Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown infection/google hijacking


  • Please log in to reply
8 replies to this topic

#1 afunkyfreak

afunkyfreak

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 20 August 2009 - 10:38 PM

Howdy and thanks in advance for any help provided. I am having issues with my computer that include redirecting from google, erasure of restore points (after trying to do a restore), antivirus utilities won't update, and so on... Here is the dds report & rootrepeal report.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Traci at 13:33:05.93 on Thu 08/20/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1012 [GMT -4:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Users\Traci\Desktop\Maintence Shed\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Traci\Desktop\Maintence Shed\Lavasoft\Ad-Aware\AAWTray.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Traci\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=0509&m=aspire_m1202
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=0509&m=aspire_m1202
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=0509&m=aspire_m1202
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: bankofamerica.com\www
Trusted Zone: hotschedules.com\www
Trusted Zone: netflix.com\www
Trusted Zone: tvguide.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.189,85.255.112.178
TCP: {08DA8D7F-258D-4538-B460-9291DD245766} = 85.255.112.189,85.255.112.178
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\traci\appdata\roaming\mozilla\firefox\profiles\qplo3m9a.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-1-20 24576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\users\traci\desktop\maintence shed\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-15 210216]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-23 144632]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-6-19 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-1-29 23680]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-23 50424]

=============== Created Last 30 ================

2009-08-20 12:53 <DIR> --d----- C:\Trend Micro
2009-08-20 01:06 <DIR> --d----- c:\users\traci\.housecall6.6
2009-08-20 00:49 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 00:49 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-20 00:49 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-20 00:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 00:49 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-19 17:32 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-19 17:27 <DIR> --d----- c:\programdata\Lavasoft
2009-08-19 17:27 <DIR> -cd-h--- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-19 17:27 <DIR> -cd-h--- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-19 14:53 8,212 a------- c:\windows\mfebcdata
2009-08-19 13:39 157,514,861 a------- c:\windows\MEMORY.DMP
2009-08-17 14:23 <DIR> --d----- c:\program files\LiveUpdate
2009-08-17 14:22 <DIR> --d----- c:\programdata\BVRP Software
2009-08-17 14:22 <DIR> --d----- c:\program files\mobile PhoneTools
2009-08-17 00:59 <DIR> --d----- c:\users\traci\appdata\roaming\TuneUp Software
2009-08-17 00:59 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2009-08-17 00:59 <DIR> --d----- c:\programdata\TuneUp Software
2009-08-17 00:59 <DIR> --d----- c:\progra~2\TuneUp Software
2009-08-17 00:58 <DIR> --dsh--- c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-17 00:58 <DIR> --dsh--- c:\progra~2\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-16 16:06 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motport_01007.Wdf
2009-08-16 16:06 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2009-08-16 16:06 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2009-08-16 16:06 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2009-08-16 11:04 <DIR> --d----- c:\users\traci\{2ae7ecac-0687-48f0-9a46-199dd76e5771}
2009-08-16 11:01 <DIR> --d----- c:\users\traci\{cb050a8b-a140-4f0b-b0cc-0d8603e27a61}
2009-08-16 10:58 <DIR> --d----- c:\users\traci\{982a7e41-a3ab-465b-9ff2-5e91ba030f9e}
2009-08-16 10:56 <DIR> --d----- c:\users\traci\{71c7754f-3e8c-474b-a29e-d05096862cbb}
2009-08-16 10:52 <DIR> --d----- c:\users\traci\{d8d63167-5790-4c2f-808c-ea4164bea055}
2009-08-16 10:52 <DIR> --d----- c:\program files\common files\Motorola Shared
2009-08-14 17:44 <DIR> --d----- c:\program files\Coupons
2009-08-14 17:37 <DIR> --d----- c:\users\traci\{ec5c55c8-2ddb-4e5a-868f-b5b71346483f}
2009-08-12 23:51 <DIR> --d----- c:\users\traci\Logitech
2009-08-12 21:56 <DIR> --d----- c:\program files\common files\Remote Control Software Common
2009-08-12 21:55 <DIR> --d----- c:\program files\common files\Remote Control USB Driver
2009-08-12 17:50 71,680 a------- c:\windows\system32\atl.dll
2009-08-12 17:49 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-12 17:49 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-12 17:49 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-12 17:49 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-12 17:49 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-12 17:49 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-12 17:49 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-12 17:49 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-12 17:49 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-12 17:49 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-12 01:54 <DIR> --d----- c:\windows\pss
2009-07-28 20:42 <DIR> --d----- c:\windows\system32\Adobe
2009-07-21 16:08 <DIR> --d----- c:\programdata\Nero
2009-07-21 16:08 <DIR> --d----- c:\progra~2\Nero
2009-07-21 15:09 <DIR> --d----- c:\program files\Nero

