when i scan all the time i always getRootkit.Agent/Gen-ESQUL

[gyan19]

I tried SAS because it is highly recommended by my friends and i found it very helpful. one thing that bothers me is that everytime i scan i get this Rootkit.Agent/Gen-ESQUL thing always sometimes 3 sometimes 5... i got this free spyware 2 days ago and everyday i try scanning my full system in those 2 days. the first day i got trojans, cookies and a bunch of rootkits... the second day i only got adwares cookies and rootkits... today i scanned i got cookies and this rootkit and after rebooting i scanned again and i still get 5 SAME ROOTKITS... what are these? it seems that they multiply fast or is just that SAS cant detect them all at once... please help because im very much bothered by these rootkits.

and by the way i am very much thankful for SAS because 2 days ago this computer is not very functional but after scanning and detecting some spyware my computer is much better now(except with these nasty rootkits). now im so paranoid with these stuff... thanks

[gyan19]

Quick scan just minutes ago

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 07/17/2009 at 05:04 PM

Application Version : 4.26.1006

Core Rules Database Version : 4002

Trace Rules Database Version: 1942

Scan type : Quick Scan

Total Scan Time : 00:30:57

Memory items scanned : 871

Memory threats detected : 0

Registry items scanned : 504

Registry threats detected : 5

File items scanned : 30331

File threats detected : 0

Rootkit.Agent/Gen-ESQUL

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#start

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#type

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#imagepath

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#group

FULL SCAN TODAY

Generated 07/17/2009 at 04:12 PM

Application Version : 4.26.1006

Core Rules Database Version : 4002

Trace Rules Database Version: 1942

Scan type : Complete Scan

Total Scan Time : 00:48:06

Memory items scanned : 891

Memory threats detected : 0

Registry items scanned : 6822

Registry threats detected : 8

File items scanned : 36719

File threats detected : 3

Adware.Tracking Cookie

C:\Users\giancarlo\AppData\Roaming\Microsoft\Windows\Cookies\giancarlo@doubleclick[1].txt

C:\Users\giancarlo\AppData\Roaming\Microsoft\Windows\Cookies\giancarlo@ad.yieldmanager[2].txt

C:\Users\giancarlo\AppData\Roaming\Microsoft\Windows\Cookies\giancarlo@atdmt[1].txt

Rootkit.Agent/Gen-ESQUL

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#start

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#type

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#imagepath

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#group

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\modules

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\modules#ESQULserv

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\modules#ESQULl

YESTERDAY

Generated 07/16/2009 at 01:33 AM

Application Version : 4.26.1006

Core Rules Database Version : 3998

Trace Rules Database Version: 1938

Scan type : Quick Scan

Total Scan Time : 00:56:02

Memory items scanned : 930

Memory threats detected : 0

Registry items scanned : 518

Registry threats detected : 17

File items scanned : 30390

File threats detected : 1

Rootkit.Agent/Gen-ESQUL

HKLM\system\controlset001\services\ESQULserv.sys

C:\WINDOWS\SYSTEM32\DRIVERS\ESQULCHSATUYPLYVTSQFUJXUMMTRENBSOOSUI.SYS

HKLM\system\controlset002\services\ESQULserv.sys

HKLM\system\controlset003\services\ESQULserv.sys

HKLM\system\controlset004\services\ESQULserv.sys

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#start

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#type

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#imagepath

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#group

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\modules

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\modules#ESQULserv

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\modules#ESQULl

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\modules#ESQULclk

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\Enum

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\Enum#0

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\Enum#Count

HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS\Enum#NextInstance

THE FIRSTDAY SCAN

Generated 07/15/2009 at 08:25 PM

Application Version : 4.26.1006

Core Rules Database Version : 3998

Trace Rules Database Version: 1938

Scan type : Complete Scan

Total Scan Time : 01:06:11

Memory items scanned : 944

Memory threats detected : 0

Registry items scanned : 6849

Registry threats detected : 88

File items scanned : 36859

File threats detected : 6

Adware.MyWebSearch

HKU\S-1-5-21-2049136128-3216804590-1937335049-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}

HKU\S-1-5-21-2049136128-3216804590-1937335049-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

HKU\S-1-5-21-2049136128-3216804590-1937335049-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

