 21:08:41 -------- d-----w- C:\ProgramData\Avira
2011-06-19 20:51:12 -------- d-----we C:\Windows\system64
2011-06-19 20:44:43 -------- d-----w- C:\ProgramData\PC Drivers HeadQuarters
2011-06-19 18:39:04 -------- d-----w- C:\Users\Schorsch\AppData\Roaming\GetRightToGo
.
==================== Find3M ====================
.
2011-05-04 02:52:22 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-04-20 02:44:48 9319936 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-04-20 02:30:16 22900736 ----a-w- C:\Windows\System32\atio6axx.dll
2011-04-20 02:09:18 151552 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-04-20 02:09:04 676864 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-04-20 02:07:46 795648 ----a-w- C:\Windows\System32\aticfx64.dll
2011-04-20 02:07:02 17693184 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-04-20 02:05:08 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-04-20 02:04:54 480256 ----a-w- C:\Windows\System32\atieclxx.exe
2011-04-20 02:04:18 203776 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-04-20 02:03:04 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-04-20 02:02:48 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-04-20 02:02:42 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-04-20 02:02:30 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-04-20 02:02:24 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2011-04-20 02:02:20 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-04-20 02:02:16 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-04-20 01:59:20 4161536 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-04-20 01:49:30 4951552 ----a-w- C:\Windows\System32\atidxx64.dll
2011-04-20 01:46:16 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-04-20 01:46:14 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-04-20 01:46:04 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-04-20 01:46:02 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-04-20 01:45:52 7768064 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-04-20 01:42:04 6389760 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-04-20 01:40:48 1222656 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-04-20 01:40:14 1923584 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-04-20 01:40:02 3868672 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-04-20 01:38:04 4286464 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-04-20 01:31:12 5440000 ----a-w- C:\Windows\System32\atiumd64.dll
2011-04-20 01:30:36 4056576 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-04-20 01:27:00 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-04-20 01:23:12 366080 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-04-20 01:23:06 262144 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-04-20 01:22:54 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-04-20 01:22:52 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-04-20 01:22:52 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-04-20 01:22:48 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-04-20 01:22:40 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-04-20 01:22:32 306176 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-04-20 01:21:44 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-04-20 01:21:38 31232 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-04-20 01:21:32 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-04-20 01:21:24 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-04-20 01:20:50 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-04-20 01:13:36 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-04-20 01:13:36 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-04-20 01:13:28 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-04-20 01:13:28 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-04-19 20:10:34 61952 ----a-w- C:\Windows\System32\OVDecode64.dll
2011-04-19 20:10:32 59904 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2011-04-19 20:10:22 53760 ----a-w- C:\Windows\System32\OpenCL.dll
2011-04-19 20:10:18 51712 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2011-04-19 20:10:14 16116224 ----a-w- C:\Windows\System32\amdocl64.dll
2011-04-19 20:10:02 12385280 ----a-w- C:\Windows\SysWow64\amdocl.dll
.
============= FINISH: 14:09:11,88 ===============


Attached you will find the attach.txt that ERUNT produced.


When I ran Spybot SD there was nothing it could not remove. As the sticky post advises, I am only supposed to post its log when it cannot remove something; did I understand that correctly? If not, I can post that log in no time.

Thank you in advance for taking the time to help me.

Sincerely,

Adrian
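Added example, not part of this thread and not DDS's own code: a small triage script that reads the pseudo-HJT section of a DDS log like the one above and flags the indicators an analyst looks at first. The sample lines are constructed from the posted log. Two reference values come from the editor, not the page: the stock Windows 7 x64 `SubSystems\Windows` ServerDll list (the console server is implemented in winsrv.dll, there is no separate consrv.dll), and the fact that a 64-bit Windows has `System32` and `SysWOW64` but no `system64` directory. The UAC policy defaults are those of an out-of-the-box Windows 7 install.

```python
"""
Triage of a DDS pseudo-HJT report. Added example; the sample log is constructed
from the thread above, and the "clean" reference values are editor assumptions
about a stock Windows 7 x64 install.
"""
import re
from urllib.parse import urlparse

# Stock Windows 7 x64 csrss ServerDll list as DDS renders it (editor assumption).
CLEAN_SUBSYSTEMS = ("basesrv,1 winsrv:UserServerDllInitialization,3 "
                    "winsrv:ConServerDllInitialization,2 sxssrv,4")
STOCK_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Default UAC policy values on Windows 7 (editor assumption).
EXPECTED_UAC = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Directories that legitimately exist directly under C:\Windows with a "system" prefix.
WINDOWS_SYSTEM_DIRS = {"system", "system32", "syswow64"}

# Constructed sample: a subset of the DDS log posted above.
SAMPLE_DDS = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
2011-06-19 21:08:41 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2011-06-19 20:51:12 -------- d-----we C:\Windows\system64
"""


def parse_dds(text):
    """Pull the fields we care about out of the DDS text into a dict."""
    report = {"subsystems": None, "policies": {}, "ff_prefs": {}, "created": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"SubSystems:\s*Windows\s*=\s*(.+)$", line)
        if m:
            report["subsystems"] = m.group(1).strip()
            continue
        m = re.match(r"mPolicies-system:\s*(\w+)\s*=\s*(\d+)", line)
        if m:
            report["policies"][m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"FF - prefs\.js:\s*([\w.]+)\s*-\s*(\S+)", line)
        if m:
            report["ff_prefs"][m.group(1)] = m.group(2)
            continue
        # "Created Last 30" entries: date time size attrs path
        m = re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+(\S+)\s+(.+)$", line)
        if m:
            report["created"].append((m.group(1), m.group(2).strip()))
    return report


def triage(report):
    """Return (severity, message) findings in the order an analyst would read them."""
    findings = []
    # 1. csrss loads every ServerDll listed here with SYSTEM privileges at boot;
    #    any DLL outside the stock set is the first thing to explain.
    if report["subsystems"]:
        for entry in report["subsystems"].split():
            dll = entry.split(":")[0].split(",")[0].lower()
            if dll not in STOCK_SERVER_DLLS:
                findings.append(("HIGH", f"non-stock csrss ServerDll '{dll}' in SubSystems\\Windows "
                                          f"(stock Win7 x64 value: {CLEAN_SUBSYSTEMS})"))
    # 2. UAC switched off means every process of this user already runs elevated.
    for key, want in EXPECTED_UAC.items():
        got = report["policies"].get(key)
        if got is not None and got != want:
            findings.append(("MEDIUM", f"UAC policy {key}={got} (default {want})"))
    # 3. Search/home overrides are usually bundled toolbars, but they must be confirmed
    #    with the user, because a "redirect" complaint can be explained by them alone.
    for pref in ("browser.search.defaulturl", "keyword.URL", "browser.startup.homepage"):
        url = report["ff_prefs"].get(pref)
        if url:
            host = urlparse(url.replace("hxxp", "http", 1)).hostname
            findings.append(("INFO", f"Firefox {pref} points at {host}; confirm the user chose it"))
    # 4. Newly created directories that mimic a Windows system folder.
    for attrs, path in report["created"]:
        parts = path.replace("/", "\\").split("\\")
        if (attrs.startswith("d") and len(parts) == 3 and parts[1].lower() == "windows"
                and parts[2].lower().startswith("system")
                and parts[2].lower() not in WINDOWS_SYSTEM_DIRS):
            findings.append(("HIGH", f"new directory {path} mimics a Windows system folder"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_dds(SAMPLE_DDS)):
        print(f"[{severity}] {message}")
```

The script deliberately reports the search-engine overrides as informational only: they explain a changed start page, not a redirect that keeps the original URL in the address bar, which is why the ServerDll and UAC findings rank higher.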

ken545
2011-07-18, 23:59


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Let's see if there is a rootkit involved.

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

UssrchVictim
2011-07-19, 15:03
Thank you for replying. I downloaded the aswMBR.exe and ran it. It asked me if I wanted it to download the newest avast! definitions. I thought it wouldn't hurt and did so; was that correct? Optional? A mistake?

Here is my aswMBR log.

aswMBR version 0.9.7.777 Copyright(c) 2011 AVAST Software
Run date: 2011-07-19 13:37:52
-----------------------------
13:37:52.110 OS Version: Windows x64 6.1.7600
13:37:52.110 Number of processors: 2 586 0x301
13:37:52.111 ComputerName: SCHORSCH-PC UserName: Schorsch
13:37:52.779 Initialize success
13:38:41.176 AVAST engine defs: 11071900
13:38:51.596 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:38:51.599 Disk 0 Vendor: SAMSUNG_HM320JI 2SS00_01 Size: 305245MB BusType: 11
13:38:51.612 Disk 0 MBR read successfully
13:38:51.615 Disk 0 MBR scan
13:38:51.622 Disk 0 Windows 7 default MBR code
13:38:51.627 Service scanning
13:38:52.694 Disk 0 trace - called modules:
13:38:52.758 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80048512c0]<<
13:38:52.762 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b7a060]
13:38:52.767 3 CLASSPNP.SYS[fffff8800145143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004958060]
13:38:52.772 \Driver\atapi[0xfffffa8004934060] -> IRP_MJ_CREATE -> 0xfffffa80048512c0
13:38:57.237 AVAST engine scan C:\Windows
13:39:00.481 AVAST engine scan C:\Windows\system32
13:39:18.746 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Malware-gen
13:41:41.126 AVAST engine scan C:\Windows\system32\drivers
13:41:57.061 AVAST engine scan C:\Users\Schorsch
13:50:50.685 AVAST engine scan C:\ProgramData
13:51:38.613 Scan finished successfully
13:56:48.137 Disk 0 MBR has been saved successfully to "C:\Users\Schorsch\Desktop\MBR.dat"
13:56:48.144 The log file has been saved successfully to "C:\Users\Schorsch\Desktop\aswMBR.txt"


Again, thank you for helping me. :)
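Added example, not part of this thread and not aswMBR's own code: the reasoning the analyst applies to the log above, written out as a parser. It checks three things in an aswMBR log: whether the boot disk's MBR code is reported as stock, whether a storage driver's IRP dispatch target is an address that aswMBR could not attribute to any loaded module (the `>>UNKNOWN [...]<<` entry in the call trace), and which files the engine marked infected. The sample lines are constructed from the posted log, and the line formats are taken from it; the correlation of the dispatch target with the UNKNOWN address is the editor's own check.

```python
"""
Assess an aswMBR log. Added example; sample lines are constructed from the log
posted above. A dispatch pointer that resolves to an address outside every loaded
module is the classic sign of a kernel-mode hook on the disk stack.
"""
import re

SAMPLE_ASWMBR = r"""
13:38:51.622 Disk 0 Windows 7 default MBR code
13:38:52.758 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80048512c0]<<
13:38:52.767 3 CLASSPNP.SYS[fffff8800145143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004958060]
13:38:52.772 \Driver\atapi[0xfffffa8004934060] -> IRP_MJ_CREATE -> 0xfffffa80048512c0
13:39:18.746 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Malware-gen
13:51:38.613 Scan finished successfully
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")
INFECTED_RE = re.compile(r"File: (.+?) \*\*INFECTED\*\* (\S+)")
MBR_RE = re.compile(r"Disk (\d+) (.*MBR code.*)$")


def parse_aswmbr(text):
    """Collect MBR status per disk, unattributed addresses, dispatch targets and hits."""
    result = {"mbr": {}, "unknown": set(), "dispatch": [], "infected": []}
    for raw in text.splitlines():
        line = raw.strip()
        # every aswMBR line starts with a timestamp; drop it
        body = line.split(" ", 1)[1] if " " in line else line
        m = MBR_RE.search(body)
        if m:
            result["mbr"][int(m.group(1))] = m.group(2)
        for m in UNKNOWN_RE.finditer(body):
            result["unknown"].add(m.group(1).lower())
        m = HOOK_RE.search(body)
        if m:
            result["dispatch"].append((m.group(1), m.group(2), m.group(3).lower()))
        m = INFECTED_RE.search(body)
        if m:
            result["infected"].append((m.group(1), m.group(2)))
    return result


def assess(parsed):
    """Turn the parsed log into (severity, message) findings."""
    findings = []
    for disk, status in parsed["mbr"].items():
        # aswMBR names the OS whose stock MBR code it recognised; anything else is worth a look
        if "default MBR code" not in status:
            findings.append(("HIGH", f"disk {disk}: {status}"))
    for driver, major, target in parsed["dispatch"]:
        # the driver's dispatch routine points at memory that belongs to no loaded module
        if target in parsed["unknown"]:
            findings.append(("HIGH", f"\\Driver\\{driver} {major} dispatch -> {target}, "
                                      "outside every loaded module (kernel-mode hook)"))
    for path, detection in parsed["infected"]:
        findings.append(("HIGH", f"{path}: {detection}"))
    return findings


def rootkit_suspected(findings):
    """The analyst's call: any HIGH finding means a rootkit-capable tool is the next step."""
    return any(sev == "HIGH" for sev, _ in findings)


if __name__ == "__main__":
    found = assess(parse_aswmbr(SAMPLE_ASWMBR))
    for severity, message in found:
        print(f"[{severity}] {message}")
    print("rootkit suspected:", rootkit_suspected(found))
```

On the posted log this yields two HIGH findings: the atapi IRP_MJ_CREATE dispatch resolving to the unattributed address, and the consrv.dll detection. A stock MBR, as here, does not rule a rootkit out; it only says the hook is not living in the boot sector.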

ken545
2011-07-19, 16:07
Hello Adrian,

You did just fine. It looks like a rootkit is involved.

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

UssrchVictim
2011-07-19, 17:46
Hello Ken,

Thank you for the quick reply.

I did the scan; it said that it found 1 threat but just gave me a data window with information that I cannot process due to lack of knowledge. So nothing malicious according to the program. Log follows; please tell me if you need data from that threat window at the end of the scan, then I will repeat the scan.

2011/07/19 16:42:18.0282 1980 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/19 16:42:18.0475 1980 ================================================================================
2011/07/19 16:42:18.0475 1980 SystemInfo:
2011/07/19 16:42:18.0475 1980
2011/07/19 16:42:18.0475 1980 OS Version: 6.1.7600 ServicePack: 0.0
2011/07/19 16:42:18.0475 1980 Product type: Workstation
2011/07/19 16:42:18.0475 1980 ComputerName: SCHORSCH-PC
2011/07/19 16:42:18.0475 1980 UserName: Schorsch
2011/07/19 16:42:18.0475 1980 Windows directory: C:\Windows
2011/07/19 16:42:18.0475 1980 System windows directory: C:\Windows
2011/07/19 16:42:18.0475 1980 Running under WOW64
2011/07/19 16:42:18.0475 1980 Processor architecture: Intel x64
2011/07/19 16:42:18.0476 1980 Number of processors: 2
2011/07/19 16:42:18.0476 1980 Page size: 0x1000
2011/07/19 16:42:18.0476 1980 Boot type: Normal boot
2011/07/19 16:42:18.0476 1980 ================================================================================
2011/07/19 16:42:20.0050 1980 Initialize success
2011/07/19 16:42:21.0840 1100 ================================================================================
2011/07/19 16:42:21.0840 1100 Scan started
2011/07/19 16:42:21.0840 1100 Mode: Manual;
2011/07/19 16:42:21.0840 1100 ================================================================================
2011/07/19 16:42:23.0505 1100 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/07/19 16:42:23.0587 1100 acedrv05 (056faaff049ca7237194065423307189) C:\Windows\system32\drivers\acedrv05.sys
2011/07/19 16:42:23.0634 1100 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2011/07/19 16:42:23.0691 1100 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2011/07/19 16:42:23.0756 1100 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/07/19 16:42:23.0814 1100 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2011/07/19 16:42:23.0860 1100 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2011/07/19 16:42:23.0952 1100 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2011/07/19 16:42:24.0004 1100 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
2011/07/19 16:42:24.0047 1100 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
2011/07/19 16:42:24.0110 1100 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
2011/07/19 16:42:24.0175 1100 amdiox64 (6a2eeb0c4133b20773bb3dd0b7b377b4) C:\Windows\system32\DRIVERS\amdiox64.sys
2011/07/19 16:42:24.0228 1100 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2011/07/19 16:42:24.0502 1100 amdkmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/07/19 16:42:24.0897 1100 amdkmdap (6b4e9261b613b047a9a145f328889968) C:\Windows\system32\DRIVERS\atikmpag.sys
2011/07/19 16:42:24.0997 1100 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2011/07/19 16:42:25.0051 1100 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
2011/07/19 16:42:25.0093 1100 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/07/19 16:42:25.0139 1100 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
2011/07/19 16:42:25.0273 1100 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
2011/07/19 16:42:25.0337 1100 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2011/07/19 16:42:25.0367 1100 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2011/07/19 16:42:25.0436 1100 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/07/19 16:42:25.0469 1100 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
2011/07/19 16:42:25.0553 1100 athr (e857eee6b92aaa473ebb3465add8f7e7) C:\Windows\system32\DRIVERS\athrx.sys
2011/07/19 16:42:25.0857 1100 atikmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/07/19 16:42:26.0098 1100 avgntflt (b1224e6b086cd6548315b04ab575a23e) C:\Windows\system32\DRIVERS\avgntflt.sys
2011/07/19 16:42:26.0147 1100 avipbb (ed45f12cfa62b83765c9c1496758cc87) C:\Windows\system32\DRIVERS\avipbb.sys
2011/07/19 16:42:26.0226 1100 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2011/07/19 16:42:26.0281 1100 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2011/07/19 16:42:26.0341 1100 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2011/07/19 16:42:26.0407 1100 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/07/19 16:42:26.0464 1100 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2011/07/19 16:42:26.0504 1100 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/07/19 16:42:26.0536 1100 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/07/19 16:42:26.0584 1100 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2011/07/19 16:42:26.0622 1100 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/07/19 16:42:26.0656 1100 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/07/19 16:42:26.0693 1100 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/07/19 16:42:26.0738 1100 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/07/19 16:42:26.0789 1100 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/07/19 16:42:26.0844 1100 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
2011/07/19 16:42:26.0937 1100 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2011/07/19 16:42:26.0979 1100 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2011/07/19 16:42:27.0080 1100 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/07/19 16:42:27.0127 1100 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
2011/07/19 16:42:27.0190 1100 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
2011/07/19 16:42:27.0245 1100 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2011/07/19 16:42:27.0273 1100 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
2011/07/19 16:42:27.0324 1100 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/07/19 16:42:27.0413 1100 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
2011/07/19 16:42:27.0796 1100 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
2011/07/19 16:42:27.0831 1100 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2011/07/19 16:42:27.0890 1100 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2011/07/19 16:42:27.0991 1100 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2011/07/19 16:42:28.0044 1100 DXGKrnl (7cb7d2b73813ce05c7bc0f5f95d27cec) C:\Windows\System32\drivers\dxgkrnl.sys
2011/07/19 16:42:28.0191 1100 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2011/07/19 16:42:28.0325 1100 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2011/07/19 16:42:28.0400 1100 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
2011/07/19 16:42:28.0503 1100 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2011/07/19 16:42:28.0548 1100 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2011/07/19 16:42:28.0606 1100 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2011/07/19 16:42:28.0671 1100 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2011/07/19 16:42:28.0697 1100 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2011/07/19 16:42:28.0740 1100 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/07/19 16:42:28.0827 1100 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
2011/07/19 16:42:28.0890 1100 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2011/07/19 16:42:28.0929 1100 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2011/07/19 16:42:28.0966 1100 fvevol (b8b2a6e1558f8f5de5ce431c5b2c7b09) C:\Windows\system32\DRIVERS\fvevol.sys
2011/07/19 16:42:29.0046 1100 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/07/19 16:42:29.0111 1100 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2011/07/19 16:42:29.0225 1100 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
2011/07/19 16:42:29.0283 1100 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/07/19 16:42:29.0310 1100 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/07/19 16:42:29.0358 1100 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2011/07/19 16:42:29.0388 1100 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2011/07/19 16:42:36.0479 1100 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 602884696850c86434530790b110e8eb
2011/07/19 16:42:36.0487 1100 sptd - detected LockedFile.Multi.Generic (1)
2011/07/19 16:42:40.0140 1100 ================================================================================
2011/07/19 16:42:40.0140 1100 Scan finished
2011/07/19 16:42:40.0140 1100 ================================================================================
2011/07/19 16:42:40.0157 3844 Detected object count: 1
2011/07/19 16:42:40.0157 3844 Actual detected object count: 1
2011/07/19 16:42:53.0082 3844 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/07/19 16:43:26.0289 2652 Deinitialize success
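
A small triage helper for the TDSSKiller text log quoted above, added here as an example (it is not a tool from the thread or from Kaspersky): it parses the driver, detection and summary lines and flags any detected object that the user left at "Skip", which is exactly the state of this log before the rerun. The sample log is constructed from the line shapes in the post; the action words other than "Skip" are assumptions about TDSSKiller's wording.

```python
"""Triage a TDSSKiller text log: which objects were detected, and what did the user do about them?

Log line shapes handled (all begin with "<date> <time> <thread-id>"):
  driver entry    : "<name> (<md5>) <path>"
  detection       : "<name> - detected <Verdict> (<n>)"
  summary count   : "Actual detected object count: <n>"
  user decision   : "<Verdict>(<name>) - User select action: <Action>"
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines in the shape of the log quoted in the thread
# (the sptd hash and verdict are the ones shown there), not a complete TDSSKiller log.
SAMPLE_LOG = """\
2011/07/19 16:42:36.0370 1100 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\\Windows\\system32\\drivers\\spldr.sys
2011/07/19 16:42:36.0479 1100 sptd (602884696850c86434530790b110e8eb) C:\\Windows\\system32\\Drivers\\sptd.sys
2011/07/19 16:42:36.0479 1100 Suspicious file (NoAccess): C:\\Windows\\system32\\Drivers\\sptd.sys. md5: 602884696850c86434530790b110e8eb
2011/07/19 16:42:36.0487 1100 sptd - detected LockedFile.Multi.Generic (1)
2011/07/19 16:42:40.0140 1100 Scan finished
2011/07/19 16:42:40.0157 3844 Detected object count: 1
2011/07/19 16:42:40.0157 3844 Actual detected object count: 1
2011/07/19 16:42:53.0082 3844 LockedFile.Multi.Generic(sptd) - User select action: Skip
"""

PREFIX = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
ENTRY_RE = re.compile(PREFIX + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+) \((?P<count>\d+)\)$")
ACTION_RE = re.compile(PREFIX + r"(?P<verdict>[^()\s]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(PREFIX + r"Actual detected object count: (?P<n>\d+)$")

# Actions that actually remove or neutralise the object. "Skip" is the one visible in the
# thread; the exact wording of the others varies between TDSSKiller versions (assumption).
RESOLVING_ACTIONS = {"Cure", "Delete", "Quarantine"}


@dataclass
class TriageResult:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    detections: Dict[str, str] = field(default_factory=dict)           # name -> verdict
    actions: Dict[str, str] = field(default_factory=dict)              # name -> user action
    reported_count: Optional[int] = None                               # "Actual detected object count"


def parse_tdsskiller_log(text: str) -> TriageResult:
    """Walk the log once and collect drivers, detections and the user's decisions."""
    result = TriageResult()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            result.drivers[m["name"]] = (m["md5"], m["path"])
            continue
        m = DETECT_RE.match(line)
        if m:
            result.detections[m["name"]] = m["verdict"]
            continue
        m = ACTION_RE.match(line)
        if m:
            result.actions[m["name"]] = m["action"]
            continue
        m = COUNT_RE.match(line)
        if m:
            result.reported_count = int(m["n"])
    return result


def unresolved_detections(result: TriageResult) -> List[str]:
    """Detected objects the user skipped or never acted on: these are still on disk after the run."""
    return sorted(name for name in result.detections
                  if result.actions.get(name) not in RESOLVING_ACTIONS)


def count_matches(result: TriageResult) -> bool:
    """Sanity check: the summary count should equal the number of detection lines seen."""
    return result.reported_count == len(result.detections)


def report(result: TriageResult) -> str:
    """Human-readable summary of what was found and whether anything is still unresolved."""
    lines = [f"{len(result.drivers)} driver entries, {len(result.detections)} detection(s)"]
    for name, verdict in result.detections.items():
        md5 = result.drivers.get(name, ("?", "?"))[0]
        action = result.actions.get(name, "none")
        lines.append(f"  {name}: {verdict} md5={md5} action={action}")
    left = unresolved_detections(result)
    lines.append("unresolved: " + (", ".join(left) if left else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_tdsskiller_log(SAMPLE_LOG)))
```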

ken545
2011-07-19, 18:15
You need to run TDSSKiller again and make sure you select Cure or Delete (the wording may be different). That's a rootkit infection that we need to remove.

UssrchVictim
2011-07-19, 18:30
I completely missed the dropdown menu for deleting it. Ran it again and deleted it, rebooted the PC. Ran another scan, no threats found.

What did strike me as odd was that upon rebooting my PC told me that Daemon Tools Lite encountered some problem because it requires at least Win 2000 with an installed SPTD driver v1.60. Additionally it states that the kernel debugger (I hope that's more or less the right translation) needs to be deactivated. My question is: is that at all related to the problem we are working on right now? If not, please discard this information because I am planning on deleting it anyway.

Do you need a new DDS-Log now?

ken545
2011-07-19, 19:52
I would uninstall Daemon Tools Lite, as the driver was infected and removed.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

UssrchVictim
2011-07-24, 20:38
Sorry for my delayed response. I downloaded the program, moved it to the desktop, ran it. Antivir was disabled. It demanded a restart, I acted upon that and then W7 said "I cannot start the system, try recovery mode?" I said no, it tried to start, failed, jumped back to booting, asked me the same question. I, hesitantly, told it to go ahead, denied its request to restore earlier system settings, let it run for a long period of time. The end result was "Could not fix your problem, shut me down and retry or find professional help." I initiated a rerun of the recovery program and told it to restore to earlier settings. It did, W7 worked again but ComboFix.exe was not on my desktop. Do we have to redo past steps because W7 suffered a rollback or can we just proceed as before? I am at a loss here.

ken545
2011-07-24, 21:59
Sorry you're having problems. Let me ask you: when TDSSKiller was done, did you reboot your system to have it remove that rootkit?

No biggie, accidents happen and all systems are different and act differently with the programs we run.

Let's do this:

Rerun DDS and post a new log, then rerun aswMBR and let's see what's going on. If they're not on your desktop any longer, just go back to my prior posts and redownload them.

UssrchVictim
2011-07-25, 00:08
Thank you for your fast reply. Yes, I did reboot my system after running TDSSKiller.

Here is the DDS log:


.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Schorsch at 22:39:01 on 2011-07-24
Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.4094.2828 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\spoolsv.exe
D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
D:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe
C:\Windows\system32\svchost.exe -k imgsvc
D:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
D:\Program Files (x86)\Winamp\winampa.exe
D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
D:\Program Files (x86)\Firefox\firefox.exe
D:\Program Files (x86)\Firefox\plugin-container.exe
D:\Program Files (x86)\QIP\qip.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.hotspotshield.com/g/?c=h
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [IpSharkk] "D:\Program Files\IpSharkk\IpSharkk.exe" /auto
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [WinampAgent] "D:\Program Files (x86)\Winamp\winampa.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [avgnt] "D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Schorsch\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - D:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Free YouTube to MP3 Converter - C:\Users\Schorsch\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 83.169.185.33 83.169.185.97
TCP: Interfaces\{52433529-BF7E-41F0-AA6E-29103F7FD496} : DhcpNameServer = 83.169.185.33 83.169.185.97
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\24B4140294D637960234164736865627 : DhcpNameServer = 192.168.1.1 217.237.149.142
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\46C696E6B613639316 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\5416379724F687D2243334635383 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\651474C4941474C494 : DhcpNameServer = 192.168.2.11
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\66279647A72323 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\75C414E4D2030313643364932333832453 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\75C414E4D2736453442313 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{AD26FD8C-AD16-48C5-9753-44C9BD0E9301}\8656E6E65637E65647A7 : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
{32099AAC-C132-4136-9E9A-4E364A424E17}
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [WinampAgent] "D:\Program Files (x86)\Winamp\winampa.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [avgnt] "D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
IE-X64: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Schorsch\AppData\Roaming\Mozilla\Firefox\Profiles\khytt9qe.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search
FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Firefox\plugins\np_gp.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-19 365568]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-6-19 136360]
R2 AntiVirService;Avira AntiVir Guard;D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-6-19 269480]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 hshld;Hotspot Shield Service;C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [2011-6-3 298824]
R2 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS --> C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-2-4 341296]
R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-6-23 1153368]
R2 TeamViewer5;TeamViewer 5;D:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-5-21 173352]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 yukonw7;NDIS6.2-Miniporttreiber für Marvell Yukon-Ethernet-Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\Windows\system32\drivers\sfdrv01a.sys --> C:\Windows\system32\drivers\sfdrv01a.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 StorSvc;Speicherdienst;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
.
=============== Created Last 30 ================
.
2011-08-14 21:32:20 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-24 12:47:23 -------- d-s---w- C:\ComboFix
.
==================== Find3M ====================
.
2011-06-28 13:55:59 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2011-05-04 02:52:22 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
.
============= FINISH: 22:39:41,15 ===============


Here is the aswMBR log:

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-24 22:42:55
-----------------------------
22:42:55.293 OS Version: Windows x64 6.1.7600
22:42:55.294 Number of processors: 2 586 0x301
22:42:55.295 ComputerName: SCHORSCH-PC UserName: Schorsch
22:42:56.806 Initialize success
22:45:34.217 AVAST engine defs: 11072401
22:47:12.863 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
22:47:12.866 Disk 0 Vendor: SAMSUNG_HM320JI 2SS00_01 Size: 305245MB BusType: 11
22:47:12.887 Disk 0 MBR read successfully
22:47:12.891 Disk 0 MBR scan
22:47:12.897 Disk 0 Windows 7 default MBR code
22:47:12.902 Service scanning
22:47:14.067 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
22:47:14.659 Modules scanning
22:47:14.663 Disk 0 trace - called modules:
22:47:14.728 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80048532c0]<<
22:47:14.733 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b796f0]
22:47:14.738 3 CLASSPNP.SYS[fffff880013c143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80049ff1f0]
22:47:14.743 \Driver\atapi[0xfffffa80049b8e70] -> IRP_MJ_CREATE -> 0xfffffa80048532c0
22:47:15.458 AVAST engine scan C:\Windows
22:47:18.369 AVAST engine scan C:\Windows\system32
22:47:35.260 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Malware-gen
22:50:01.627 AVAST engine scan C:\Windows\system32\drivers
22:50:15.203 AVAST engine scan C:\Users\Schorsch
22:55:32.921 AVAST engine scan C:\ProgramData
22:56:13.595 Scan finished successfully
23:02:58.727 Disk 0 MBR has been saved successfully to "C:\Users\Schorsch\Desktop\MBR.dat"
23:02:58.734 The log file has been saved successfully to "C:\Users\Schorsch\Desktop\aswMBR.txt"



Thank you again for helping me out with this annoying virus. If it weren't for you and this forum, I would have to reinstall my complete system. I appreciate not having to do so.

ken545
2011-07-25, 00:46
Looks like the rootkit may have come back.

DAEMON Tools Toolbar <-- This falls somewhere in the grey area; if you don't use it, you should uninstall it via Programs and Features in the Control Panel.

Let's drag TDSSKiller and the old log to the trash, download a fresh updated copy and run the program again.


Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

UssrchVictim
2011-07-25, 02:34
Actually, I thought I had uninstalled that toolbar AND Daemon Tools itself. Both assumptions proved to be false. That appeared very suspicious. To be honest, I could not believe I had that toolbar installed in the first place; I always select custom install and uncheck all that garbage they want you to use. Both are gone now.

Now a question about the wording. It says to only delete the findings if they are malicious. That word did not appear on my screen; instead it was talking about 1 threat. There was no "cure" option, but I recalled that you said it could be named differently. Therefore I chose to "delete" the "1 threat". Rebooted, and here is the log:

2011/07/25 01:21:05.0209 3564 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/25 01:21:05.0507 3564 ================================================================================
2011/07/25 01:21:05.0507 3564 SystemInfo:
2011/07/25 01:21:05.0507 3564
2011/07/25 01:21:05.0508 3564 OS Version: 6.1.7600 ServicePack: 0.0
2011/07/25 01:21:05.0508 3564 Product type: Workstation
2011/07/25 01:21:05.0508 3564 ComputerName: SCHORSCH-PC
2011/07/25 01:21:05.0508 3564 UserName: Schorsch
2011/07/25 01:21:05.0508 3564 Windows directory: C:\Windows
2011/07/25 01:21:05.0508 3564 System windows directory: C:\Windows
2011/07/25 01:21:05.0508 3564 Running under WOW64
2011/07/25 01:21:05.0508 3564 Processor architecture: Intel x64
2011/07/25 01:21:05.0508 3564 Number of processors: 2
2011/07/25 01:21:05.0508 3564 Page size: 0x1000
2011/07/25 01:21:05.0508 3564 Boot type: Normal boot
2011/07/25 01:21:05.0508 3564 ================================================================================
2011/07/25 01:21:07.0309 3564 Initialize success
2011/07/25 01:21:10.0964 3156 ================================================================================
2011/07/25 01:21:10.0964 3156 Scan started
2011/07/25 01:21:10.0964 3156 Mode: Manual;
2011/07/25 01:21:10.0964 3156 ================================================================================
2011/07/25 01:21:12.0265 3156 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/07/25 01:21:12.0357 3156 acedrv05 (056faaff049ca7237194065423307189) C:\Windows\system32\drivers\acedrv05.sys
2011/07/25 01:21:12.0426 3156 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2011/07/25 01:21:12.0472 3156 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2011/07/25 01:21:12.0530 3156 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/07/25 01:21:12.0579 3156 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2011/07/25 01:21:12.0618 3156 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2011/07/25 01:21:12.0689 3156 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2011/07/25 01:21:12.0735 3156 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
2011/07/25 01:21:12.0795 3156 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
2011/07/25 01:21:12.0845 3156 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
2011/07/25 01:21:13.0187 3156 amdiox64 (6a2eeb0c4133b20773bb3dd0b7b377b4) C:\Windows\system32\DRIVERS\amdiox64.sys
2011/07/25 01:21:13.0238 3156 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2011/07/25 01:21:13.0524 3156 amdkmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/07/25 01:21:13.0931 3156 amdkmdap (6b4e9261b613b047a9a145f328889968) C:\Windows\system32\DRIVERS\atikmpag.sys
2011/07/25 01:21:13.0999 3156 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2011/07/25 01:21:14.0053 3156 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
2011/07/25 01:21:14.0089 3156 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/07/25 01:21:14.0119 3156 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
2011/07/25 01:21:14.0226 3156 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
2011/07/25 01:21:14.0307 3156 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2011/07/25 01:21:14.0343 3156 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2011/07/25 01:21:14.0405 3156 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/07/25 01:21:14.0438 3156 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
2011/07/25 01:21:14.0522 3156 athr (e857eee6b92aaa473ebb3465add8f7e7) C:\Windows\system32\DRIVERS\athrx.sys
2011/07/25 01:21:14.0825 3156 atikmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/07/25 01:21:15.0066 3156 avgntflt (b1224e6b086cd6548315b04ab575a23e) C:\Windows\system32\DRIVERS\avgntflt.sys
2011/07/25 01:21:15.0137 3156 avipbb (ed45f12cfa62b83765c9c1496758cc87) C:\Windows\system32\DRIVERS\avipbb.sys
2011/07/25 01:21:15.0213 3156 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2011/07/25 01:21:15.0270 3156 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2011/07/25 01:21:15.0332 3156 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2011/07/25 01:21:15.0387 3156 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/07/25 01:21:15.0433 3156 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2011/07/25 01:21:15.0484 3156 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/07/25 01:21:15.0526 3156 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/07/25 01:21:15.0599 3156 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2011/07/25 01:21:15.0622 3156 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/07/25 01:21:15.0657 3156 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/07/25 01:21:15.0695 3156 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/07/25 01:21:15.0754 3156 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/07/25 01:21:15.0846 3156 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/07/25 01:21:15.0912 3156 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
2011/07/25 01:21:15.0966 3156 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2011/07/25 01:21:16.0014 3156 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2011/07/25 01:21:16.0093 3156 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/07/25 01:21:16.0151 3156 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
2011/07/25 01:21:16.0225 3156 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
2011/07/25 01:21:16.0280 3156 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2011/07/25 01:21:16.0319 3156 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
2011/07/25 01:21:16.0356 3156 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/07/25 01:21:16.0414 3156 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
2011/07/25 01:21:16.0489 3156 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
2011/07/25 01:21:16.0536 3156 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2011/07/25 01:21:16.0583 3156 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2011/07/25 01:21:16.0662 3156 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2011/07/25 01:21:16.0714 3156 DXGKrnl (7cb7d2b73813ce05c7bc0f5f95d27cec) C:\Windows\System32\drivers\dxgkrnl.sys
2011/07/25 01:21:16.0861 3156 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2011/07/25 01:21:16.0996 3156 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2011/07/25 01:21:17.0049 3156 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
2011/07/25 01:21:17.0119 3156 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2011/07/25 01:21:17.0164 3156 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2011/07/25 01:21:17.0211 3156 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2011/07/25 01:21:17.0264 3156 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2011/07/25 01:21:17.0302 3156 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2011/07/25 01:21:17.0345 3156 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/07/25 01:21:17.0454 3156 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
2011/07/25 01:21:17.0517 3156 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2011/07/25 01:21:17.0643 3156 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2011/07/25 01:21:17.0681 3156 fvevol (b8b2a6e1558f8f5de5ce431c5b2c7b09) C:\Windows\system32\DRIVERS\fvevol.sys
2011/07/25 01:21:17.0739 3156 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/07/25 01:21:17.0782 3156 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2011/07/25 01:21:17.0852 3156 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
2011/07/25 01:21:17.0909 3156 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/07/25 01:21:17.0933 3156 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/07/25 01:21:17.0973 3156 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2011/07/25 01:21:18.0005 3156 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2011/07/25 01:21:18.0084 3156 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
2011/07/25 01:21:18.0155 3156 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
2011/07/25 01:21:18.0661 3156 HssDrv (a60c877e1cd3aa2e4e5ccd8af305c0f1) C:\Windows\system32\DRIVERS\HssDrv.sys
2011/07/25 01:21:18.0798 3156 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
2011/07/25 01:21:18.0833 3156 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
2011/07/25 01:21:18.0879 3156 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/07/25 01:21:18.0935 3156 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
2011/07/25 01:21:18.0996 3156 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
2011/07/25 01:21:19.0031 3156 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
2011/07/25 01:21:19.0077 3156 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
2011/07/25 01:21:19.0106 3156 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/07/25 01:21:19.0138 3156 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2011/07/25 01:21:19.0192 3156 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
2011/07/25 01:21:19.0237 3156 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
2011/07/25 01:21:19.0276 3156 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
2011/07/25 01:21:19.0308 3156 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/07/25 01:21:19.0367 3156 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/07/25 01:21:19.0420 3156 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/07/25 01:21:19.0457 3156 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
2011/07/25 01:21:19.0496 3156 KSecPkg (bbe1bf6d9b661c354d4857d5fadb943b) C:\Windows\system32\Drivers\ksecpkg.sys
2011/07/25 01:21:19.0529 3156 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
2011/07/25 01:21:19.0606 3156 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
2011/07/25 01:21:19.0700 3156 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/07/25 01:21:19.0746 3156 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/07/25 01:21:19.0783 3156 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/07/25 01:21:19.0842 3156 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/07/25 01:21:19.0896 3156 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
2011/07/25 01:21:19.0946 3156 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
2011/07/25 01:21:20.0000 3156 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/07/25 01:21:20.0048 3156 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
2011/07/25 01:21:20.0095 3156 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2011/07/25 01:21:20.0139 3156 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
2011/07/25 01:21:20.0188 3156 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2011/07/25 01:21:20.0229 3156 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
2011/07/25 01:21:20.0266 3156 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
2011/07/25 01:21:20.0296 3156 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2011/07/25 01:21:20.0345 3156 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
2011/07/25 01:21:20.0383 3156 mrxsmb (cfdcd8ca87c2a657debc150ac35b5e08) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/07/25 01:21:20.0429 3156 mrxsmb10 (1bee517b220b7f024f411aec1571dd5a) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/07/25 01:21:20.0469 3156 mrxsmb20 (6b2d5fef385828b6e485c1c90afb8195) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/07/25 01:21:20.0505 3156 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
2011/07/25 01:21:20.0560 3156 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
2011/07/25 01:21:20.0644 3156 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2011/07/25 01:21:20.0674 3156 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2011/07/25 01:21:20.0703 3156 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
2011/07/25 01:21:20.0763 3156 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2011/07/25 01:21:20.0800 3156 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/07/25 01:21:20.0851 3156 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2011/07/25 01:21:20.0899 3156 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
2011/07/25 01:21:20.0943 3156 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/07/25 01:21:20.0988 3156 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2011/07/25 01:21:21.0025 3156 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/07/25 01:21:21.0078 3156 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2011/07/25 01:21:21.0184 3156 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2011/07/25 01:21:21.0251 3156 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2011/07/25 01:21:21.0292 3156 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/07/25 01:21:21.0344 3156 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/07/25 01:21:21.0379 3156 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/07/25 01:21:21.0413 3156 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/07/25 01:21:21.0451 3156 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
2011/07/25 01:21:21.0484 3156 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2011/07/25 01:21:21.0525 3156 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
2011/07/25 01:21:21.0626 3156 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/07/25 01:21:21.0679 3156 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2011/07/25 01:21:21.0723 3156 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2011/07/25 01:21:21.0795 3156 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
2011/07/25 01:21:21.0856 3156 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2011/07/25 01:21:21.0915 3156 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
2011/07/25 01:21:21.0957 3156 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
2011/07/25 01:21:22.0009 3156 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
2011/07/25 01:21:22.0050 3156 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/07/25 01:21:22.0100 3156 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2011/07/25 01:21:22.0155 3156 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
2011/07/25 01:21:22.0203 3156 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
2011/07/25 01:21:22.0237 3156 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
2011/07/25 01:21:22.0273 3156 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/07/25 01:21:22.0305 3156 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2011/07/25 01:21:22.0353 3156 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2011/07/25 01:21:22.0512 3156 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
2011/07/25 01:21:22.0550 3156 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2011/07/25 01:21:22.0630 3156 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
2011/07/25 01:21:22.0709 3156 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2011/07/25 01:21:22.0773 3156 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/07/25 01:21:22.0830 3156 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2011/07/25 01:21:22.0868 3156 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2011/07/25 01:21:22.0926 3156 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/07/25 01:21:22.0965 3156 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/07/25 01:21:23.0027 3156 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/07/25 01:21:23.0058 3156 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2011/07/25 01:21:23.0094 3156 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
2011/07/25 01:21:23.0126 3156 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/07/25 01:21:23.0156 3156 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/07/25 01:21:23.0207 3156 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
2011/07/25 01:21:23.0257 3156 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2011/07/25 01:21:23.0294 3156 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2011/07/25 01:21:23.0335 3156 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
2011/07/25 01:21:23.0396 3156 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
2011/07/25 01:21:23.0467 3156 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2011/07/25 01:21:23.0514 3156 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
2011/07/25 01:21:23.0562 3156 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
2011/07/25 01:21:23.0640 3156 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
2011/07/25 01:21:23.0932 3156 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2011/07/25 01:21:23.0992 3156 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2011/07/25 01:21:24.0047 3156 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2011/07/25 01:21:24.0124 3156 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2011/07/25 01:21:24.0222 3156 sfdrv01a (dda1b38a59de5096e2619d4cfde01f4a) C:\Windows\system32\drivers\sfdrv01a.sys
2011/07/25 01:21:24.0253 3156 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/07/25 01:21:24.0292 3156 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2011/07/25 01:21:24.0314 3156 sffp_sd (5588b8c6193eb1522490c122eb94dffa) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/07/25 01:21:24.0405 3156 sfhlp02 (17f6bd95bf04b924f4c05ce78bef8ae6) C:\Windows\system32\drivers\sfhlp02.sys
2011/07/25 01:21:24.0440 3156 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/07/25 01:21:24.0534 3156 sfsync04 (5322b5366fc315e1b4c03633a1331cd1) C:\Windows\system32\drivers\sfsync04.sys
2011/07/25 01:21:24.0608 3156 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/07/25 01:21:24.0650 3156 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/07/25 01:21:24.0717 3156 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2011/07/25 01:21:24.0776 3156 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2011/07/25 01:21:24.0878 3156 sptd (602884696850c86434530790b110e8eb) C:\Windows\system32\Drivers\sptd.sys
2011/07/25 01:21:24.0878 3156 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 602884696850c86434530790b110e8eb
2011/07/25 01:21:24.0886 3156 sptd - detected LockedFile.Multi.Generic (1)
2011/07/25 01:21:24.0930 3156 srv (ec8f67289105bf270498095f14963464) C:\Windows\system32\DRIVERS\srv.sys
2011/07/25 01:21:24.0982 3156 srv2 (f773d2ed090b7baa1c1a034f3ca476c8) C:\Windows\system32\DRIVERS\srv2.sys
2011/07/25 01:21:25.0018 3156 srvnet (26e84d3649019c3244622e654dfcd75b) C:\Windows\system32\DRIVERS\srvnet.sys
2011/07/25 01:21:25.0077 3156 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2011/07/25 01:21:25.0128 3156 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
2011/07/25 01:21:25.0173 3156 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
2011/07/25 01:21:25.0205 3156 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
2011/07/25 01:21:25.0302 3156 taphss (f33fdc72298df4bf9813a55d21f4eb31) C:\Windows\system32\DRIVERS\taphss.sys
2011/07/25 01:21:25.0419 3156 Tcpip (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\drivers\tcpip.sys
2011/07/25 01:21:25.0518 3156 TCPIP6 (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\DRIVERS\tcpip.sys
2011/07/25 01:21:25.0564 3156 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
2011/07/25 01:21:25.0608 3156 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2011/07/25 01:21:25.0642 3156 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2011/07/25 01:21:25.0696 3156 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
2011/07/25 01:21:25.0757 3156 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
2011/07/25 01:21:25.0836 3156 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/07/25 01:21:25.0898 3156 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
2011/07/25 01:21:25.0930 3156 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2011/07/25 01:21:25.0977 3156 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
2011/07/25 01:21:26.0055 3156 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
2011/07/25 01:21:26.0093 3156 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
2011/07/25 01:21:26.0128 3156 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2011/07/25 01:21:26.0187 3156 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/07/25 01:21:26.0240 3156 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
2011/07/25 01:21:26.0278 3156 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
2011/07/25 01:21:26.0330 3156 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys
2011/07/25 01:21:26.0381 3156 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
2011/07/25 01:21:26.0421 3156 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
2011/07/25 01:21:26.0469 3156 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/07/25 01:21:26.0502 3156 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/07/25 01:21:26.0606 3156 usbvideo (d501e12614b00a3252073101d6a1a74b) C:\Windows\system32\Drivers\usbvideo.sys
2011/07/25 01:21:26.0718 3156 VBoxDrv (55e98518b8bf10bd3475607804e3b325) C:\Windows\system32\DRIVERS\VBoxDrv.sys
2011/07/25 01:21:26.0756 3156 VBoxNetAdp (f06b5dba15aa87541f1ed6cc17251913) C:\Windows\system32\DRIVERS\VBoxNetAdp.sys
2011/07/25 01:21:26.0802 3156 VBoxNetFlt (08267d8e073e0d056c154fb71de772d0) C:\Windows\system32\DRIVERS\VBoxNetFlt.sys
2011/07/25 01:21:26.0840 3156 VBoxUSBMon (4aaf4085761676489b316162f99554d9) C:\Windows\system32\DRIVERS\VBoxUSBMon.sys
2011/07/25 01:21:26.0881 3156 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
2011/07/25 01:21:26.0933 3156 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/07/25 01:21:26.0969 3156 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
2011/07/25 01:21:27.0007 3156 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
2011/07/25 01:21:27.0047 3156 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
2011/07/25 01:21:27.0109 3156 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
2011/07/25 01:21:27.0148 3156 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
2011/07/25 01:21:27.0183 3156 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
2011/07/25 01:21:27.0225 3156 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
2011/07/25 01:21:27.0272 3156 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
2011/07/25 01:21:27.0328 3156 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/07/25 01:21:27.0370 3156 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
2011/07/25 01:21:27.0414 3156 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
2011/07/25 01:21:27.0461 3156 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
2011/07/25 01:21:27.0499 3156 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/25 01:21:27.0516 3156 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/25 01:21:27.0583 3156 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
2011/07/25 01:21:27.0637 3156 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2011/07/25 01:21:27.0724 3156 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/07/25 01:21:27.0756 3156 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2011/07/25 01:21:27.0889 3156 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
2011/07/25 01:21:27.0932 3156 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/07/25 01:21:28.0004 3156 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2011/07/25 01:21:28.0068 3156 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
2011/07/25 01:21:28.0132 3156 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/07/25 01:21:28.0234 3156 yukonw7 (b3eeacf62445e24fbb2cd4b0fb4db026) C:\Windows\system32\DRIVERS\yk62x64.sys
2011/07/25 01:21:28.0303 3156 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/07/25 01:21:28.0319 3156 Boot (0x1200) (3548e250159c460c66dc751b0a1c6e85) \Device\Harddisk0\DR0\Partition0
2011/07/25 01:21:28.0361 3156 Boot (0x1200) (64a04edcbe255100ef611117336e36aa) \Device\Harddisk0\DR0\Partition1
2011/07/25 01:21:28.0369 3156 ================================================================================
2011/07/25 01:21:28.0369 3156 Scan finished
2011/07/25 01:21:28.0369 3156 ================================================================================
2011/07/25 01:21:28.0392 1120 Detected object count: 1
2011/07/25 01:21:28.0392 1120 Actual detected object count: 1
2011/07/25 01:21:50.0621 1120 HKLM\SYSTEM\ControlSet001\services\sptd - will be deleted after reboot
2011/07/25 01:21:50.0684 1120 HKLM\SYSTEM\ControlSet002\services\sptd - will be deleted after reboot
2011/07/25 01:21:50.0711 1120 C:\Windows\system32\Drivers\sptd.sys - will be deleted after reboot
2011/07/25 01:21:50.0711 1120 LockedFile.Multi.Generic(sptd) - User select action: Delete
2011/07/25 01:22:41.0342 3648 Deinitialize success


The log is the new one, the old ones I deleted. Also, the copy of TDSSkiller was freshly downloaded. Going to bed now, it is 1:30 in the morning. Thank you for helping me.

ken545
2011-07-25, 04:00
You did just fine :bigthumb:

Again, if the old one is on your desktop, drag it to the trash


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

UssrchVictim
2011-07-25, 22:52
Now I have the same situation again. Rollback to an earlier point, this poorly programmed OS doesn't even tell me to what point it jumped back. All I know is that there is no log and a lot of the cleaning tools are missing, meaning, we directly (again) jumped back into an earlier stage of our cleaning process. Is there a way to nuke out that friggin malware piece of s*** that, according to combofix, is lurking around in the system32 folder without using combofix? Because I really dislike the fact that I have to re-organize my whole desktop again and have to uninstall a lot of stupid programs again. I was sort of proud of my cleaned up desktop. Now it's crowded with crap again. :/ Sorry for being such a difficult malware-patient. I really wonder where that thing came from.

Thankfully awaiting your response as always.

ken545
2011-07-26, 00:48
Well, rootkits are nasty; it came back and we removed it again. I really need you to run ComboFix; we can have another forum we work closely with fix your desktop when we're done.

UssrchVictim
2011-07-26, 01:40
No, you must have misunderstood me. My Desktop is just crowded because of the restoration point of my Windows. I cleaned it up after our last step.

I ran ComboFix again and at the end of its process it restarted my computer. It is supposed to do that, isn't it? But it then says: unable to start Windows, boot in recovery mode. (or some similar wording).

Yeah, the rootkit is nasty, true that. Any way to have ComboFix work on it without rebooting automatically afterwards?

ken545
2011-07-26, 03:39
It has to reboot to remove what it finds

UssrchVictim
2011-07-26, 11:59
I understood the way it works, but it will just do the same thing again, won't it? I will run ComboFix, it will find something, reboot to remove it, produce the screen that says: Can't start up your OS. Then it will demand the clearance for restoring back to an older point. Since I did not want that to happen, I tried out all options to move around that somehow which was not at all crowned with success. So I gave in to this demand and it jumps back to a point where Daemon Tools and the fishy Toolbar are still installed, causing the rootkit to be back in the business. Or am I misinterpreting something here? I will run ComboFix again, but to be honest, I expect the same result we got the last two times I ran it. I will post back here with more information on that soon.

ken545
2011-07-26, 14:04
OK, hold off on ComboFix for a bit.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.






OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
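
A defender-side triage script for the kind of OTL output this scan produces, added here as an example (it is not OTL's, ESET's or the forum's own code). It flags the lines a helper reads first in a redirect case: a proxy configured in the Firefox profile, search/home-page preferences pointing at an unexpected host, orphaned autorun entries, the UAC policy values and removable-media AutoRun commands. The KNOWN_GOOD_HOSTS allowlist is an assumption for the example, and the sample lines are constructed in OTL's line format; the regular expressions match only the line shapes shown here.

```python
"""Triage OTL log lines for browser-redirect indicators (example code, not OTL's own)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hosts accepted as a legitimate home page or search target. This allowlist is an
# assumption for the example; real triage would use the user's known settings.
KNOWN_GOOD_HOSTS = {"www.google.com", "www.mozilla.org", "www.mozilla.com"}

# Firefox prefs that decide where a search or the home page actually goes.
URL_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}

FF_PREF = re.compile(r"^FF - prefs\.js\.\.(?P<key>[\w.]+): (?P<value>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
O6_POLICY = re.compile(
    r"^O6 - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\System: "
    r"(?P<name>\w+) = (?P<value>\d+)$"
)
O33_AUTORUN = re.compile(
    r'^O33 - MountPoints2\\\{[0-9a-f-]+\}\\Shell\\AutoRun\\command - "" = (?P<cmd>.*)$'
)


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or LOW
    reason: str
    line: str


def _classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when an OTL line deserves a look, else None."""
    m = FF_PREF.match(line)
    if m:
        key, value = m.group("key"), m.group("value").strip('"')
        if key == "network.proxy.http":
            # A proxy in the browser profile routes every request through another
            # host, which is one way clicked search results end up elsewhere.
            try:
                sev = "HIGH" if ipaddress.ip_address(value).is_global else "MEDIUM"
            except ValueError:          # a hostname rather than an IP literal
                sev = "MEDIUM"
            return sev, f"Firefox HTTP proxy set to {value}"
        if key in URL_PREFS:
            host = urlparse(value).hostname
            if host and host not in KNOWN_GOOD_HOSTS:
                return "MEDIUM", f"{key} points at unexpected host {host}"
        return None
    m = O6_POLICY.match(line)
    if m:
        name, value = m.group("name"), int(m.group("value"))
        if name == "EnableLUA" and value == 0:
            return "HIGH", "UAC is disabled (EnableLUA = 0)"
        if name == "ConsentPromptBehaviorAdmin" and value == 0:
            return "MEDIUM", "administrators elevate without any prompt"
        return None
    m = O4_RUN.match(line)
    if m and m.group("target").endswith("File not found"):
        # Orphaned autoruns are leftovers of removed software or malware.
        return "LOW", f"orphaned autorun entry [{m.group('name')}] in {m.group('hive')}"
    m = O33_AUTORUN.match(line)
    if m:
        return "MEDIUM", f"removable-media AutoRun command: {m.group('cmd')}"
    return None


def triage(lines) -> List[Finding]:
    findings = []
    for raw in lines:
        line = raw.strip()
        hit = _classify(line)
        if hit:
            findings.append(Finding(hit[0], hit[1], line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


# Sample lines constructed for this example in OTL's line format.
SAMPLE_OTL = r"""
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://search.hotspotshield.com/g/?c=h"
FF - prefs.js..keyword.URL: "http://search.hotspotshield.com/g/results.php?c=s&q="
FF - prefs.js..network.proxy.http: "76.105.203.88"
FF - prefs.js..network.proxy.http_port: 8088
O4 - HKLM..\Run: [avgnt] D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKU\S-1-5-21-596794107-1266347972-1900540280-1000..\Run: [IpSharkk] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O33 - MountPoints2\{e60e3441-3dce-11df-9de6-001377d71dc6}\Shell\AutoRun\command - "" = G:\Setup\rsrc\Autorun.exe
"""

if __name__ == "__main__":
    results = triage(SAMPLE_OTL.strip().splitlines())
    for f in results:
        print(f"{f.severity:<6} {f.reason}")
    print(summarize(results))
```

Run it against a saved OTL.txt by passing the file's lines to triage(); the proxy finding is the one to act on first, because a proxy set in the profile survives clearing the home page and search engine.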

UssrchVictim
2011-07-27, 01:07
3 Threats found by ESET. That is slightly more than the other scanners found, right? :)

Here is the ESET Scan log:

C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Agent.AC trojan
C:\Windows\system64\consrv.dll Win64/Agent.AC trojan
D:\Users\Schorsch\Desktop\HSS-1.58-install-anchorfree-238-conduit2.exe a variant of Win32/HotSpotShield application


OTL-Scan Log called "OTL.txt":

OTL logfile created on: 26.07.2011 23:57:38 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Schorsch\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

4,00 Gb Total Physical Memory | 2,66 Gb Available Physical Memory | 66,53% Memory free
8,00 Gb Paging File | 6,43 Gb Available in Paging File | 80,38% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97,65 Gb Total Space | 35,03 Gb Free Space | 35,87% Space Free | Partition Type: NTFS
Drive D: | 200,43 Gb Total Space | 53,08 Gb Free Space | 26,48% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: SCHORSCH-PC | User Name: Schorsch | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Schorsch\Desktop\OTL.exe (OldTimer Tools)
PRC - D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - D:\Program Files (x86)\Firefox\firefox.exe (Mozilla Corporation)
PRC - D:\Program Files (x86)\Firefox\plugin-container.exe (Mozilla Corporation)
PRC - D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - D:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - D:\Program Files (x86)\Winamp\winampa.exe ()
PRC - D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Users\Schorsch\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (AMD FUEL Service) -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe (Advanced Micro Devices, Inc.)
SRV:64bit: - (NitroReaderDriverReadSpool) -- C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe (Nitro PDF Software)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (AntiVirService) -- D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (TeamViewer5) -- D:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (SBSDWSCService) -- D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)


========== Driver Services (SafeList) ==========

DRV:64bit: - (avipbb) -- C:\Windows\SysNative\drivers\avipbb.sys (Avira GmbH)
DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira GmbH)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (acedrv05) -- C:\Windows\SysNative\drivers\acedrv05.sys ()
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys ()
DRV:64bit: - (amdiox64) -- C:\Windows\SysNative\drivers\amdiox64.sys (Advanced Micro Devices)
DRV:64bit: - (VBoxNetAdp) -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys (Sun Microsystems, Inc.)
DRV:64bit: - (taphss) -- C:\Windows\SysNative\drivers\taphss.sys (AnchorFree Inc)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (sfsync04) StarForce Protection Synchronization Driver (version 4.x) -- C:\Windows\SysNative\drivers\sfsync04.sys (Protection Technology (StarForce))
DRV:64bit: - (sfdrv01a) StarForce Protection Environment Driver (version 1.x.a) -- C:\Windows\SysNative\drivers\sfdrv01a.sys (Protection Technology (StarForce))
DRV:64bit: - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\Windows\SysNative\drivers\sfhlp02.sys (Protection Technology (StarForce))

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.hotspotshield.com/g/?c=h
IE - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Hotspot Shield Private Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Hotspot Shield Private Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://search.hotspotshield.com/g/?c=h"
FF - prefs.js..extensions.enabledItems: firegestures@xuldev.org:1.6.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..keyword.URL: "http://search.hotspotshield.com/g/results.php?c=s&q="
FF - prefs.js..network.proxy.http: "76.105.203.88"
FF - prefs.js..network.proxy.http_port: 8088

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files (x86)\Firefox\components [2011.05.01 16:26:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files (x86)\Firefox\plugins [2011.06.23 16:38:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: D:\Program Files (x86)\Firefox\components [2011.06.23 13:38:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: D:\Program Files (x86)\Firefox\plugins

[2010.03.22 13:04:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Schorsch\AppData\Roaming\mozilla\Extensions
[2011.06.23 13:40:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Schorsch\AppData\Roaming\mozilla\Firefox\Profiles\khytt9qe.default\extensions
[2010.05.13 01:58:06 | 000,000,873 | ---- | M] () -- C:\Users\Schorsch\AppData\Roaming\Mozilla\Firefox\Profiles\khytt9qe.default\searchplugins\conduit.xml
[2010.10.12 20:31:33 | 000,001,011 | ---- | M] () -- C:\Users\Schorsch\AppData\Roaming\Mozilla\Firefox\Profiles\khytt9qe.default\searchplugins\torrentz-search.xml
File not found (No name found) --
() (No name found) -- C:\USERS\SCHORSCH\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KHYTT9QE.DEFAULT\EXTENSIONS\FIREGESTURES@XULDEV.ORG.XPI
[2011.06.26 16:31:16 | 000,000,000 | ---D | M] (Java Console) -- D:\PROGRAM FILES (X86)\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - File not found
O3:64bit: - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - File not found
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - File not found
O3:64bit: - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - File not found
O3 - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - File not found
O4 - HKLM..\Run: [avgnt] D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [WinampAgent] D:\Program Files (x86)\Winamp\winampa.exe ()
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-596794107-1266347972-1900540280-1000..\Run: [DAEMON Tools Lite] File not found
O4 - HKU\S-1-5-21-596794107-1266347972-1900540280-1000..\Run: [IpSharkk] File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O4 - Startup: C:\Users\Schorsch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = D:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 95 00 00 00 [binary data]
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Schorsch\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Schorsch\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} http://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab (IGDTester Class)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.185.33 83.169.185.97
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{e60e342b-3dce-11df-9de6-001377d71dc6}\Shell - "" = AutoRun
O33 - MountPoints2\{e60e342b-3dce-11df-9de6-001377d71dc6}\Shell\AutoRun\command - "" = F:\noautorun.exe
O33 - MountPoints2\{e60e3441-3dce-11df-9de6-001377d71dc6}\Shell - "" = AutoRun
O33 - MountPoints2\{e60e3441-3dce-11df-9de6-001377d71dc6}\Shell\AutoRun\command - "" = G:\Setup\rsrc\Autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.07.26 23:54:00 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\Schorsch\Desktop\OTL.exe
[2011.07.26 18:50:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2011.07.26 18:48:31 | 002,322,184 | ---- | C] (ESET) -- C:\Users\Schorsch\Desktop\esetsmartinstaller_enu.exe
[2011.07.25 22:44:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Riot Games
[2011.07.25 21:16:13 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011.07.24 16:06:37 | 000,000,000 | ---D | C] -- C:\Users\Schorsch\Desktop\fun
[2011.07.24 16:02:19 | 000,000,000 | ---D | C] -- C:\Users\Schorsch\Desktop\cleaning
[2011.07.24 16:01:32 | 000,000,000 | ---D | C] -- C:\Users\Schorsch\Desktop\Bewerben
[2011.07.24 14:42:31 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011.07.13 14:07:35 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011.07.13 14:06:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011.07.11 03:10:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
[2011.06.29 04:12:00 | 000,000,000 | ---D | C] -- C:\Users\Schorsch\Desktop\Minecraft Server

========== Files - Modified Within 30 Days ==========

[2011.07.26 23:54:01 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Schorsch\Desktop\OTL.exe
[2011.07.26 23:52:32 | 000,438,891 | ---- | M] () -- C:\Users\Schorsch\Desktop\kill those motherfuckers.png
[2011.07.26 18:48:31 | 002,322,184 | ---- | M] (ESET) -- C:\Users\Schorsch\Desktop\esetsmartinstaller_enu.exe
[2011.07.26 10:34:14 | 000,018,688 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011.07.26 10:34:14 | 000,018,688 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011.07.26 10:26:43 | 000,065,536 | ---- | M] () -- C:\Windows\SysNative\Ikeext.etl
[2011.07.26 10:26:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.07.26 10:26:23 | 3219,984,384 | -HS- | M] () -- C:\hiberfil.sys
[2011.07.25 22:49:03 | 000,000,829 | ---- | M] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2011.07.13 14:06:59 | 000,000,784 | ---- | M] () -- C:\Users\Schorsch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011.07.13 14:06:37 | 000,000,627 | ---- | M] () -- C:\Users\Schorsch\Desktop\ERUNT.lnk
[2011.06.28 15:55:59 | 000,123,784 | ---- | M] (Avira GmbH) -- C:\Windows\SysNative\drivers\avipbb.sys
[2011.06.28 15:55:59 | 000,088,288 | ---- | M] (Avira GmbH) -- C:\Windows\SysNative\drivers\avgntflt.sys

========== Files Created - No Company Name ==========

[2011.07.26 23:52:32 | 000,438,891 | ---- | C] () -- C:\Users\Schorsch\Desktop\kill those motherfuckers.png
[2011.07.25 22:49:03 | 000,000,829 | ---- | C] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2011.07.13 14:06:59 | 000,000,784 | ---- | C] () -- C:\Users\Schorsch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011.07.13 14:06:37 | 000,000,627 | ---- | C] () -- C:\Users\Schorsch\Desktop\ERUNT.lnk
[2011.06.05 04:36:07 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat
[2011.04.19 22:10:32 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011.03.17 19:51:44 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2010.12.10 03:55:30 | 001,589,182 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010.12.09 04:43:33 | 000,000,227 | ---- | C] () -- C:\Windows\PowerReg.dat
[2010.12.09 04:43:32 | 000,045,568 | ---- | C] () -- C:\Windows\UniFish3.exe
[2010.11.22 16:05:06 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2010.10.28 05:18:17 | 000,053,248 | ---- | C] () -- C:\Windows\SysWow64\acedrv05.dll
[2010.08.17 00:54:23 | 000,086,528 | ---- | C] () -- C:\Windows\bnetunin.exe
[2010.06.15 05:49:32 | 000,007,605 | ---- | C] () -- C:\Users\Schorsch\AppData\Local\Resmon.ResmonCfg
[2010.06.15 05:17:50 | 000,000,080 | RHS- | C] () -- C:\Windows\SysWow64\DCEA78C8F6.dll
[2010.05.26 23:00:56 | 000,027,314 | ---- | C] () -- C:\Windows\DIIUnin.dat
[2010.05.04 02:52:55 | 000,847,360 | ---- | C] () -- C:\Windows\JS32.dll
[2010.04.26 17:01:18 | 000,000,048 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2010.04.04 21:23:48 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\Access.dat
[2010.04.03 03:58:39 | 000,001,356 | ---- | C] () -- C:\Windows\eReg.dat
[2010.04.02 02:07:35 | 000,020,480 | ---- | C] () -- C:\Windows\SysWow64\H@tKeysH@@k.DLL
[2010.03.28 07:39:11 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\apache.dll
[2010.03.22 19:33:20 | 000,021,840 | ---- | C] () -- C:\Windows\SysWow64\SIntfNT.dll
[2010.03.22 19:33:20 | 000,017,212 | ---- | C] () -- C:\Windows\SysWow64\SIntf32.dll
[2010.03.22 19:33:20 | 000,012,067 | ---- | C] () -- C:\Windows\SysWow64\SIntf16.dll
[2010.03.21 14:48:10 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009.12.21 03:42:18 | 000,000,326 | ---- | C] () -- C:\Windows\primopdf.ini
[2009.07.14 07:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009.07.14 04:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009.07.14 04:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009.07.14 02:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009.07.13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009.06.10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008.10.07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008.10.07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2002.09.18 01:45:00 | 000,119,808 | ---- | C] () -- C:\Windows\lsb_un20.exe

========== LOP Check ==========

[2011.06.27 00:19:55 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\.minecraft
[2010.06.07 01:40:34 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\Command and Conquer 4
[2010.04.03 03:37:55 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\DAEMON Tools Lite
[2011.02.23 21:43:26 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\DVDVideoSoftIEHelpers
[2011.06.19 20:45:34 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\GetRightToGo
[2010.07.30 12:38:11 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\LolClient
[2011.07.20 17:33:12 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\Nitro PDF
[2011.03.14 22:53:51 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\OpenCandy
[2010.03.29 12:46:30 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\OpenOffice.org
[2011.03.14 23:02:43 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\PrimoPDF
[2010.09.04 20:38:34 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\Recordpad
[2011.06.19 20:41:23 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\RIFT
[2010.04.03 15:56:39 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\Stardock
[2010.06.19 21:04:41 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\TeamViewer
[2011.07.25 22:37:09 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\TS3Client
[2011.07.25 22:37:09 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\uTorrent
[2011.04.10 12:20:00 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >


and here is the OTL Scan called "Extras.txt":


OTL Extras logfile created on: 26.07.2011 23:57:38 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Schorsch\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

4,00 Gb Total Physical Memory | 2,66 Gb Available Physical Memory | 66,53% Memory free
8,00 Gb Paging File | 6,43 Gb Available in Paging File | 80,38% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97,65 Gb Total Space | 35,03 Gb Free Space | 35,87% Space Free | Partition Type: NTFS
Drive D: | 200,43 Gb Total Space | 53,08 Gb Free Space | 26,48% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: SCHORSCH-PC | User Name: Schorsch | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-596794107-1266347972-1900540280-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Program Files (x86)\Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "D:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "D:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "D:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "D:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "D:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "D:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{000F870E-BCF6-F19F-A154-B3488407F467}" = ccc-utility64
"{02382870-19C7-3ACD-BBAE-F6E3760947DC}" = Microsoft .NET Framework 4 Extended DEU Language Pack
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{13DE9577-0CB1-4898-92D3-167062ADBB9C}" = Nitro PDF Reader
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{6C30F9EF-5032-925C-1905-D87E8472EB85}" = ATI Catalyst Install Manager
"{70AC9B8B-5DC4-4E5E-964B-2A695D157FCB}" = Sun VirtualBox
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{A97CD0A7-2DF5-EDA0-4FF7-A3BF6CAE771B}" = AMD Fuel
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{E34038BB-5358-3890-B5C8-37C5FE817806}" = WMV9/VC-1 Video Playback
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework 4 Extended DEU Language Pack" = Microsoft .NET Framework 4 Extended DEU Language Pack

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"{0E33EC53-22CE-426C-A88B-2AAC231BAC85}" = Catalyst Control Center - Branding
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 26
"{3A9D04F7-80CA-4755-97EC-6025B515A6B8}" = League of Legends
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5AFBC2F3-D3F5-660A-A2AD-CAD3E8EDA1D7}" = CCC Help English
"{63953BA4-7F92-98F7-B99D-FEB4B7BF6905}" = Catalyst Control Center Localization All
"{7753A3B2-E858-F0B3-3DD9-C027B16CBB81}" = Catalyst Control Center InstallProxy
"{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2
"{918A9082-6287-4D25-9002-5E5D5E4971CB}" = League of Legends
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.5 - Deutsch
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BA688606-4B20-4982-995E-EDADC6A6817E}" = League of Legends
"{D56B0E27-4A3E-46C9-B5C1-D93D580C099C}" = NVIDIA PhysX v8.10.29
"{E2616F7B-9E5B-7B21-EDB0-5659A5A4DDA1}" = Catalyst Control Center Graphics Previews Common
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"{FEF90494-3911-A844-2622-545BD4008231}" = AMD VISION Engine Control Center
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Battle.net" = Battle.net
"Counter-Strike: Source v17" = Counter-Strike: Source v17
"Diablo II" = Diablo II
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.4.7
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.9.33
"InstallShield_{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"InstallShield_{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"Mozilla Firefox 5.0 (x86 de)" = Mozilla Firefox 5.0 (x86 de)
"Peggle Deluxe1.0" = Peggle Deluxe
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"Project IGI" = Project IGI
"RollerCoaster Tycoon Setup" = Roll
"SecureW2 EAP Suite" = SecureW2 EAP Suite 1.0.6 for Windows
"Switch" = Switch Sound File Converter
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"TeamViewer 5" = TeamViewer 5
"Tunatic" = Tunatic
"Uninstall_is1" = Uninstall 1.0.0.1
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"Winamp" = Winamp
"WinRAR archiver" = WinRAR
"World of Warcraft" = World of Warcraft

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-596794107-1266347972-1900540280-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"QIP 2005" = QIP 2005 8095

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


Thank you for your time and help, have a good day. :)

ken545
2011-07-27, 01:26
ProgramFiles%\DAEMON Tools Toolbar <-- Do you use this? If not, uninstall it.

That file in Qoobox is just a backup of what was removed by ComboFix; we will remove that later.

Let's check these two.

You need to enable Windows to show all files and folders; instructions here (http://www.bleepingcomputer.com/tutorials/tutorial62.html).

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

C:\Windows\system64\consrv.dll
D:\Users\Schorsch\Desktop\HSS-1.58-install-anchorfree-238-conduit2.exe


If the site is busy, you can try this one:
http://virusscan.jotti.org/en

UssrchVictim
2011-07-31, 11:56
HSS-1.58-install-anchorfree-238-conduit2.exe

report:

Antivirus Version Last Update Result
AhnLab-V3 2011.07.31.00 2011.07.30 -
AntiVir 7.11.12.167 2011.07.29 -
Antiy-AVL 2.0.3.7 2011.07.31 -
Avast 4.8.1351.0 2011.07.30 -
Avast5 5.0.677.0 2011.07.30 -
AVG 10.0.0.1190 2011.07.30 -
BitDefender 7.2 2011.07.31 -
CAT-QuickHeal 11.00 2011.07.30 -
ClamAV 0.97.0.0 2011.07.30 -
Commtouch 5.3.2.6 2011.07.31 -
Comodo 9572 2011.07.31 -
Emsisoft 5.1.0.8 2011.07.31 -
eSafe 7.0.17.0 2011.07.27 -
eTrust-Vet 36.1.8472 2011.07.29 -
F-Prot 4.6.2.117 2011.07.31 -
F-Secure 9.0.16440.0 2011.07.29 -
Fortinet 4.2.257.0 2011.07.30 -
GData 22 2011.07.31 -
Ikarus T3.1.1.104.0 2011.07.31 -
Jiangmin 13.0.900 2011.07.30 -
K7AntiVirus 9.109.4961 2011.07.29 -
Kaspersky 9.0.0.837 2011.07.31 -
McAfee 5.400.0.1158 2011.07.31 -
McAfee-GW-Edition 2010.1D 2011.07.31 -
Microsoft 1.7104 2011.07.31 -
NOD32 6337 2011.07.31 a variant of Win32/HotSpotShield
Norman 6.07.10 2011.07.30 -
nProtect 2011-07-30.01 2011.07.30 -
Panda 10.0.3.5 2011.07.30 -
PCTools 8.0.0.5 2011.07.31 -
Prevx 3.0 2011.07.31 -
Rising 23.68.04.03 2011.07.29 -
Sophos 4.67.0 2011.07.31 -
SUPERAntiSpyware 4.40.0.1006 2011.07.30 -
Symantec 20111.1.0.186 2011.07.31 -
TheHacker 6.7.0.1.266 2011.07.31 -
TrendMicro 9.200.0.1012 2011.07.31 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.31 -
VIPRE 10016 2011.07.31 -
ViRobot 2011.7.30.4597 2011.07.30 -
VirusBuster 14.0.146.2 2011.07.30 -
Additional information
MD5 : f2ca6bff37fa18ddffbca52e8ef27ea2
SHA1 : 5942123d1cf0dfb99ac9ce4636c6cb26d100828f
SHA256: 98b47cc47564d924e4fc6193e01d0e06e2329c409bd30e5d5c58384fb67c3b6b



consrv.dll

report:

Antivirus Version Last Update Result
AhnLab-V3 2011.07.31.00 2011.07.30 Backdoor/Win64.ZAccess
AntiVir 7.11.12.167 2011.07.29 BDS/ZAccess.D
Antiy-AVL 2.0.3.7 2011.07.31 Backdoor/Win64.ZAccess.gen
Avast 4.8.1351.0 2011.07.30 Win32:Malware-gen
Avast5 5.0.677.0 2011.07.30 Win32:Malware-gen
AVG 10.0.0.1190 2011.07.30 BackDoor.Generic13.BKMF
BitDefender 7.2 2011.07.31 Backdoor.Generic.665297
CAT-QuickHeal 11.00 2011.07.30 -
ClamAV 0.97.0.0 2011.07.30 -
Commtouch 5.3.2.6 2011.07.31 -
Comodo 9572 2011.07.31 -
DrWeb 5.0.2.03300 2011.07.31 BackDoor.Maxplus.13
Emsisoft 5.1.0.8 2011.07.31 Backdoor.Win64!IK
eSafe 7.0.17.0 2011.07.27 -
eTrust-Vet 36.1.8472 2011.07.29 -
F-Prot 4.6.2.117 2011.07.31 -
F-Secure 9.0.16440.0 2011.07.29 Backdoor.Generic.665297
Fortinet 4.2.257.0 2011.07.30 -
GData 22 2011.07.31 Backdoor.Generic.665297
Ikarus T3.1.1.104.0 2011.07.31 Backdoor.Win64
Jiangmin 13.0.900 2011.07.30 Backdoor/ZAccess.aq
K7AntiVirus 9.109.4961 2011.07.29 Trojan
Kaspersky 9.0.0.837 2011.07.31 Backdoor.Win64.ZAccess.a
McAfee 5.400.0.1158 2011.07.31 Generic BackDoor!djh
McAfee-GW-Edition 2010.1D 2011.07.31 Generic BackDoor!djh
Microsoft 1.7104 2011.07.31 Trojan:Win64/Sirefef.B
NOD32 6337 2011.07.31 Win64/Agent.AC
Norman 6.07.10 2011.07.30 Suspicious_Gen3.UKSW
nProtect 2011-07-30.01 2011.07.30 Backdoor/W32.Small.31744.O
Panda 10.0.3.5 2011.07.30 Generic Backdoor
PCTools 8.0.0.5 2011.07.31 Backdoor.Trojan
Prevx 3.0 2011.07.31 -
Rising 23.68.04.03 2011.07.29 -
Sophos 4.67.0 2011.07.31 -
SUPERAntiSpyware 4.40.0.1006 2011.07.30 -
Symantec 20111.1.0.186 2011.07.31 Backdoor.Trojan
TheHacker 6.7.0.1.266 2011.07.31 Backdoor/Win64.ZAccess.a
TrendMicro 9.200.0.1012 2011.07.31 TROJ_GEN.R11C2G7
TrendMicro-HouseCall 9.200.0.1012 2011.07.31 TROJ_GEN.R11C2G7
VBA32 3.12.16.4 2011.07.29 Backdoor.Win64.ZAccess.a
VIPRE 10016 2011.07.31 Trojan.Win32.Generic!BT
ViRobot 2011.7.30.4597 2011.07.30 -
VirusBuster 14.0.146.2 2011.07.30 -
Additional information
MD5 : adf1ddd89d424e8d0e275cc42747ec81
SHA1 : 321105503846b4a5f8fd3ccd6d92253c39b3e1ce
SHA256: 5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f
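Reading the two reports above by hand is tedious: every vendor names the same sample differently, and a single label (the lone HotSpotShield hit) means something quite different from a dozen agreeing ones (the ZAccess/Sirefef labels on consrv.dll). The following Python triage helper is an added example for this thread, not code from VirusTotal, OTL or the poster; it parses the pasted report format, computes the detection ratio, tallies family tokens across engines and records the hashes. The sample excerpts, the GENERIC stop list and the min_hits threshold are constructed assumptions.

```python
"""Triage helper for VirusTotal-style text reports such as the two pasted above.
Added example for this thread, not part of VirusTotal, OTL or any other tool.
Assumed input, one engine per line: <Engine> <Version> <Last Update> <Result>,
where <Result> is '-' for no detection or a vendor label that may contain spaces."""
import re
from collections import Counter

# engine, version, signature date (2011.07.31 or 2011-07-30), free-text result
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}[.-]\d{2}[.-]\d{2})\s+(.*)$")
# 'MD5 : ...' / 'SHA1 : ...' / 'SHA256: ...' lines from the 'Additional information' block
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)$")
# words present in most labels that carry no family information (assumed stop list)
GENERIC = {"backdoor", "trojan", "generic", "win32", "win64", "w32", "malware", "variant", "suspicious", "troj", "bds"}

def parse_report(text):
    """Return (rows, hashes); rows is a list of (engine, label or None)."""
    rows, hashes = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            engine, _version, _date, result = m.groups()
            rows.append((engine, None if result.strip() in ("", "-") else result.strip()))
            continue
        h = HASH_RE.match(line)  # the header, blank lines and 'Additional information'
        if h:                    # match neither pattern and are simply ignored
            hashes[h.group(1)] = h.group(2).lower()
    return rows, hashes

def family_tokens(label):
    """Reduce one vendor label to lower-case tokens that may name a family."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", label)
            if len(t) >= 4 and not t.isdigit() and t.lower() not in GENERIC]

def summarize(text, min_hits=5):
    """Detection ratio, family consensus and a coarse verdict for one report.
    min_hits is an assumed triage threshold, not a VirusTotal rule."""
    rows, hashes = parse_report(text)
    hits = [label for _engine, label in rows if label]
    families = Counter()
    for label in hits:
        families.update(family_tokens(label))
    if not hits:
        verdict = "clean"
    elif len(hits) < min_hits:
        verdict = "inconclusive"  # e.g. a lone PUA label: read that vendor's description
    else:
        verdict = "malicious"
    return {"engines": len(rows), "detections": len(hits),
            "ratio": f"{len(hits)}/{len(rows)}", "families": families.most_common(3),
            "hashes": hashes, "verdict": verdict}

# Constructed excerpts of the two reports posted above (a subset of the engines).
HSS_EXCERPT = """\
Antivirus Version Last Update Result
AhnLab-V3 2011.07.31.00 2011.07.30 -
AntiVir 7.11.12.167 2011.07.29 -
NOD32 6337 2011.07.31 a variant of Win32/HotSpotShield
Symantec 20111.1.0.186 2011.07.31 -
Additional information
MD5 : f2ca6bff37fa18ddffbca52e8ef27ea2
"""
CONSRV_EXCERPT = """\
Antivirus Version Last Update Result
AhnLab-V3 2011.07.31.00 2011.07.30 Backdoor/Win64.ZAccess
AntiVir 7.11.12.167 2011.07.29 BDS/ZAccess.D
Avast 4.8.1351.0 2011.07.30 Win32:Malware-gen
DrWeb 5.0.2.03300 2011.07.31 BackDoor.Maxplus.13
Kaspersky 9.0.0.837 2011.07.31 Backdoor.Win64.ZAccess.a
McAfee 5.400.0.1158 2011.07.31 Generic BackDoor!djh
Microsoft 1.7104 2011.07.31 Trojan:Win64/Sirefef.B
Sophos 4.67.0 2011.07.31 -
TheHacker 6.7.0.1.266 2011.07.31 Backdoor/Win64.ZAccess.a
VBA32 3.12.16.4 2011.07.29 Backdoor.Win64.ZAccess.a
Additional information
MD5 : adf1ddd89d424e8d0e275cc42747ec81
"""
if __name__ == "__main__":
    for name, report in (("HSS installer", HSS_EXCERPT), ("consrv.dll", CONSRV_EXCERPT)):
        print(name, summarize(report))
```

Paste a full report into either constant (or read it from a file) and the family tally shows at a glance whether vendors converge on one name, which is the consensus a helper would want before deciding on a fix.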

ken545
2011-07-31, 15:54
To be honest, I'm not sure what's going on with Hotspot Shield; again, if you don't use it, uninstall it.


Let's get rid of that bad file.


Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.




:processes
killallprocesses

:OTL



:Services

:Reg

:Files
C:\Windows\system64\consrv.dll





:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <-- Not Run Scan
Let the program run unhindered; reboot when it is done.
Then post the results of the log it produces.
Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time).