Ussrch google redirect

3 Threats found by ESET. That is slightly more than the other scanners found, right? :)

Here is the ESET Scan log:

C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Agent.AC trojan
C:\Windows\system64\consrv.dll Win64/Agent.AC trojan
D:\Users\Schorsch\Desktop\HSS-1.58-install-anchorfree-238-conduit2.exe a variant of Win32/HotSpotShield application


OTL Scan log called "OTL.txt":

OTL logfile created on: 26.07.2011 23:57:38 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Schorsch\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

4,00 Gb Total Physical Memory | 2,66 Gb Available Physical Memory | 66,53% Memory free
8,00 Gb Paging File | 6,43 Gb Available in Paging File | 80,38% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97,65 Gb Total Space | 35,03 Gb Free Space | 35,87% Space Free | Partition Type: NTFS
Drive D: | 200,43 Gb Total Space | 53,08 Gb Free Space | 26,48% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: SCHORSCH-PC | User Name: Schorsch | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Schorsch\Desktop\OTL.exe (OldTimer Tools)
PRC - D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - D:\Program Files (x86)\Firefox\firefox.exe (Mozilla Corporation)
PRC - D:\Program Files (x86)\Firefox\plugin-container.exe (Mozilla Corporation)
PRC - D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - D:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - D:\Program Files (x86)\Winamp\winampa.exe ()
PRC - D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Users\Schorsch\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (AMD FUEL Service) -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe (Advanced Micro Devices, Inc.)
SRV:64bit: - (NitroReaderDriverReadSpool) -- C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe (Nitro PDF Software)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (AntiVirService) -- D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (TeamViewer5) -- D:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (SBSDWSCService) -- D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)


========== Driver Services (SafeList) ==========

DRV:64bit: - (avipbb) -- C:\Windows\SysNative\drivers\avipbb.sys (Avira GmbH)
DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira GmbH)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (acedrv05) -- C:\Windows\SysNative\drivers\acedrv05.sys ()
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys ()
DRV:64bit: - (amdiox64) -- C:\Windows\SysNative\drivers\amdiox64.sys (Advanced Micro Devices)
DRV:64bit: - (VBoxNetAdp) -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys (Sun Microsystems, Inc.)
DRV:64bit: - (taphss) -- C:\Windows\SysNative\drivers\taphss.sys (AnchorFree Inc)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (sfsync04) StarForce Protection Synchronization Driver (version 4.x) -- C:\Windows\SysNative\drivers\sfsync04.sys (Protection Technology (StarForce))
DRV:64bit: - (sfdrv01a) StarForce Protection Environment Driver (version 1.x.a) -- C:\Windows\SysNative\drivers\sfdrv01a.sys (Protection Technology (StarForce))
DRV:64bit: - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\Windows\SysNative\drivers\sfhlp02.sys (Protection Technology (StarForce))

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.hotspotshield.com/g/?c=h
IE - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Hotspot Shield Private Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Hotspot Shield Private Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://search.hotspotshield.com/g/?c=h"
FF - prefs.js..extensions.enabledItems: firegestures@xuldev.org:1.6.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..keyword.URL: "http://search.hotspotshield.com/g/results.php?c=s&q="
FF - prefs.js..network.proxy.http: "76.105.203.88"
FF - prefs.js..network.proxy.http_port: 8088

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files (x86)\Firefox\components [2011.05.01 16:26:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files (x86)\Firefox\plugins [2011.06.23 16:38:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: D:\Program Files (x86)\Firefox\components [2011.06.23 13:38:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: D:\Program Files (x86)\Firefox\plugins

[2010.03.22 13:04:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Schorsch\AppData\Roaming\mozilla\Extensions
[2011.06.23 13:40:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Schorsch\AppData\Roaming\mozilla\Firefox\Profiles\khytt9qe.default\extensions
[2010.05.13 01:58:06 | 000,000,873 | ---- | M] () -- C:\Users\Schorsch\AppData\Roaming\Mozilla\Firefox\Profiles\khytt9qe.default\searchplugins\conduit.xml
[2010.10.12 20:31:33 | 000,001,011 | ---- | M] () -- C:\Users\Schorsch\AppData\Roaming\Mozilla\Firefox\Profiles\khytt9qe.default\searchplugins\torrentz-search.xml
File not found (No name found) --
() (No name found) -- C:\USERS\SCHORSCH\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KHYTT9QE.DEFAULT\EXTENSIONS\FIREGESTURES@XULDEV.ORG.XPI
[2011.06.26 16:31:16 | 000,000,000 | ---D | M] (Java Console) -- D:\PROGRAM FILES (X86)\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - File not found
O3:64bit: - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - File not found
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - File not found
O3:64bit: - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - File not found
O3 - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - File not found
O4 - HKLM..\Run: [avgnt] D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [WinampAgent] D:\Program Files (x86)\Winamp\winampa.exe ()
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-596794107-1266347972-1900540280-1000..\Run: [DAEMON Tools Lite] File not found
O4 - HKU\S-1-5-21-596794107-1266347972-1900540280-1000..\Run: [IpSharkk] File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O4 - Startup: C:\Users\Schorsch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = D:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-596794107-1266347972-1900540280-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 95 00 00 00 [binary data]
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Schorsch\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Schorsch\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} http://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab (IGDTester Class)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.185.33 83.169.185.97
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{e60e342b-3dce-11df-9de6-001377d71dc6}\Shell - "" = AutoRun
O33 - MountPoints2\{e60e342b-3dce-11df-9de6-001377d71dc6}\Shell\AutoRun\command - "" = F:\noautorun.exe
O33 - MountPoints2\{e60e3441-3dce-11df-9de6-001377d71dc6}\Shell - "" = AutoRun
O33 - MountPoints2\{e60e3441-3dce-11df-9de6-001377d71dc6}\Shell\AutoRun\command - "" = G:\Setup\rsrc\Autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.07.26 23:54:00 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\Schorsch\Desktop\OTL.exe
[2011.07.26 18:50:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2011.07.26 18:48:31 | 002,322,184 | ---- | C] (ESET) -- C:\Users\Schorsch\Desktop\esetsmartinstaller_enu.exe
[2011.07.25 22:44:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Riot Games
[2011.07.25 21:16:13 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011.07.24 16:06:37 | 000,000,000 | ---D | C] -- C:\Users\Schorsch\Desktop\fun
[2011.07.24 16:02:19 | 000,000,000 | ---D | C] -- C:\Users\Schorsch\Desktop\cleaning
[2011.07.24 16:01:32 | 000,000,000 | ---D | C] -- C:\Users\Schorsch\Desktop\Bewerben
[2011.07.24 14:42:31 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011.07.13 14:07:35 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011.07.13 14:06:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011.07.11 03:10:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
[2011.06.29 04:12:00 | 000,000,000 | ---D | C] -- C:\Users\Schorsch\Desktop\Minecraft Server

========== Files - Modified Within 30 Days ==========

[2011.07.26 23:54:01 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Schorsch\Desktop\OTL.exe
[2011.07.26 23:52:32 | 000,438,891 | ---- | M] () -- C:\Users\Schorsch\Desktop\kill those motherfuckers.png
[2011.07.26 18:48:31 | 002,322,184 | ---- | M] (ESET) -- C:\Users\Schorsch\Desktop\esetsmartinstaller_enu.exe
[2011.07.26 10:34:14 | 000,018,688 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011.07.26 10:34:14 | 000,018,688 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011.07.26 10:26:43 | 000,065,536 | ---- | M] () -- C:\Windows\SysNative\Ikeext.etl
[2011.07.26 10:26:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.07.26 10:26:23 | 3219,984,384 | -HS- | M] () -- C:\hiberfil.sys
[2011.07.25 22:49:03 | 000,000,829 | ---- | M] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2011.07.13 14:06:59 | 000,000,784 | ---- | M] () -- C:\Users\Schorsch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011.07.13 14:06:37 | 000,000,627 | ---- | M] () -- C:\Users\Schorsch\Desktop\ERUNT.lnk
[2011.06.28 15:55:59 | 000,123,784 | ---- | M] (Avira GmbH) -- C:\Windows\SysNative\drivers\avipbb.sys
[2011.06.28 15:55:59 | 000,088,288 | ---- | M] (Avira GmbH) -- C:\Windows\SysNative\drivers\avgntflt.sys

========== Files Created - No Company Name ==========

[2011.07.26 23:52:32 | 000,438,891 | ---- | C] () -- C:\Users\Schorsch\Desktop\kill those motherfuckers.png
[2011.07.25 22:49:03 | 000,000,829 | ---- | C] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2011.07.13 14:06:59 | 000,000,784 | ---- | C] () -- C:\Users\Schorsch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011.07.13 14:06:37 | 000,000,627 | ---- | C] () -- C:\Users\Schorsch\Desktop\ERUNT.lnk
[2011.06.05 04:36:07 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat
[2011.04.19 22:10:32 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011.03.17 19:51:44 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2010.12.10 03:55:30 | 001,589,182 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010.12.09 04:43:33 | 000,000,227 | ---- | C] () -- C:\Windows\PowerReg.dat
[2010.12.09 04:43:32 | 000,045,568 | ---- | C] () -- C:\Windows\UniFish3.exe
[2010.11.22 16:05:06 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2010.10.28 05:18:17 | 000,053,248 | ---- | C] () -- C:\Windows\SysWow64\acedrv05.dll
[2010.08.17 00:54:23 | 000,086,528 | ---- | C] () -- C:\Windows\bnetunin.exe
[2010.06.15 05:49:32 | 000,007,605 | ---- | C] () -- C:\Users\Schorsch\AppData\Local\Resmon.ResmonCfg
[2010.06.15 05:17:50 | 000,000,080 | RHS- | C] () -- C:\Windows\SysWow64\DCEA78C8F6.dll
[2010.05.26 23:00:56 | 000,027,314 | ---- | C] () -- C:\Windows\DIIUnin.dat
[2010.05.04 02:52:55 | 000,847,360 | ---- | C] () -- C:\Windows\JS32.dll
[2010.04.26 17:01:18 | 000,000,048 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2010.04.04 21:23:48 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\Access.dat
[2010.04.03 03:58:39 | 000,001,356 | ---- | C] () -- C:\Windows\eReg.dat
[2010.04.02 02:07:35 | 000,020,480 | ---- | C] () -- C:\Windows\SysWow64\H@tKeysH@@k.DLL
[2010.03.28 07:39:11 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\apache.dll
[2010.03.22 19:33:20 | 000,021,840 | ---- | C] () -- C:\Windows\SysWow64\SIntfNT.dll
[2010.03.22 19:33:20 | 000,017,212 | ---- | C] () -- C:\Windows\SysWow64\SIntf32.dll
[2010.03.22 19:33:20 | 000,012,067 | ---- | C] () -- C:\Windows\SysWow64\SIntf16.dll
[2010.03.21 14:48:10 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009.12.21 03:42:18 | 000,000,326 | ---- | C] () -- C:\Windows\primopdf.ini
[2009.07.14 07:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009.07.14 04:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009.07.14 04:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009.07.14 02:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009.07.13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009.06.10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008.10.07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008.10.07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2002.09.18 01:45:00 | 000,119,808 | ---- | C] () -- C:\Windows\lsb_un20.exe

========== LOP Check ==========

[2011.06.27 00:19:55 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\.minecraft
[2010.06.07 01:40:34 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\Command and Conquer 4
[2010.04.03 03:37:55 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\DAEMON Tools Lite
[2011.02.23 21:43:26 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\DVDVideoSoftIEHelpers
[2011.06.19 20:45:34 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\GetRightToGo
[2010.07.30 12:38:11 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\LolClient
[2011.07.20 17:33:12 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\Nitro PDF
[2011.03.14 22:53:51 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\OpenCandy
[2010.03.29 12:46:30 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\OpenOffice.org
[2011.03.14 23:02:43 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\PrimoPDF
[2010.09.04 20:38:34 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\Recordpad
[2011.06.19 20:41:23 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\RIFT
[2010.04.03 15:56:39 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\Stardock
[2010.06.19 21:04:41 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\TeamViewer
[2011.07.25 22:37:09 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\TS3Client
[2011.07.25 22:37:09 | 000,000,000 | ---D | M] -- C:\Users\Schorsch\AppData\Roaming\uTorrent
[2011.04.10 12:20:00 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >


And here is the OTL Scan log called "Extras.txt":


OTL Extras logfile created on: 26.07.2011 23:57:38 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Schorsch\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

4,00 Gb Total Physical Memory | 2,66 Gb Available Physical Memory | 66,53% Memory free
8,00 Gb Paging File | 6,43 Gb Available in Paging File | 80,38% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97,65 Gb Total Space | 35,03 Gb Free Space | 35,87% Space Free | Partition Type: NTFS
Drive D: | 200,43 Gb Total Space | 53,08 Gb Free Space | 26,48% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: SCHORSCH-PC | User Name: Schorsch | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-596794107-1266347972-1900540280-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Program Files (x86)\Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "D:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "D:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "D:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "D:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "D:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "D:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{000F870E-BCF6-F19F-A154-B3488407F467}" = ccc-utility64
"{02382870-19C7-3ACD-BBAE-F6E3760947DC}" = Microsoft .NET Framework 4 Extended DEU Language Pack
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{13DE9577-0CB1-4898-92D3-167062ADBB9C}" = Nitro PDF Reader
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{6C30F9EF-5032-925C-1905-D87E8472EB85}" = ATI Catalyst Install Manager
"{70AC9B8B-5DC4-4E5E-964B-2A695D157FCB}" = Sun VirtualBox
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{A97CD0A7-2DF5-EDA0-4FF7-A3BF6CAE771B}" = AMD Fuel
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{E34038BB-5358-3890-B5C8-37C5FE817806}" = WMV9/VC-1 Video Playback
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework 4 Extended DEU Language Pack" = Microsoft .NET Framework 4 Extended DEU Language Pack

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"{0E33EC53-22CE-426C-A88B-2AAC231BAC85}" = Catalyst Control Center - Branding
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 26
"{3A9D04F7-80CA-4755-97EC-6025B515A6B8}" = League of Legends
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5AFBC2F3-D3F5-660A-A2AD-CAD3E8EDA1D7}" = CCC Help English
"{63953BA4-7F92-98F7-B99D-FEB4B7BF6905}" = Catalyst Control Center Localization All
"{7753A3B2-E858-F0B3-3DD9-C027B16CBB81}" = Catalyst Control Center InstallProxy
"{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2
"{918A9082-6287-4D25-9002-5E5D5E4971CB}" = League of Legends
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.5 - Deutsch
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BA688606-4B20-4982-995E-EDADC6A6817E}" = League of Legends
"{D56B0E27-4A3E-46C9-B5C1-D93D580C099C}" = NVIDIA PhysX v8.10.29
"{E2616F7B-9E5B-7B21-EDB0-5659A5A4DDA1}" = Catalyst Control Center Graphics Previews Common
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"{FEF90494-3911-A844-2622-545BD4008231}" = AMD VISION Engine Control Center
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Battle.net" = Battle.net
"Counter-Strike: Source v17" = Counter-Strike: Source v17
"Diablo II" = Diablo II
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.4.7
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.9.33
"InstallShield_{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"InstallShield_{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"Mozilla Firefox 5.0 (x86 de)" = Mozilla Firefox 5.0 (x86 de)
"Peggle Deluxe1.0" = Peggle Deluxe
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"Project IGI" = Project IGI
"RollerCoaster Tycoon Setup" = Roll
"SecureW2 EAP Suite" = SecureW2 EAP Suite 1.0.6 for Windows
"Switch" = Switch Sound File Converter
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"TeamViewer 5" = TeamViewer 5
"Tunatic" = Tunatic
"Uninstall_is1" = Uninstall 1.0.0.1
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"Winamp" = Winamp
"WinRAR archiver" = WinRAR
"World of Warcraft" = World of Warcraft

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-596794107-1266347972-1900540280-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"QIP 2005" = QIP 2005 8095

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


Thank you for your time and help, have a good day. :)
 
ProgramFiles%\DAEMON Tools Toolbar <-- Do you use this? If not, uninstall it.

That file in Qoobox is just a backup of what was removed by ComboFix; we will remove that later.

Let's check these two.

You need to enable Windows to show all files and folders; instructions Here.

Go to VirusTotal and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

C:\Windows\system64\consrv.dll
D:\Users\Schorsch\Desktop\HSS-1.58-install-anchorfree-238-conduit2.exe


If the site is busy you can try this one:
http://virusscan.jotti.org/en
 
HSS-1.58-install-anchorfree-238-conduit2.exe

report:

Antivirus Version Last Update Result
AhnLab-V3 2011.07.31.00 2011.07.30 -
AntiVir 7.11.12.167 2011.07.29 -
Antiy-AVL 2.0.3.7 2011.07.31 -
Avast 4.8.1351.0 2011.07.30 -
Avast5 5.0.677.0 2011.07.30 -
AVG 10.0.0.1190 2011.07.30 -
BitDefender 7.2 2011.07.31 -
CAT-QuickHeal 11.00 2011.07.30 -
ClamAV 0.97.0.0 2011.07.30 -
Commtouch 5.3.2.6 2011.07.31 -
Comodo 9572 2011.07.31 -
Emsisoft 5.1.0.8 2011.07.31 -
eSafe 7.0.17.0 2011.07.27 -
eTrust-Vet 36.1.8472 2011.07.29 -
F-Prot 4.6.2.117 2011.07.31 -
F-Secure 9.0.16440.0 2011.07.29 -
Fortinet 4.2.257.0 2011.07.30 -
GData 22 2011.07.31 -
Ikarus T3.1.1.104.0 2011.07.31 -
Jiangmin 13.0.900 2011.07.30 -
K7AntiVirus 9.109.4961 2011.07.29 -
Kaspersky 9.0.0.837 2011.07.31 -
McAfee 5.400.0.1158 2011.07.31 -
McAfee-GW-Edition 2010.1D 2011.07.31 -
Microsoft 1.7104 2011.07.31 -
NOD32 6337 2011.07.31 a variant of Win32/HotSpotShield
Norman 6.07.10 2011.07.30 -
nProtect 2011-07-30.01 2011.07.30 -
Panda 10.0.3.5 2011.07.30 -
PCTools 8.0.0.5 2011.07.31 -
Prevx 3.0 2011.07.31 -
Rising 23.68.04.03 2011.07.29 -
Sophos 4.67.0 2011.07.31 -
SUPERAntiSpyware 4.40.0.1006 2011.07.30 -
Symantec 20111.1.0.186 2011.07.31 -
TheHacker 6.7.0.1.266 2011.07.31 -
TrendMicro 9.200.0.1012 2011.07.31 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.31 -
VIPRE 10016 2011.07.31 -
ViRobot 2011.7.30.4597 2011.07.30 -
VirusBuster 14.0.146.2 2011.07.30 -
Additional information
MD5 : f2ca6bff37fa18ddffbca52e8ef27ea2
SHA1 : 5942123d1cf0dfb99ac9ce4636c6cb26d100828f
SHA256: 98b47cc47564d924e4fc6193e01d0e06e2329c409bd30e5d5c58384fb67c3b6b



consrv.dll

report:

Antivirus Version Last Update Result
AhnLab-V3 2011.07.31.00 2011.07.30 Backdoor/Win64.ZAccess
AntiVir 7.11.12.167 2011.07.29 BDS/ZAccess.D
Antiy-AVL 2.0.3.7 2011.07.31 Backdoor/Win64.ZAccess.gen
Avast 4.8.1351.0 2011.07.30 Win32:Malware-gen
Avast5 5.0.677.0 2011.07.30 Win32:Malware-gen
AVG 10.0.0.1190 2011.07.30 BackDoor.Generic13.BKMF
BitDefender 7.2 2011.07.31 Backdoor.Generic.665297
CAT-QuickHeal 11.00 2011.07.30 -
ClamAV 0.97.0.0 2011.07.30 -
Commtouch 5.3.2.6 2011.07.31 -
Comodo 9572 2011.07.31 -
DrWeb 5.0.2.03300 2011.07.31 BackDoor.Maxplus.13
Emsisoft 5.1.0.8 2011.07.31 Backdoor.Win64!IK
eSafe 7.0.17.0 2011.07.27 -
eTrust-Vet 36.1.8472 2011.07.29 -
F-Prot 4.6.2.117 2011.07.31 -
F-Secure 9.0.16440.0 2011.07.29 Backdoor.Generic.665297
Fortinet 4.2.257.0 2011.07.30 -
GData 22 2011.07.31 Backdoor.Generic.665297
Ikarus T3.1.1.104.0 2011.07.31 Backdoor.Win64
Jiangmin 13.0.900 2011.07.30 Backdoor/ZAccess.aq
K7AntiVirus 9.109.4961 2011.07.29 Trojan
Kaspersky 9.0.0.837 2011.07.31 Backdoor.Win64.ZAccess.a
McAfee 5.400.0.1158 2011.07.31 Generic BackDoor!djh
McAfee-GW-Edition 2010.1D 2011.07.31 Generic BackDoor!djh
Microsoft 1.7104 2011.07.31 Trojan:Win64/Sirefef.B
NOD32 6337 2011.07.31 Win64/Agent.AC
Norman 6.07.10 2011.07.30 Suspicious_Gen3.UKSW
nProtect 2011-07-30.01 2011.07.30 Backdoor/W32.Small.31744.O
Panda 10.0.3.5 2011.07.30 Generic Backdoor
PCTools 8.0.0.5 2011.07.31 Backdoor.Trojan
Prevx 3.0 2011.07.31 -
Rising 23.68.04.03 2011.07.29 -
Sophos 4.67.0 2011.07.31 -
SUPERAntiSpyware 4.40.0.1006 2011.07.30 -
Symantec 20111.1.0.186 2011.07.31 Backdoor.Trojan
TheHacker 6.7.0.1.266 2011.07.31 Backdoor/Win64.ZAccess.a
TrendMicro 9.200.0.1012 2011.07.31 TROJ_GEN.R11C2G7
TrendMicro-HouseCall 9.200.0.1012 2011.07.31 TROJ_GEN.R11C2G7
VBA32 3.12.16.4 2011.07.29 Backdoor.Win64.ZAccess.a
VIPRE 10016 2011.07.31 Trojan.Win32.Generic!BT
ViRobot 2011.7.30.4597 2011.07.30 -
VirusBuster 14.0.146.2 2011.07.30 -
Additional information
MD5 : adf1ddd89d424e8d0e275cc42747ec81
SHA1 : 321105503846b4a5f8fd3ccd6d92253c39b3e1ce
SHA256: 5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f
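As an added example (not part of the thread), here is a small Python parser for the report layout pasted above: it counts detections per engine and pulls out the family names the engines agree on. The sample rows are copied from the two reports above; the generic-word list and the 50% "malicious" threshold are assumptions for this example.

```python
import re
from collections import Counter

# Constructed excerpts of the two multi-engine reports pasted above, in their
# "Engine Version LastUpdate Result" layout; "-" means the engine saw nothing.
CONSRV_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2011.07.31.00 2011.07.30 Backdoor/Win64.ZAccess
AntiVir 7.11.12.167 2011.07.29 BDS/ZAccess.D
Avast 4.8.1351.0 2011.07.30 Win32:Malware-gen
CAT-QuickHeal 11.00 2011.07.30 -
Kaspersky 9.0.0.837 2011.07.31 Backdoor.Win64.ZAccess.a
McAfee 5.400.0.1158 2011.07.31 Generic BackDoor!djh
Microsoft 1.7104 2011.07.31 Trojan:Win64/Sirefef.B
NOD32 6337 2011.07.31 Win64/Agent.AC
"""
HSS_REPORT = """\
AhnLab-V3 2011.07.31.00 2011.07.30 -
Kaspersky 9.0.0.837 2011.07.31 -
NOD32 6337 2011.07.31 a variant of Win32/HotSpotShield
"""

# Class words, not family names; ignored when counting the family consensus
# (assumption: list chosen for this example).
GENERIC = {"backdoor", "trojan", "generic", "malware", "agent", "variant",
           "suspicious", "application"}
DATE = re.compile(r"\d{4}\.\d{2}\.\d{2}$")   # third column, e.g. 2011.07.30

def parse_report(text):
    """Return (engine, result) pairs; result is None for a clean verdict."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)          # the result itself may contain spaces
        if len(parts) < 4 or not DATE.match(parts[2]):
            continue                         # header, hash lines, blanks
        engine, _version, _date, result = parts
        rows.append((engine, None if result == "-" else result))
    return rows

def summarize(text, malicious_ratio=0.5):
    """Detection ratio, consensus family tokens and a coarse verdict."""
    rows = parse_report(text)
    hits = [r for _, r in rows if r is not None]
    families = Counter(tok.lower() for r in hits
                       for tok in re.findall(r"[A-Za-z]{4,}", r)
                       if tok.lower() not in GENERIC)
    ratio = len(hits) / len(rows) if rows else 0.0
    verdict = "malicious" if ratio >= malicious_ratio else ("review" if hits else "clean")
    return {"engines": len(rows), "detections": len(hits), "ratio": round(ratio, 2),
            "families": families.most_common(3), "verdict": verdict}
```

A single hit such as the HotSpotShield one lands in "review" rather than "malicious", which matches how the helper treats it below: a possibly unwanted program rather than confirmed malware.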
 
To be honest, not sure what's going on with Hotspot Shield. Again, if you don't use it, uninstall it.


Let's get rid of that bad file.


Open OTL.exe
  • Copy/paste the following text, written inside of the code box, into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :processes
    killallprocesses
    
    :OTL
    
    
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\system64\consrv.dll	
    
    
    
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top. <-- Not Run Scan
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log it produces.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
 