Print Page - 139d2e78.exe again

Title: 139d2e78.exe again
Post by: PeterJ on June 19, 2013, 02:39:33 PM

Hi. It seems I have pretty much the same problem as Ovaunda had recently. I am locked out of my account on this PC (which is the Adminstrator's account). I can only access the computer via my wife's account at the moment. My symptoms are that when I try to log into my account I get a command prompt that says '"C:\Documents and Settings\user\My Documents\139d2e78.exe"' is not recognised as an operable program or batch file C:\Documents and Settings\User> - and I then can go no further.

I have a fairly elderly Dell Dimension 8250 running Windows XP Professional Version 5.1.2600 Service Pack 3 Build 2600.

I have tried Malwarebytes which found and removed 139d2e78.dll (not .exe) but the problem persists.

I also bought PC Cleaner Pro on the recommendation I found via Google but I'm regretting that decision already. It has not fixed the problem and their 'expert' technical support service was no help at all. I have now uninstalled it.

One more thing - I have downloaded DDS.scr and run it but the resulting text file is gobblydook - here's a small sample
ÆãK@×lÿà \ÔkÙwÑ`2ˆp!@à•€ØI½o¶
How can I correct that please?

Here is my Checkup log:

Results of screen317's Security Check version 0.99.66
Windows XP Service Pack 3 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````[/u]
Windows Firewall Disabled!
Please wait while WMIC compiles updated MOF files.d
i
s
p
l
a
y
N
a
m
e
ECHO is off.
P
C
ECHO is off.
C
l
e
a
n
e
r
ECHO is off.
P
r
o
ECHO is off.
A
V
G
ECHO is off.
A
n
t
i
V
i
r
u
s
ECHO is off.
F
r
e
ECHO is off.
E
d
i
t
i
o
n
ECHO is off.
2
0
1
2
ECHO is off.
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````[/u]
Malwarebytes Anti-Malware version 1.75.0.1300
Java(TM) 6 Update 24
Java version out of Date!
Adobe Flash Player 11.7.700.202
Adobe Reader 10.1.7 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````[/u]
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````[/u]
Total Fragmentation on Drive C:: 22% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````[/u]

Title: Re: 139d2e78.exe again
Post by: Corrine on June 19, 2013, 07:12:54 PM

Hi, PeterJ. Welcome to LandzDown Forum.

We will do our best to assist you. However, in order to do so, please follow all instructions provided in the sequence given. Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.

If you have questions regarding any of the instructions or problems running any tools, please let us know.

1. Based on the reputation of PC Cleaner Pro, please consider contacting your credit card company. You may be able to get the charges reversed. See WOT for information about PC Cleaner Pro: http://www.mywot.com/en/scorecard/pccleanerpro.com/event-84510#events

2. Can you log on to our account via Safe Mode, ideally Safe Mode with Networking? To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to login as a user. If so, please see if you get readable DDS logs in Safe Mode.

3. Please download the TDSSKiller.exe (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) by Kaspersky... save it to your Desktop. <-Important!!!. If you can get to safe mode with networking, please do this with your Admin account. Otherwise, we'll see what happens with your wife's account.

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista - W7 users: Right-click and select "Run As Administrator".
If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com). If you don't see file extensions, please see: How to change the file extension (http://www.mediacollege.com/microsoft/windows/extension-change.html).
Click the Start Scan button. Do not use the computer during the scan!
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the "Scan results - Select action for found objects[/b]" and offer 3 options.
- Ensure SKIP is selected... DO NOT attempt to FIX anything yet!
- Now click on Report to open the log file created by TDSSKiller in your root directory C:\
A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 19, 2013, 09:24:46 PM

Thanks Corinne. Unfortunately I paid for PC Cleaner Pro with my debit card, not a credit card, so doubt I'll see my money again :cry: . I guess I'll just have to write that off and try to learn from it!
Before I respond to your instructions I want you to know that it's 10.20pm here in London. Unless you can respond within say the next hour don't worry about it. I'll just get some beauty sleep and pick this up again in the morning.

So....

>I can't get into my account in Safe Mode with Networking.

>Using my wife's account I have tried DSS again when in Safe Mode with Networking and still don't get readable logs.

> I ran a TDSSKiller scan (again in Safe Mode with Networking) but it found nothing. The log reads:

22:06:57.0359 0396 TDSS rootkit removing tool 2.8.18.0 Jun 10 2013 21:44:19
22:06:57.0546 0396 ============================================================
22:06:57.0546 0396 Current date / time: 2013/06/19 22:06:57.0546
22:06:57.0546 0396 SystemInfo:
22:06:57.0546 0396
22:06:57.0546 0396 OS Version: 5.1.2600 ServicePack: 3.0
22:06:57.0546 0396 Product type: Workstation
22:06:57.0546 0396 ComputerName: PETER
22:06:57.0546 0396 UserName: All of Us
22:06:57.0546 0396 Windows directory: C:\WINDOWS
22:06:57.0546 0396 System windows directory: C:\WINDOWS
22:06:57.0546 0396 Processor architecture: Intel x86
22:06:57.0546 0396 Number of processors: 1
22:06:57.0546 0396 Page size: 0x1000
22:06:57.0546 0396 Boot type: Safe boot with network
22:06:57.0546 0396 ============================================================
22:07:05.0468 0396 Drive \Device\Harddisk0\DR0 - Size: 0x953C94000 (37.31 Gb), SectorSize: 0x200, Cylinders: 0x1306, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
22:07:05.0468 0396 Drive \Device\Harddisk1\DR2 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
22:07:05.0500 0396 ============================================================
22:07:05.0500 0396 \Device\Harddisk0\DR0:
22:07:05.0500 0396 MBR partitions:
22:07:05.0500 0396 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A98C86
22:07:05.0500 0396 \Device\Harddisk1\DR2:
22:07:05.0500 0396 MBR partitions:
22:07:05.0500 0396 \Device\Harddisk1\DR2\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C41
22:07:05.0500 0396 ============================================================
22:07:05.0531 0396 C: <-> \Device\Harddisk0\DR0\Partition1
22:07:05.0687 0396 F: <-> \Device\Harddisk1\DR2\Partition1
22:07:05.0687 0396 ============================================================
22:07:05.0687 0396 Initialize success
22:07:05.0687 0396 ============================================================
22:07:21.0343 0408 ============================================================
22:07:21.0343 0408 Scan started
22:07:21.0343 0408 Mode: Manual;
22:07:21.0343 0408 ============================================================
22:07:22.0656 0408 ================ Scan system memory ========================
22:07:22.0656 0408 System memory - ok
22:07:22.0656 0408 ================ Scan services =============================
22:07:22.0781 0408 Abiosdsk - ok
22:07:22.0812 0408 abp480n5 - ok
22:07:22.0890 0408 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:07:22.0890 0408 ACPI - ok
22:07:22.0953 0408 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
22:07:22.0968 0408 ACPIEC - ok
22:07:22.0984 0408 Ad-Watch Connect Filter - ok
22:07:23.0015 0408 ADILOADER - ok
22:07:23.0046 0408 adiusbaw - ok
22:07:23.0171 0408 [ F040037B149FD0F5A5044AE563390FA7 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
22:07:23.0171 0408 AdobeFlashPlayerUpdateSvc - ok
22:07:23.0203 0408 adpu160m - ok
22:07:23.0250 0408 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
22:07:23.0265 0408 aec - ok
22:07:23.0328 0408 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
22:07:23.0343 0408 AFD - ok
22:07:23.0406 0408 [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
22:07:23.0406 0408 agp440 - ok
22:07:23.0437 0408 Aha154x - ok
22:07:23.0468 0408 aic78u2 - ok
22:07:23.0500 0408 aic78xx - ok
22:07:23.0578 0408 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
22:07:23.0578 0408 Alerter - ok
22:07:23.0640 0408 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
22:07:23.0640 0408 ALG - ok
22:07:23.0671 0408 AliIde - ok
22:07:23.0703 0408 amsint - ok
22:07:23.0828 0408 [ F401929EE0CC92BFE7F15161CA535383 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
22:07:23.0843 0408 Apple Mobile Device - ok
22:07:23.0937 0408 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
22:07:23.0937 0408 AppMgmt - ok
22:07:23.0968 0408 asc - ok
22:07:24.0000 0408 asc3350p - ok
22:07:24.0031 0408 asc3550 - ok
22:07:24.0171 0408 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
22:07:24.0328 0408 aspnet_state - ok
22:07:24.0421 0408 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:07:24.0421 0408 AsyncMac - ok
22:07:24.0484 0408 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
22:07:24.0484 0408 atapi - ok
22:07:24.0515 0408 Atdisk - ok
22:07:24.0562 0408 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:07:24.0593 0408 Atmarpc - ok
22:07:24.0671 0408 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
22:07:24.0671 0408 AudioSrv - ok
22:07:24.0734 0408 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
22:07:24.0734 0408 audstub - ok
22:07:25.0000 0408 [ 231B6AD3DB2866BC3FDB9979E6B2B61E ] AVGIDSAgent C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
22:07:25.0156 0408 AVGIDSAgent - ok
22:07:25.0218 0408 [ EF67527CC2AD77D22AB1405C6470407E ] AVGIDSDriver C:\WINDOWS\system32\DRIVERS\avgidsdriverx.sys
22:07:25.0234 0408 AVGIDSDriver - ok
22:07:25.0281 0408 [ 61A7E0B02F82CFF3DB2445BBE50B3589 ] AVGIDSFilter C:\WINDOWS\system32\DRIVERS\avgidsfilterx.sys
22:07:25.0281 0408 AVGIDSFilter - ok
22:07:25.0343 0408 [ D63D83659EEDF60B3A3E620281A888E5 ] AVGIDSHX C:\WINDOWS\system32\DRIVERS\avgidshx.sys
22:07:25.0343 0408 AVGIDSHX - ok
22:07:25.0390 0408 [ BAF975B72062F53D327788E99D64197E ] AVGIDSShim C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys
22:07:25.0390 0408 AVGIDSShim - ok
22:07:25.0437 0408 [ 6671345A6E2669AF1966BAF68EC5620F ] Avgldx86 C:\WINDOWS\system32\DRIVERS\avgldx86.sys
22:07:25.0453 0408 Avgldx86 - ok
22:07:25.0515 0408 [ CCDD61545AAEA265977E4B1EFDC74E8C ] Avgmfx86 C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
22:07:25.0515 0408 Avgmfx86 - ok
22:07:25.0562 0408 [ 1FD90B28D2C3100BF4500199C8AD6358 ] Avgrkx86 C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
22:07:25.0578 0408 Avgrkx86 - ok
22:07:25.0640 0408 [ 1647C720358DCC98ACF51E597C461C4D ] Avgtdix C:\WINDOWS\system32\DRIVERS\avgtdix.sys
22:07:25.0640 0408 Avgtdix - ok
22:07:25.0703 0408 [ EA1145DEBCD508FD25BD1E95C4346929 ] avgwd C:\Program Files\AVG\AVG2012\avgwdsvc.exe
22:07:25.0718 0408 avgwd - ok
22:07:25.0828 0408 [ 41347688046D49CDE0F6D138A534F73D ] BCMModem C:\WINDOWS\system32\DRIVERS\BCMSM.sys
22:07:25.0875 0408 BCMModem - ok
22:07:25.0921 0408 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
22:07:25.0921 0408 Beep - ok
22:07:26.0015 0408 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
22:07:26.0203 0408 BITS - ok
22:07:26.0265 0408 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
22:07:26.0265 0408 Browser - ok
22:07:26.0328 0408 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
22:07:26.0328 0408 cbidf2k - ok
22:07:26.0406 0408 [ 359E5A91D26D0439933BEF1C29CEDEF7 ] CCALib8 C:\Program Files\Canon\CAL\CALMAIN.exe
22:07:26.0421 0408 CCALib8 - ok
22:07:26.0468 0408 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:07:26.0468 0408 CCDECODE - ok
22:07:26.0500 0408 cd20xrnt - ok
22:07:26.0562 0408 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
22:07:26.0578 0408 Cdaudio - ok
22:07:26.0625 0408 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
22:07:26.0625 0408 Cdfs - ok
22:07:26.0656 0408 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:07:26.0656 0408 Cdrom - ok
22:07:26.0687 0408 Changer - ok
22:07:26.0734 0408 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] cisvc C:\WINDOWS\System32\cisvc.exe
22:07:26.0734 0408 cisvc - ok
22:07:26.0828 0408 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
22:07:26.0828 0408 ClipSrv - ok
22:07:26.0906 0408 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
22:07:27.0156 0408 clr_optimization_v2.0.50727_32 - ok
22:07:27.0171 0408 CmdIde - ok
22:07:27.0203 0408 COMSysApp - ok
22:07:27.0265 0408 Cpqarray - ok
22:07:27.0343 0408 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
22:07:27.0343 0408 CryptSvc - ok
22:07:27.0437 0408 [ B459AE4AFCA570088ADDDBE55EABBC92 ] ctsfm2k C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
22:07:27.0437 0408 ctsfm2k - ok
22:07:27.0468 0408 dac2w2k - ok
22:07:27.0500 0408 dac960nt - ok
22:07:27.0562 0408 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
22:07:27.0578 0408 DcomLaunch - ok
22:07:27.0640 0408 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
22:07:27.0656 0408 Dhcp - ok
22:07:27.0703 0408 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
22:07:27.0703 0408 Disk - ok
22:07:27.0718 0408 dmadmin - ok
22:07:27.0812 0408 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
22:07:27.0828 0408 dmboot - ok
22:07:27.0875 0408 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
22:07:27.0875 0408 dmio - ok
22:07:27.0953 0408 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
22:07:27.0953 0408 dmload - ok
22:07:28.0000 0408 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
22:07:28.0000 0408 dmserver - ok
22:07:28.0046 0408 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
22:07:28.0046 0408 DMusic - ok
22:07:28.0093 0408 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
22:07:28.0093 0408 Dnscache - ok
22:07:28.0156 0408 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
22:07:28.0171 0408 Dot3svc - ok
22:07:28.0187 0408 dpti2o - ok
22:07:28.0234 0408 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
22:07:28.0234 0408 drmkaud - ok
22:07:28.0312 0408 [ 842C20BA5D00FA40E5A25B20FECD0F57 ] E100B C:\WINDOWS\system32\DRIVERS\e100b325.sys
22:07:28.0328 0408 E100B - ok
22:07:28.0390 0408 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
22:07:28.0390 0408 EapHost - ok
22:07:28.0437 0408 [ EFACD8D57A42A93E244A0DBD357E8CB8 ] EAPPkt C:\WINDOWS\system32\DRIVERS\EAPPkt.sys
22:07:28.0437 0408 EAPPkt - ok
22:07:28.0500 0408 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
22:07:28.0500 0408 ERSvc - ok
22:07:28.0546 0408 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
22:07:28.0578 0408 Eventlog - ok
22:07:28.0703 0408 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\System32\es.dll
22:07:28.0718 0408 EventSystem - ok
22:07:28.0781 0408 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
22:07:28.0781 0408 Fastfat - ok
22:07:28.0828 0408 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
22:07:28.0828 0408 FastUserSwitchingCompatibility - ok
22:07:28.0859 0408 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
22:07:28.0859 0408 Fdc - ok
22:07:28.0921 0408 [ B73EC688C29F81F9DA0FCF63682B3ECB ] FilterService C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
22:07:28.0921 0408 FilterService - ok
22:07:29.0000 0408 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
22:07:29.0000 0408 Fips - ok
22:07:29.0031 0408 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:07:29.0031 0408 Flpydisk - ok
22:07:29.0109 0408 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
22:07:29.0109 0408 FltMgr - ok
22:07:29.0234 0408 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
22:07:29.0250 0408 FontCache3.0.0.0 - ok
22:07:29.0281 0408 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:07:29.0281 0408 Fs_Rec - ok
22:07:29.0328 0408 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:07:29.0328 0408 Ftdisk - ok
22:07:29.0359 0408 [ 065639773D8B03F33577F6CDAEA21063 ] gameenum C:\WINDOWS\system32\DRIVERS\gameenum.sys
22:07:29.0359 0408 gameenum - ok
22:07:29.0421 0408 [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
22:07:29.0421 0408 GEARAspiWDM - ok
22:07:29.0500 0408 [ 8CA4DA1FC8C3FB098B1AADDDB111CD28 ] genmcmn C:\WINDOWS\system32\DRIVERS\gmfiltr.sys
22:07:29.0500 0408 genmcmn - ok
22:07:29.0593 0408 [ 5CC2B1D06AC1962AF5FBBCF88D781DD8 ] GoToAssist C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
22:07:29.0593 0408 GoToAssist - ok
22:07:29.0640 0408 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:07:29.0640 0408 Gpc - ok
22:07:29.0750 0408 [ F02A533F517EB38333CB12A9E8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
22:07:29.0765 0408 gupdate - ok
22:07:29.0796 0408 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
22:07:29.0796 0408 gupdatem - ok
22:07:29.0937 0408 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
22:07:29.0937 0408 helpsvc - ok
22:07:29.0984 0408 HidServ - ok
22:07:30.0031 0408 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:07:30.0031 0408 HidUsb - ok
22:07:30.0109 0408 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
22:07:30.0109 0408 hkmsvc - ok
22:07:30.0140 0408 hpn - ok
22:07:30.0171 0408 hpt3xx - ok
22:07:30.0234 0408 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
22:07:30.0281 0408 HTTP - ok
22:07:30.0359 0408 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
22:07:30.0359 0408 HTTPFilter - ok
22:07:30.0390 0408 i2omgmt - ok
22:07:30.0421 0408 i2omp - ok
22:07:30.0468 0408 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:07:30.0468 0408 i8042prt - ok
22:07:30.0640 0408 [ 1CF03C69B49ACB70C722DF92755C0C8C ] IDriverT C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
22:07:30.0640 0408 IDriverT - ok
22:07:30.0796 0408 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
22:07:30.0875 0408 idsvc - ok
22:07:30.0921 0408 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
22:07:30.0921 0408 Imapi - ok
22:07:30.0984 0408 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\System32\imapi.exe
22:07:30.0984 0408 ImapiService - ok
22:07:31.0031 0408 ini910u - ok
22:07:31.0093 0408 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
22:07:31.0093 0408 IntelIde - ok
22:07:31.0140 0408 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:07:31.0140 0408 intelppm - ok
22:07:31.0187 0408 [ 3BB22519A194418D5FEC05D800A19AD0 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys
22:07:31.0187 0408 ip6fw - ok
22:07:31.0234 0408 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:07:31.0234 0408 IpFilterDriver - ok
22:07:31.0296 0408 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:07:31.0296 0408 IpInIp - ok
22:07:31.0359 0408 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:07:31.0359 0408 IpNat - ok
22:07:31.0421 0408 [ E6BE7A41A28D8F2DB174957454D32448 ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
22:07:31.0468 0408 iPod Service - ok
22:07:31.0531 0408 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:07:31.0531 0408 IPSec - ok
22:07:31.0593 0408 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
22:07:31.0609 0408 IRENUM - ok
22:07:31.0671 0408 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:07:31.0671 0408 isapnp - ok
22:07:31.0796 0408 [ 5E06A9D23727DAF96FAA796F1135FDCD ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
22:07:31.0812 0408 JavaQuickStarterService - ok
22:07:31.0843 0408 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:07:31.0843 0408 Kbdclass - ok
22:07:31.0906 0408 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:07:31.0906 0408 kbdhid - ok
22:07:31.0968 0408 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
22:07:31.0968 0408 kmixer - ok
22:07:32.0046 0408 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
22:07:32.0046 0408 KSecDD - ok
22:07:32.0187 0408 [ 62CEF3CA80FF1E3AF738DD11E3505DB1 ] KService C:\Program Files\Kontiki\KService.exe
22:07:32.0265 0408 KService - ok
22:07:32.0343 0408 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
22:07:32.0343 0408 lanmanserver - ok
22:07:32.0406 0408 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
22:07:32.0406 0408 lanmanworkstation - ok
22:07:32.0437 0408 lbrtfdc - ok
22:07:32.0531 0408 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
22:07:32.0531 0408 LmHosts - ok
22:07:32.0593 0408 [ 1A7DB7A00A4B0D8DA24CD691A4547291 ] LVPr2Mon C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
22:07:32.0593 0408 LVPr2Mon - ok
22:07:32.0703 0408 [ 0DDFDCAA92C7F553328DB06BA599BEA9 ] LVPrcSrv C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
22:07:32.0703 0408 LVPrcSrv - ok
22:07:32.0968 0408 [ A240E42A7402E927A71B6E8AA4629B13 ] LVUVC C:\WINDOWS\system32\DRIVERS\lvuvc.sys
22:07:33.0203 0408 LVUVC - ok
22:07:33.0265 0408 [ 4470E3C1E0C3378E4CAB137893C12C3A ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys
22:07:33.0281 0408 MBAMProtector - ok
22:07:33.0390 0408 [ 65085456FD9A74D7F1A999520C299ECB ] MBAMScheduler C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
22:07:33.0406 0408 MBAMScheduler - ok
22:07:33.0484 0408 [ E0D7732F2D2E24B2DB3F67B6750295B8 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
22:07:33.0531 0408 MBAMService - ok
22:07:33.0640 0408 [ F8B823414A22DBF3BEC10DCAA5F93CD8 ] McciCMService C:\Program Files\Common Files\Motive\McciCMService.exe
22:07:33.0703 0408 McciCMService - ok
22:07:33.0796 0408 [ 8032C19788025BAB2B157AE0BA90B009 ] MDM C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
22:07:33.0812 0408 MDM - ok
22:07:33.0890 0408 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
22:07:33.0890 0408 Messenger - ok
22:07:33.0953 0408 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
22:07:33.0953 0408 mnmdd - ok
22:07:34.0015 0408 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe
22:07:34.0031 0408 mnmsrvc - ok
22:07:34.0078 0408 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
22:07:34.0078 0408 Modem - ok
22:07:34.0156 0408 [ 1992E0D143B09653AB0F9C5E04B0FD65 ] MODEMCSA C:\WINDOWS\system32\drivers\MODEMCSA.sys
22:07:34.0171 0408 MODEMCSA - ok
22:07:34.0218 0408 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:07:34.0218 0408 Mouclass - ok
22:07:34.0250 0408 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:07:34.0250 0408 mouhid - ok
22:07:34.0296 0408 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
22:07:34.0296 0408 MountMgr - ok
22:07:34.0328 0408 mraid35x - ok
22:07:34.0406 0408 [ 9BD4DCB5412921864A7AACDEDFBD1923 ] MREMP50 C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
22:07:34.0406 0408 MREMP50 - ok
22:07:34.0421 0408 MREMPR5 - ok
22:07:34.0453 0408 MRENDIS5 - ok
22:07:34.0500 0408 [ 07C02C892E8E1A72D6BF35004F0E9C5E ] MRESP50 C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
22:07:34.0500 0408 MRESP50 - ok
22:07:34.0531 0408 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:07:34.0546 0408 MRxDAV - ok
22:07:34.0625 0408 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:07:34.0640 0408 MRxSmb - ok
22:07:34.0703 0408 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\System32\msdtc.exe
22:07:34.0703 0408 MSDTC - ok
22:07:34.0765 0408 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
22:07:34.0765 0408 Msfs - ok
22:07:34.0843 0408 [ 877FFD0FB093B80F5ED6BA64D7921881 ] Msikbd2k C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
22:07:34.0843 0408 Msikbd2k - ok
22:07:34.0859 0408 MSIServer - ok