Rootkit.Agent/Gen-ESQUL

HKLM\system\controlset001\services\ESQULserv.sys

C:\WINDOWS\SYSTEM32\DRIVERS\ESQULCHSATUYPLYVTSQFUJXUMMTRENBSOOSUI.SYS

HKLM\system\controlset002\services\ESQULserv.sys

HKLM\system\controlset003\services\ESQULserv.sys

HKLM\system\controlset004\services\ESQULserv.sys

Trojan.Unknown Origin

HKU\S-1-5-21-2049136128-3216804590-1937335049-1000\Software\ColdWare

Adware.MyWebSearch/FunWebProducts

HKLM\SOFTWARE\Fun Web Products

HKLM\SOFTWARE\Fun Web Products\MSNMessenger

HKLM\SOFTWARE\Fun Web Products\MSNMessenger#DLLFile

HKLM\SOFTWARE\Fun Web Products\MSNMessenger#DLLDir

HKLM\SOFTWARE\Fun Web Products\ScreenSaver

HKLM\SOFTWARE\Fun Web Products\ScreenSaver#ImagesDir

HKLM\SOFTWARE\Fun Web Products\Settings

HKLM\SOFTWARE\Fun Web Products\Settings\Promos

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.numActive

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.0

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqNone

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.numActive

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.0

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqUninstalled

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.numActive

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.numActive2

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.1

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.2

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.3

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.4

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.5

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.6

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.7

HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.8

HKU\S-1-5-21-2049136128-3216804590-1937335049-1000\SOFTWARE\MyWebSearch

HKLM\SOFTWARE\MyWebSearch

HKLM\SOFTWARE\MyWebSearch\bar

HKLM\SOFTWARE\MyWebSearch\bar#pid

HKLM\SOFTWARE\MyWebSearch\bar#fwp

HKLM\SOFTWARE\MyWebSearch\bar#tiec

HKLM\SOFTWARE\MyWebSearch\bar#Dir

HKLM\SOFTWARE\MyWebSearch\bar#Id

HKLM\SOFTWARE\MyWebSearch\bar#CurInstall

HKLM\SOFTWARE\MyWebSearch\bar#SettingsDir

HKLM\SOFTWARE\MyWebSearch\bar#sr

HKLM\SOFTWARE\MyWebSearch\bar#pl

HKLM\SOFTWARE\MyWebSearch\bar#HistoryDir

HKLM\SOFTWARE\MyWebSearch\SearchAssistant

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pid

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#fwp

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Dir

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#esh

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#lsp

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Id

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#CurInstall

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#sr

HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pl

HKLM\SOFTWARE\MyWebSearch\SkinTools

HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}

HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}

HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid

HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32

HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib

HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version

HKLM\Software\FocusInteractive

HKLM\Software\FocusInteractive\bar

HKLM\Software\FocusInteractive\bar\Switches

HKLM\Software\FocusInteractive\bar\Switches#incmail.exe

HKLM\Software\FocusInteractive\bar\Switches#msimn.exe

HKLM\Software\FocusInteractive\bar\Switches#msn.exe

HKLM\Software\FocusInteractive\bar\Switches#outlook.exe

HKLM\Software\FocusInteractive\bar\Switches#waol.exe

HKLM\Software\FocusInteractive\bar\Switches#aim.exe

HKLM\Software\FocusInteractive\bar\Switches#icq.exe

HKLM\Software\FocusInteractive\bar\Switches#icqlite.exe

HKLM\Software\FocusInteractive\bar\Switches#msmsgs.exe

HKLM\Software\FocusInteractive\bar\Switches#msnmsgr.exe

HKLM\Software\FocusInteractive\bar\Switches#ypager.exe

HKLM\Software\FocusInteractive\bar\Switches#au

HKLM\Software\FocusInteractive\bar\Switches#mwsSrcAs.dll

HKLM\Software\FocusInteractive\bar\Switches#ps

HKLM\Software\FocusInteractive\bar\Switches#ok

HKLM\Software\FocusInteractive\bar\Switches#od

HKLM\Software\FocusInteractive\bar\Switches#nk

HKLM\Software\FocusInteractive\bar\Switches#nd

HKLM\Software\FocusInteractive\Email-IM

HKLM\Software\FocusInteractive\Email-IM\0

HKLM\Software\FocusInteractive\Email-IM\0#Toolbar

HKLM\Software\FocusInteractive\Email-IM\0#AppName

HKLM\Software\FocusInteractive\Outlook

C:\Program Files\MyWebSearch\bar\History

C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat

C:\Program Files\MyWebSearch\bar\Settings

C:\Program Files\MyWebSearch\bar

C:\Program Files\MyWebSearch

THANKS FOR THE quick reply...

[gyan19]

The complete scan log with current definitions shows only harmless registry traces. If you're comfortable editing the registry, I recommend you delete the key HKey_Local_Machine\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS. I expect you'll find that Windows won't allow that key to be deleted until you adjust the permissions.

If you're not comfortable editing the registry, it's safe to ignore or trust/allow those items. If you decide to trust the items, be sure to select the individual items, not the Rootkit.Agent/Gen-ESQUL detection itself.

How can i delete the HKEY thing? sorry im not that techy... and if ever how to adjust permission? thanks... you're a big help. im now considering buying the full verdion of SAS!!! =)

[Jormungandr]

I hope I'm not out of line here, by posting about another forum, but there is currently a thread on the Norton Forums concerning ESQULSERV.SYS and the development of a procedure for the removal of it and its components that may interest the original poster.

http://community.norton.com/norton/boar ... d.id=16935