==================== Find3M ====================

2009-08-20 00:54 32,879 a------- c:\programdata\nvModes.dat
2009-08-20 00:54 32,879 a------- c:\progra~2\nvModes.dat
2009-08-16 16:06 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-16 16:06 86,016 a------- c:\windows\inf\infstor.dat
2009-08-16 16:06 51,200 a------- c:\windows\inf\infpub.dat
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-18 16:31 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-18 03:08 472,576 a------- c:\windows\Nvidia Omega Drivers v1.169.25 Uninstall.exe
2009-07-17 15:20 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-07-15 15:02 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-15 05:58 148,917 a------- c:\windows\hpoins19.dat
2009-07-15 05:57 116,842 a------- c:\windows\hpqins00.dat
2009-07-14 14:54 10,854,400 a------- c:\windows\system32\nvoglv32.dll
2009-07-14 14:54 9,557,216 a------- c:\windows\system32\drivers\nvlddmkm.sys
2009-07-14 14:54 7,565,824 a------- c:\windows\system32\nvd3dum.dll
2009-07-14 14:54 3,287,040 a------- c:\windows\system32\nvwgf2um.dll
2009-07-14 14:54 2,169,376 a------- c:\windows\system32\nvcuvid.dll
2009-07-14 14:54 1,983,488 a------- c:\windows\system32\nvcuda.dll
2009-07-14 14:54 1,706,528 a------- c:\windows\system32\nvcuvenc.dll
2009-07-14 14:54 1,044,992 a------- c:\windows\system32\nvapi.dll
2009-07-14 14:54 485,920 a------- c:\windows\system32\nvudisp.exe
2009-07-14 14:54 151,552 a------- c:\windows\system32\nvcod157.dll
2009-07-14 14:54 151,552 a------- c:\windows\system32\nvcod.dll
2009-07-14 14:54 4,224 a------- c:\windows\system32\drivers\nvBridge.kmd
2009-07-10 07:01 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-10 06:03 795,104 a------- c:\windows\system32\dpinst.exe
2009-05-25 08:01 89,256 a------- c:\windows\system32\ElbyCDIO.dll
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:33:35.35 ===============


And here is a a rootrepeal report
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/20 13:15
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8F638000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8F62D000 Size: 45056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA1B84000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Windows\cd6311402021ca01330000007003c403.program_files_common_files_microsoft_share
d_ink_3c86e3db0b3b254c.cdf-ms
Status: Locked to the Windows API!

Path: C:\Windows\System32\ESQULcgvtpounorghpgbbiwnfqxufwvkxtgom.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\ESQULmgypxtsnimcjejexkfhyienoalxsytvp.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\ESQULzxspectrum
Status: Invisible to the Windows API!

Path: C:\Windows\Temp\871b03402021ca01310000007003c403.program_files_common_files_d7a65bb2f0e854e
7.cdf-ms
Status: Locked to the Windows API!

Path: C:\Windows\Temp\Srt
Status: Locked to the Windows API!

Path: C:\Windows\Temp\8e49f8402021ca013e0000007003c403.$$.cdf-ms
Status: Locked to the Windows API!