22:07:34.0906 0408 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:07:34.0921 0408 MSKSSRV - ok
22:07:34.0968 0408 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:07:34.0968 0408 MSPCLOCK - ok
22:07:35.0031 0408 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
22:07:35.0046 0408 MSPQM - ok
22:07:35.0093 0408 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:07:35.0093 0408 mssmbios - ok
22:07:35.0140 0408 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
22:07:35.0140 0408 MSTEE - ok
22:07:35.0218 0408 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
22:07:35.0218 0408 Mup - ok
22:07:35.0265 0408 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:07:35.0265 0408 NABTSFEC - ok
22:07:35.0359 0408 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
22:07:35.0406 0408 napagent - ok
22:07:35.0468 0408 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
22:07:35.0468 0408 NDIS - ok
22:07:35.0515 0408 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:07:35.0515 0408 NdisIP - ok
22:07:35.0578 0408 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:07:35.0578 0408 NdisTapi - ok
22:07:35.0625 0408 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:07:35.0625 0408 Ndisuio - ok
22:07:35.0671 0408 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:07:35.0671 0408 NdisWan - ok
22:07:35.0734 0408 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
22:07:35.0750 0408 NDProxy - ok
22:07:35.0781 0408 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
22:07:35.0781 0408 NetBIOS - ok
22:07:35.0843 0408 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
22:07:35.0843 0408 NetBT - ok
22:07:35.0921 0408 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
22:07:35.0921 0408 NetDDE - ok
22:07:35.0953 0408 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
22:07:35.0953 0408 NetDDEdsdm - ok
22:07:36.0046 0408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\System32\lsass.exe
22:07:36.0046 0408 Netlogon - ok
22:07:36.0093 0408 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
22:07:36.0093 0408 Netman - ok
22:07:36.0171 0408 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
22:07:36.0187 0408 NetTcpPortSharing - ok
22:07:36.0234 0408 [ 522215532916836B9CA19EE30658F3C1 ] Nhksrv C:\WINDOWS\Nhksrv.exe
22:07:36.0625 0408 Nhksrv - ok
22:07:36.0703 0408 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
22:07:36.0718 0408 Nla - ok
22:07:36.0765 0408 [ CFE3462A9E94A57DCD9676F6B7FE7F67 ] nmwcd C:\WINDOWS\system32\drivers\ccdcmb.sys
22:07:36.0781 0408 nmwcd - ok
22:07:36.0843 0408 [ 8F2A94F991F8C73CEC26B4B5620D1EDC ] nmwcdc C:\WINDOWS\system32\drivers\ccdcmbo.sys
22:07:36.0843 0408 nmwcdc - ok
22:07:36.0921 0408 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
22:07:36.0921 0408 Npfs - ok
22:07:36.0984 0408 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
22:07:37.0000 0408 Ntfs - ok
22:07:37.0046 0408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\System32\lsass.exe
22:07:37.0046 0408 NtLmSsp - ok
22:07:37.0125 0408 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
22:07:37.0171 0408 NtmsSvc - ok
22:07:37.0234 0408 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
22:07:37.0234 0408 Null - ok
22:07:37.0359 0408 [ 71DBDC08DF86B80511E72953FA1AD6B0 ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:07:37.0453 0408 nv - ok
22:07:37.0515 0408 [ 5ED834603C36414B579979B3A9C90F54 ] NVSvc C:\WINDOWS\system32\nvsvc32.exe
22:07:37.0531 0408 NVSvc - ok
22:07:37.0578 0408 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:07:37.0578 0408 NwlnkFlt - ok
22:07:37.0671 0408 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:07:37.0671 0408 NwlnkFwd - ok
22:07:37.0750 0408 [ C720C25B2D0C93DC425155F5B6A707F3 ] ossrv C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
22:07:37.0750 0408 ossrv - ok
22:07:37.0828 0408 [ F051107FF80F132882E71E3A5D302EC1 ] P16X C:\WINDOWS\system32\drivers\P16X.sys
22:07:37.0906 0408 P16X - ok
22:07:37.0968 0408 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
22:07:37.0968 0408 Parport - ok
22:07:38.0015 0408 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
22:07:38.0015 0408 PartMgr - ok
22:07:38.0062 0408 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
22:07:38.0062 0408 ParVdm - ok
22:07:38.0093 0408 pccsmcfd - ok
22:07:38.0140 0408 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
22:07:38.0156 0408 PCI - ok
22:07:38.0171 0408 PCIDump - ok
22:07:38.0203 0408 PCIIde - ok
22:07:38.0265 0408 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
22:07:38.0265 0408 Pcmcia - ok
22:07:38.0296 0408 PDCOMP - ok
22:07:38.0328 0408 PDFRAME - ok
22:07:38.0359 0408 PDRELI - ok
22:07:38.0406 0408 PDRFRAME - ok
22:07:38.0421 0408 perc2 - ok
22:07:38.0453 0408 perc2hib - ok
22:07:38.0578 0408 [ C8A2D6FF660AC601B7BB9A9B16A5C25E ] PfModNT C:\WINDOWS\System32\drivers\PfModNT.sys
22:07:38.0578 0408 PfModNT - ok
22:07:38.0625 0408 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
22:07:38.0625 0408 PlugPlay - ok
22:07:38.0703 0408 [ D0BE72557DE73ACABBAB536496D23115 ] Point32 C:\WINDOWS\system32\DRIVERS\point32.sys
22:07:38.0703 0408 Point32 - ok
22:07:38.0750 0408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\System32\lsass.exe
22:07:38.0750 0408 PolicyAgent - ok
22:07:38.0812 0408 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:07:38.0812 0408 PptpMiniport - ok
22:07:38.0843 0408 [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys
22:07:38.0843 0408 Processor - ok
22:07:38.0875 0408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
22:07:38.0875 0408 ProtectedStorage - ok
22:07:38.0937 0408 [ 0E2EB30605CA6ED2509D59AF6A7362B4 ] Ps2 C:\WINDOWS\system32\DRIVERS\PS2.sys
22:07:38.0937 0408 Ps2 - ok
22:07:38.0984 0408 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
22:07:38.0984 0408 PSched - ok
22:07:39.0046 0408 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:07:39.0046 0408 Ptilink - ok
22:07:39.0078 0408 ql1080 - ok
22:07:39.0109 0408 Ql10wnt - ok
22:07:39.0140 0408 ql12160 - ok
22:07:39.0187 0408 ql1240 - ok
22:07:39.0203 0408 ql1280 - ok
22:07:39.0265 0408 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:07:39.0265 0408 RasAcd - ok
22:07:39.0328 0408 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
22:07:39.0328 0408 RasAuto - ok
22:07:39.0390 0408 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:07:39.0390 0408 Rasl2tp - ok
22:07:39.0468 0408 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
22:07:39.0484 0408 RasMan - ok
22:07:39.0531 0408 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:07:39.0531 0408 RasPppoe - ok
22:07:39.0562 0408 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
22:07:39.0562 0408 Raspti - ok
22:07:39.0625 0408 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:07:39.0625 0408 Rdbss - ok
22:07:39.0671 0408 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:07:39.0671 0408 RDPCDD - ok
22:07:39.0718 0408 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:07:39.0765 0408 rdpdr - ok
22:07:39.0843 0408 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
22:07:39.0859 0408 RDPWD - ok
22:07:39.0937 0408 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
22:07:39.0953 0408 RDSessMgr - ok
22:07:40.0031 0408 [ 89525CC2DBAD44F7199B9CC188B3F9C5 ] RealNetworks Downloader Resolver Service C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
22:07:40.0031 0408 RealNetworks Downloader Resolver Service - ok
22:07:40.0078 0408 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
22:07:40.0078 0408 redbook - ok
22:07:40.0140 0408 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
22:07:40.0140 0408 RemoteAccess - ok
22:07:40.0218 0408 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
22:07:40.0218 0408 RemoteRegistry - ok
22:07:40.0312 0408 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\System32\locator.exe
22:07:40.0328 0408 RpcLocator - ok
22:07:40.0390 0408 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll
22:07:40.0390 0408 RpcSs - ok
22:07:40.0468 0408 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\System32\rsvp.exe
22:07:40.0468 0408 RSVP - ok
22:07:40.0562 0408 [ 463B8AC0130ADF01A85DAEBF646B3DB3 ] RTLWUSB C:\WINDOWS\system32\DRIVERS\wg111v2.sys
22:07:40.0562 0408 RTLWUSB - ok
22:07:40.0593 0408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
22:07:40.0593 0408 SamSs - ok
22:07:40.0671 0408 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
22:07:40.0671 0408 SCardSvr - ok
22:07:40.0765 0408 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
22:07:40.0781 0408 Schedule - ok
22:07:40.0859 0408 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:07:40.0859 0408 Secdrv - ok
22:07:40.0921 0408 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
22:07:40.0937 0408 seclogon - ok
22:07:40.0984 0408 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
22:07:40.0984 0408 SENS - ok
22:07:41.0031 0408 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
22:07:41.0031 0408 serenum - ok
22:07:41.0093 0408 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
22:07:41.0093 0408 Serial - ok
22:07:41.0171 0408 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
22:07:41.0171 0408 Sfloppy - ok
22:07:41.0265 0408 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
22:07:41.0281 0408 SharedAccess - ok
22:07:41.0328 0408 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
22:07:41.0328 0408 ShellHWDetection - ok
22:07:41.0359 0408 Simbad - ok
22:07:41.0406 0408 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:07:41.0406 0408 SLIP - ok
22:07:41.0468 0408 Sparrow - ok
22:07:41.0531 0408 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
22:07:41.0531 0408 splitter - ok
22:07:41.0593 0408 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
22:07:41.0593 0408 Spooler - ok
22:07:41.0640 0408 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
22:07:41.0640 0408 sr - ok
22:07:41.0703 0408 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\System32\srsvc.dll
22:07:41.0718 0408 srservice - ok
22:07:41.0812 0408 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
22:07:41.0828 0408 Srv - ok
22:07:41.0890 0408 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
22:07:41.0890 0408 SSDPSRV - ok
22:07:41.0968 0408 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
22:07:42.0031 0408 stisvc - ok
22:07:42.0093 0408 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:07:42.0093 0408 streamip - ok
22:07:42.0140 0408 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
22:07:42.0140 0408 swenum - ok
22:07:42.0187 0408 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
22:07:42.0187 0408 swmidi - ok
22:07:42.0218 0408 SwPrv - ok
22:07:42.0281 0408 symc810 - ok
22:07:42.0312 0408 symc8xx - ok
22:07:42.0343 0408 sym_hi - ok
22:07:42.0359 0408 sym_u3 - ok
22:07:42.0421 0408 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
22:07:42.0421 0408 sysaudio - ok
22:07:42.0484 0408 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
22:07:42.0484 0408 SysmonLog - ok
22:07:42.0546 0408 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
22:07:42.0562 0408 TapiSrv - ok
22:07:42.0640 0408 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:07:42.0671 0408 Tcpip - ok
22:07:42.0750 0408 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
22:07:42.0750 0408 TDPIPE - ok
22:07:42.0781 0408 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
22:07:42.0781 0408 TDTCP - ok
22:07:42.0828 0408 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
22:07:42.0828 0408 TermDD - ok
22:07:42.0906 0408 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
22:07:42.0953 0408 TermService - ok
22:07:43.0000 0408 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
22:07:43.0015 0408 Themes - ok
22:07:43.0062 0408 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\System32\tlntsvr.exe
22:07:43.0078 0408 TlntSvr - ok
22:07:43.0109 0408 TosIde - ok
22:07:43.0171 0408 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
22:07:43.0187 0408 TrkWks - ok
22:07:43.0265 0408 [ E266683FC95ABDEC17CD378564E1B54B ] TVICHW32 C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
22:07:43.0265 0408 TVICHW32 - ok
22:07:43.0312 0408 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
22:07:43.0328 0408 Udfs - ok
22:07:43.0359 0408 ultra - ok
22:07:43.0437 0408 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
22:07:43.0453 0408 Update - ok
22:07:43.0515 0408 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
22:07:43.0531 0408 upnphost - ok
22:07:43.0609 0408 [ EC01DA44B090D2651FC032C8B9257232 ] upperdev C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
22:07:43.0609 0408 upperdev - ok
22:07:43.0671 0408 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
22:07:43.0671 0408 UPS - ok
22:07:43.0734 0408 [ EAFE1E00739AFE6C51487A050E772E17 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
22:07:43.0734 0408 USBAAPL - ok
22:07:43.0812 0408 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
22:07:43.0812 0408 usbaudio - ok
22:07:43.0875 0408 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:07:43.0875 0408 usbccgp - ok
22:07:43.0937 0408 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:07:43.0937 0408 usbehci - ok
22:07:44.0000 0408 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:07:44.0000 0408 usbhub - ok
22:07:44.0046 0408 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:07:44.0046 0408 usbprint - ok
22:07:44.0078 0408 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:07:44.0078 0408 usbscan - ok
22:07:44.0140 0408 [ 1C888B000C2F9492F4B15B5B6B84873E ] usbser C:\WINDOWS\system32\drivers\usbser.sys
22:07:44.0140 0408 usbser - ok
22:07:44.0203 0408 [ 4ABD37CFBD710E64F01F9DA8710C73F7 ] UsbserFilt C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
22:07:44.0203 0408 UsbserFilt - ok
22:07:44.0234 0408 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:07:44.0234 0408 USBSTOR - ok
22:07:44.0281 0408 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:07:44.0281 0408 usbuhci - ok
22:07:44.0328 0408 [ 63BBFCA7F390F4C49ED4B96BFB1633E0 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
22:07:44.0328 0408 usbvideo - ok
22:07:44.0406 0408 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
22:07:44.0406 0408 VgaSave - ok
22:07:44.0437 0408 ViaIde - ok
22:07:44.0468 0408 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
22:07:44.0468 0408 VolSnap - ok
22:07:44.0546 0408 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
22:07:44.0562 0408 VSS - ok
22:07:44.0640 0408 [ 16409C468CEEE99B6B129FCAA5C0F206 ] vulfnths C:\WINDOWS\System32\Drivers\vulfnth.sys
22:07:44.0640 0408 vulfnths - ok
22:07:44.0687 0408 [ E76FB35E30FB885124479A4A0ACA3923 ] vulfntrs C:\WINDOWS\System32\Drivers\vulfntr.sys
22:07:44.0687 0408 vulfntrs - ok
22:07:44.0750 0408 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\System32\w32time.dll
22:07:44.0765 0408 W32Time - ok
22:07:44.0828 0408 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:07:44.0828 0408 Wanarp - ok
22:07:44.0890 0408 [ DC7F91B2ED24A738C807EA07F298928C ] wceusbsh C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
22:07:44.0890 0408 wceusbsh - ok
22:07:44.0984 0408 [ D918617B46457B9AC28027722E30F647 ] Wdf01000 C:\WINDOWS\system32\Drivers\wdf01000.sys
22:07:45.0000 0408 Wdf01000 - ok
22:07:45.0031 0408 WDICA - ok
22:07:45.0109 0408 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
22:07:45.0125 0408 wdmaud - ok
22:07:45.0171 0408 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
22:07:45.0171 0408 WebClient - ok
22:07:45.0265 0408 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
22:07:45.0281 0408 winmgmt - ok
22:07:45.0437 0408 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
22:07:45.0468 0408 WmdmPmSN - ok
22:07:45.0562 0408 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
22:07:45.0593 0408 Wmi - ok
22:07:45.0687 0408 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe
22:07:45.0703 0408 WmiApSrv - ok
22:07:45.0828 0408 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
22:07:45.0859 0408 WMPNetworkSvc - ok
22:07:45.0937 0408 [ CF4DEF1BF66F06964DC0D91844239104 ] WpdUsb C:\WINDOWS\system32\Drivers\wpdusb.sys
22:07:45.0937 0408 WpdUsb - ok
22:07:46.0000 0408 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:07:46.0000 0408 WS2IFSL - ok
22:07:46.0078 0408 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
22:07:46.0093 0408 wscsvc - ok
22:07:46.0156 0408 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:07:46.0156 0408 WSTCODEC - ok
22:07:46.0234 0408 [ EAA6324F51214D2F6718977EC9CE0DEF ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:07:46.0234 0408 WudfPf - ok
22:07:46.0281 0408 [ F91FF1E51FCA30B3C3981DB7D5924252 ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:07:46.0281 0408 WudfRd - ok
22:07:46.0343 0408 [ DDEE3682FE97037C45F4D7AB467CB8B6 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
22:07:46.0343 0408 WudfSvc - ok
22:07:46.0437 0408 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
22:07:46.0468 0408 WZCSVC - ok
22:07:46.0515 0408 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
22:07:46.0515 0408 xmlprov - ok
22:07:46.0593 0408 ================ Scan global ===============================
22:07:46.0609 0408 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
22:07:46.0671 0408 [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
22:07:46.0718 0408 [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
22:07:46.0750 0408 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
22:07:46.0750 0408 [Global] - ok
22:07:46.0765 0408 ================ Scan MBR ==================================
22:07:46.0796 0408 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
22:07:47.0015 0408 \Device\Harddisk0\DR0 - ok
22:07:47.0062 0408 [ 739B36F7A373FC81121D831231B6D311 ] \Device\Harddisk1\DR2
22:07:47.0593 0408 \Device\Harddisk1\DR2 - ok
22:07:47.0593 0408 ================ Scan VBR ==================================
22:07:47.0609 0408 [ 1086596E8A679CF460806CED6B8F6DEA ] \Device\Harddisk0\DR0\Partition1
22:07:47.0609 0408 \Device\Harddisk0\DR0\Partition1 - ok
22:07:47.0625 0408 [ FBE638CB666E8ABB5DEA7F454977D62D ] \Device\Harddisk1\DR2\Partition1
22:07:47.0640 0408 \Device\Harddisk1\DR2\Partition1 - ok
22:07:47.0640 0408 ============================================================
22:07:47.0640 0408 Scan finished
22:07:47.0640 0408 ============================================================
22:07:47.0671 0432 Detected object count: 0
22:07:47.0671 0432 Actual detected object count: 0
22:08:05.0750 0392 Deinitialize success

