
Rootkit Infection


28 replies to this topic

#1 Rockwil

  • Members
  • 26 posts

Posted 23 August 2009 - 09:33 PM

Please go here to see my postings in BleepingComputer.com > Security > Am I infected? What do I do?

When I do a Google or Yahoo search I get redirected to another web site. Running McAfee and it found and claims to have removed Generic RootKit.d!Rootkit several times. Adaware has also removed some spyware, don't know what it removed. Cannot get Spybot to scan system. Cannot get SuperAntiSpyware to install. Norton CW Shredder doesn't find any threats. When problem first started McAfee could not be automatically updated, message said to reinstall McAfee Suite. I did not reinstall McAfee, however updates now possible but still have same problem. I am running Vista. Also, I can't print. Thanks to this virus I have no installed printers and when I try to install them I get a message that the local print spooler is not started and I should start it or reboot. I have rebooted a number of times for different reasons and the print spooler never starts.

Can only get to the internet in Safe Mode with Networking. DDS was run in Safe Mode With Networking.

Root Repeal that is attached was run last night under the direction of Blade. I will also start a complete PC backup using Vista.

I have a question about the firewall. Will the Windows firewall work in Safe Mode with Networking? It doesn't appear that McAfee's works.

DDS.txt


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Bob at 21:44:16.51 on Sun 08/23/2009
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1505 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Users\Bob\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6070209
uWindow Title = Internet Explorer provided by Dell
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [RWCSwpRem] c:\program files\r-wipe&clean\RwcRun.exe /DELETESWAPFILES
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [CCUTRAYICON] "c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe"
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero backitup 4\NBKeyScan.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvSvc] "RUNDLL32.EXE" c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Intuit SyncManager] "c:\program files\common files\intuit\sync\IntuitSyncManager.exe" startup
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
mRun: [SigmatelSysTrayApp] "sttray.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\memebercenter.office
Trusted Zone: veoh.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bob\appdata\roaming\mozilla\firefox\profiles\1pro6vr6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.com/en-US/firefox/personal.html

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 c2scsi;c2scsi;c:\windows\system32\drivers\C2SCSI.SYS [2006-8-9 248568]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-21 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-2-8 5504]
S2 0176861239911225mcinstcleanup;McAfee Application Installer Cleanup (0176861239911225);c:\windows\temp\017686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-20 1153368]
S2 SessionLauncher;SessionLauncher;c:\users\bob\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\bob\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2007-3-1 17976]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B871.tmp [2009-8-23 6144]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]

=============== Created Last 30 ================

2009-08-23 19:53 6,144 -------- c:\windows\system32\B871.tmp
2009-08-23 19:53 6,144 -------- c:\windows\system32\B851.tmp
2009-08-23 19:51 6,144 -------- c:\windows\system32\F2FF.tmp
2009-08-23 19:48 6,144 -------- c:\windows\system32\12DF.tmp
2009-08-23 19:48 6,144 -------- c:\windows\system32\12BF.tmp
2009-08-23 19:47 6,144 -------- c:\windows\system32\B37F.tmp
2009-08-23 19:47 <DIR> --d----- c:\program files\Sophos
2009-08-22 18:20 15 a------- c:\windows\system32\settings.dat
2009-08-22 14:50 <DIR> --d----- c:\users\bob\appdata\roaming\Malwarebytes
2009-08-22 14:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 14:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-22 14:24 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-22 14:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 14:24 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-21 22:44 <DIR> --d----- c:\programdata\Webroot
2009-08-21 22:44 <DIR> --d----- c:\progra~2\Webroot
2009-08-21 22:41 0 a---h--- C:\ProgramData.LOG2
2009-08-21 22:41 0 a---h--- C:\ProgramData.LOG1
2009-08-21 13:25 <DIR> --d----- c:\program files\MSSOAP
2009-08-21 13:25 <DIR> --d----- c:\program files\common files\MSSoap
2009-08-21 13:25 <DIR> --d----- c:\program files\Webroot
2009-08-21 13:23 164 a------- c:\windows\install.dat
2009-08-21 13:10 <DIR> --d----- c:\program files\SpywareBlaster
2009-08-20 19:33 <DIR> --d----- c:\program files\Trend Micro
2009-08-20 17:19 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-20 17:15 <DIR> --d----- c:\programdata\Symantec
2009-08-20 17:15 <DIR> --d----- c:\programdata\Norton
2009-08-20 17:15 <DIR> --d----- c:\progra~2\Symantec
2009-08-20 17:15 <DIR> --d----- c:\progra~2\Norton
2009-08-20 17:15 <DIR> --d----- c:\programdata\NortonInstaller
2009-08-20 17:15 <DIR> --d----- c:\progra~2\NortonInstaller
2009-08-20 17:12 <DIR> --d----- c:\program files\AVG
2009-08-20 17:07 <DIR> --d----- c:\users\bob\appdata\roaming\AVG8
2009-08-20 13:30 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-08-20 13:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-20 13:30 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-08-20 12:06 <DIR> --d----- c:\users\bob\.housecall6.6
2009-08-20 10:38 <DIR> --d----- c:\program files\VS Revo Group
2009-08-20 09:39 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-20 08:43 <DIR> --d----- c:\users\bob\appdata\roaming\SUPERAntiSpyware.com
2009-08-20 08:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-20 08:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-20 06:14 <DIR> --d----- c:\programdata\SITEguard
2009-08-20 06:14 <DIR> --d----- c:\progra~2\SITEguard
2009-08-20 06:06 <DIR> --d----- c:\program files\STOPzilla!
2009-08-20 06:06 <DIR> --d----- c:\programdata\STOPzilla!
2009-08-20 06:06 <DIR> --d----- c:\progra~2\STOPzilla!
2009-08-19 13:02 112,105,878 a------- c:\windows\MEMORY.DMP
2009-08-18 06:06 <DIR> --d----- c:\program files\Gammacoder

==================== Find3M ====================

2009-08-20 19:33 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-20 19:33 143,360 a------- c:\windows\inf\infstor.dat
2009-08-20 19:33 51,200 a------- c:\windows\inf\infpub.dat
2009-07-18 13:40 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-17 09:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 08:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 08:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 08:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 08:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-17 12:47 87,608 a------- c:\users\bob\appdata\roaming\inst.exe
2009-06-17 12:47 47,360 a------- c:\users\bob\appdata\roaming\pcouffin.sys
2009-06-15 10:54 175,104 a------- c:\windows\system32\wdigest.dll
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:53 72,704 a------- c:\windows\system32\secur32.dll
2009-06-15 10:53 270,848 a------- c:\windows\system32\schannel.dll
2009-06-15 10:53 218,624 a------- c:\windows\system32\msv1_0.dll
2009-06-15 10:52 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 499,712 a------- c:\windows\system32\kerberos.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:48 9,728 a------- c:\windows\system32\lsass.exe
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-10 07:42 160,256 a------- c:\windows\system32\wkssvc.dll
2009-06-10 07:38 91,136 a------- c:\windows\system32\avifil32.dll
2009-06-04 08:07 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-05-26 18:48 15,688 a------- c:\windows\system32\lsdelete.exe
2008-12-10 10:17 13,664 a------- c:\users\bob\appdata\roaming\wklnhst.dat
2008-10-22 09:17 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-04-12 23:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-12 23:28 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-12 23:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-12 23:28 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-02-09 04:45 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 21:46:03.85 ===============

Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 2/8/2007 7:49:00 PM
System Uptime: 8/23/2009 8:14:56 PM (1 hours ago)

Motherboard: Dell Inc. | | 0WG855
Processor: Intel® Core™2 CPU 6600 @ 2.40GHz | Microprocessor | 2394/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 223 GiB total, 157.867 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.922 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 233 GiB total, 207.36 GiB free.
H: is CDROM ()
I: is FIXED (NTFS) - 466 GiB total, 216.373 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

"Nero SoundTrax Help
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 7.0
Adobe Reader 8.1.3
Advertising Center
Apple Software Update
AutoUpdate
Avery Wizard 3.1
Dell Support Center (Support Software)
Dell System Customization Wizard
DirectXInstallService
DivX
Documentation & Support Launcher
DolbyFiles
DVD Shrink 3.2
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.3.2
DVDFab 6.0.1.0 (May 15, 2009)
DVDFab HD Decrypter 3.0.9.6
EMC 10 Content
EPSON Printer Software
EPSON Scan
Games, Music, & Photos Launcher
Gammacoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImagXpress
Intel® Matrix Storage Manager
Intel® Viiv™ Software
Internet Service Offers Launcher
IrfanView (remove only)
iTunes
Java™ 6 Update 15
KeePass Password Safe 1.09
LightScribe 1.6.45.1
Livestation
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Small Business Image Uploader
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Works
Microsoft XML Parser
Movie Templates - Starter Kit
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 4.0 SP2 Parser and SDK
Nero 8
Nero 9
Nero BackItUp
Nero BackItUp 4
Nero Burning ROM Help
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express Help
Nero InfoTool
Nero Installer
Nero Live
Nero Live Help
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
neroxml
Netflix Movie Viewer
NVIDIA Drivers
PDF reDirect (remove only)
QuickBooks
QuickBooks Pro 2009
R-Wipe&Clean 8.6
Registry Mechanic 7.0
Revo Uninstaller 1.83
Roxio Activation Module
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
SigmaTel Audio
SmartSound Quicktracks Plugin
Sophos Anti-Rootkit 1.5.0
SoundTrax
Spelling Dictionaries Support For Adobe Reader 8
Spy Sweeper Core
Spybot - Search & Destroy
SpywareBlaster 4.2
SupportSoft Assisted Service
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb971933)
URL Assistant
User's Guides
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2005 Tools for Office Second Edition Runtime
XviD MPEG-4 Video Codec

==== End Of File ===========================

Root Repeal.txt

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/22 18:21
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8D40D000 Size: 753664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x8D583000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{068acb4f-8efb-11de-93ec-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{068acb5f-8efb-11de-93ec-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{068acb75-8efb-11de-93ec-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{068acb85-8efb-11de-93ec-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{068acb95-8efb-11de-93ec-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{068acba8-8efb-11de-93ec-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1ee4e25e-8e36-11de-8dc6-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2861261d-8c51-11de-b983-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2b1564de-8d8e-11de-901a-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{32aa2d5d-8dd1-11de-aa17-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{32aa2d6d-8dd1-11de-aa17-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c672b017-8d9d-11de-83a8-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c8294aab-8ec5-11de-af05-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dc5ecf64-8d7b-11de-9941-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dd045fda-8d95-11de-a080-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dd046016-8d95-11de-a080-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dd046042-8d95-11de-a080-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{73d52886-8e37-11de-9183-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{73d528df-8e37-11de-9183-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{9c63902b-8ed8-11de-8a0e-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a193805b-8de9-11de-89ce-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a1938075-8de9-11de-89ce-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b6f5a58a-8d2a-11de-8c14-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b6f5a5f0-8d2a-11de-8c14-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\System32\ESQULqernvhylibkupmhpuiqaxghdxoymoufb.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\ESQULykpxpxcoeixybbcsbvxanrwfyjpxpwsu.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\ESQULzxspectrum
Status: Invisible to the Windows API!

Path: C:\Windows\System32\drivers\ESQULgripcvayfijcuhntryocmcxheviqxebr.sys
Status: Invisible to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\XPSViewer\XPSVIE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d60651e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e20e9863b4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_5c94f2bbe7d4aaf6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_61305e07e4f1bc01.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa6920e9f98fc.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.1.0.0_none_6c030d6fdc86522c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_a6e6a8980e994a5d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SEC543~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE0F57~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE7561~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE4BA2~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE5F3C~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE5FBC~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE6DB5~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SEC6C7~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE9AEB~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE4F78~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE427A~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE9942~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE3B5D~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE54EE~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE5DF7~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE1FB8~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.16720_none_7c654fdc62654993\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.20883_none_659d66807c078e86\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.18111_none_7c40349262b75634\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.22230_none_6574a52e7c5ccf47\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.16720_none_04c87b54ba4ac535\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.20883_none_ee0091f8d3ed0a28\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.18111_none_04a3600aba9cd1d6\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.22230_none_edd7d0a6d4424ae9\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.16720_none_c39efe8a3f927437\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.20883_none_acd7152e5934b92a\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.18111_none_c379e3403fe480d8\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.22230_none_acae53dc5989f9eb\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6000.16720_none_b103fb905f6db0d9\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6000.20883_none_9a3c1234790ff5cc\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6001.18111_none_b0dee0465fbfbd7a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_e2c358ab062e054b\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_cbfb6f4f1fd04a3e\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_e29e3d61068011ec\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6000.16720_none_9b01a5fdd9371aff\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6000.20883_none_9b4d641ef282ae74\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6001.18111_none_9cf3b4d9d654a956\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6001.22230_none_9d66b182ef8367ab\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULqernvhylibkupmhpuiqaxghdxoymoufb.dll]
Process: svchost.exe (PID: 816) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\Windows\system32\drivers\ESQULgripcvayfijcuhntryocmcxheviqxebr.sys

==EOF==
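A triage helper for a report in the format above, added here as an example; it is not part of the original post and not RootRepeal's own code. It parses the Path:/Status: pairs, separates entries that are invisible to the Windows API (the files the rootkit is hiding) from entries that are merely locked (usually files Windows keeps open, such as the System Volume Information and winsxs catalog entries), and checks whether a hidden service's image path matches one of the hidden files, normalising case because the log mixes "System32" and "system32". The sample report and the EXPECTED_LOCKED_PREFIXES list are constructed for this example.

```python
"""Triage a RootRepeal-style report: hidden files vs. locked files, plus
cross-referencing hidden services against hidden driver files.

Added example; not RootRepeal's own code and not from the original thread.
"""
from typing import Dict, List, Tuple

# Constructed sample in the shape RootRepeal prints. The file and service
# lines are copied from the log above, trimmed to four file entries.
SAMPLE_REPORT = r"""
Files
-------------------
Path: C:\System Volume Information\{dd045fda-8d95-11de-a080-001676b5a87d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\System32\ESQULqernvhylibkupmhpuiqaxghdxoymoufb.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\drivers\ESQULgripcvayfijcuhntryocmcxheviqxebr.sys
Status: Invisible to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\Windows\system32\drivers\ESQULgripcvayfijcuhntryocmcxheviqxebr.sys

==EOF==
"""

# Locked entries under these roots are the usual benign noise: Windows keeps
# the files open or denies access, so the scanner cannot read them. This list
# is an assumption made for the example, not something RootRepeal ships.
EXPECTED_LOCKED_PREFIXES = (
    "c:\\system volume information\\",
    "c:\\windows\\winsxs\\",
)

Entry = Tuple[str, str]


def parse_report(report: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (file_entries, hidden_services).

    file_entries    -- (path, status) for every Path:/Status: pair
    hidden_services -- (service_name, image_path) for every Service Name:/Image Path: pair
    A Path: with no following Status: (a truncated log) is dropped, not guessed.
    """
    files: List[Entry] = []
    services: List[Entry] = []
    pending_path = None
    pending_service = None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Path:"):
            pending_path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and pending_path is not None:
            files.append((pending_path, line[len("Status:"):].strip()))
            pending_path = None
        elif line.startswith("Service Name:"):
            pending_service = line[len("Service Name:"):].strip()
        elif line.startswith("Image Path:") and pending_service is not None:
            services.append((pending_service, line[len("Image Path:"):].strip()))
            pending_service = None
    return files, services


def triage(report: str) -> Dict[str, object]:
    """Separate the interesting findings from the noise."""
    files, services = parse_report(report)
    # "Invisible" means the file is on disk but the Windows API does not return
    # it: the hallmark of a kernel-mode rootkit filtering file enumeration, so
    # every such path deserves a look.
    hidden = [path for path, status in files if status.startswith("Invisible")]
    # "Locked" only means the scanner could not open the file; it is routine
    # under the system restore and component store directories.
    locked = [path for path, status in files if status.startswith("Locked")]
    unexpected_locked = [
        path for path in locked if not path.lower().startswith(EXPECTED_LOCKED_PREFIXES)
    ]
    # NT paths are case-insensitive, and the log above mixes "System32" with
    # "system32", so the cross-reference must normalise case before matching.
    hidden_lower = {path.lower() for path in hidden}
    matches = [(name, image) for name, image in services if image.lower() in hidden_lower]
    return {
        "hidden": hidden,
        "locked_count": len(locked),
        "unexpected_locked": unexpected_locked,
        "hidden_services": services,
        "hidden_service_matches": matches,
    }


def main() -> None:
    result = triage(SAMPLE_REPORT)
    print(f"{result['locked_count']} locked entries, "
          f"{len(result['unexpected_locked'])} outside the expected roots")
    for path in result["hidden"]:
        print("HIDDEN FILE :", path)
    for name, image in result["hidden_service_matches"]:
        print("HIDDEN SERVICE backed by hidden driver:", name, "->", image)


if __name__ == "__main__":
    main()
```

Run against the full log, the helper reduces the hundreds of locked winsxs and System Volume Information lines to a count and leaves the two hidden DLLs, the hidden driver and the hidden service pointing at it, which is the part of the report that actually matters.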



#2 Rockwil

Rockwil
  • Topic Starter

  • Members
  • 26 posts

Posted 24 August 2009 - 04:09 AM

Tried running backup from the Backup and Restore Center in Vista and received the following message:

Files backup could not save your automatic backup settings for the following reason: The request is not supported. (0x80070032). Please try again.

I tried this in Windows Normal mode. Again, I am now back to Safe Mode as I can only get to the internet in Safe mode. I have downloaded Cobian Backup and Drive Image XML.

Also when I tried to reboot into Safe mode I was getting some access error messages on TeaTimer when the system was trying to close down for the boot. Got a Windows message that asked "Just close the program and reboot?" Clicked OK and got a blue screen; the system then rebooted itself and I went into safe mode to report this and to download the above-mentioned programs.

I did do a backup of my files on Friday using the backup from Vista, Accessories, Backup and Restore Configuration. I realize that I probably backed up the infection, or maybe not, I don't know. And in case you are wondering, I don't have a good System Restore date to go back to, and now even if I did I get a message that it didn't initialize properly. Will try one of these programs to back up the system. I have not turned on the Windows firewall yet. Am I sure that I even want to try this since my system is so flaky?

#3 Rockwil

Rockwil
  • Topic Starter

  • Members
  • 26 posts

Posted 24 August 2009 - 05:40 AM

Drive Image XML gives me the following error:

An error was encountered during a sector block read operation. I clicked continue.

I then received the following message:

Cannot create volume information. (NT, Cluster Size=0) Stack Dump. I clicked on Cancel, the only option.

Cobian also gives me strange error messages. As I said in an earlier post I did backup my files on Friday. Not a drive image but the files.


Every time you add another post it puts you in the back of the rotation even further

Edited by garmanma, 24 August 2009 - 07:51 PM.


#4 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 05 September 2009 - 11:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#5 Rockwil

Rockwil
  • Topic Starter

  • Members
  • 26 posts

Posted 06 September 2009 - 06:41 PM

The DDS was run as requested. Earlier posts describe the problems. I stated in an earlier post that I had not turned on the Windows firewall; I have since turned it on. Output of DDS:


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Bob at 19:28:22.00 on Sun 09/06/2009
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1509 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Bob\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6070209
uWindow Title = Internet Explorer provided by Dell
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [RWCSwpRem] c:\program files\r-wipe&clean\RwcRun.exe /DELETESWAPFILES
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [CCUTRAYICON] "c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe"
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero backitup 4\NBKeyScan.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvSvc] "RUNDLL32.EXE" c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Intuit SyncManager] "c:\program files\common files\intuit\sync\IntuitSyncManager.exe" startup
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
mRun: [SigmatelSysTrayApp] "sttray.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\memebercenter.office
Trusted Zone: veoh.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bob\appdata\roaming\mozilla\firefox\profiles\1pro6vr6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.com/en-US/firefox/personal.html
FF - plugin: c:\users\bob\appdata\roaming\mozilla\firefox\profiles\1pro6vr6.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 c2scsi;c2scsi;c:\windows\system32\drivers\C2SCSI.SYS [2006-8-9 248568]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-21 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-2-8 5504]
S2 0176861239911225mcinstcleanup;McAfee Application Installer Cleanup (0176861239911225);c:\windows\temp\017686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-20 1153368]
S2 SessionLauncher;SessionLauncher;c:\users\bob\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\bob\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2007-3-1 17976]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2008-10-22 21504]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B871.tmp [2009-8-23 6144]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]

=============== Created Last 30 ================

2009-09-04 07:00 <DIR> --d----- c:\programdata\NOS
2009-08-24 05:27 <DIR> --d----- c:\program files\Runtime Software
2009-08-24 05:15 <DIR> --d----- c:\programdata\Cobian
2009-08-24 05:15 <DIR> --d----- c:\progra~2\Cobian
2009-08-24 05:14 <DIR> --d----- c:\program files\Cobian Backup 9
2009-08-24 00:12 <DIR> --dsh--- C:\found.000
2009-08-23 19:53 6,144 -------- c:\windows\system32\B871.tmp
2009-08-23 19:53 6,144 -------- c:\windows\system32\B851.tmp
2009-08-23 19:51 6,144 -------- c:\windows\system32\F2FF.tmp
2009-08-23 19:48 6,144 -------- c:\windows\system32\12DF.tmp
2009-08-23 19:48 6,144 -------- c:\windows\system32\12BF.tmp
2009-08-23 19:47 6,144 -------- c:\windows\system32\B37F.tmp
2009-08-23 19:47 <DIR> --d----- c:\program files\Sophos
2009-08-22 18:20 15 a------- c:\windows\system32\settings.dat
2009-08-22 14:50 <DIR> --d----- c:\users\bob\appdata\roaming\Malwarebytes
2009-08-22 14:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 14:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-22 14:24 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-22 14:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 14:24 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-21 22:44 <DIR> --d----- c:\programdata\Webroot
2009-08-21 22:44 <DIR> --d----- c:\progra~2\Webroot
2009-08-21 22:41 0 a---h--- C:\ProgramData.LOG2
2009-08-21 22:41 0 a---h--- C:\ProgramData.LOG1
2009-08-21 13:25 <DIR> --d----- c:\program files\MSSOAP
2009-08-21 13:25 <DIR> --d----- c:\program files\common files\MSSoap
2009-08-21 13:25 <DIR> --d----- c:\program files\Webroot
2009-08-21 13:23 164 a------- c:\windows\install.dat
2009-08-21 13:10 <DIR> --d----- c:\program files\SpywareBlaster
2009-08-20 19:33 <DIR> --d----- c:\program files\Trend Micro
2009-08-20 17:19 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-20 17:15 <DIR> --d----- c:\programdata\Symantec
2009-08-20 17:15 <DIR> --d----- c:\programdata\Norton
2009-08-20 17:15 <DIR> --d----- c:\progra~2\Symantec
2009-08-20 17:15 <DIR> --d----- c:\progra~2\Norton
2009-08-20 17:15 <DIR> --d----- c:\programdata\NortonInstaller
2009-08-20 17:15 <DIR> --d----- c:\progra~2\NortonInstaller
2009-08-20 17:12 <DIR> --d----- c:\program files\AVG
2009-08-20 17:07 <DIR> --d----- c:\users\bob\appdata\roaming\AVG8
2009-08-20 13:30 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-08-20 13:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-20 13:30 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-08-20 12:06 <DIR> --d----- c:\users\bob\.housecall6.6
2009-08-20 10:38 <DIR> --d----- c:\program files\VS Revo Group
2009-08-20 09:39 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-20 08:43 <DIR> --d----- c:\users\bob\appdata\roaming\SUPERAntiSpyware.com
2009-08-20 08:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-20 08:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-20 06:14 <DIR> --d----- c:\programdata\SITEguard
2009-08-20 06:14 <DIR> --d----- c:\progra~2\SITEguard
2009-08-20 06:06 <DIR> --d----- c:\program files\STOPzilla!
2009-08-20 06:06 <DIR> --d----- c:\programdata\STOPzilla!
2009-08-20 06:06 <DIR> --d----- c:\progra~2\STOPzilla!
2009-08-19 13:02 204,107,243 a------- c:\windows\MEMORY.DMP
2009-08-18 06:06 <DIR> --d----- c:\program files\Gammacoder

==================== Find3M ====================

2009-08-20 19:33 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-20 19:33 143,360 a------- c:\windows\inf\infstor.dat
2009-08-20 19:33 51,200 a------- c:\windows\inf\infpub.dat
2009-07-18 13:40 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-17 09:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 08:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 08:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 08:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 08:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-17 12:47 87,608 a------- c:\users\bob\appdata\roaming\inst.exe
2009-06-17 12:47 47,360 a------- c:\users\bob\appdata\roaming\pcouffin.sys
2009-06-15 10:54 175,104 a------- c:\windows\system32\wdigest.dll
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:53 72,704 a------- c:\windows\system32\secur32.dll
2009-06-15 10:53 270,848 a------- c:\windows\system32\schannel.dll
2009-06-15 10:53 218,624 a------- c:\windows\system32\msv1_0.dll
2009-06-15 10:52 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 499,712 a------- c:\windows\system32\kerberos.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:48 9,728 a------- c:\windows\system32\lsass.exe
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-10 07:42 160,256 a------- c:\windows\system32\wkssvc.dll
2009-06-10 07:38 91,136 a------- c:\windows\system32\avifil32.dll
2008-12-10 10:17 13,664 a------- c:\users\bob\appdata\roaming\wklnhst.dat
2008-10-22 09:17 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-04-12 23:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-12 23:28 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-12 23:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-12 23:28 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-02-09 04:45 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:30:09.26 ===============

#6 Rockwil (Topic Starter, Members, 26 posts)

Posted 08 September 2009 - 08:09 AM

Sorry, I realized that the DDS didn't complete, so here are the DDS TXT and ATTACH. This was run in Normal Mode:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Bob at 8:43:34.78 on Tue 09/08/2009
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1180 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\sttray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\wbem\unsecapp.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Bob\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6070209
uWindow Title = Internet Explorer provided by Dell
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [CCUTRAYICON] "c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe"
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero backitup 4\NBKeyScan.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvSvc] "RUNDLL32.EXE" c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Intuit SyncManager] "c:\program files\common files\intuit\sync\IntuitSyncManager.exe" startup
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
mRun: [SigmatelSysTrayApp] "sttray.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\memebercenter.office
Trusted Zone: veoh.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bob\appdata\roaming\mozilla\firefox\profiles\1pro6vr6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.com/en-US/firefox/personal.html
FF - plugin: c:\users\bob\appdata\roaming\mozilla\firefox\profiles\1pro6vr6.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 c2scsi;c2scsi;c:\windows\system32\drivers\C2SCSI.SYS [2006-8-9 248568]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-21 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-20 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-2-8 5504]
S2 0176861239911225mcinstcleanup;McAfee Application Installer Cleanup (0176861239911225);c:\windows\temp\017686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 SessionLauncher;SessionLauncher;c:\users\bob\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\bob\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2007-3-1 17976]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2008-10-22 21504]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B871.tmp [2009-8-23 6144]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]

=============== Created Last 30 ================

2009-09-04 07:00 <DIR> --d----- c:\programdata\NOS
2009-08-24 05:27 <DIR> --d----- c:\program files\Runtime Software
2009-08-24 05:15 <DIR> --d----- c:\programdata\Cobian
2009-08-24 05:15 <DIR> --d----- c:\progra~2\Cobian
2009-08-24 05:14 <DIR> --d----- c:\program files\Cobian Backup 9
2009-08-24 00:12 <DIR> --dsh--- C:\found.000
2009-08-23 19:53 6,144 -------- c:\windows\system32\B871.tmp
2009-08-23 19:53 6,144 -------- c:\windows\system32\B851.tmp
2009-08-23 19:51 6,144 -------- c:\windows\system32\F2FF.tmp
2009-08-23 19:48 6,144 -------- c:\windows\system32\12DF.tmp
2009-08-23 19:48 6,144 -------- c:\windows\system32\12BF.tmp
2009-08-23 19:47 6,144 -------- c:\windows\system32\B37F.tmp
2009-08-23 19:47 <DIR> --d----- c:\program files\Sophos
2009-08-22 18:20 15 a------- c:\windows\system32\settings.dat
2009-08-22 14:50 <DIR> --d----- c:\users\bob\appdata\roaming\Malwarebytes
2009-08-22 14:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 14:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-22 14:24 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-22 14:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 14:24 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-21 22:44 <DIR> --d----- c:\programdata\Webroot
2009-08-21 22:44 <DIR> --d----- c:\progra~2\Webroot
2009-08-21 22:41 0 a---h--- C:\ProgramData.LOG2
2009-08-21 22:41 0 a---h--- C:\ProgramData.LOG1
2009-08-21 13:25 <DIR> --d----- c:\program files\MSSOAP
2009-08-21 13:25 <DIR> --d----- c:\program files\common files\MSSoap
2009-08-21 13:25 <DIR> --d----- c:\program files\Webroot
2009-08-21 13:23 164 a------- c:\windows\install.dat
2009-08-21 13:10 <DIR> --d----- c:\program files\SpywareBlaster
2009-08-20 19:33 <DIR> --d----- c:\program files\Trend Micro
2009-08-20 17:19 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-20 17:15 <DIR> --d----- c:\programdata\Symantec
2009-08-20 17:15 <DIR> --d----- c:\programdata\Norton
2009-08-20 17:15 <DIR> --d----- c:\progra~2\Symantec
2009-08-20 17:15 <DIR> --d----- c:\progra~2\Norton
2009-08-20 17:15 <DIR> --d----- c:\programdata\NortonInstaller
2009-08-20 17:15 <DIR> --d----- c:\progra~2\NortonInstaller
2009-08-20 17:12 <DIR> --d----- c:\program files\AVG
2009-08-20 17:07 <DIR> --d----- c:\users\bob\appdata\roaming\AVG8
2009-08-20 13:30 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-08-20 13:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-20 13:30 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-08-20 12:06 <DIR> --d----- c:\users\bob\.housecall6.6
2009-08-20 10:38 <DIR> --d----- c:\program files\VS Revo Group
2009-08-20 09:39 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-20 08:43 <DIR> --d----- c:\users\bob\appdata\roaming\SUPERAntiSpyware.com
2009-08-20 08:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-20 08:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-20 06:14 <DIR> --d----- c:\programdata\SITEguard
2009-08-20 06:14 <DIR> --d----- c:\progra~2\SITEguard
2009-08-20 06:06 <DIR> --d----- c:\program files\STOPzilla!
2009-08-20 06:06 <DIR> --d----- c:\programdata\STOPzilla!
2009-08-20 06:06 <DIR> --d----- c:\progra~2\STOPzilla!
2009-08-19 13:02 127,287,683 a------- c:\windows\MEMORY.DMP
2009-08-18 06:06 <DIR> --d----- c:\program files\Gammacoder

==================== Find3M ====================

2009-08-20 19:33 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-20 19:33 143,360 a------- c:\windows\inf\infstor.dat
2009-08-20 19:33 51,200 a------- c:\windows\inf\infpub.dat
2009-07-18 13:40 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-17 09:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 08:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 08:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 08:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 08:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-17 12:47 87,608 a------- c:\users\bob\appdata\roaming\inst.exe
2009-06-17 12:47 47,360 a------- c:\users\bob\appdata\roaming\pcouffin.sys
2009-06-15 10:54 175,104 a------- c:\windows\system32\wdigest.dll
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:53 72,704 a------- c:\windows\system32\secur32.dll
2009-06-15 10:53 270,848 a------- c:\windows\system32\schannel.dll
2009-06-15 10:53 218,624 a------- c:\windows\system32\msv1_0.dll
2009-06-15 10:52 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 499,712 a------- c:\windows\system32\kerberos.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:48 9,728 a------- c:\windows\system32\lsass.exe
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2008-12-10 10:17 13,664 a------- c:\users\bob\appdata\roaming\wklnhst.dat
2008-10-22 09:17 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-04-12 23:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-12 23:28 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-12 23:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-12 23:28 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-02-09 04:45 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 8:45:31.36 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 2/8/2007 7:49:00 PM
System Uptime: 9/8/2009 8:39:27 AM (0 hours ago)

Motherboard: Dell Inc. | | 0WG855
Processor: Intel® Core™2 CPU 6600 @ 2.40GHz | Microprocessor | 2394/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 223 GiB total, 156.615 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.864 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 233 GiB total, 207.269 GiB free.
H: is CDROM ()
I: is FIXED (NTFS) - 466 GiB total, 157.274 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {50127dc3-0f36-415e-a6cc-4cb3be910b65}
Description: Intel Processor
Device ID: ACPI\GENUINEINTEL_-_X86_FAMILY_6_MODEL_15\_0
Manufacturer: Intel
Name: Intel® Core™2 CPU 6600 @ 2.40GHz
PNP Device ID: ACPI\GENUINEINTEL_-_X86_FAMILY_6_MODEL_15\_0
Service: intelppm

Class GUID: {50127dc3-0f36-415e-a6cc-4cb3be910b65}
Description: Intel Processor
Device ID: ACPI\GENUINEINTEL_-_X86_FAMILY_6_MODEL_15\_1
Manufacturer: Intel
Name: Intel® Core™2 CPU 6600 @ 2.40GHz
PNP Device ID: ACPI\GENUINEINTEL_-_X86_FAMILY_6_MODEL_15\_1
Service: intelppm

==== System Restore Points ===================


==== Installed Programs ======================

"Nero SoundTrax Help
Ad-Aware
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 7.0
Adobe Reader 8.1.3
Advertising Center
Apple Software Update
AutoUpdate
Avery Wizard 3.1
Cobian Backup 9
Dell Support Center (Support Software)
Dell System Customization Wizard
DirectXInstallService
DivX
Documentation & Support Launcher
DolbyFiles
DVD Shrink 3.2
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.3.2
DVDFab 6.0.1.0 (May 15, 2009)
DVDFab HD Decrypter 3.0.9.6
EMC 10 Content
EPSON Printer Software
EPSON Scan
Games, Music, & Photos Launcher
Gammacoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImagXpress
Intel® Matrix Storage Manager
Intel® Viiv™ Software
Internet Service Offers Launcher
IrfanView (remove only)
iTunes
Java™ 6 Update 15
KeePass Password Safe 1.09
LightScribe 1.6.45.1
Livestation
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Small Business Image Uploader
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Works
Microsoft XML Parser
Movie Templates - Starter Kit
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 4.0 SP2 Parser and SDK
Nero 8
Nero 9
Nero BackItUp
Nero BackItUp 4
Nero Burning ROM Help
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express Help
Nero InfoTool
Nero Installer
Nero Live
Nero Live Help
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
neroxml
Netflix Movie Viewer
NVIDIA Drivers
PDF reDirect (remove only)
QuickBooks
QuickBooks Pro 2009
R-Wipe&Clean 8.6
Registry Mechanic 7.0
Revo Uninstaller 1.83
Roxio Activation Module
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
SigmaTel Audio
SmartSound Quicktracks Plugin
Sophos Anti-Rootkit 1.5.0
SoundTrax
Spelling Dictionaries Support For Adobe Reader 8
Spy Sweeper Core
Spybot - Search & Destroy
SpywareBlaster 4.2
SupportSoft Assisted Service
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb971933)
URL Assistant
User's Guides
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2005 Tools for Office Second Edition Runtime
XviD MPEG-4 Video Codec

==== End Of File ===========================

Edited by Rockwil, 08 September 2009 - 09:56 AM.
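When a helper reads the SERVICES / DRIVERS section of a DDS log like the one above, the first pass is mechanical: look for images that load from a temp directory, images that are .tmp files, and entries DDS could not stat (it prints "[?]" instead of a date and size). The script below is an added example, not part of this thread and not code from the DDS tool; the flagging rules are the editor's own triage heuristics, and the sample input is copied from the log above. The flags are hints to investigate, not verdicts: a missing file usually means a stale entry left by an uninstaller, and the MEMSWEEP2 entry backed by a .tmp driver is consistent with the Sophos Anti-Rootkit install that the "Created Last 30" section records a few minutes before those .tmp files appeared.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log (added example, not DDS code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-21 64160]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-20 1153368]
S2 0176861239911225mcinstcleanup;McAfee Application Installer Cleanup (0176861239911225);c:\windows\temp\017686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 SessionLauncher;SessionLauncher;c:\users\bob\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\bob\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B871.tmp [2009-8-23 6144]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
"""

# DDS line layout: "<R|S><start type> <name>;<display name>;<image path> [<date> <size>]" or "[?]".
LINE_RE = re.compile(r"^(?P<flag>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# First drive-letter path ending in a loadable image extension (quotes and arguments ignored).
PATH_RE = re.compile(r'[a-z]:\\[^"\[]*?\.(?:exe|sys|dll|tmp)\b', re.I)
# Trailing "[YYYY-M-D size]" that DDS prints when it could stat the file.
STAT_RE = re.compile(r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$")


@dataclass
class ServiceEntry:
    flag: str               # R = running, S = stopped; digit = start type (0 boot ... 4 disabled)
    name: str
    display: str
    image: Optional[str]    # resolved on-disk image path, if one could be extracted
    file_found: bool        # False when DDS printed "[?]" instead of date/size
    size: Optional[int]
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # DDS prints "<registry image path> --> <resolved path>"; prefer the resolved one.
    if "-->" in rest:
        rest = rest.split("-->", 1)[1]
    pm = PATH_RE.search(rest)
    sm = STAT_RE.search(rest)
    return ServiceEntry(
        flag=m.group("flag"),
        name=m.group("name"),
        display=m.group("display"),
        image=pm.group(0) if pm else None,
        file_found=sm is not None,
        size=int(sm.group("size")) if sm else None,
    )


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach the editor's heuristic findings to an entry (hints, not a malware verdict)."""
    img = (entry.image or "").lower()
    base = img.rsplit("\\", 1)[-1]
    if "\\temp\\" in img or "\\tmp\\" in img:
        entry.findings.append("image loads from a temp directory")
    if base.endswith(".tmp"):
        entry.findings.append("image is a .tmp file")
    if not entry.file_found:
        entry.findings.append("file not found on disk when DDS ran ([?])")
    # A boot-start (type 0) kernel driver loads before most security tools, so any
    # other finding on it deserves a closer look than the same finding on a user service.
    if entry.flag.endswith("0") and img.endswith(".sys") and entry.findings:
        entry.findings.append("boot-start driver: loads before most security tools")
    return entry


def triage_log(text: str) -> List[ServiceEntry]:
    """Parse and triage every service/driver line in a DDS log fragment."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [triage(e) for e in parsed if e is not None]


def suspicious(text: str) -> List[str]:
    """Names of entries that picked up at least one finding, in log order."""
    return [e.name for e in triage_log(text) if e.findings]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        status = "FLAG" if e.findings else "ok  "
        print(f"{status} {e.flag} {e.name:32} {e.image}")
        for f in e.findings:
            print(f"         - {f}")
```

Run it on a saved DDS log by reading the file into `triage_log` instead of `SAMPLE_LOG`; on the sample, the Lbd and Spybot entries come back clean, the two "[?]" entries under temp paths and the .tmp-backed MEMSWEEP2 driver are flagged, and the Roxio entry is flagged only for the missing file.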


#7 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 10 September 2009 - 01:48 PM

Hi Rockwil,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#8 Rockwil

  • Topic Starter
  • Members
  • 26 posts

Posted 10 September 2009 - 06:09 PM

Hello FARBAR, and thank you for helping out. I downloaded and saved ComboFix to my desktop. I disabled McAfee. ComboFix was run in Safe Mode with Networking. I didn't get a log to paste, but a popup screen that listed the following:

C:\Windows\System32\ESQULqernvhylibkupmhpuiqaxghdxoymoufb.dll

C:\Windows\System32\drivers\ESQULgripcvayfijcuhntryocmcxheviqxebr.sys

C:\Windows\System32\ESQULykpxpxcoeixybbcsbvxanrwfyjpxpwsu.dll

C:\Windows\System32\drivers\ESQULgripcvayfijcuhntryocmcxheviqxebr.sys

C:\Windows\System32\ESQULqernvhylibkupmhpuiqaxghdxoymoufb.dll

C:\Windows\System32\ESQULykpxpxcoeixybbcsbvxanrwfyjpxpwsu.dll

The popup box noted that the system would reboot but that I should copy down the files for possible later use. I copied the names and clicked OK. The system started to reboot and I brought it up in Safe Mode with Networking. No other log or report was produced after the system came back.

These files are the same that came up in the Root Repeal report in the first post of this thread. I am bringing the system up in Safe Mode with Networking because I can't get to the internet in Normal mode. Also, my printers are still not available in Normal or Safe Mode.

Edited by Rockwil, 10 September 2009 - 06:11 PM.


#9 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 10 September 2009 - 06:18 PM

Let's see if there is a log:

Please go to start -> Run.
  • Copy and paste the bold line in the run-box and click OK:

    C:\ComboFix.txt

  • If a text file opens up, copy and paste the content to your reply.


#10 Rockwil

  • Topic Starter
  • Members
  • 26 posts

Posted 10 September 2009 - 09:00 PM

Hi FARBAR,

I got a popup that Windows could not find Combo.txt. I did find a Bug.txt file and here it is:

Edited by farbar, 11 September 2009 - 02:42 AM.


#11 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 September 2009 - 02:52 AM

Hi Rockwil,

Thank you for the log you posted. I edited the post and removed the unneeded log because it makes it more difficult to review the logs later on.

Please run ComboFix, preferably in normal mode, unless it did not run in normal mode. Either way, please let ComboFix reboot to normal mode and produce the log. ComboFix starts deleting those files and writes a log only if you let it go into normal mode. After letting ComboFix reboot and do its job, if you still have no internet connection in normal mode you can reboot again to safe mode with networking to post the log.

From now on, please don't run any tool in safe mode unless it is mentioned, and don't reboot to safe mode when the tools are going to reboot to delete the files.

Thanks for your effort, you are doing fine and we are going to clean this.

#12 Rockwil

  • Topic Starter
  • Members
  • 26 posts

Posted 11 September 2009 - 06:00 AM

Hello farbar,

I ran ComboFix in normal mode and it seemed to have gone to a good completion. I now have an internet connection and my printers are back. After ComboFix rebooted the system I was not able to open anything: McAfee, Windows Explorer, Firefox. I received the same message each time I clicked on them: "An illegal operation attempted on a registry key that has been marked for deletion." So, since I would have to reboot to go into Safe Mode to post the ComboFix.txt, I decided to let it go into Normal Mode. When the system came up, Spybot started giving me messages about registry entry changes. I denied one change called NoDrives. It started giving me other change messages and I allowed them, thinking these were probably from ComboFix. Right or wrong, I allowed the changes except for the NoDrives one. I don't know what that was for, but if it was part of ComboFix I will run it again, of course under your direction. After I rebooted and answered the Spybot messages I was able to open McAfee, Firefox, and Windows Explorer. I now have an internet connection in normal mode and my printers are back. I haven't tried printing anything, but at least they are there.

So, to sum up, do I need to run ComboFix again because I denied a change? I have an internet connection in Safe Mode and my printers are back. Seems like I am on my way back to a virus-free PC, and for that I thank you and all of the folks at Bleeping Computer. Here is the ComboFix.txt, and I will await further instructions.

ComboFix 09-09-10.03 - Bob 09/11/2009 5:48.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.965 [GMT -4:00]
Running from: c:\users\Bob\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-1471400044-3889847437-394969636-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\users\Bob\AppData\Roaming\inst.exe
c:\windows\Installer\14b3a6f.msi
c:\windows\Installer\49d337.msi
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\ESQULgripcvayfijcuhntryocmcxheviqxebr.sys
c:\windows\System32\ESQULqernvhylibkupmhpuiqaxghdxoymoufb.dll
c:\windows\system32\ESQULykpxpxcoeixybbcsbvxanrwfyjpxpwsu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-04 11:00 . 2009-09-04 11:00 -------- d-----w- c:\programdata\NOS
2009-09-04 11:00 . 2009-09-04 11:00 -------- d-----w- c:\program files\NOS
2009-08-24 09:27 . 2009-08-24 10:02 -------- d-----w- c:\program files\Runtime Software
2009-08-24 09:15 . 2009-08-24 09:15 -------- d-----w- c:\programdata\Cobian
2009-08-24 09:14 . 2009-08-24 10:20 -------- d-----w- c:\program files\Cobian Backup 9
2009-08-24 04:12 . 2009-08-24 04:12 -------- d-----w- C:\found.000
2009-08-23 23:47 . 2009-08-23 23:47 -------- d-----w- c:\program files\Sophos
2009-08-22 22:20 . 2009-08-22 22:21 15 ----a-w- c:\windows\system32\settings.dat
2009-08-22 18:50 . 2009-08-22 18:50 -------- d-----w- c:\users\Bob\AppData\Roaming\Malwarebytes
2009-08-22 18:36 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 18:36 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 18:24 . 2009-08-22 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 18:24 . 2009-08-22 18:24 -------- d-----w- c:\programdata\Malwarebytes
2009-08-22 02:44 . 2009-08-22 02:44 -------- d-----w- c:\programdata\Webroot
2009-08-21 17:25 . 2009-08-21 17:25 -------- d-----w- c:\program files\MSSOAP
2009-08-21 17:25 . 2009-08-21 17:25 -------- d-----w- c:\program files\Webroot
2009-08-21 17:23 . 2009-08-21 17:23 164 ----a-w- c:\windows\install.dat
2009-08-21 17:10 . 2009-08-21 17:10 -------- d-----w- c:\program files\SpywareBlaster
2009-08-20 23:33 . 2009-08-22 02:42 -------- d-----w- c:\program files\Trend Micro
2009-08-20 21:19 . 2009-08-21 19:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-20 21:15 . 2009-08-22 12:02 -------- d-----w- c:\programdata\Norton
2009-08-20 21:15 . 2009-08-22 12:02 -------- d-----w- c:\programdata\Symantec
2009-08-20 21:15 . 2009-08-20 21:15 -------- d-----w- c:\programdata\NortonInstaller
2009-08-20 21:12 . 2009-08-20 21:13 -------- d-----w- c:\program files\AVG
2009-08-20 21:07 . 2009-08-20 21:07 -------- d-----w- c:\users\Bob\AppData\Roaming\AVG8
2009-08-20 17:30 . 2009-08-20 21:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-20 17:30 . 2009-08-20 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-20 16:06 . 2009-08-20 23:39 -------- d-----w- c:\users\Bob\.housecall6.6
2009-08-20 14:52 . 2009-08-20 14:52 -------- d-----w- c:\users\Bob\AppData\Local\Mozilla
2009-08-20 14:38 . 2009-08-20 14:38 -------- d-----w- c:\program files\VS Revo Group
2009-08-20 13:59 . 2009-08-20 13:59 -------- d-----w- c:\windows\Sun
2009-08-20 13:39 . 2009-08-20 13:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-20 12:43 . 2009-08-20 12:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-20 12:43 . 2009-08-20 12:43 -------- d-----w- c:\users\Bob\AppData\Roaming\SUPERAntiSpyware.com
2009-08-20 12:42 . 2009-08-20 12:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-20 10:44 . 2009-09-08 15:22 680 ----a-w- c:\users\Bob\AppData\Local\d3d9caps.dat
2009-08-20 10:14 . 2009-08-20 10:14 -------- d-----w- c:\programdata\SITEguard
2009-08-20 10:06 . 2009-08-20 13:13 -------- d-----w- c:\program files\STOPzilla!
2009-08-20 10:06 . 2009-08-20 13:13 -------- d-----w- c:\programdata\STOPzilla!
2009-08-19 11:48 . 2009-08-19 11:48 133592 ----a-w- c:\users\Bob\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-18 10:06 . 2009-08-18 10:06 -------- d-----w- c:\program files\Gammacoder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 09:32 . 2007-04-26 10:29 -------- d-----w- c:\users\Bob\AppData\Roaming\R-Wipe&Clean
2009-09-08 15:23 . 2007-02-21 19:44 -------- d-----w- c:\programdata\DVD Shrink
2009-08-22 11:50 . 2007-02-09 00:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-20 16:01 . 2007-03-05 10:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-20 15:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-20 13:39 . 2007-02-09 00:54 -------- d-----w- c:\program files\Java
2009-08-19 06:01 . 2007-11-16 11:55 -------- d-----w- c:\programdata\R-Wipe&Clean
2009-08-19 00:48 . 2007-02-20 03:52 -------- d-----w- c:\programdata\Apple Computer
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-18 16:48 . 2008-02-09 04:12 -------- d-----w- c:\programdata\Microsoft Help
2009-07-18 16:47 . 2007-02-09 01:03 -------- d-----w- c:\program files\Microsoft Works
2009-07-17 13:54 . 2009-08-20 15:13 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-20 15:13 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-20 15:13 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-20 15:13 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-20 15:13 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-06-18 16:54 . 2009-08-23 23:53 6144 ------w- c:\windows\system32\B871.tmp
2009-06-18 16:54 . 2009-08-23 23:53 6144 ------w- c:\windows\system32\B851.tmp
2009-06-18 16:54 . 2009-08-23 23:51 6144 ------w- c:\windows\system32\F2FF.tmp
2009-06-18 16:54 . 2009-08-23 23:48 6144 ------w- c:\windows\system32\12DF.tmp
2009-06-18 16:54 . 2009-08-23 23:48 6144 ------w- c:\windows\system32\12BF.tmp
2009-06-18 16:54 . 2009-08-23 23:47 6144 ------w- c:\windows\system32\B37F.tmp
2009-06-17 16:47 . 2009-06-17 16:47 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-17 16:47 . 2009-06-17 16:47 47360 ----a-w- c:\users\Bob\AppData\Roaming\pcouffin.sys
2009-06-15 23:15 . 2009-08-20 15:13 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-15 14:54 . 2009-08-20 15:13 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-06-15 14:53 . 2009-07-18 16:42 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:53 . 2009-08-20 15:13 72704 ----a-w- c:\windows\system32\secur32.dll
2009-06-15 14:53 . 2009-08-20 15:13 270848 ----a-w- c:\windows\system32\schannel.dll
2009-06-15 14:53 . 2009-08-20 15:13 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-15 14:52 . 2009-08-20 15:13 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-15 14:52 . 2009-07-18 16:42 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-08-20 15:13 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-06-15 14:52 . 2009-07-18 16:42 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-18 16:42 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:48 . 2009-08-20 15:13 9728 ----a-w- c:\windows\system32\lsass.exe
2009-06-15 12:42 . 2009-07-18 16:43 289792 ----a-w- c:\windows\system32\atmfd.dll
2007-02-09 08:45 . 2007-02-09 08:44 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-02-28 132392]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"NBKeyScan"="c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe" [2008-09-17 2254120]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-20 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2006-11-22 303104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-12 984352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0RwcLkRen c:\windows\system32\RwcLkCfg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8e,b3,80,fb,cf,07,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.73.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.73.1\Livestation.exe
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.75.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.75.1\Livestation.exe
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.77.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.77.1\Livestation.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9BCCF815-EB61-453A-9261-72203E7E1AD2}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{99A5CD2B-46E1-4E3D-85E7-229EBE3100C4}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{DA79750F-5141-45B7-8603-EDCE2CD0F8D1}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{D648C44F-260E-4EF4-A447-0AE3A5696436}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{AC35943E-7081-4021-A7F9-CDAFFEBF97C4}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{9EE19352-D7D3-4808-8296-C0E79B867668}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{3B928C47-D697-45D6-9DE1-391F3C41DCA6}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{366D6884-4D1B-490F-AE68-922B796EDF9F}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{C62FBF68-A8F9-4F5B-BE63-7621CA1D9B34}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{3F293929-6328-45F5-A444-ED78F8769D64}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{EDBE98E2-0F13-41B0-9369-7343B48A143A}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{8A5F9755-583E-4C04-8385-A6D82B8383C4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{89342A05-46CA-4275-9ED4-32417D16DE97}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{42873673-D86B-4BCC-BBDC-E5AC053D5A7B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{F5BD8727-3BEA-4BD5-B5E0-D9E57708E9B2}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{38A5176D-9BA5-48AF-9E7F-595745106EAF}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6259271E-B5D8-4343-BF38-4B11E25BDFAF}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{E49DB958-D39B-4A2F-AC00-C2C07E3AB282}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{DF1324EA-4106-4D70-A945-7FB2168A2B03}"= UDP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{62487421-CA15-488E-9957-22C3F06F66C2}"= TCP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"TCP Query User{96151A92-44FB-49F4-96A5-FCF593A5827F}c:\\program files\\mcafee\\mbk\\mcafeedatabackup.exe"= UDP:c:\program files\mcafee\mbk\mcafeedatabackup.exe:McAfee Data Backup
"UDP Query User{294512F2-7FA6-441A-A4F3-E92E7ADAAFCD}c:\\program files\\mcafee\\mbk\\mcafeedatabackup.exe"= TCP:c:\program files\mcafee\mbk\mcafeedatabackup.exe:McAfee Data Backup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.73.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.73.1\Livestation.exe
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.75.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.75.1\Livestation.exe
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.77.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.77.1\Livestation.exe

R0 c2scsi;c2scsi;c:\windows\System32\drivers\C2SCSI.SYS [8/9/2006 3:49 AM 248568]
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/21/2009 6:49 PM 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\System32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 10:03 AM 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 5:37 PM 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 4:49 PM 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [8/20/2009 1:30 PM 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [2/8/2007 8:59 PM 5504]
S2 0176861239911225mcinstcleanup;McAfee Application Installer Cleanup (0176861239911225);c:\windows\TEMP\017686~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\017686~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S2 SessionLauncher;SessionLauncher;c:\users\Bob\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\Bob\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\System32\drivers\epusbsto.sys [3/1/2007 10:05 PM 17976]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [10/22/2008 8:09 AM 21504]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\System32\B871.tmp [8/23/2009 7:53 PM 6144]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:57]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-14 17:32]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-14 17:32]

2009-09-11 c:\windows\Tasks\User_Feed_Synchronization-{86C2122F-326C-4851-B803-871AEDE1D0C7}.job
- c:\windows\system32\msfeedssync.exe [2008-10-22 03:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6070209
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\memebercenter.office
Trusted Zone: veoh.com\www
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\1pro6vr6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.com/en-US/firefox/personal.html
FF - plugin: c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\1pro6vr6.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B871.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\System32\IoctlSvc.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MSC\mcuimgr.exe
c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe
.
**************************************************************************
.
Completion time: 2009-09-11 6:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 10:06

Pre-Run: 159,694,802,944 bytes free
Post-Run: 159,078,486,016 bytes free

296 --- E O F --- 2009-08-20 15:16

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:02 AM

Posted 11 September 2009 - 06:26 AM

Well done. :thumbup2:
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop.
      • Double-click ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Go to Start > Control Panel > Windows Defender.
    • Open Windows Defender.
    • Click on Tools, Options.
    • At the bottom of the Windows Defender page, under Administrator Options uncheck "use Windows Defender" and then Save.
    • Click Close.
    Note: When everything is done and your log is clean again, you can enable it again.

  • Consult this page to disable ad-watch:
    HOW TO TURN OFF AD-WATCH

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
    00,00
    
    Rootkit::
    c:\windows\system32\RwcLkCfg

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
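
The CFScript above rewrites BootExecute back to its stock value so the RwcLkRen entry no longer runs at boot. The following is an added example, not part of the thread or of ComboFix, showing how to decode the hex(7) value in that script, parse the BootExecute line from the earlier ComboFix log, and flag the entries that are not the Windows default. The sample inputs are constructed from the values quoted in this thread; the assumption that the stock Vista BootExecute is the single entry "autocheck autochk *" is noted in the code.

```python
import re
from typing import List

# Constructed sample inputs taken from the ComboFix log and the CFScript quoted
# in this thread. ComboFix prints a REG_MULTI_SZ value with its entries
# separated by a literal backslash-zero.
COMBOFIX_BOOTEXECUTE_LINE = (
    r"BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete"
    r"\0RwcLkRen c:\windows\system32\RwcLkCfg"
)
CFSCRIPT_BOOTEXECUTE_VALUE = (
    "hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\\\n00,00"
)

# Assumption: the stock BootExecute value on Windows 2000 through Vista is the
# single entry that runs the boot-time disk check. Anything else was added by
# software (legitimate or not), so a reviewer wants to see it listed.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]


def parse_combofix_multi_sz(line: str) -> List[str]:
    """Split a ComboFix 'NAME REG_MULTI_SZ v1\\0v2...' line into its entries."""
    _, sep, value = line.partition(" REG_MULTI_SZ ")
    if not sep:
        raise ValueError("not a ComboFix REG_MULTI_SZ line")
    return [entry for entry in value.split(r"\0") if entry]


def parse_reg_hex7(text: str) -> List[str]:
    """Decode a REGEDIT4-style hex(7) value (REG_MULTI_SZ) into its entries.

    Accepts the value with or without the 'hex(7):' prefix and with the ',\\'
    line continuations a .reg file or CFScript uses. In REGEDIT4 format the
    strings are ANSI (one byte per character); each entry is NUL-terminated
    and the whole list ends with one extra NUL.
    """
    text = text.strip()
    if text.lower().startswith("hex(7):"):
        text = text[len("hex(7):"):]
    digits = re.sub(r"[\s\\,]", "", text)
    raw = bytes.fromhex(digits)
    return [chunk.decode("cp1252") for chunk in raw.split(b"\x00") if chunk]


def to_reg_hex7(entries: List[str], per_line: int = 19) -> str:
    """Encode entries as a REGEDIT4 hex(7) value with ',\\' line continuations."""
    raw = "\x00".join(entries).encode("cp1252") + b"\x00\x00"
    octets = [f"{b:02x}" for b in raw]
    lines = [",".join(octets[i:i + per_line])
             for i in range(0, len(octets), per_line)]
    return "hex(7):" + ",\\\n".join(lines)


def nondefault_bootexecute(entries: List[str]) -> List[str]:
    """Return the BootExecute entries that are not part of the stock value."""
    stock = {d.lower() for d in DEFAULT_BOOTEXECUTE}
    return [e for e in entries if e.strip().lower() not in stock]


if __name__ == "__main__":
    before = parse_combofix_multi_sz(COMBOFIX_BOOTEXECUTE_LINE)
    print("BootExecute before the fix:", before)
    print("  non-default entries:", nondefault_bootexecute(before))
    after = parse_reg_hex7(CFSCRIPT_BOOTEXECUTE_VALUE)
    print("BootExecute written by the CFScript:", after)
    print("  non-default entries:", nondefault_bootexecute(after))
    # Encoding the stock entry reproduces the CFScript's hex(7) line exactly.
    print("  round-trip matches CFScript:",
          to_reg_hex7(after) == CFSCRIPT_BOOTEXECUTE_VALUE)
```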


#14 Rockwil

Rockwil
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 11 September 2009 - 07:43 AM

Hello farbar,

Windows Defender was not turned on, so I had nothing to do there. I turned off SPYBOT as directed. For AdWatch I had to go into the AdWatch section of AdAware to turn it off. I rebooted after turning off SPYBOT, and I also disabled McAfee. Moved the script into Combofix. Combofix ran, rebooted the system and produced the log. When I tried to open McAfee and Firefox I received the same messages as before: "Illegal operation attempted on a registry key that has been marked for deletion."

I rebooted the system, and since SPYBOT was turned off I didn't receive any messages. Here is the Combofix. Again, thank you for your patience and continuing help.

ComboFix 09-09-10.03 - Bob 09/11/2009 8:01.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1250 [GMT -4:00]
Running from: c:\users\Bob\Desktop\ComboFix.exe
Command switches used :: c:\users\Bob\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 12:10 . 2009-09-11 12:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-11 12:10 . 2009-09-11 12:10 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-09-11 12:10 . 2009-09-11 12:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-04 11:00 . 2009-09-04 11:00 -------- d-----w- c:\programdata\NOS
2009-09-04 11:00 . 2009-09-04 11:00 -------- d-----w- c:\program files\NOS
2009-08-24 09:27 . 2009-08-24 10:02 -------- d-----w- c:\program files\Runtime Software
2009-08-24 09:15 . 2009-08-24 09:15 -------- d-----w- c:\programdata\Cobian
2009-08-24 09:14 . 2009-08-24 10:20 -------- d-----w- c:\program files\Cobian Backup 9
2009-08-24 04:12 . 2009-08-24 04:12 -------- d-----w- C:\found.000
2009-08-23 23:47 . 2009-08-23 23:47 -------- d-----w- c:\program files\Sophos
2009-08-22 22:20 . 2009-08-22 22:21 15 ----a-w- c:\windows\system32\settings.dat
2009-08-22 18:50 . 2009-08-22 18:50 -------- d-----w- c:\users\Bob\AppData\Roaming\Malwarebytes
2009-08-22 18:36 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 18:36 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 18:24 . 2009-08-22 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 18:24 . 2009-08-22 18:24 -------- d-----w- c:\programdata\Malwarebytes
2009-08-22 02:44 . 2009-08-22 02:44 -------- d-----w- c:\programdata\Webroot
2009-08-21 17:25 . 2009-08-21 17:25 -------- d-----w- c:\program files\MSSOAP
2009-08-21 17:25 . 2009-08-21 17:25 -------- d-----w- c:\program files\Webroot
2009-08-21 17:23 . 2009-08-21 17:23 164 ----a-w- c:\windows\install.dat
2009-08-21 17:10 . 2009-08-21 17:10 -------- d-----w- c:\program files\SpywareBlaster
2009-08-20 23:33 . 2009-08-22 02:42 -------- d-----w- c:\program files\Trend Micro
2009-08-20 21:19 . 2009-08-21 19:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-20 21:15 . 2009-08-22 12:02 -------- d-----w- c:\programdata\Norton
2009-08-20 21:15 . 2009-08-22 12:02 -------- d-----w- c:\programdata\Symantec
2009-08-20 21:15 . 2009-08-20 21:15 -------- d-----w- c:\programdata\NortonInstaller
2009-08-20 21:12 . 2009-08-20 21:13 -------- d-----w- c:\program files\AVG
2009-08-20 21:07 . 2009-08-20 21:07 -------- d-----w- c:\users\Bob\AppData\Roaming\AVG8
2009-08-20 17:30 . 2009-09-11 11:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-20 17:30 . 2009-08-20 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-20 16:06 . 2009-08-20 23:39 -------- d-----w- c:\users\Bob\.housecall6.6
2009-08-20 14:52 . 2009-08-20 14:52 -------- d-----w- c:\users\Bob\AppData\Local\Mozilla
2009-08-20 14:38 . 2009-08-20 14:38 -------- d-----w- c:\program files\VS Revo Group
2009-08-20 13:59 . 2009-08-20 13:59 -------- d-----w- c:\windows\Sun
2009-08-20 13:39 . 2009-08-20 13:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-20 12:43 . 2009-08-20 12:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-20 12:43 . 2009-08-20 12:43 -------- d-----w- c:\users\Bob\AppData\Roaming\SUPERAntiSpyware.com
2009-08-20 12:42 . 2009-08-20 12:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-20 10:44 . 2009-09-08 15:22 680 ----a-w- c:\users\Bob\AppData\Local\d3d9caps.dat
2009-08-20 10:14 . 2009-08-20 10:14 -------- d-----w- c:\programdata\SITEguard
2009-08-20 10:06 . 2009-08-20 13:13 -------- d-----w- c:\program files\STOPzilla!
2009-08-20 10:06 . 2009-08-20 13:13 -------- d-----w- c:\programdata\STOPzilla!
2009-08-19 11:48 . 2009-08-19 11:48 133592 ----a-w- c:\users\Bob\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-18 10:06 . 2009-08-18 10:06 -------- d-----w- c:\program files\Gammacoder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 11:25 . 2007-02-21 19:44 -------- d-----w- c:\programdata\DVD Shrink
2009-09-11 09:32 . 2007-04-26 10:29 -------- d-----w- c:\users\Bob\AppData\Roaming\R-Wipe&Clean
2009-08-22 11:50 . 2007-02-09 00:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-20 16:01 . 2007-03-05 10:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-20 15:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-20 13:39 . 2007-02-09 00:54 -------- d-----w- c:\program files\Java
2009-08-19 06:01 . 2007-11-16 11:55 -------- d-----w- c:\programdata\R-Wipe&Clean
2009-08-19 00:48 . 2007-02-20 03:52 -------- d-----w- c:\programdata\Apple Computer
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-18 17:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-18 16:48 . 2008-02-09 04:12 -------- d-----w- c:\programdata\Microsoft Help
2009-07-18 16:47 . 2007-02-09 01:03 -------- d-----w- c:\program files\Microsoft Works
2009-07-17 13:54 . 2009-08-20 15:13 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-20 15:13 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-20 15:13 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-20 15:13 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-20 15:13 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-06-18 16:54 . 2009-08-23 23:53 6144 ------w- c:\windows\system32\B871.tmp
2009-06-18 16:54 . 2009-08-23 23:53 6144 ------w- c:\windows\system32\B851.tmp
2009-06-18 16:54 . 2009-08-23 23:51 6144 ------w- c:\windows\system32\F2FF.tmp
2009-06-18 16:54 . 2009-08-23 23:48 6144 ------w- c:\windows\system32\12DF.tmp
2009-06-18 16:54 . 2009-08-23 23:48 6144 ------w- c:\windows\system32\12BF.tmp
2009-06-18 16:54 . 2009-08-23 23:47 6144 ------w- c:\windows\system32\B37F.tmp
2009-06-17 16:47 . 2009-06-17 16:47 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-17 16:47 . 2009-06-17 16:47 47360 ----a-w- c:\users\Bob\AppData\Roaming\pcouffin.sys
2009-06-15 23:15 . 2009-08-20 15:13 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-15 14:54 . 2009-08-20 15:13 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-06-15 14:53 . 2009-07-18 16:42 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:53 . 2009-08-20 15:13 72704 ----a-w- c:\windows\system32\secur32.dll
2009-06-15 14:53 . 2009-08-20 15:13 270848 ----a-w- c:\windows\system32\schannel.dll
2009-06-15 14:53 . 2009-08-20 15:13 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-15 14:52 . 2009-08-20 15:13 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-15 14:52 . 2009-07-18 16:42 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-08-20 15:13 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-06-15 14:52 . 2009-07-18 16:42 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-18 16:42 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:48 . 2009-08-20 15:13 9728 ----a-w- c:\windows\system32\lsass.exe
2009-06-15 12:42 . 2009-07-18 16:43 289792 ----a-w- c:\windows\system32\atmfd.dll
2007-02-09 08:45 . 2007-02-09 08:44 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-09-11_10.01.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-02-09 01:16 . 2009-09-11 12:14 70514 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-11 12:14 80908 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-02-19 12:02 . 2009-09-11 12:14 16256 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1471400044-3889847437-394969636-1002_UserData.bin
+ 2007-02-19 01:33 . 2009-09-11 12:14 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-02-19 01:33 . 2009-09-11 10:01 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-02-19 01:33 . 2009-09-11 12:14 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-19 01:33 . 2009-09-11 10:01 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-19 01:33 . 2009-09-11 10:01 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-02-19 01:33 . 2009-09-11 12:14 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-02-21 12:15 . 2009-09-11 12:11 2900 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-09-11 12:12 . 2009-09-11 12:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-11 09:59 . 2009-09-11 09:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-11 12:12 . 2009-09-11 12:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-09-11 09:59 . 2009-09-11 09:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-02-28 132392]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"NBKeyScan"="c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe" [2008-09-17 2254120]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-20 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2006-11-22 303104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-12 984352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):8e,b3,80,fb,cf,07,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.73.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.73.1\Livestation.exe
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.75.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.75.1\Livestation.exe
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.77.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.77.1\Livestation.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9BCCF815-EB61-453A-9261-72203E7E1AD2}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{99A5CD2B-46E1-4E3D-85E7-229EBE3100C4}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{DA79750F-5141-45B7-8603-EDCE2CD0F8D1}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{D648C44F-260E-4EF4-A447-0AE3A5696436}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{AC35943E-7081-4021-A7F9-CDAFFEBF97C4}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{9EE19352-D7D3-4808-8296-C0E79B867668}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{3B928C47-D697-45D6-9DE1-391F3C41DCA6}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{366D6884-4D1B-490F-AE68-922B796EDF9F}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{C62FBF68-A8F9-4F5B-BE63-7621CA1D9B34}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{3F293929-6328-45F5-A444-ED78F8769D64}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{EDBE98E2-0F13-41B0-9369-7343B48A143A}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{8A5F9755-583E-4C04-8385-A6D82B8383C4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{89342A05-46CA-4275-9ED4-32417D16DE97}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{42873673-D86B-4BCC-BBDC-E5AC053D5A7B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{F5BD8727-3BEA-4BD5-B5E0-D9E57708E9B2}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{38A5176D-9BA5-48AF-9E7F-595745106EAF}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6259271E-B5D8-4343-BF38-4B11E25BDFAF}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{E49DB958-D39B-4A2F-AC00-C2C07E3AB282}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{DF1324EA-4106-4D70-A945-7FB2168A2B03}"= UDP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{62487421-CA15-488E-9957-22C3F06F66C2}"= TCP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"TCP Query User{96151A92-44FB-49F4-96A5-FCF593A5827F}c:\\program files\\mcafee\\mbk\\mcafeedatabackup.exe"= UDP:c:\program files\mcafee\mbk\mcafeedatabackup.exe:McAfee Data Backup
"UDP Query User{294512F2-7FA6-441A-A4F3-E92E7ADAAFCD}c:\\program files\\mcafee\\mbk\\mcafeedatabackup.exe"= TCP:c:\program files\mcafee\mbk\mcafeedatabackup.exe:McAfee Data Backup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.73.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.73.1\Livestation.exe
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.75.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.75.1\Livestation.exe
"c:\\PROGRAM FILES\\LIVESTATION\\1.0.77.1\\LIVESTATION.EXE"= c:\program files\Livestation\1.0.77.1\Livestation.exe

R0 c2scsi;c2scsi;c:\windows\System32\drivers\C2SCSI.SYS [8/9/2006 3:49 AM 248568]
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/21/2009 6:49 PM 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\System32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 10:03 AM 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 5:37 PM 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 4:49 PM 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [8/20/2009 1:30 PM 1153368]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [2/8/2007 8:59 PM 5504]
S2 0176861239911225mcinstcleanup;McAfee Application Installer Cleanup (0176861239911225);c:\windows\TEMP\017686~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\017686~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 SessionLauncher;SessionLauncher;c:\users\Bob\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\Bob\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\System32\drivers\epusbsto.sys [3/1/2007 10:05 PM 17976]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [10/22/2008 8:09 AM 21504]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\System32\B871.tmp [8/23/2009 7:53 PM 6144]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:57]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-14 17:32]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-14 17:32]

2009-09-11 c:\windows\Tasks\User_Feed_Synchronization-{86C2122F-326C-4851-B803-871AEDE1D0C7}.job
- c:\windows\system32\msfeedssync.exe [2008-10-22 03:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6070209
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\memebercenter.office
Trusted Zone: veoh.com\www
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\1pro6vr6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.com/en-US/firefox/personal.html
FF - plugin: c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\1pro6vr6.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B871.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\System32\IoctlSvc.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MSC\mcuimgr.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-09-11 8:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 12:18
ComboFix2.txt 2009-09-11 10:06

Pre-Run: 158,865,342,464 bytes free
Post-Run: 158,822,252,544 bytes free

298 --- E O F --- 2009-08-20 15:16

#15 Farbar

  • Security Developer
  • 21,719 posts
  • Location:The Netherlands

Posted 11 September 2009 - 08:45 AM

Did you apply ResetTeaTimer.exe after disabling Spybot TeaTimer?

Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Tell me also how your computer is running now.