Path: C:\Windows\System32\drivers\ESQULerumlftvycdciemdbvptwxlrytuqtxcw.sys
Status: Invisible to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c3
5eb.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f
59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df5
6e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f2
1d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d
131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddf
c6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed
.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e
1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e
58.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.c
at
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e5070
87.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_5c
94f2bbe7d4aaf6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_61
305e07e4f1bc01.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d606
51e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0e
bd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.c
at
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_58b1a5
ca663317c4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c
2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_54c127
9468b7b84b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea
1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8
.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c
0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_588
43c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.c
at
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_5c400d
5e63e93b68.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d21850
4d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c
.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3c
e6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_ab
ac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc
0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.c
at
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8d
d7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11d
f268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_588
445e3d272feb1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003
bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a
620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b
5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_765
8964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.1.0.0_none_6c030d6fdc86522c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053
e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cd
a6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16721_none_400572c0c425beea\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16772_none_3fd0636ec44d63f6\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20788_none_40553023dd6dba94\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20885_none_4052312bdd706bb6\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20949_none_408173e9dd4c5e75\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18000_none_42004f0ec13d017b\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18032_none_41e1dfdec15387fc\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18165_none_41c472dec16924fb\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22132_none_426b7ca9da7127c6\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22233_none_426c7ed9da703e44\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22299_none_4231a10dda9b7df4\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18005_none_43ebc81abe5eccc7\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16651_none_3fe50116c43e1596\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18112_none_41f7819cc1434d41\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6001.18000_none_0278b57e8399bfdb\MIC237~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6001.18000_none_0278b57e8399bfdb\MI2095~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MI2095~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MIC237~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6000.16386_en-us_014bf45395655ea8\_DATAO~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6000.16386_en-us_014bf45395655ea8\_DATAP~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6000.16720_en-us_0186d9b7953a1394\_DATAO~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6000.16720_en-us_0186d9b7953a1394\_DATAP~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6000.20883_en-us_01d297d8ae85a709\_DATAO~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6000.20883_en-us_01d297d8ae85a709\_DATAP~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6001.18000_en-us_0382b64f92506f7c\_DATAO~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6001.18000_en-us_0382b64f92506f7c\_DATAP~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6001.18111_en-us_0378e8939257a1eb\_DATAO~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6001.18111_en-us_0378e8939257a1eb\_DATAP~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6001.22230_en-us_03ebe53cab866040\_DATAO~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6001.22230_en-us_03ebe53cab866040\_DATAP~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6002.18005_en-us_056e2f5b8f723ac8\_DATAO~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.0.6002.18005_en-us_056e2f5b8f723ac8\_DATAP~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18000_none_4b00c645ec09f02d\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18000_none_4b00c645ec09f02d\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18000_none_4b00c645ec09f02d\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.0.6000.16720_none_81591d45b0e55432\MSBUIL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.0.6000.20883_none_6a9133e9ca879925\MSBUIL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.0.6001.18000_none_8133189db1382d8a\MSBUIL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.0.6001.18111_none_813401fbb13760d3\MSBUIL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.0.6001.22230_none_6a687297cadcd9e6\MSBUIL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.0.6002.18005_none_810e9dd9b189c19e\MSBUIL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_pg_persnlization_sql_b03f5f7f11d50a3a_6.0.6000.16720_none_b898612ecd927be
5\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_pg_persnlization_sql_b03f5f7f11d50a3a_6.0.6000.20883_none_a1d077d2e734c0d
8\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_pg_persnlization_sql_b03f5f7f11d50a3a_6.0.6001.18111_none_b87345e4cde4888
6\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_pg_persnlization_sql_b03f5f7f11d50a3a_6.0.6001.22230_none_a1a7b680e78a019
9\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\AVANTG~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\CASSIO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\DEFAUL~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\DOCOMO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\ERICSS~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\EZWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\GATEWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\GENERI~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\GOAMER~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\JATAAY~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\JPHONE~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\LEGEND~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\NETSCA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\NOKIA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\OPENWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\OPERA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\PALM~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\PANASO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\WEBTV~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\WINWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\XIINO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\AVANTG~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\CASSIO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\DEFAUL~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\DOCOMO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\ERICSS~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\EZWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\GATEWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\GENERI~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\GOAMER~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\JATAAY~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\JPHONE~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\LEGEND~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\NETSCA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\NOKIA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\OPENWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\OPERA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\PALM~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\PANASO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\WEBTV~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\WINWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\XIINO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\AVANTG~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\CASSIO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\DEFAUL~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\DOCOMO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\ERICSS~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\EZWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\GATEWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\GENERI~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\GOAMER~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\JATAAY~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\JPHONE~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\LEGEND~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\NETSCA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\NOKIA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\OPENWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\OPERA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\PALM~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\PANASO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\WEBTV~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\WINWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18000_none_710438f4cbc4bb4e\XIINO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\AVANTG~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\CASSIO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\DEFAUL~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\DOCOMO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\ERICSS~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\EZWAP~1.BRO
Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1148 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULcgvtpounorghpgbbiwnfqxufwvkxtgom.dll]
Process: svchost.exe (PID: 824) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: ESQULmgypxtsnimcjejexkfhyienoalxsytvp.dll]
Process: iexplore.exe (PID: 3092) Address: 0x10000000 Size: 184320