Title: Re: 139d2e78.exe again
Post by: Corrine on June 20, 2013, 01:38:08 AM

Its actually good that TDSSKiller didn't find anything, Peter. You can delete it from the computer. Unfortunately, 139d2e78.exe is a trojan downloader. Although original variants are old, in researching it, I see that there are new variants, which is likely what has infected your account.

Please follow the instructions at here (http://securitygarden.blogspot.com/2011/06/setting-up-microsoft-standalone-system.html) for running Windows Defender Offline. You will need a writable CD or DVD or a USB stick so you can "write" (save) Windows Defender Offline to it and boot your computer from that media to scan. Note that it will be a "boot scan", which means you will start the computer with the CD/DVD or USB in the computer.

In the event that does not allow you to provide the logs, since you use AVG as your antivirus solution, please follow the instructions for running the AVG Rescue CD (http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=68967).

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 20, 2013, 01:16:50 PM

OK. I've tried booting Windows Defender from a USB stick but with no success. I'm only given 4 options to boot from: Normal, Diskette Drive, Harddisk Drive C , and IDE CD-ROM Device. And yes, I did make sure I'd downloaded the 32 bit version.

I then tried to do it from a CD. Tried many times on different CD's but the best I ver got was a screen with a blue 'windows' graphic on t, followed by the message "Your computer needs to restart. Hold down the power button. Ref 0x0000005D "

I then tried creating an AVG Rescue CD, but can't get that to boot either . Again I tried it several times on different CD's (burned using Nero). I don't even get the blue windows graphic with this one. I've wasted a whole morning it seems :(

BTW I have discovered that my wife's account does have admin rights.

I also tried re-installing DDS but I'm still not getting logs with readable text - which I notice is being created in 'AuotCAD Script'.

Pete

Title: Re: 139d2e78.exe again
Post by: Corrine on June 20, 2013, 01:38:26 PM

Ok, since your wife's account has admin rights, that gives us a different avenue.

Please follow these instructions carefully.

Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html).

Now, please run ComboFix:

Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
Double-click ComboFix.exe on your desktop and follow the prompts.
As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC1.png&hash=29e6fe1eb864e58b4b66611caa7d7b6be84a47f8)

After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC2.png&hash=e111f6aa2d657579d44cabc5fb4258fd1dce26eb)

Click "Yes" to continue scanning for malware.

When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 20, 2013, 03:30:40 PM

I've run CombiFix - log below.

I had to do it twice as the first time it was interrupted near the end by a message from AVG and it didn't produce a log file .

The AVG message said it had detected a threat ('REGT.EXE') and I was asked to quarantine it (or ignore it, which I didn't want to do). I think this is probably because I had disabled AVG for 15 mins so I think it may have restarted at this point, before CombiFix had finished. Combifex then sent a message to say 'REGT is not recognised', or something like that.

So I disabled AVG again and re-ran CombiFix. Log follows.

ComboFix 13-06-20.01 - All of Us 20/06/2013 16:03:38.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.674 [GMT 1:00]
Running from: c:\documents and settings\All of Us\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All of Us\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\All of Us\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\All of Us\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\All of Us\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\All of Us\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\All of Us\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\All of Us\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\All of Us\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\All of Us\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\All of Us\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\All of Us\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\All of Us\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\All of Us\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\All of Us\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\All of Us\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\All of Us\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\All of Us\Application Data\alot\configurator\configurator.xml
c:\documents and settings\All of Us\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\All of Us\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\All of Us\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\All of Us\Application Data\alot\products\products.xml
c:\documents and settings\All of Us\Application Data\alot\products\products.xml.backup
c:\documents and settings\All of Us\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_2\images\default_1008_alot_map_widget_default.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_2\images\default_1008_alot_map_widget_default.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_3\images\default_1182_alot_map_guides.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_3\images\default_1182_alot_map_guides.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\clear.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\cloudy.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\default_1007_alot_weather_widget.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\mcloud.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\nclear.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\nmcloud.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\pcloud.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\rain.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_4\images\shower.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_5\images\default_1272_alot_map_travel.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_5\images\default_1272_alot_map_travel.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_6\images\default_1273_alot_map_guides.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_6\images\default_1273_alot_map_guides.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_7\images\default_1596_alot_mrkt_typewriter.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Button_7\images\default_1596_alot_mrkt_typewriter.png
c:\documents and settings\All of Us\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\All of Us\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\All of Us\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\All of Us\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\All of Us\Application Data\alot\toolbar.xml
c:\documents and settings\All of Us\Application Data\alot\toolbar.xml.backup
c:\documents and settings\All of Us\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\All of Us\Application Data\alot\Updater\Updater.xml
c:\documents and settings\All of Us\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\All of Us\GoToAssistDownloadHelper.exe
c:\documents and settings\All of Us\System\win_qs8.jqx
c:\windows\system32\c.bat
F:\Setup.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_npf
.
.
((((((((((((((((((((((((( Files Created from 2013-05-20 to 2013-06-20 )))))))))))))))))))))))))))))))
.
.
2013-06-20 14:49 . 2008-04-14 00:11   21504   -c--a-w-   c:\windows\system32\dllcache\hidserv.dll
2013-06-20 10:27 . 2008-05-02 13:25   465920   -c----w-   c:\windows\system32\dllcache\imapi2fs.dll
2013-06-20 10:27 . 2008-05-02 13:25   465920   ------w-   c:\windows\system32\imapi2fs.dll
2013-06-20 10:27 . 2008-05-02 13:25   317952   -c----w-   c:\windows\system32\dllcache\imapi2.dll
2013-06-20 10:27 . 2008-05-02 13:25   317952   ------w-   c:\windows\system32\imapi2.dll
2013-06-19 09:53 . 2013-06-19 09:53   --------   dc----w-   C:\Configuration
2013-06-18 07:46 . 2013-06-18 07:46   --------   d-----w-   c:\program files\Uniblue
2013-06-18 07:33 . 2013-06-18 07:33   --------   d-----w-   c:\windows\system32\wbem\Repository
2013-06-18 06:20 . 2013-06-18 06:20   --------   d-----w-   c:\documents and settings\All of Us\Local Settings\Application Data\Citrix
2013-05-29 20:22 . 2013-05-29 20:22   --------   d-----w-   c:\documents and settings\All of Us\SyncFolder
2013-05-29 19:59 . 2013-06-19 09:21   --------   d-----w-   c:\program files\MyPC Backup
2013-05-29 19:59 . 2013-06-18 20:48   5404880   ----a-w-   c:\documents and settings\All Users\Application Data\pclunst.exe
2013-05-29 19:59 . 2013-06-19 07:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC1Data
2013-05-29 13:42 . 2013-05-29 19:14   --------   d-----w-   c:\program files\Webroot
2013-05-25 08:52 . 2013-05-25 08:52   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2013-05-25 08:52 . 2013-04-04 13:50   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-15 09:02 . 2012-12-13 15:58   692104   -c--a-w-   c:\windows\system32\FlashPlayerApp.exe
2013-05-15 09:02 . 2011-06-04 07:33   71048   -c--a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-16 22:17 . 2004-01-08 15:23   920064   ----a-w-   c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2001-08-23 12:00   43520   ------w-   c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2001-08-23 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 05:59   385024   ------w-   c:\windows\system32\html.iec
2013-04-11 02:18 . 2010-09-07 02:49   302368   -c--a-w-   c:\windows\system32\drivers\avgtdix.sys
2013-04-10 01:31 . 2001-08-23 12:00   1876352   ----a-w-   c:\windows\system32\win32k.sys
2013-04-02 07:58 . 2003-03-18 22:14   499712   -c--a-w-   c:\windows\system32\msvcp71.dll
2013-04-02 07:58 . 2003-02-21 04:42   348160   -c--a-w-   c:\windows\system32\msvcr71.dll
2007-12-24 08:03 . 2007-12-24 08:03   2293848   -c--a-w-   c:\program files\FLV PlayerFCSetup.exe
2007-10-13 22:44 . 2007-10-13 22:44   55088   -c--a-w-   c:\program files\MFInstall.exe
2007-02-13 07:01 . 2007-02-13 07:01   5727280   -c--a-w-   c:\program files\Firefox Setup 2.0.0.1.exe
2006-06-26 19:36 . 2006-06-26 19:36   3963304   -c--a-w-   c:\program files\MSASYNC.EXE
2005-10-15 07:38 . 2005-10-15 07:38   9624128   -c--a-w-   c:\program files\NapsterSetup-GB-3.1.1.8.exe
2005-06-26 22:22 . 2005-06-26 22:22   761344   -c--a-w-   c:\program files\ESS4CLEAR.exe
2005-01-21 00:53 . 2005-12-25 13:17   45056   -c----r-   c:\program files\SetAttrib.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\documents and settings\All of Us\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-05-19 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-2-10 745472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-10-07 22:05   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ     autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Documents and Settings\\All of Us\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\BearShare Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\iMesh Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 03:48 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 03:48 250080]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07/09/2010 03:49 302368]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [02/11/2012 04:51 5174392]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 193288]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/02/2007 14:18 66048]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [24/02/2005 10:43 28672]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 13:32 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 13:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 13:32 17232]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [24/02/2005 10:43 6942]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/05/2013 09:52 22856]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [10/02/2007 14:18 167808]
S4 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [25/05/2013 09:52 418376]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/05/2013 09:52 701512]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [06/03/2013 02:21 39056]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?id=2&vv=700&lc=1033
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: bbc.co.uk\www
Trusted Zone: hotmail.com\www
Trusted Zone: tiscali.co.uk\www
TCP: DhcpNameServer = 192.168.0.1
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKU-Default-Run-NTSF MICROSOFT SYSTEM - fylez.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-20 16:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2884)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-06-20 16:17:16
ComboFix-quarantined-files.txt 2013-06-20 15:17
.
Pre-Run: 8,145,833,984 bytes free
Post-Run: 8,117,256,192 bytes free
.
- - End Of File - - 46F4E9DD3EAD14ACB4B93CB47D3F2411
8F558EB6672622401DA993E1E865C861

Title: Re: 139d2e78.exe again
Post by: Corrine on June 20, 2013, 05:07:06 PM

Is there any change to your user account?

That log does not show any signs of the 139d2378.exe file. However, seeing the file association for .scr set to AutoCADScriptFile is a likely explanation as to why you had problems with DDS.scr. Please try the alternate version from here (http://download.bleepingcomputer.com/sUBs/dds.exe) as the additional information will be helpful.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 20, 2013, 07:01:13 PM

Here's dds.txt. Do you want Attach as well?

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by All of Us at 19:53:29 on 2013-06-20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.490 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Documents and Settings\All of Us\Application Data\Spotify\Data\SpotifyWebHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://login.live.com/login.srf?id=2&vv=700&lc=1033
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg2012\avgssie.dll
BHO: EWPBrowseObject Class: {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [Spotify Web Helper] "c:\documents and settings\all of us\application data\spotify\data\SpotifyWebHelper.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-System: HideShutdownScripts = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{942D3D83-9953-4E89-B7F4-CD01E1AD0915} : DHCPNameServer = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class - {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\program files\markany\contentsafer\MACSMANAGER.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 250080]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 302368]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-2-10 66048]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2005-2-24 28672]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2005-2-24 6942]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-11-2 5174392]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-25 22856]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2007-2-10 167808]
S4 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-25 418376]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-25 701512]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2013-3-6 39056]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile="c:\windows\notepad.exe" "%1"
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~2\office10\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2013-06-20 14:49:33   21504   -c--a-w-   c:\windows\system32\dllcache\hidserv.dll
2013-06-20 14:34:31   --------   dcsha-r-   C:\cmdcons
2013-06-20 14:32:34   98816   ----a-w-   c:\windows\sed.exe
2013-06-20 14:32:34   256000   ----a-w-   c:\windows\PEV.exe
2013-06-20 14:32:34   208896   ----a-w-   c:\windows\MBR.exe
2013-06-20 10:27:16   465920   -c----w-   c:\windows\system32\dllcache\imapi2fs.dll
2013-06-20 10:27:16   465920   ------w-   c:\windows\system32\imapi2fs.dll
2013-06-20 10:27:16   317952   -c----w-   c:\windows\system32\dllcache\imapi2.dll
2013-06-20 10:27:16   317952   ------w-   c:\windows\system32\imapi2.dll
2013-06-19 09:53:26   --------   dc----w-   C:\Configuration
2013-06-18 07:46:55   --------   d-----w-   c:\program files\Uniblue
2013-06-18 07:33:27   --------   d-----w-   c:\windows\system32\wbem\repository\FS
2013-06-18 07:33:26   --------   d-----w-   c:\windows\system32\wbem\Repository
2013-06-18 06:20:22   --------   d-----w-   c:\documents and settings\all of us\local settings\application data\Citrix
2013-05-29 20:22:46   --------   d-----w-   c:\documents and settings\all of us\SyncFolder
2013-05-29 19:59:55   --------   d-----w-   c:\program files\MyPC Backup
2013-05-29 19:59:03   5404880   ----a-w-   c:\documents and settings\all users\application data\pclunst.exe
2013-05-29 19:59:00   --------   d-----w-   c:\documents and settings\all users\application data\PC1Data
2013-05-29 13:42:36   --------   d-----w-   c:\program files\Webroot
2013-05-25 08:52:41   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-05-25 08:52:41   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2013-05-15 09:02:31   71048   -c--a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-15 09:02:31   692104   -c--a-w-   c:\windows\system32\FlashPlayerApp.exe
2013-04-16 22:17:15   920064   ----a-w-   c:\windows\system32\wininet.dll
2013-04-16 22:17:14   43520   ------w-   c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2013-04-12 23:28:55   385024   ------w-   c:\windows\system32\html.iec
2013-04-11 02:18:40   302368   -c--a-w-   c:\windows\system32\drivers\avgtdix.sys
2013-04-10 01:31:19   1876352   ----a-w-   c:\windows\system32\win32k.sys
2013-04-02 07:58:42   499712   -c--a-w-   c:\windows\system32\msvcp71.dll
2013-04-02 07:58:42   348160   -c--a-w-   c:\windows\system32\msvcr71.dll
2007-12-24 08:03:22   2293848   -c--a-w-   c:\program files\FLV PlayerFCSetup.exe
2007-10-13 22:44:21   55088   -c--a-w-   c:\program files\MFInstall.exe
2007-02-13 07:01:55   5727280   -c--a-w-   c:\program files\Firefox Setup 2.0.0.1.exe
2006-06-26 19:36:08   3963304   -c--a-w-   c:\program files\MSASYNC.EXE
2005-10-15 07:38:31   9624128   -c--a-w-   c:\program files\NapsterSetup-GB-3.1.1.8.exe
2005-06-26 22:22:57   761344   -c--a-w-   c:\program files\ESS4CLEAR.exe
2005-01-21 00:53:22   45056   -c----r-   c:\program files\SetAttrib.exe
.
============= FINISH: 19:55:42.95 ===============

Title: Re: 139d2e78.exe again
Post by: Corrine on June 20, 2013, 08:26:24 PM

Yes, please copy/paste Attach.txt.

