Solved: Blue Screen of Death (Likely Cause: Malware?)

CouchPotatoGuy (Member with 39 posts; Join Date: Jun 2009; Experience: Beginner)
30-Aug-2009, 02:45 AM #16
Quote:
What Program was it please?
Check your PM.


Quote:
Do you know what these are?
  • C:\Program Files\Causes
  • C:\Program Files\African Safari
Yes, those are facebook applications. Not sure if facebook applications are actually downloaded to the computer. Even still, I'm fairly certain those are harmless.

Quote:
Double check MBAM was renamed and try to run again make sure you right click and choose run as administrator


If no luck please run GMER
  • Download GMER by GMER from one of the links below:
    • Link1
    • Link2
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run a scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
I got to here. (I uninstalled MBAM and removed the installer. I then redownloaded the installer (renaming it "muppy.exe") and reinstalled MBAM. MBAM still didn't work. I'm guessing it's because I'm in safe mode?) (Just to clarify, I was only supposed to rename the installer, not the actual program?) Afterward, I followed the instructions regarding gmer. It did warn me about rootkit activity. I clicked ok (or yes or whatever) and it began scanning. It stopped about 1 minute in saying, "This program has stopped working. Windows is checking for a solution to the problem" or something like that and I had to close the program. When I went to try it again, I got the blue screen error. This was a first. I've never received the error while in safe mode. Maybe it was the program. But maybe it's my computer getting worse with the passage of time (?) (I think they call that a "worm" where the virus keeps copying itself and the computer worsens over time). Anyway, the computer restarted and I tried scanning again. Again the program closed. Again I got the blue screen error. The strange thing is the program closed at about the same time into the scan (maybe even stopping at the same file). I can jot down what program it stops at if that helps. I can also snap a picture of the blue screen error that appears after gmer is closed (I'm not sure if it gives the same info as the picture given in a previous post).

Sorry my computer is so stubborn
muppy03 (Senior Member with 1,881 posts; Join Date: Jun 2006; Location: Australia; Experience: gettin there)
30-Aug-2009, 03:00 AM #17
Hi, I read the PM.

Quote:
Maybe it was the program. But maybe it's my computer getting worse with the passage of time (?)
Very true, so with that in mind please read what is below carefully.

Quote:
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Let's see if Combofix will run, please rename it as described below.

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop. Rename it Combo-fix (include the hyphen).
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/comb...o-use-combofix

Please reply with:-
  • Combofix log
  • New HJT log
__________________
Teacher - Malware Removal University - You too could train to help others

Topics not replied to within 3 days will be removed from my Subscribed Threads List
CouchPotatoGuy (Member with 39 posts; Join Date: Jun 2009; Experience: Beginner)
30-Aug-2009, 04:27 AM #18
I noticed we're now starting to pull out more of the "big guns". I just want to make sure this is necessary before going ahead with it. After doing some research (very brief) on the website mentioned in PM, I found the same blog mentions a solution (by "Panda Security"). I tried the free scan (ActiveScan 2.0). I apologize. I forgot that I'm not supposed to scan unless requested. But it appears to have found the problem. It found some 32 "infected" files and 1 suspicious file. I'm not sure if all the cookies are harmful. But I'm pretty sure the virus, adware, and spyware are harmful.

Panda Security appears to be a legitimate company as it is detailed on Wikipedia as such (HERE). And ActiveScan 2.0 is mentioned as one of their products.

The problem, of course, is that it won't remove the stuff without me paying for the product. Even still, it details the viruses, etc. found. I've attached the log ActiveScan produced.

Just want to make sure all the info is available before we use the more powerful scanners. Again I apologize for scanning. It just seemed like a really good fit. That blog detailed my exact problem and provided a potential solution.
muppy03 (Senior Member with 1,881 posts; Join Date: Jun 2006; Location: Australia; Experience: gettin there)
30-Aug-2009, 09:14 AM #19
1. OK, cookies are a part of everyday internet life and sadly clearing what you have presented will not fix your computer. I like to use ATF for clearing cookies and temp files. Please run it now, and it can be used whenever you feel like it.

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Make sure that all browser windows are closed.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Uncheck Cookies if you do not want them deleted. (If deleted, you will likely need to re-enter your passwords at all sites where a cookie is used to recognize you when you visit.)
  • Click the Empty Selected button.

If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Uncheck Cookies if you do not want them deleted.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Uncheck Cookies if you do not want them deleted.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

2. Re-reading your post I am wondering if you re-named MBAM correctly.

1. Right click Start/Windows Icon in Vista then Click Explore
2. Navigate to: c:\program files\malwarebytes' Anti-Malware Right click on mbam.exe (The one that looks like the desktop icon) - click Rename
3. Type into the name box: muppy.exe

You are actually renaming the .exe not the installer.

See if it will run, post the log if it does.
CouchPotatoGuy (Member with 39 posts; Join Date: Jun 2009; Experience: Beginner)
31-Aug-2009, 02:25 AM #20
Interesting
Alright, I've actually typed this once before but my computer got the blue screen error before I could finish (which is interesting). I'm following the instructions regarding MBAM you wrote in an earlier post.

I cleared the cookies via ATF Cleaner. I renamed MBAM (the program not just the installer). The program was then able to run. When it did, it kept freezing at a spot in the D drive (after scanning the C drive entirely). The spot at which it freezes is always D:\Windows\System32\config\SECURITY

It took me a while because it kept freezing. While scanning, it kept finding exactly 21 infected files (prior to the D drive freeze). I stopped it after it found those files (relatively early in the process) and removed them. I then rescanned just the C drive (since it freezes at the D drive). It found 18 new infected files (that showed up at the end of the scan - way after I had stopped it in the previous scan). So I removed those as well. Finally, I did a HJT scan. All three logs should be attached (mbam1 and mbam2 are the first and second scans (21 infected files and 18 infected files), respectively.

Here's about where I got to in my post. I was about to say that McAfee Security Center has a problem. When I click the "fix" button, it always says that the problem couldn't be fixed due to an error. I thought it was worth mentioning. When I went to double check that the error could not be fixed (now that the infected files were removed), I got the blue screen error. (I double clicked on the small McAfee icon at the bottom right of my screen and the blue screen instantly popped up). This also erased my first attempt to post this.
CouchPotatoGuy (Member with 39 posts; Join Date: Jun 2009; Experience: Beginner)
31-Aug-2009, 02:28 AM #21
Quote:
Originally Posted by CouchPotatoGuy

When I click the "fix" button, it always says that the problem couldn't be fixed due to an error.
I should add that this isn't a new problem. It just was something I forgot to mention before.
muppy03 (Senior Member with 1,881 posts; Join Date: Jun 2006; Location: Australia; Experience: gettin there)
31-Aug-2009, 05:05 AM #22
Can you boot in normal mode now? If so please re-run MBAM in normal mode and post a HJT log also done in normal mode.
CouchPotatoGuy (Member with 39 posts; Join Date: Jun 2009; Experience: Beginner)
31-Aug-2009, 04:26 PM #23
Unfortunately, I'm still unable to boot in normal mode.
CouchPotatoGuy (Member with 39 posts; Join Date: Jun 2009; Experience: Beginner)
01-Sep-2009, 11:32 PM #24
bump
muppy03 (Senior Member with 1,881 posts; Join Date: Jun 2006; Location: Australia; Experience: gettin there)
03-Sep-2009, 04:49 AM #25
Sorry for the delay it was unavoidable.

Please copy and paste all logs rather than post as an attachment.

RootRepeal - Rootkit Detector
  • Download RootRepeal from the following location and save it to your desktop.
  • Unzip it to your Desktop
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • Check the box for your main system drive (usually C), and click OK to start the scan
    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

Please reply with:-
  • RootRepeal.txt
  • New HJT log
CouchPotatoGuy (Member with 39 posts; Join Date: Jun 2009; Experience: Beginner)
03-Sep-2009, 10:14 PM #26
Here are the two requested logs (they're too long to fit in one post):

RootRepeal part 1:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/03 17:37
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8B000000 Size: 815104 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9569A000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\Windows\System32\ESQULicnroirubjrpiikfcxvxwxdshfeqwdtp.dll
Status: Invisible to the Windows API!
Path: C:\Windows\System32\ESQULwhmryijuyseqowoovmosnrrgfbyprwxh.dll
Status: Invisible to the Windows API!
Path: C:\Windows\System32\ESQULzxspectrum
Status: Invisible to the Windows API!
Path: C:\Windows\System32\drivers\ESQULbmostvkpchxvwdruvxengwlbfrxvukxl.sys
Status: Invisible to the Windows API!
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wcf-m_sm_mof_31bf3856ad364e35_6.0.6001.22208_none_c5036e11993b7158\SERVIC~1.UNI
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_h_31bf3856ad364e35_6.0.6000.16708_none_23cb592eb6e076f6\ _SERVI~1.H
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wwf-cwevbtargets_i_31bf3856ad364e35_6.0.6000.16708_none_c3d601207722394b\WORKFL ~1.TAR
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wwf-cwevbtargets_i_31bf3856ad364e35_6.0.6000.20864_none_c41abd3b90741b5f\WORKFL ~1.TAR
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wwf-cwevbtargets_i_31bf3856ad364e35_6.0.6001.18096_none_c558ee00749395e0\WORKFL ~1.TAR
Status: Locked to the Windows API!
CouchPotatoGuy
Member with 39 posts.
Join Date: Jun 2009
Experience: Beginner
03-Sep-2009, 10:15 PM #27
RootRepeal Part 2:

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!
Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULicnroirubjrpiikfcxvxwxdshfeqwdtp.dll]
Process: svchost.exe (PID: 816) Address: 0x10000000 Size: 32768
Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\Windows\system32\drivers\ESQULbmostvkpchxvwdruvxengwlbfrxvukxl.sys
==EOF==
CouchPotatoGuy
Member with 39 posts.
Join Date: Jun 2009
Experience: Beginner
03-Sep-2009, 10:16 PM #28
HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:58 PM, on 9/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Safe mode with network support
Running processes:
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehungersite.com/clickTo...faces?siteId=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {d8608d46-1567-4623-a0b1-bfd9a40bc421} - C:\Program Files\African Safari\Helper.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {969f6d55-0b76-4956-8f31-2a995769e43c} - C:\Program Files\Causes\Helper.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: FCTBPos00Pos - {6521F190-A6C6-44F4-B5AE-1600DF9D6FAB} - C:\Program Files\African Safari\Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: FCTBPos00Pos - {AAAC503B-6F0F-4F48-8055-289B8A5EF5C0} - C:\Program Files\Causes\Toolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: African Safari - {620E8039-805C-4356-9727-0D7A617FADA0} - C:\Program Files\African Safari\Toolbar.dll
O3 - Toolbar: Causes - {5D51B4F2-CC28-4488-9AB3-BE7E40EB3293} - C:\Program Files\Causes\Toolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\muppy.exe.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo 4\MemTurbo.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: PMCRemoteLauncher.lnk = C:\Users\Tad\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9aa9a54af35c0) (gupdate1c9aa9a54af35c0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12587 bytes
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
04-Sep-2009, 09:07 AM #29
Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop. Rename it Combo-fix (include the hyphen).
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/comb...o-use-combofix

Please reply with:-
  • Combofix log
  • New HJT log
__________________
Teacher - Malware Removal University - You too could train to help others

Topics not replied to within 3 days will be removed from my Subscribed Threads List
CouchPotatoGuy
Member with 39 posts.
Join Date: Jun 2009
Experience: Beginner
05-Sep-2009, 02:02 AM #30
Alright, I ran combofix and it saved a log. However, I was unable to run HiJackThis.

While I scanned, this image popped up:



After rebooting, I ran the combofix again (since it hadn't yet scanned). This time it scanned. It took a few minutes so I walked away for a second. When I returned, it was about to restart. After restarting, it saved the log. However, now when I try to run HiJackThis (or any program), it pops up with this message:



(Illegal operation attempted on a registry key that has been marked for deletion).

Here's the Combofix log anyway:

ComboFix 09-09-03.02 - Tad 09/04/2009 21:14.1.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1629 [GMT -7:00]
Running from: c:\users\Tad\Desktop\Combo-fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\$recycle.bin\S-1-5-21-3688192189-393838976-3506527395-1001
c:\$recycle.bin\S-1-5-21-3688192189-393838976-3506527395-500
c:\windows\emMON.exe
c:\windows\System32\drivers\ESQULbmostvkpchxvwdruvxengwlbfrxvukxl.sys
c:\windows\system32\ESQULicnroirubjrpiikfcxvxwxdshfeqwdtp.dll
c:\windows\system32\ESQULwhmryijuyseqowoovmosnrrgfbyprwxh.dll
c:\windows\system32\oem7.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ESQULserv.sys
-------\Service_ESQULserv.sys

((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.
2009-09-05 04:23 . 2009-09-05 04:23 -------- d-----w- c:\users\Tad\AppData\Local\temp
2009-08-31 01:59 . 2009-08-31 01:59 -------- d-----w- c:\users\Tad\AppData\Roaming\Malwarebytes
2009-08-31 01:58 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 01:58 . 2009-08-31 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 01:58 . 2009-08-31 01:58 -------- d-----w- c:\programdata\Malwarebytes
2009-08-31 01:58 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 05:59 . 2009-09-05 03:44 -------- d-----w- c:\program files\Panda Security
2009-08-30 02:10 . 2009-08-30 02:10 -------- d-----w- C:\rsit
2009-08-28 02:42 . 2009-08-28 02:42 -------- d-----w- c:\users\Tad\AppData\Roaming\Sammsoft
2009-08-28 02:42 . 2009-08-28 02:42 -------- d-----w- c:\program files\MemTurbo 4
2009-08-28 02:42 . 2009-08-28 02:42 -------- d-----w- c:\program files\Advanced Registry Optimizer
2009-08-15 02:24 . 2009-08-14 04:09 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-14 08:03 . 2009-08-14 08:03 -------- d-----w- c:\program files\Trend Micro
2009-08-14 04:09 . 2009-08-15 02:24 -------- d-----w- c:\users\Tad\.housecall6.6
2009-08-14 01:06 . 2009-08-14 01:06 -------- d-----w- c:\windows\Sun
2009-08-12 01:34 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 01:34 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 01:34 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 01:34 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 01:34 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 01:34 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-12 01:34 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 01:34 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-10 05:05 . 2009-08-10 05:06 -------- d-----w- c:\program files\Causes
2009-08-08 00:31 . 2009-08-08 00:31 -------- d-----w- c:\program files\African Safari
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 04:21 . 2009-05-30 19:16 6648 ----a-w- c:\users\Tad\AppData\Local\d3d9caps.dat
2009-08-31 18:33 . 2008-08-30 08:53 -------- d-----w- c:\program files\McAfee
2009-08-31 03:45 . 2009-07-13 07:32 -------- d-----w- c:\program files\NOS
2009-08-31 03:45 . 2009-07-13 07:32 -------- d-----w- c:\programdata\NOS
2009-08-14 02:00 . 2008-08-30 11:03 173218014 ----a-w- c:\windows\DUMPc9b4.tmp
2009-08-13 05:36 . 2009-03-22 02:59 -------- d-----w- c:\programdata\Google Updater
2009-08-12 08:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-30 03:16 . 2009-07-30 03:15 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-30 03:16 . 2009-07-30 03:15 -------- d-----w- c:\program files\iTunes
2009-07-30 03:16 . 2009-01-28 20:23 -------- d-----w- c:\program files\iPod
2009-07-30 03:15 . 2009-01-28 20:47 -------- d-----w- c:\program files\Common Files\Apple
2009-07-30 03:13 . 2009-07-30 03:13 -------- d-----w- c:\program files\QuickTime
2009-07-30 03:06 . 2009-07-30 03:06 -------- d-----w- c:\program files\Bonjour
2009-07-21 21:52 . 2009-07-28 22:41 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 22:41 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 22:41 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 22:41 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-13 10:37 . 2009-07-13 10:37 -------- d-----w- c:\users\Tad\AppData\Roaming\vlc
2009-07-13 10:10 . 2009-07-13 10:10 -------- d-----w- c:\users\Tad\AppData\Roaming\MozillaControl
2009-07-13 10:10 . 2009-07-13 10:09 -------- d-----w- c:\program files\Graboid
2009-07-13 10:10 . 2009-07-13 10:10 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-07-13 10:09 . 2009-07-13 10:09 -------- d-----w- c:\program files\VideoLAN
2009-07-13 05:52 . 2009-07-13 05:52 -------- d-----w- c:\users\Tad\AppData\Roaming\BitTorrent
2009-07-10 02:54 . 2008-08-30 08:52 -------- d-----w- c:\programdata\McAfee
2009-06-15 15:24 . 2009-07-14 21:42 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-14 21:42 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-14 21:42 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-14 21:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2008-08-30 11:16 . 2008-08-30 11:15 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d8608d46-1567-4623-a0b1-bfd9a40bc421}"= "c:\program files\African Safari\Helper.dll" [2009-08-08 201216]
"{969f6d55-0b76-4956-8f31-2a995769e43c}"= "c:\program files\Causes\Helper.dll" [2009-08-10 201216]
[HKEY_CLASSES_ROOT\clsid\{d8608d46-1567-4623-a0b1-bfd9a40bc421}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{C29D9D6E-9D18-4046-A7AA-82327AA19B1D}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
[HKEY_CLASSES_ROOT\clsid\{969f6d55-0b76-4956-8f31-2a995769e43c}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{F8015C24-C4F2-4B61-98A3-8AF4B7BEEE13}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6521F190-A6C6-44F4-B5AE-1600DF9D6FAB}]
2009-08-08 00:31 1358848 ----a-w- c:\program files\African Safari\Toolbar.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAC503B-6F0F-4F48-8055-289B8A5EF5C0}]
2009-08-10 05:06 1358848 ----a-w- c:\program files\Causes\Toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{620E8039-805C-4356-9727-0D7A617FADA0}"= "c:\program files\African Safari\Toolbar.dll" [2009-08-08 1358848]
"{5D51B4F2-CC28-4488-9AB3-BE7E40EB3293}"= "c:\program files\Causes\Toolbar.dll" [2009-08-10 1358848]
[HKEY_CLASSES_ROOT\clsid\{620e8039-805c-4356-9727-0d7a617fada0}]
[HKEY_CLASSES_ROOT\FCTB000060819.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{7E8C34F9-EF28-45BE-9B6E-E146D809789A}]
[HKEY_CLASSES_ROOT\FCTB000060819.IEToolbar]
[HKEY_CLASSES_ROOT\clsid\{5d51b4f2-cc28-4488-9ab3-be7e40eb3293}]
[HKEY_CLASSES_ROOT\FCTB000060459.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{315BC644-F418-4AD0-9E10-339AB9F84EC7}]
[HKEY_CLASSES_ROOT\FCTB000060459.IEToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{620E8039-805C-4356-9727-0D7A617FADA0}"= "c:\program files\African Safari\Toolbar.dll" [2009-08-08 1358848]
"{5D51B4F2-CC28-4488-9AB3-BE7E40EB3293}"= "c:\program files\Causes\Toolbar.dll" [2009-08-10 1358848]
[HKEY_CLASSES_ROOT\clsid\{620e8039-805c-4356-9727-0d7a617fada0}]
[HKEY_CLASSES_ROOT\FCTB000060819.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{7E8C34F9-EF28-45BE-9B6E-E146D809789A}]
[HKEY_CLASSES_ROOT\FCTB000060819.IEToolbar]
[HKEY_CLASSES_ROOT\clsid\{5d51b4f2-cc28-4488-9ab3-be7e40eb3293}]
[HKEY_CLASSES_ROOT\FCTB000060459.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{315BC644-F418-4AD0-9E10-339AB9F84EC7}]
[HKEY_CLASSES_ROOT\FCTB000060459.IEToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-30 68856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"feedreader.exe"="c:\program files\FeedReader30\feedreader.exe" [2009-03-29 2058240]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-13 4351216]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-19 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-30 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\muppy.exe.exe" [2009-08-03 1295632]
c:\users\Tad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2009-8-27 3121760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PMCRemoteLauncher.lnk - c:\users\Tad\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe [2009-3-25 50448]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\System32\cmd.exe [2008-1-20 318976]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-30 50688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-30 09:00 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4B735F17-C2BA-40D0-8F1C-12A344E09F6B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{AD23D099-F8D4-47EE-90C7-A6546994D7E8}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7E1A62E1-8DD0-4C4B-932D-E8A02C6507CC}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{38120D60-904D-4526-8970-66C6A35ACD97}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{1A724F6B-72CA-424A-9151-7A2BE4D6201D}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{237FA5AD-2621-4B30-B989-8C9EDE0068CD}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{BFBCA513-7E46-4B03-A4D5-866CCEBA55E8}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5E1BA540-BBA3-441D-B666-14E72E84410F}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{78399408-81BC-45F9-B4F4-197BD8EFE489}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{19DECE65-5144-405D-A28B-3257EF7B59FE}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{B2D904C0-2129-4CB2-A89E-FD1180AD8A91}"= UDP:c:\program files\Pinnacle\VideoSpin\Programs\RM.exe:Render Manager
"{D7554068-A18C-4BB7-9FCD-CB9EDC575724}"= TCP:c:\program files\Pinnacle\VideoSpin\Programs\RM.exe:Render Manager
"{8BF9BD3B-DA11-4033-9D07-9A7862DFEA05}"= UDP:c:\program files\Pinnacle\VideoSpin\Programs\PMSRegisterFile.exe:PMSRegisterFile
"{185FE302-4206-4C03-8EB0-58AD9B381CB8}"= TCP:c:\program files\Pinnacle\VideoSpin\Programs\PMSRegisterFile.exe:PMSRegisterFile
"{0E6E28E5-CFE1-4E6C-9E12-D1AA26CB09C1}"= UDP:c:\program files\Pinnacle\VideoSpin\Programs\umi.exe:umi
"{4AB26F22-58D2-4EE1-85DF-712C3FDF02DF}"= TCP:c:\program files\Pinnacle\VideoSpin\Programs\umi.exe:umi
"{08C443DF-3C97-4B5C-BA84-F19420F6EF86}"= UDP:c:\program files\Pinnacle\VideoSpin\Programs\VideoSpin.exe:Pinnacle VideoSpin
"{E177FAFF-2200-4399-8100-B9FF080DD546}"= TCP:c:\program files\Pinnacle\VideoSpin\Programs\VideoSpin.exe:Pinnacle VideoSpin
"TCP Query User{D4AC827D-08DD-423E-BB99-77DFAB61A185}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4505CDDC-263C-476D-B721-22329E244B97}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A02A4383-4BEC-4811-B1ED-E7ED2D41DEB2}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{61390AFF-D695-4AED-B78F-6AA5EBA9D3C2}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CA349CFF-88E9-4842-A6EF-5D880EE7811F}"= UDP:c:\program files\Tencent\QQ Games\QQGames.exe:QQ Games
"{2F18C7C7-100C-4D10-9630-A8BAAB550F51}"= TCP:c:\program files\Tencent\QQ Games\QQGames.exe:QQ Games
"{0D775819-13F9-4120-8D98-44FBD7FCD292}"= UDP:c:\program files\Tencent\QQ Games\QQGamesD.exe:QQ Games Downloader
"{6B0AB7F0-A746-4E53-B501-131DAE3C7A3D}"= TCP:c:\program files\Tencent\QQ Games\QQGamesD.exe:QQ Games Downloader
"{A878E84A-3695-4AD9-BFD7-D373581DCA3D}"= UDP:c:\program files\Tencent\QQ Games\Update\Update.exe:QQ Games Updater
"{C79312E2-FB0F-4A7D-A4B0-15475F10DA51}"= TCP:c:\program files\Tencent\QQ Games\Update\Update.exe:QQ Games Updater
"{E445C348-C33B-477B-906C-9D4D5021C9DD}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{2BD80ED1-91B0-4CC6-BB3E-0F1AA6EC02AF}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{B0FAC743-8AA5-48EC-99E8-6C266C03A743}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3F21EF7E-A6A4-4F05-A614-53B8F027EDB5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DA89253E-323B-4510-A997-B5FBB7BE66C2}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A094EF37-4010-4D68-B26E-DF70D7DC63D9}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{377ACDDE-8A67-4C01-9712-F6ED6EE2C4C1}"= UDP:c:\program files\African Safari\TroubleShooter.exe:African Safari (Helper)
"{F18F0FA4-2722-4DEB-819B-25942C50D48E}"= TCP:c:\program files\African Safari\TroubleShooter.exe:African Safari (Helper)
"{2A5A7FA0-9BA9-4A55-83ED-302E2297CAA4}"= UDP:c:\program files\African Safari\ToolbarUpdate.exe:African Safari (Update)
"{339A0A58-DCF3-4432-AAD5-B25A06110FDF}"= TCP:c:\program files\African Safari\ToolbarUpdate.exe:African Safari (Update)
"{C81B1895-458A-4048-B464-39A8F1B25A88}"= UDP:c:\program files\Causes\TroubleShooter.exe:Causes (Helper)
"{9FB9C851-0DC6-4671-B821-F7C245A3F43C}"= TCP:c:\program files\Causes\TroubleShooter.exe:Causes (Helper)
"{AE0AD1AE-8508-4B56-8811-7716B25A68E4}"= UDP:c:\program files\Causes\ToolbarUpdate.exe:Causes (Update)
"{BAAC2BF1-F335-4523-9A96-46C9EEEB98A9}"= TCP:c:\program files\Causes\ToolbarUpdate.exe:Causes (Update)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
S2 0134111252121733mcinstcleanup;McAfee Application Installer Cleanup (0134111252121733);c:\users\Tad\AppData\Local\Temp\013411~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\users\Tad\AppData\Local\Temp\013411~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [8/29/2008 8:25 PM 73728]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [4/28/2008 2:56 PM 161048]
S2 gupdate1c9aa9a54af35c0;Google Update Service (gupdate1c9aa9a54af35c0);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2009 8:00 PM 133104]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [8/30/2008 4:20 AM 111616]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-08-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-30 02:59]
2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 02:59]
2009-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 02:59]
2009-09-01 c:\windows\Tasks\User_Feed_Synchronization-{AEA1B5AB-7C85-48CB-A1E9-C99C9F212892}.job
- c:\windows\system32\msfeedssync.exe [2009-07-28 20:13]
.
- - - - ORPHANS REMOVED - - - -
HKLM-RunOnce-Uninstall Adobe Download Manager - c:\program files\NOS\bin\getPlus_HelperSvc.exe
HKLM-RunOnce-<NO NAME> - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thehungersite.com/clickToGive/home.faces?siteId=1
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 21:24
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3688192189-393838976-3506527395-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:0a,0b,f9,07,88,45,ae,00
DUMPHIVE0.003 (REGF)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\HelpPane.exe
.
**************************************************************************
.
Completion time: 2009-09-05 21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 04:29
Pre-Run: 58,981,883,904 bytes free
Post-Run: 59,017,723,904 bytes free
283 --- E O F --- 2009-08-12 08:06
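As an added example (not part of the original thread, and not ComboFix or Tech Support Guy code), here is a small Python triage script for the "Reg Loading Points" and firewall-policy sections of a ComboFix log like the one above. The sample input is excerpted from that log; the rule names, the key matching and the flagging thresholds are this example's own choices. On that input it flags the browser hooks and toolbar/BHO modules (the "African Safari" and "Causes" FreeCause entries), the double-extension RunOnce entry (muppy.exe.exe, which per the user's earlier post is the renamed MBAM installer, so a flag here means "confirm it was deliberate" rather than "malware"), the non-empty AppInit_DLLs value, AntiVirusOverride=1 in Security Center, and EnableFirewall=0 on the public profile.

```python
"""Triage the 'Reg Loading Points' / firewall-policy part of a ComboFix log.

Added example for illustration; not ComboFix's own code. The parsing rules
below are written against the line shapes ComboFix printed in the log above:
  [HKEY_...\Key]                         registry key header
  "Name"= "value" [date size]            value with optional file-info suffix
  2009-08-08 00:31 1358848 ----a-w- path module line under a BHO/Notify key
"""
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted verbatim from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d8608d46-1567-4623-a0b1-bfd9a40bc421}"= "c:\program files\African Safari\Helper.dll" [2009-08-08 201216]
"{969f6d55-0b76-4956-8f31-2a995769e43c}"= "c:\program files\Causes\Helper.dll" [2009-08-10 201216]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6521F190-A6C6-44F4-B5AE-1600DF9D6FAB}]
2009-08-08 00:31 1358848 ----a-w- c:\program files\African Safari\Toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\muppy.exe.exe" [2009-08-03 1295632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")
SUFFIX_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$")  # trailing "[date size]"

# Key fragments that load code into Internet Explorer (hypothetical list for this example).
BROWSER_KEYS = ("urlsearchhooks", "browser helper objects", "internet explorer\\toolbar")
EXEC_EXT = {"exe", "dll", "scr", "com"}


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    name: str
    value: str


def _clean(value: str) -> str:
    """Drop ComboFix's file-info suffix and surrounding quotes from a value."""
    return SUFFIX_RE.sub("", value.strip()).strip('"')


def _double_extension(path: str) -> bool:
    """True for names like muppy.exe.exe (two executable extensions in a row)."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in EXEC_EXT


def _inspect(key: str, name: str, value: str, out: list) -> None:
    lk = key.lower()
    if any(frag in lk for frag in BROWSER_KEYS):
        out.append(Finding("browser-hook", key, name, value))
    if lk.endswith("\\run") or lk.endswith("\\runonce"):
        if _double_extension(value):
            out.append(Finding("double-extension", key, name, value))
    if lk.endswith("\\windows") and name.lower() == "appinit_dlls" and value:
        out.append(Finding("appinit-dll", key, name, value))
    if "security center" in lk and name.lower().endswith("override") and value.lower().endswith("1"):
        out.append(Finding("security-center-override", key, name, value))
    if "firewallpolicy" in lk and name.lower() == "enablefirewall" and value.startswith("0"):
        out.append(Finding("firewall-disabled", key, name, value))


def triage(log_text: str) -> list:
    """Walk the log line by line, tracking the current key, and collect findings."""
    findings: list = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m.group("key")
        elif (m := VALUE_RE.match(line)):
            _inspect(key, m.group("name"), _clean(m.group("value")), findings)
        elif key and (m := FILE_RE.match(line)):
            _inspect(key, "(module)", m.group("path"), findings)  # BHO/Notify DLL line
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:26} {f.name:40} {f.value}")
```

The point of the double-extension rule is exactly the case in this thread: a helper told the user to rename the MBAM installer, and the log now shows muppy.exe.exe under RunOnce. A triage script should surface that so the helper can match it against what the user says they did, and treat an unexplained double extension as something to investigate rather than auto-remove.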
Tags
blue screen error, blue screen of death, bsod, malware
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.