Object: Hidden Module [Name: ESQULmgypxtsnimcjejexkfhyienoalxsytvp.dll]
Process: iexplore.exe (PID: 3168) Address: 0x10000000 Size: 184320

Object: Hidden Module [Name: ESQULmgypxtsnimcjejexkfhyienoalxsytvp.dll]
Process: iexplore.exe (PID: 1732) Address: 0x10000000 Size: 184320

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\Windows\system32\drivers\ESQULerumlftvycdciemdbvptwxlrytuqtxcw.sys

==EOF==

Thanks again

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:16 PM

Posted 22 August 2009 - 09:50 PM

Hello afunkyfreak,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans.
This can make helping you impossible.


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan"

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 afunkyfreak

afunkyfreak
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 23 August 2009 - 12:37 AM

Howdy SifuMike, I do appreciate your help. I downloaded Malwarebytes before asking for help and it downloads and installs but I can't get it to open. This virus or what ever is very nasty. Here are the reports you requsted

Results of screen317's Security Check version 0.98.9
Windows Vista Service Pack 2
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!


WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 14
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1.2
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!


``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:44 AM, on 8/23/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\System32\mobsync.exe
C:\Users\Traci\Desktop\Maintence Shed\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...;m=aspire_m1202
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...;m=aspire_m1202
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...;m=aspire_m1202
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.hotschedules.com
O15 - Trusted Zone: http://www.tvguide.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08DA8D7F-258D-4538-B460-9291DD245766}: NameServer = 85.255.112.189,85.255.112.178
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.189,85.255.112.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{08DA8D7F-258D-4538-B460-9291DD245766}: NameServer = 85.255.112.189,85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.189,85.255.112.178
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Users\Traci\Desktop\Maintence Shed\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 8084 bytes

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:16 PM

Posted 23 August 2009 - 01:05 AM

Hi afunkyfreak,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 14
    J2SE Runtime Environment 5.0 Update 6
    Java 6 Update 3
    Java 6 Update 5

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
********************


If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program FIles\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe3, double click newtool3.exe to proceed in running a Full scan.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 afunkyfreak

afunkyfreak
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 23 August 2009 - 03:54 PM

Thanks again. Okay I got the updated java loaded and I got malwarebytes to work but it won't update. I have yet to restart the computer thgough so maybe that will fix it. I have to leave for work though.
Vince

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6002 Service Pack 2

8/23/2009 4:49:13 PM
mbam-log-2009-08-23 (16-49-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 194358
Time elapsed: 30 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.189,85.255.112.178 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{08da8d7f-258d-4538-b460-9291dd245766}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.189,85.255.112.178 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.189,85.255.112.178 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{08da8d7f-258d-4538-b460-9291dd245766}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.189,85.255.112.178 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.189,85.255.112.178 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{08da8d7f-258d-4538-b460-9291dd245766}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.189,85.255.112.178 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:16 PM

Posted 23 August 2009 - 04:30 PM

Hi afunkyfreak,


Manually download updates from HERE http://malwarebytes.gt500.org/mbam-rules.exe and just double-click on mbam-rules.exe to install.

Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

After you update it, then run it and post a new log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 afunkyfreak

afunkyfreak
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 24 August 2009 - 12:28 AM

Howdy again. Since the restart it would now update the malware bytes. It still is being google hijacked though. Here is the report and thanks again.

Malwarebytes' Anti-Malware 1.40
Database version: 2686
Windows 6.0.6002 Service Pack 2

8/24/2009 1:23:21 AM
mbam-log-2009-08-24 (01-23-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 195109
Time elapsed: 26 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:16 PM

Posted 24 August 2009 - 12:33 AM

Hi afunkyfreak,

Looks like you have a nasty rootkit on your computer.
Should take about a few minutes to write up a fix.

I'llllllllllllllllll be back! (spoken with Austrian accent) :thumbup2:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:16 PM

Posted 24 August 2009 - 12:44 AM

Hi afunkyfreak,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee Antivirus, Ad-Watch and Windows Defender before running ComboFix, as they will prevent it from running.

To disable McAfee Virusscan:  
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You succesfully disabled the McAfee Guard.

Disable Ad-Watch to make sure it won't interfere fixing.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..
Post the log from ComboFix in your next reply,

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users