Was DDS run from your account or your wife's account?

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 20, 2013, 08:59:16 PM

Soory, I forgot say that no, I still can't get into my account. I'm still using my wife's ...

.

DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 23/02/2005 17:15:29
System Uptime: 20/06/2013 19:45:51 (0 hours ago)
.
Motherboard: Dell Computer Corp. | |
Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2651/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 7.55 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 451.3 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: C-DillaCdaC11BA
Device ID: ROOT\LEGACY_C-DILLACDAC11BA\0000
Manufacturer:
Name: C-DillaCdaC11BA
PNP Device ID: ROOT\LEGACY_C-DILLACDAC11BA\0000
Service:
.
==== System Restore Points ===================
.
RP1791: 27/03/2013 07:45:49 - System Checkpoint
RP1792: 28/03/2013 08:37:35 - System Checkpoint
RP1793: 04/04/2013 08:54:06 - System Checkpoint
RP1794: 10/04/2013 10:40:19 - System Checkpoint
RP1795: 10/04/2013 16:25:47 - Software Distribution Service 3.0
RP1796: 12/04/2013 15:24:11 - System Checkpoint
RP1797: 15/04/2013 14:43:02 - System Checkpoint
RP1798: 17/04/2013 09:39:34 - System Checkpoint
RP1799: 20/04/2013 10:58:39 - System Checkpoint
RP1800: 21/04/2013 23:07:54 - System Checkpoint
RP1801: 23/04/2013 09:45:17 - System Checkpoint
RP1802: 25/04/2013 22:26:06 - System Checkpoint
RP1803: 29/04/2013 09:34:59 - System Checkpoint
RP1804: 02/05/2013 09:41:47 - System Checkpoint
RP1805: 03/05/2013 08:31:01 - Printer Driver CUSTPDF Writer Installed
RP1806: 03/05/2013 11:52:19 - Removed greenstreet Publisher 4 Home Edition
RP1807: 05/05/2013 18:20:11 - System Checkpoint
RP1808: 07/05/2013 20:22:55 - System Checkpoint
RP1809: 08/05/2013 20:50:32 - System Checkpoint
RP1810: 15/05/2013 06:26:05 - System Checkpoint
RP1811: 15/05/2013 15:52:54 - Software Distribution Service 3.0
RP1812: 18/05/2013 08:49:55 - System Checkpoint
RP1813: 20/05/2013 15:02:47 - System Checkpoint
RP1814: 24/05/2013 10:54:07 - System Checkpoint
RP1815: 30/05/2013 12:58:50 - System Checkpoint
RP1816: 03/06/2013 15:02:45 - System Checkpoint
RP1817: 17/06/2013 11:40:23 - System Checkpoint
RP1818: 18/06/2013 08:32:35 - Restore Operation
RP1819: 18/06/2013 08:50:01 - Restore Operation
RP1820: 19/06/2013 09:13:34 - System Checkpoint
RP1821: 20/06/2013 10:46:22 - Removed Windows Media Player Firefox Plugin
RP1822: 20/06/2013 11:31:16 - Installed Windows XP KB932716-v2.
.
==== Installed Programs ======================
.
4oD
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop 6.0
Adobe Reader X (10.1.7)
Adobe Shockwave Player 11
Adobe SVG Viewer
Ahead Nero Burning ROM
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft MediaImpression 2
AVG 2012
AVS Screen Capture version 2.0.1
AVS Update Manager 1.0
AVS Video Editor 6
AVS Video Recorder 2.5
AVS4YOU Software Navigator 1.4
BCM V.92 56K Modem
BearShare
BT Broadband Desktop Help
BT Broadband Support Tools
Canon MP Navigator EX 1.2
Canon MP160 User Registration
Canon MP190 series MP Drivers
Canon MP190 series User Registration
Canon Utilities CameraWindow DC 8
Canon Utilities ImageBrowser EX
Canon Utilities My Printer
Canon Utilities PhotoStitch
Canon Utilities Solution Menu
Citrix Web Client
Compatibility Pack for the 2007 Office system
CyberTweak Version 1.3 Final
Dan Elwell's Broadband Speed Test
Easy-WebPrint
ecobutton
EmoDio
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.5
Free PDF to Word Doc Converter v1.1
Google Earth Plug-in
Google Update Helper
GoToAssist Corporate
greenstreet Publisher 4 Home Edition
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB932716-v2)
Intel(R) PRO Ethernet Adapter and Software
iTunes
Java Auto Updater
Java(TM) 6 Update 24
Juniper Networks, Inc. Setup Client Activex Control
Logitech Webcam Software
Logitech Webcam Software Driver Package
Malwarebytes Anti-Malware version 1.75.0.1300
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.5
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Project 2000
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSVC80_x86_v2
MSVC90_x86
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nokia Connectivity Cable Driver
Nokia Ovi Suite
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
OGA Notifier 2.0.0048.0
OLYMPUS CAMEDIA Master 4.2
Ovi Desktop Sync Engine
OviMPlatform
PC Pitstop Optimize 1.0v
QuickTime
RealDownloader
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealNetworks - Microsoft Visual C++ 2010 Runtime
RealPlayer
RealUpgrade 1.1
ScanSoft OmniPage SE 4.0
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Segoe UI
SmartFTP Client
Sound Blaster Live!
Spotify
Uniblue DriverScanner
Uniblue PowerSuite
Uniblue RegistryBooster
Uniblue SpeedUpMyPC
Uninstall Startup Inspector
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB971029)
WebFldrs XP
WG111v2 Configuration Utility
Wincore MediaBar
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip
.
==== Event Viewer Messages From Past Week ========
.
20/06/2013 15:53:17, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.
20/06/2013 15:31:49, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
20/06/2013 10:19:23, error: Print [19] - Sharing printer failed + 1722, Printer Canon MP190 series Printer share name Canon MP190 series Printer.
19/06/2013 14:56:12, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
19/06/2013 14:56:12, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
19/06/2013 14:56:12, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
19/06/2013 14:55:51, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
18/06/2013 09:08:31, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
18/06/2013 08:00:45, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips intelppm
18/06/2013 08:00:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
18/06/2013 06:38:59, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
18/06/2013 06:38:59, error: Service Control Manager [7000] - The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: The system cannot find the file specified.
17/06/2013 19:46:46, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
16/06/2013 10:54:07, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
.
==== End Of File ===========================

Title: Re: 139d2e78.exe again
Post by: Corrine on June 20, 2013, 10:59:08 PM

Thank you, Peter.

Below is a list of programs to be uninstalled, with a brief explanation why:

Bearshare is a P2P program. With P2P file sharing, what means do you have of identifying or authenticating the source of the download? In addition, a file can be distributed among many hosts, and peers will provide for download the sections that they have already downloaded. This results in the distinct possibility of a distribution method in which malicious bits are mixed with with good files.
Java has had critical security updates and will need to be updated if it is really needed. At this point, let's just uninstall the old version.
I hope you haven't run Uniblue or PC Pitstop Optimize as programs of this nature tend to do more harm than good and tend to damage the registry.

Please uninstall:

BearShare
Java(TM) 6 Update 24
PC Pitstop Optimize 1.0v
Uniblue DriverScanner
Uniblue PowerSuite
Uniblue RegistryBooster
Uniblue SpeedUpMyPC

We'll get to Adobe Reader later. First, let's take a look at a different set of logs. After removing the above, restart the computer and please download the 32-bit version of Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 21, 2013, 08:25:55 AM

Thanks.

I have uninstalled Bearshare (which I haven't used for a couple of years) but it still appears in my Add or Remove programs list.

I have uninstalled PC Pitstop Optimize

I can't uninstall Java (TM) 6 Update 24. I get a message to say 'Windows Installer Service cannot be accessed'.

I tried to uninstall all the Uniblue programs but for each of them I get a message to say ' \(program name)\unins000.msg is missing. Cannot uninstall ' Except for Powersuite for which the message reads '\PowerSuite\unins0000.dat does not exist.'

One other thing: For many years I've been unable to remove the program called greenstreet Publisher 4 Home Edition.

Title: Re: 139d2e78.exe again
Post by: Corrine on June 21, 2013, 09:45:39 PM

Hi, Peter.

Please use JavaRa to remove Java. Use the "Remove JRE" option. It is available from here: http://singularlabs.com/software/javara/ Since most people do not need Java these days, we'll get back to whether or not you need to install the current version later. My goal here is to get the vulnerable/potentially dangerous programs off your computer.

Let's see if we can take care of those files with ComboFix. Be patient if it takes a bit to process them.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:

Code Select


Folder::
c:\program files\greenstreet Publisher 4 Home Edition
c:\program files\Uniblue DriverScanner
c:\program files\Uniblue PowerSuite
c:\program files\Uniblue RegistryBooster
c:\program files\Uniblue SpeedUpMyPC

Save this as CFScript.txt and place it on your desktop.
Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_CFScript.gif&hash=19cdd291c9ded999b7ed69b7a82ebed7c9d0ab01)

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

After that, please follow the instructions above for Farbar's Recovery Scan Tool.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 22, 2013, 07:33:20 AM

OK here's the lates ComboFix log...

ComboFix 13-06-22.01 - All of Us 22/06/2013 8:12.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.638 [GMT 1:00]
Running from: c:\documents and settings\All of Us\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\All of Us\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2013-05-22 to 2013-06-22 )))))))))))))))))))))))))))))))
.
.
2013-06-21 07:28 . 2013-06-21 07:28   --------   d-----w-   c:\documents and settings\All of Us\Local Settings\Application Data\PackageAware
2013-06-20 14:49 . 2008-04-14 00:11   21504   -c--a-w-   c:\windows\system32\dllcache\hidserv.dll
2013-06-20 10:27 . 2008-05-02 13:25   465920   -c----w-   c:\windows\system32\dllcache\imapi2fs.dll
2013-06-20 10:27 . 2008-05-02 13:25   465920   ------w-   c:\windows\system32\imapi2fs.dll
2013-06-20 10:27 . 2008-05-02 13:25   317952   -c----w-   c:\windows\system32\dllcache\imapi2.dll
2013-06-20 10:27 . 2008-05-02 13:25   317952   ------w-   c:\windows\system32\imapi2.dll
2013-06-19 09:53 . 2013-06-19 09:53   --------   dc----w-   C:\Configuration
2013-06-18 07:46 . 2013-06-18 07:46   --------   d-----w-   c:\program files\Uniblue
2013-06-18 07:33 . 2013-06-18 07:33   --------   d-----w-   c:\windows\system32\wbem\Repository
2013-06-18 06:20 . 2013-06-18 06:20   --------   d-----w-   c:\documents and settings\All of Us\Local Settings\Application Data\Citrix
2013-05-29 20:22 . 2013-05-29 20:22   --------   d-----w-   c:\documents and settings\All of Us\SyncFolder
2013-05-29 19:59 . 2013-06-19 09:21   --------   d-----w-   c:\program files\MyPC Backup
2013-05-29 19:59 . 2013-06-18 20:48   5404880   ----a-w-   c:\documents and settings\All Users\Application Data\pclunst.exe
2013-05-29 19:59 . 2013-06-19 07:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC1Data
2013-05-29 13:42 . 2013-05-29 19:14   --------   d-----w-   c:\program files\Webroot
2013-05-25 08:52 . 2013-05-25 08:52   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2013-05-25 08:52 . 2013-04-04 13:50   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-15 09:02 . 2012-12-13 15:58   692104   -c--a-w-   c:\windows\system32\FlashPlayerApp.exe
2013-05-15 09:02 . 2011-06-04 07:33   71048   -c--a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2004-01-08 15:23   920064   ----a-w-   c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2001-08-23 12:00   43520   ------w-   c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2001-08-23 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2004-08-04 05:59   385024   ------w-   c:\windows\system32\html.iec
2013-05-03 01:26 . 2001-08-23 12:00   2193536   ----a-w-   c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2001-08-17 13:48   2070144   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2013-04-11 02:18 . 2010-09-07 02:49   302368   -c--a-w-   c:\windows\system32\drivers\avgtdix.sys
2013-04-10 01:31 . 2001-08-23 12:00   1876352   ----a-w-   c:\windows\system32\win32k.sys
2013-04-02 07:58 . 2003-03-18 22:14   499712   -c--a-w-   c:\windows\system32\msvcp71.dll
2013-04-02 07:58 . 2003-02-21 04:42   348160   -c--a-w-   c:\windows\system32\msvcr71.dll
2007-12-24 08:03 . 2007-12-24 08:03   2293848   -c--a-w-   c:\program files\FLV PlayerFCSetup.exe
2007-10-13 22:44 . 2007-10-13 22:44   55088   -c--a-w-   c:\program files\MFInstall.exe
2007-02-13 07:01 . 2007-02-13 07:01   5727280   -c--a-w-   c:\program files\Firefox Setup 2.0.0.1.exe
2006-06-26 19:36 . 2006-06-26 19:36   3963304   -c--a-w-   c:\program files\MSASYNC.EXE
2005-10-15 07:38 . 2005-10-15 07:38   9624128   -c--a-w-   c:\program files\NapsterSetup-GB-3.1.1.8.exe
2005-06-26 22:22 . 2005-06-26 22:22   761344   -c--a-w-   c:\program files\ESS4CLEAR.exe
2005-01-21 00:53 . 2005-12-25 13:17   45056   -c----r-   c:\program files\SetAttrib.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\documents and settings\All of Us\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-05-19 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-2-10 745472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ     autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Documents and Settings\\All of Us\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\BearShare Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\iMesh Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 03:48 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 03:48 250080]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07/09/2010 03:49 302368]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [02/11/2012 04:51 5174392]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 193288]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/02/2007 14:18 66048]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [24/02/2005 10:43 28672]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 13:32 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 13:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 13:32 17232]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [24/02/2005 10:43 6942]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/05/2013 09:52 22856]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [10/02/2007 14:18 167808]
S4 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [25/05/2013 09:52 418376]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/05/2013 09:52 701512]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [06/03/2013 02:21 39056]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?id=2&vv=700&lc=1033
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: bbc.co.uk\www
Trusted Zone: hotmail.com\www
Trusted Zone: tiscali.co.uk\www
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-22 08:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3212)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-06-22 08:26:02
ComboFix-quarantined-files.txt 2013-06-22 07:25
ComboFix2.txt 2013-06-22 07:00
ComboFix3.txt 2013-06-20 15:17
.
Pre-Run: 7,921,274,880 bytes free
Post-Run: 7,927,902,208 bytes free
.
- - End Of File - - E1AF95C4B1E1864C7D5694859C97AFDC
8F558EB6672622401DA993E1E865C861

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 22, 2013, 07:51:10 AM

And the Farbar log.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-06-2013 02
Ran by All of Us (administrator) on 22-06-2013 08:45:15
Running from C:\Documents and Settings\All of Us\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [461584 2005-12-04] (Microsoft Corporation)
HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
HKCU\...\Run: [Spotify Web Helper] "C:\Documents and Settings\All of Us\Application Data\Spotify\Data\SpotifyWebHelper.exe" [932528 2012-05-19] ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk
ShortcutTarget: WG111v2 Smart Wizard Wireless Setting.lnk -> C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe ()
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&vv=700&lc=1033
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD21} URL = http://dts.search-results.com/sr?src=ieb&appid=393&systemid=1&sr=0&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD22} URL = http://dts.search-results.com/sr?src=ieb&appid=102&systemid=2&sr=0&q={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
Toolbar: HKLM - Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU -No Name - {A057A204-BACC-4D26-9990-79A187E2698E} - No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: ipp - No CLSID Value -
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
ShellExecuteHooks: ShellHook Class - {88485281-8b4b-4f8d-9ede-82e29a064277} - C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [192512 2004-11-23] (MarkAny Cooperation.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\All of Us\Application Data\Mozilla\Firefox\Profiles\0hhuted3.default
FF Homepage: hxxp://search.bearshare.com
FF Keyword.URL: hxxp://dts.search-results.com/sr?src=ffb&appid=102&systemid=2&sr=0&q=
FF Extension: Wincore Mediabar - C:\Documents and Settings\All of Us\Application Data\Mozilla\Firefox\Profiles\0hhuted3.default\Extensions\{28387537-e3f9-4ed7-860c-11e69af4a8a0}
FF Extension: Wincore Mediabar - C:\Documents and Settings\All of Us\Application Data\Mozilla\Firefox\Profiles\0hhuted3.default\Extensions\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}
FF Extension: No Name - C:\Documents and Settings\All of Us\Application Data\Mozilla\Firefox\Profiles\0hhuted3.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi

========================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
S4 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96334 2009-09-08] (Canon Inc.)
S2 KService; C:\Program Files\Kontiki\KService.exe [3068352 2007-04-23] (Kontiki Inc.)
S4 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S4 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 Nhksrv; C:\Windows\Nhksrv.exe [28672 2001-08-06] ()
S4 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-03-06] ()
S2 helpsvc; %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dlles\pchsvc.dll

S4 HidServ; %SystemRoot%\System32\hidserv.dll
==================== Drivers (Whitelisted) ====================

S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [142176 2012-12-10] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [302368 2013-04-11] (AVG Technologies CZ, s.r.o.)
S3 BCMModem; C:\Windows\System32\DRIVERS\BCMSM.sys [1101696 2003-08-29] (Broadcom Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S2 EAPPkt; C:\Windows\System32\DRIVERS\EAPPkt.sys [66048 2005-04-01] (Windows (R) 2000 DDK provider)
S3 FilterService; C:\Windows\System32\DRIVERS\lvuvcflt.sys [23832 2009-10-07] (Logitech Inc.)
S3 genmcmn; C:\Windows\System32\DRIVERS\gmfiltr.sys [7812 2002-05-29] ( Emouse Driver )
R0 Imagedrv; C:\Windows\System32\DRIVERS\imagedrv.sys [89184 2003-03-29] (Ahead Software AG and its licensors)
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 MREMP50; C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2009-12-07] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2009-12-07] (Printing Communications Assoc., Inc. (PCAUSA))
R3 Msikbd2k; C:\Windows\System32\DRIVERS\msikbd2k.sys [6942 2000-10-03] (Netropa Corporation)
S3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-13] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 P16X; C:\Windows\System32\drivers\P16X.sys [1330048 2003-09-22] (Creative Technology Ltd.)
S2 PfModNT; C:\WINDOWS\System32\drivers\PfModNT.sys [15840 2003-03-05] (Creative Technology Ltd.)
S3 RTLWUSB; C:\Windows\System32\DRIVERS\wg111v2.sys [167808 2006-03-16] (NETGEAR Inc.)
S3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [11136 2008-04-13] (Microsoft Corporation)
S3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [15232 2008-04-13] (Microsoft Corporation)
S3 TVICHW32; C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS [23600 2006-05-01] (EnTech Taiwan)
R3 vulfnths; C:\Windows\System32\Drivers\vulfnth.sys [6912 2002-10-24] (VIA Technologies, Inc.)
R3 vulfntrs; C:\Windows\System32\Drivers\vulfntr.sys [10240 2002-10-31] (VIA Technologies, Inc.)
S3 wceusbsh; C:\Windows\System32\DRIVERS\wceusbsh.sys [104064 2004-12-06] (Microsoft Corporation)
S3 WSTCODEC; C:\Windows\System32\DRIVERS\WSTCODEC.SYS [19200 2008-04-13] (Microsoft Corporation)
S4 Abiosdsk; No ImagePath
S4 abp480n5; No ImagePath
S3 Ad-Watch Connect Filter; No ImagePath
S2 ADILOADER; System32\Drivers\adildr.sys
S3 adiusbaw; System32\DRIVERS\adiusbaw.sys
S4 adpu160m; No ImagePath
S4 Aha154x; No ImagePath
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 amsint; No ImagePath
S4 asc; No ImagePath
S4 asc3350p; No ImagePath
S4 asc3550; No ImagePath
S4 Atdisk; No ImagePath
S3 catchme; \??\C:\DOCUME~1\ALLOFU~1\LOCALS~1\Temp\catchme.sys
S4 cd20xrnt; No ImagePath
S1 Changer; No ImagePath
S4 CmdIde; No ImagePath
S4 Cpqarray; No ImagePath
U4 dac2w2k; No ImagePath
S4 dac960nt; No ImagePath
S4 dpti2o; No ImagePath
S4 hpn; No ImagePath
S4 hpt3xx; No ImagePath
S1 i2omgmt; No ImagePath
S4 i2omp; No ImagePath
S4 ini910u; No ImagePath
S1 lbrtfdc; No ImagePath
S4 mraid35x; No ImagePath
S3 MREMPR5; No ImagePath
S3 MRENDIS5; No ImagePath
S3 pccsmcfd; system32\DRIVERS\pccsmcfd.sys
S1 PCIDump; No ImagePath
S4 PCIIde; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 perc2; No ImagePath
S4 perc2hib; No ImagePath
S4 ql1080; No ImagePath
S4 Ql10wnt; No ImagePath
S4 ql12160; No ImagePath
S4 ql1240; No ImagePath
S4 ql1280; No ImagePath
S4 Simbad; No ImagePath
S4 Sparrow; No ImagePath
S4 symc810; No ImagePath
S4 symc8xx; No ImagePath
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S4 TosIde; No ImagePath
S4 ultra; No ImagePath
S4 ViaIde; No ImagePath
S3 WDICA; No ImagePath
U3 Winsock - Google Desktop Search Backup Before First Install; No ImagePath
U3 Winsock - Google Desktop Search Backup Before Last Install; No ImagePath

========================== Drivers MD5 =======================

C:\Windows\System32\DRIVERS\ACPI.sys 8FD99680A539792A30E97944FDAECF17
C:\Windows\System32\Drivers\ACPIEC.sys 9859C0F6936E723E4892D7141B1327D5
C:\Windows\System32\drivers\aec.sys 8BED39E3C35D6A489438B8141717A557
C:\Windows\System32\drivers\afd.sys 1E44BC1E83D8FD2305F8D452DB109CF9
C:\Windows\System32\DRIVERS\agp440.sys 08FD04AA961BDC77FB983F328334E3D7
C:\Windows\System32\DRIVERS\asyncmac.sys B153AFFAC761E7F5FCFA822B9C4E97BC
C:\Windows\System32\DRIVERS\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674
C:\Windows\System32\DRIVERS\atmarpc.sys 9916C1225104BA14794209CFA8012159
C:\Windows\System32\DRIVERS\audstub.sys D9F724AA26C010A217C97606B160ED68
C:\Windows\System32\DRIVERS\avgidsdriverx.sys EF67527CC2AD77D22AB1405C6470407E
C:\Windows\System32\DRIVERS\avgidsfilterx.sys 61A7E0B02F82CFF3DB2445BBE50B3589
C:\Windows\System32\DRIVERS\avgidshx.sys D63D83659EEDF60B3A3E620281A888E5
C:\Windows\System32\DRIVERS\avgidsshimx.sys BAF975B72062F53D327788E99D64197E
C:\Windows\System32\DRIVERS\avgldx86.sys 6671345A6E2669AF1966BAF68EC5620F
C:\Windows\System32\DRIVERS\avgmfx86.sys CCDD61545AAEA265977E4B1EFDC74E8C
C:\Windows\System32\DRIVERS\avgrkx86.sys 1FD90B28D2C3100BF4500199C8AD6358
C:\Windows\System32\DRIVERS\avgtdix.sys 1647C720358DCC98ACF51E597C461C4D
C:\Windows\System32\DRIVERS\BCMSM.sys 41347688046D49CDE0F6D138A534F73D
C:\Windows\System32\Drivers\Beep.sys DA1F27D85E0D1525F6621372E7B685E9
C:\Windows\System32\Drivers\cbidf2k.sys 90A673FC8E12A79AFBED2576F6A7AAF9
C:\Windows\System32\DRIVERS\CCDECODE.sys 0BE5AEF125BE881C4F854C554F2B025C
C:\Windows\System32\Drivers\Cdaudio.sys C1B486A7658353D33A10CC15211A873B
C:\Windows\System32\Drivers\Cdfs.sys C885B02847F5D2FD45A24E219ED93B32
C:\Windows\System32\DRIVERS\cdrom.sys 4B0A100EAF5C49EF3CCA8C641431EACC
C:\Windows\System32\DRIVERS\ctsfm2k.sys B459AE4AFCA570088ADDDBE55EABBC92
C:\Windows\System32\DRIVERS\disk.sys 044452051F3E02E7963599FC8F4F3E25
C:\Windows\System32\drivers\dmboot.sys D992FE1274BDE0F84AD826ACAE022A41
C:\Windows\System32\drivers\dmio.sys 7C824CF7BBDE77D95C08005717A95F6F
C:\Windows\System32\drivers\dmload.sys E9317282A63CA4D188C0DF5E09C6AC5F
C:\Windows\System32\drivers\DMusic.sys 8A208DFCF89792A484E76C40E5F50B45
C:\Windows\System32\drivers\drmkaud.sys 8F5FCFF8E8848AFAC920905FBD9D33C8
C:\Windows\System32\DRIVERS\e100b325.sys 842C20BA5D00FA40E5A25B20FECD0F57
C:\Windows\System32\DRIVERS\EAPPkt.sys EFACD8D57A42A93E244A0DBD357E8CB8
C:\Windows\System32\Drivers\Fastfat.sys 38D332A6D56AF32635675F132548343E
C:\Windows\System32\DRIVERS\fdc.sys 92CDD60B6730B9F50F6A1A0C1F8CDC81
C:\Windows\System32\DRIVERS\lvuvcflt.sys B73EC688C29F81F9DA0FCF63682B3ECB
C:\Windows\System32\Drivers\Fips.sys D45926117EB9FA946A6AF572FBE1CAA3
C:\Windows\System32\DRIVERS\flpydisk.sys 9D27E7B80BFCDF1CDD9B555862D5E7F0
C:\Windows\System32\drivers\fltmgr.sys B2CF4B0786F8212CB92ED2B50C6DB6B0
C:\Windows\System32\Drivers\Fs_Rec.sys 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A
C:\Windows\System32\DRIVERS\ftdisk.sys 6AC26732762483366C3969C9E4D2259D
C:\Windows\System32\DRIVERS\gameenum.sys 065639773D8B03F33577F6CDAEA21063
C:\Windows\System32\DRIVERS\GEARAspiWDM.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\gmfiltr.sys 8CA4DA1FC8C3FB098B1AADDDB111CD28
C:\Windows\System32\DRIVERS\msgpc.sys 0A02C63C8B144BD8C86B103DEE7C86A2
C:\Windows\System32\DRIVERS\hidusb.sys CCF82C5EC8A7326C3066DE870C06DAF1
C:\Windows\System32\Drivers\HTTP.sys F80A415EF82CD06FFAF0D971528EAD38
C:\Windows\System32\DRIVERS\i8042prt.sys 4A0B06AA8943C1E332520F7440C0AA30
C:\Windows\System32\DRIVERS\imagedrv.sys FCCF4AE4EF72CBABA6D6BEFEFD77E940
C:\Windows\System32\DRIVERS\imapi.sys 083A052659F5310DD8B6A6CB05EDCF8E
C:\Windows\System32\DRIVERS\intelide.sys B5466A9250342A7AA0CD1FBA13420678
C:\Windows\System32\DRIVERS\intelppm.sys 8C953733D8F36EB2133F5BB58808B66B
C:\Windows\System32\drivers\ip6fw.sys 3BB22519A194418D5FEC05D800A19AD0
C:\Windows\System32\DRIVERS\ipfltdrv.sys 731F22BA402EE4B62748ADAF6363C182
C:\Windows\System32\DRIVERS\ipinip.sys B87AB476DCF76E72010632B5550955F5
C:\Windows\System32\DRIVERS\ipnat.sys CC748EA12C6EFFDE940EE98098BF96BB
C:\Windows\System32\DRIVERS\ipsec.sys 23C74D75E36E7158768DD63D92789A91
C:\Windows\System32\DRIVERS\irenum.sys C93C9FF7B04D772627A3646D89F7BF89
C:\Windows\System32\DRIVERS\isapnp.sys 05A299EC56E52649B1CF2FC52D20F2D7
C:\Windows\System32\DRIVERS\kbdclass.sys 463C1EC80CD17420A542B7F36A36F128
C:\Windows\System32\DRIVERS\kbdhid.sys 9EF487A186DEA361AA06913A75B3FA99
C:\Windows\System32\drivers\kmixer.sys 692BCF44383D056AED41B045A323D378
C:\Windows\System32\Drivers\KSecDD.sys B467646C54CC746128904E1654C750C1
C:\Windows\System32\DRIVERS\LVPr2Mon.sys 1A7DB7A00A4B0D8DA24CD691A4547291
C:\Windows\System32\DRIVERS\lvuvc.sys A240E42A7402E927A71B6E8AA4629B13
C:\WINDOWS\system32\drivers\mbam.sys 4470E3C1E0C3378E4CAB137893C12C3A
C:\Windows\System32\Drivers\mnmdd.sys 4AE068242760A1FB6E1A44BF4E16AFA6
C:\Windows\System32\Drivers\Modem.sys DFCBAD3CEC1C5F964962AE10E0BCC8E1
C:\Windows\System32\drivers\MODEMCSA.sys 1992E0D143B09653AB0F9C5E04B0FD65
C:\Windows\System32\DRIVERS\mouclass.sys 35C9E97194C8CFB8430125F8DBC34D04
C:\Windows\System32\DRIVERS\mouhid.sys B1C303E17FB9D46E87A98E4BA6769685
C:\Windows\System32\Drivers\MountMgr.sys A80B9A0BAD1B73637DBCBBA7DF72D3FD
C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS 9BD4DCB5412921864A7AACDEDFBD1923
C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS 07C02C892E8E1A72D6BF35004F0E9C5E
C:\Windows\System32\DRIVERS\mrxdav.sys 11D42BB6206F33FBB3BA0288D3EF81BD
C:\Windows\System32\DRIVERS\mrxsmb.sys 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\Windows\System32\Drivers\Msfs.sys C941EA2454BA8350021D774DAF0F1027
C:\Windows\System32\DRIVERS\msikbd2k.sys 877FFD0FB093B80F5ED6BA64D7921881
C:\Windows\System32\drivers\MSKSSRV.sys D1575E71568F4D9E14CA56B7B0453BF1
C:\Windows\System32\drivers\MSPCLOCK.sys 325BB26842FC7CCC1FCCE2C457317F3E
C:\Windows\System32\drivers\MSPQM.sys BAD59648BA099DA4A17680B39730CB3D
C:\Windows\System32\DRIVERS\mssmbios.sys AF5F4F3F14A8EA2C26DE30F7A1E17136
C:\Windows\System32\drivers\MSTEE.sys E53736A9E30C45FA9E7B5EAC55056D1D
C:\Windows\System32\Drivers\Mup.sys DE6A75F5C270E756C5508D94B6CF68F5
C:\Windows\System32\DRIVERS\NABTSFEC.sys 5B50F1B2A2ED47D560577B221DA734DB
C:\Windows\System32\Drivers\NDIS.sys 1DF7F42665C94B825322FAE71721130D
C:\Windows\System32\DRIVERS\NdisIP.sys 7FF1F1FD8609C149AA432F95A8163D97
C:\Windows\System32\DRIVERS\ndistapi.sys 0109C4F3850DFBAB279542515386AE22
C:\Windows\System32\DRIVERS\ndisuio.sys F927A4434C5028758A842943EF1A3849
C:\Windows\System32\DRIVERS\ndiswan.sys EDC1531A49C80614B2CFDA43CA8659AB
C:\Windows\System32\Drivers\NDProxy.sys 9282BD12DFB069D3889EB3FCC1000A9B
C:\Windows\System32\DRIVERS\netbios.sys 5D81CF9A2F1A3A756B66CF684911CDF0
C:\Windows\System32\DRIVERS\netbt.sys 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\Windows\System32\drivers\ccdcmb.sys CFE3462A9E94A57DCD9676F6B7FE7F67
C:\Windows\System32\drivers\ccdcmbo.sys 8F2A94F991F8C73CEC26B4B5620D1EDC
C:\Windows\System32\Drivers\Npfs.sys 3182D64AE053D6FB034F44B6DEF8034A
C:\Windows\System32\Drivers\Ntfs.sys 78A08DD6A8D65E697C18E1DB01C5CDCA
C:\Windows\System32\Drivers\Null.sys 73C1E1F395918BC2C6DD67AF7591A3AD
C:\Windows\System32\DRIVERS\nv4_mini.sys 71DBDC08DF86B80511E72953FA1AD6B0
C:\Windows\System32\DRIVERS\nwlnkflt.sys B305F3FAD35083837EF46A0BBCE2FC57
C:\Windows\System32\DRIVERS\nwlnkfwd.sys C99B3415198D1AAB7227F2C88FD664B9
C:\Windows\System32\DRIVERS\ctoss2k.sys C720C25B2D0C93DC425155F5B6A707F3
C:\Windows\System32\drivers\P16X.sys F051107FF80F132882E71E3A5D302EC1
C:\Windows\System32\DRIVERS\parport.sys 5575FAF8F97CE5E713D108C2A58D7C7C
C:\Windows\System32\Drivers\PartMgr.sys BEB3BA25197665D82EC7065B724171C6
C:\Windows\System32\Drivers\ParVdm.sys 70E98B3FD8E963A6A46A2E6247E0BEA1
C:\Windows\System32\DRIVERS\pci.sys A219903CCF74233761D92BEF471A07B1
C:\Windows\System32\Drivers\Pcmcia.sys 9E89EF60E9EE05E3F2EEF2DA7397F1C1
C:\WINDOWS\System32\drivers\PfModNT.sys C8A2D6FF660AC601B7BB9A9B16A5C25E
C:\Windows\System32\DRIVERS\point32.sys D0BE72557DE73ACABBAB536496D23115
C:\Windows\System32\DRIVERS\raspptp.sys EFEEC01B1D3CF84F16DDD24D9D9D8F99
C:\Windows\System32\DRIVERS\processr.sys A32BEBAF723557681BFC6BD93E98BD26
C:\Windows\System32\DRIVERS\PS2.sys 0E2EB30605CA6ED2509D59AF6A7362B4
C:\Windows\System32\DRIVERS\psched.sys 09298EC810B07E5D582CB3A3F9255424
C:\Windows\System32\DRIVERS\ptilink.sys 80D317BD1C3DBC5D4FE7B1678C60CADD
C:\Windows\System32\DRIVERS\rasacd.sys FE0D99D6F31E4FAD8159F690D68DED9C
C:\Windows\System32\DRIVERS\rasl2tp.sys 11B4A627BC9614B885C4969BFA5FF8A6
C:\Windows\System32\DRIVERS\raspppoe.sys 5BC962F2654137C9909C3D4603587DEE
C:\Windows\System32\DRIVERS\raspti.sys FDBB1D60066FCFBB7452FD8F9829B242
C:\Windows\System32\DRIVERS\rdbss.sys 7AD224AD1A1437FE28D89CF22B17780A
C:\Windows\System32\DRIVERS\RDPCDD.sys 4912D5B403614CE99C28420F75353332
C:\Windows\System32\DRIVERS\rdpdr.sys 15CABD0F7C00C47C70124907916AF3F1
C:\Windows\System32\Drivers\RDPWD.sys 43AF5212BD8FB5BA6EED9754358BD8F7
C:\Windows\System32\DRIVERS\redbook.sys F828DD7E1419B6653894A8F97A0094C5
C:\Windows\System32\DRIVERS\wg111v2.sys 463B8AC0130ADF01A85DAEBF646B3DB3
C:\Windows\System32\DRIVERS\secdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serenum.sys 0F29512CCD6BEAD730039FB4BD2C85CE
C:\Windows\System32\DRIVERS\serial.sys CCA207A8896D4C6A0C9CE29A4AE411A7
C:\Windows\System32\Drivers\Sfloppy.sys 8E6B8C671615D126FDC553D1E2DE5562
C:\Windows\System32\DRIVERS\SLIP.sys 866D538EBE33709A5C9F5C62B73B7D14
C:\Windows\System32\drivers\splitter.sys AB8B92451ECB048A4D1DE7C3FFCB4A9F
C:\Windows\System32\DRIVERS\sr.sys 76BB022C2FB6902FD5BDD4F78FC13A5D
C:\Windows\System32\DRIVERS\srv.sys 47DDFC2F003F7F9F0592C6874962A2E7
C:\Windows\System32\DRIVERS\StreamIP.sys 77813007BA6265C4B6098187E6ED79D2
C:\Windows\System32\DRIVERS\swenum.sys 3941D127AEF12E93ADDF6FE6EE027E0F
C:\Windows\System32\drivers\swmidi.sys 8CE882BCC6CF8A62F2B2323D95CB3D01
C:\Windows\System32\drivers\sysaudio.sys 8B83F3ED0F1688B4958F77CD6D2BF290
C:\Windows\System32\DRIVERS\tcpip.sys 9AEFA14BD6B182D61E3119FA5F436D3D
C:\Windows\System32\Drivers\TDPIPE.sys 6471A66807F5E104E4885F5B67349397
C:\Windows\System32\Drivers\TDTCP.sys C56B6D0402371CF3700EB322EF3AAF61
C:\Windows\System32\DRIVERS\termdd.sys 88155247177638048422893737429D9E
C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS E266683FC95ABDEC17CD378564E1B54B
C:\Windows\System32\Drivers\Udfs.sys 5787B80C2E3C5E2F56C2A233D91FA2C9
C:\Windows\System32\DRIVERS\update.sys 402DDC88356B1BAC0EE3DD1580C76A31
C:\Windows\System32\DRIVERS\usbser_lowerflt.sys EC01DA44B090D2651FC032C8B9257232
C:\Windows\System32\Drivers\usbaapl.sys EAFE1E00739AFE6C51487A050E772E17
C:\Windows\System32\drivers\usbaudio.sys E919708DB44ED8543A7C017953148330
C:\Windows\System32\DRIVERS\usbccgp.sys 173F317CE0DB8E21322E71B7E60A27E8
C:\Windows\System32\DRIVERS\usbehci.sys 65DCF09D0E37D4C6B11B5B0B76D470A7
C:\Windows\System32\DRIVERS\usbhub.sys 1AB3CDDE553B6E064D2E754EFE20285C
C:\Windows\System32\DRIVERS\usbprint.sys A717C8721046828520C9EDF31288FC00
C:\Windows\System32\DRIVERS\usbscan.sys A0B8CF9DEB1184FBDD20784A58FA75D4
C:\Windows\System32\drivers\usbser.sys 1C888B000C2F9492F4B15B5B6B84873E
C:\Windows\System32\DRIVERS\usbser_lowerfltj.sys 4ABD37CFBD710E64F01F9DA8710C73F7
C:\Windows\System32\DRIVERS\USBSTOR.SYS A32426D9B14A089EAA1D922E0C5801A9
C:\Windows\System32\DRIVERS\usbuhci.sys 26496F9DEE2D787FC3E61AD54821FFE6
C:\Windows\System32\Drivers\usbvideo.sys 63BBFCA7F390F4C49ED4B96BFB1633E0
C:\Windows\System32\drivers\vga.sys 0D3A8FAFCEACD8B7625CD549757A7DF1
C:\Windows\System32\Drivers\VolSnap.sys 4C8FCB5CC53AAB716D810740FE59D025
C:\Windows\System32\Drivers\vulfnth.sys 16409C468CEEE99B6B129FCAA5C0F206
C:\Windows\System32\Drivers\vulfntr.sys E76FB35E30FB885124479A4A0ACA3923
C:\Windows\System32\DRIVERS\wanarp.sys E20B95BAEDB550F32DD489265C1DA1F6
C:\Windows\System32\DRIVERS\wceusbsh.sys DC7F91B2ED24A738C807EA07F298928C
C:\Windows\System32\Drivers\wdf01000.sys D918617B46457B9AC28027722E30F647
C:\Windows\System32\drivers\wdmaud.sys 6768ACF64B18196494413695F0C3A00F
C:\Windows\System32\Drivers\wpdusb.sys CF4DEF1BF66F06964DC0D91844239104
C:\Windows\System32\drivers\ws2ifsl.sys 6ABE6E225ADB5A751622A9CC3BC19CE8
C:\Windows\System32\DRIVERS\WSTCODEC.SYS C98B39829C2BBD34E454150633C62C78
C:\Windows\System32\DRIVERS\WudfPf.sys EAA6324F51214D2F6718977EC9CE0DEF
C:\Windows\System32\DRIVERS\wudfrd.sys F91FF1E51FCA30B3C3981DB7D5924252

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-22 08:44 - 2013-06-22 08:44 - 00000000 ___DC C:\FRST
2013-06-22 08:42 - 2013-06-22 08:42 - 01369341 ____A (Farbar) C:\Documents and Settings\All of Us\Desktop\FRST.exe
2013-06-22 08:26 - 2013-06-22 08:26 - 00011460 ___AC C:\ComboFix.txt
2013-06-21 08:46 - 2013-06-21 08:46 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-21 08:28 - 2013-06-21 08:28 - 00000000 ____D C:\Documents and Settings\All of Us\Local Settings\Application Data\PackageAware
2013-06-21 08:20 - 2013-06-21 08:27 - 00014514 ____A C:\Windows\KB2838727-IE8.log
2013-06-20 23:11 - 2013-06-21 08:46 - 00020452 ____A C:\Windows\KB2839229.log
2013-06-20 19:55 - 2013-06-20 19:55 - 00017086 ____A C:\Documents and Settings\All of Us\Desktop\attach.txt
2013-06-20 19:55 - 2013-06-20 19:55 - 00011204 ____A C:\Documents and Settings\All of Us\Desktop\dds.txt
2013-06-20 19:52 - 2013-06-20 19:52 - 00688992 ____R (Swearware) C:\Documents and Settings\All of Us\Desktop\dds.exe
2013-06-20 15:49 - 2008-04-14 01:11 - 00021504 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\hidserv.dll
2013-06-20 15:34 - 2013-06-20 15:34 - 00000000 RASHDC C:\cmdcons
2013-06-20 15:34 - 2013-06-18 09:53 - 00000211 ___AC C:\Boot.bak
2013-06-20 15:34 - 2004-08-03 23:00 - 00260272 RASHC C:\cmldr
2013-06-20 15:32 - 2013-06-22 08:26 - 00000000 __ADC C:\Qoobox
2013-06-20 15:32 - 2011-06-26 07:45 - 00256000 ____A C:\Windows\PEV.exe
2013-06-20 15:32 - 2010-11-07 18:20 - 00208896 ____A C:\Windows\MBR.exe
2013-06-20 15:32 - 2009-04-20 05:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-06-20 15:32 - 2000-08-31 01:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-06-20 15:32 - 2000-08-31 01:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-06-20 15:32 - 2000-08-31 01:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2013-06-20 15:32 - 2000-08-31 01:00 - 00098816 ____A C:\Windows\sed.exe
2013-06-20 15:32 - 2000-08-31 01:00 - 00080412 ____A C:\Windows\grep.exe
2013-06-20 15:32 - 2000-08-31 01:00 - 00068096 ____A C:\Windows\zip.exe
2013-06-20 15:28 - 2013-06-22 08:10 - 05082201 ____R (Swearware) C:\Documents and Settings\All of Us\Desktop\ComboFix.exe
2013-06-20 11:30 - 2013-06-20 11:30 - 00000000 __HDC C:\Windows\$NtUninstallKB932716-v2$
2013-06-20 11:27 - 2013-06-20 11:42 - 00006790 ____A C:\Windows\KB932716-v2.log
2013-06-20 11:27 - 2008-05-02 14:25 - 00465920 ____N (Microsoft Corporation) C:\Windows\System32\imapi2fs.dll
2013-06-20 11:27 - 2008-05-02 14:25 - 00465920 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\imapi2fs.dll
2013-06-20 11:27 - 2008-05-02 14:25 - 00317952 ____N (Microsoft Corporation) C:\Windows\System32\imapi2.dll
2013-06-20 11:27 - 2008-05-02 14:25 - 00317952 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\imapi2.dll
2013-06-19 10:53 - 2013-06-19 10:53 - 00000000 ___DC C:\Configuration
2013-06-18 08:46 - 2013-06-18 08:46 - 00000000 ____D C:\Program Files\Uniblue
2013-06-18 07:20 - 2013-06-18 07:20 - 00000000 ____D C:\Documents and Settings\All of Us\Local Settings\Application Data\Citrix
2013-06-11 21:51 - 2013-06-21 09:34 - 00014762 ____A C:\Windows\setupapi.log
2013-06-11 21:51 - 2013-06-21 09:34 - 00000277 ____A C:\Windows\setupact.log
2013-06-11 21:51 - 2013-06-11 21:51 - 00000000 ____A C:\Windows\setuperr.log
2013-05-30 08:31 - 2013-05-30 08:31 - 02104374 ____A C:\Documents and Settings\All of Us\My Documents\BH May13 d.bmp
2013-05-30 08:30 - 2013-05-30 08:30 - 02104374 ____A C:\Documents and Settings\All of Us\My Documents\BH May13 c.bmp
2013-05-30 08:30 - 2013-05-30 08:30 - 02104374 ____A C:\Documents and Settings\All of Us\My Documents\BH May13 b.bmp
2013-05-30 08:29 - 2013-05-30 08:29 - 02104374 ____A C:\Documents and Settings\All of Us\My Documents\BH May13 a.bmp
2013-05-29 21:23 - 2013-05-29 21:23 - 00025312 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-05-29 21:22 - 2013-05-29 21:22 - 00000000 ____D C:\Documents and Settings\All of Us\SyncFolder
2013-05-29 20:59 - 2013-06-19 10:21 - 00000000 ____D C:\Program Files\MyPC Backup
2013-05-29 20:59 - 2013-06-19 08:33 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC1Data
2013-05-29 20:59 - 2013-06-18 21:48 - 05404880 ____A (PC Cleaners) C:\Documents and Settings\All Users\Application Data\pclunst.exe
2013-05-29 14:42 - 2013-05-29 20:14 - 00000000 ____D C:\Program Files\Webroot
2013-05-25 09:52 - 2013-05-25 09:52 - 00000802 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-25 09:52 - 2013-05-25 09:52 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-25 09:52 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

==================== One Month Modified Files and Folders ========

2013-06-22 08:44 - 2013-06-22 08:44 - 00000000 ___DC C:\FRST
2013-06-22 08:42 - 2013-06-22 08:42 - 01369341 ____A (Farbar) C:\Documents and Settings\All of Us\Desktop\FRST.exe
2013-06-22 08:38 - 2005-02-25 01:04 - 00000062 _ASHC C:\Documents and Settings\All of Us\Local Settings\desktop.ini
2013-06-22 08:38 - 2001-08-23 13:00 - 00002206 ___AC C:\Windows\System32\wpa.dbl
2013-06-22 08:37 - 2005-02-23 18:30 - 00000062 _ASHC C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-06-22 08:36 - 2008-01-16 19:40 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Kontiki
2013-06-22 08:36 - 2005-02-25 01:04 - 00000278 __SHC C:\Documents and Settings\All of Us\ntuser.ini
2013-06-22 08:36 - 2005-02-24 11:53 - 01094587 ___AC C:\Windows\WindowsUpdate.log
2013-06-22 08:36 - 2005-02-23 18:30 - 00032556 ___AC C:\Windows\SchedLgU.Txt
2013-06-22 08:36 - 2005-02-23 18:13 - 00000006 __AHC C:\Windows\Tasks\SA.DAT
2013-06-22 08:36 - 2005-02-23 17:51 - 00000216 ___AC C:\Windows\wiadebug.log
2013-06-22 08:26 - 2013-06-22 08:26 - 00011460 ___AC C:\ComboFix.txt
2013-06-22 08:26 - 2013-06-20 15:32 - 00000000 __ADC C:\Qoobox
2013-06-22 08:23 - 2001-08-23 13:00 - 00000227 ___AC C:\Windows\system.ini
2013-06-22 08:10 - 2013-06-20 15:28 - 05082201 ____R (Swearware) C:\Documents and Settings\All of Us\Desktop\ComboFix.exe
2013-06-22 07:41 - 2005-02-23 17:51 - 00000050 ___AC C:\Windows\wiaservc.log
2013-06-22 07:27 - 2005-02-23 18:30 - 00000062 _ASHC C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-06-22 07:20 - 2005-02-23 18:10 - 00000000 ____D C:\Windows\Registration
2013-06-22 06:46 - 2010-10-21 09:56 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2013-06-21 09:34 - 2013-06-11 21:51 - 00014762 ____A C:\Windows\setupapi.log
2013-06-21 09:34 - 2013-06-11 21:51 - 00000277 ____A C:\Windows\setupact.log
2013-06-21 09:04 - 2005-02-25 23:36 - 00539462 ___AC C:\Windows\netfxocm.log
2013-06-21 09:04 - 2005-02-25 23:36 - 00212875 ___AC C:\Windows\MedCtrOC.log
2013-06-21 09:04 - 2005-02-25 23:35 - 00154384 ___AC C:\Windows\tabletoc.log
2013-06-21 09:04 - 2005-02-23 17:49 - 03219055 ___AC C:\Windows\FaxSetup.log
2013-06-21 09:04 - 2005-02-23 17:49 - 01580977 ___AC C:\Windows\iis6.log
2013-06-21 09:04 - 2005-02-23 17:49 - 01545658 ___AC C:\Windows\ocgen.log
2013-06-21 09:04 - 2005-02-23 17:49 - 01477092 ___AC C:\Windows\tsoc.log
2013-06-21 09:04 - 2005-02-23 17:49 - 01043487 ___AC C:\Windows\comsetup.log
2013-06-21 09:04 - 2005-02-23 17:49 - 01000576 ___AC C:\Windows\msmqinst.log
2013-06-21 09:04 - 2005-02-23 17:49 - 00633694 ___AC C:\Windows\ntdtcsetup.log
2013-06-21 09:04 - 2005-02-23 17:49 - 00169854 ___AC C:\Windows\ocmsn.log
2013-06-21 09:04 - 2005-02-23 17:49 - 00161578 ___AC C:\Windows\msgsocm.log
2013-06-21 09:04 - 2005-02-23 17:49 - 00001917 ____A C:\Windows\imsins.log
2013-06-21 08:46 - 2013-06-21 08:46 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-21 08:46 - 2013-06-20 23:11 - 00020452 ____A C:\Windows\KB2839229.log
2013-06-21 08:46 - 2005-02-23 17:49 - 00001374 ____A C:\Windows\imsins.BAK
2013-06-21 08:29 - 2011-11-20 21:26 - 00000000 ____D C:\Program Files\BearShare Applications
2013-06-21 08:28 - 2013-06-21 08:28 - 00000000 ____D C:\Documents and Settings\All of Us\Local Settings\Application Data\PackageAware
2013-06-21 08:28 - 2005-05-11 18:32 - 73381792 ___AC (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-21 08:27 - 2013-06-21 08:20 - 00014514 ____A C:\Windows\KB2838727-IE8.log
2013-06-21 08:27 - 2005-04-14 22:20 - 00429535 ___AC C:\Windows\updspapi.log
2013-06-21 08:26 - 2011-02-20 14:11 - 00000000 ____D C:\Windows\ie8updates
2013-06-20 19:55 - 2013-06-20 19:55 - 00017086 ____A C:\Documents and Settings\All of Us\Desktop\attach.txt
2013-06-20 19:55 - 2013-06-20 19:55 - 00011204 ____A C:\Documents and Settings\All of Us\Desktop\dds.txt
2013-06-20 19:52 - 2013-06-20 19:52 - 00688992 ____R (Swearware) C:\Documents and Settings\All of Us\Desktop\dds.exe
2013-06-20 16:14 - 2011-02-22 09:45 - 00000000 ____D C:\Windows\ERDNT
2013-06-20 15:53 - 2011-10-31 10:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVG2012
2013-06-20 15:50 - 2011-02-22 20:09 - 00008192 ___AH C:\Windows\System32\config\SECURITY.tmp.LOG
2013-06-20 15:50 - 2005-02-23 17:48 - 00057344 ____A C:\Windows\System32\config\SECURITY.bak
2013-06-20 15:50 - 2005-02-23 17:48 - 00024576 ____A C:\Windows\System32\config\SAM.bak
2013-06-20 15:50 - 2005-02-23 17:47 - 41410560 ____A C:\Windows\System32\config\software.bak
2013-06-20 15:50 - 2005-02-23 17:47 - 09699328 ____A C:\Windows\System32\config\system.bak
2013-06-20 15:50 - 2005-02-23 17:47 - 00536576 ____A C:\Windows\System32\config\default.bak
2013-06-20 15:34 - 2013-06-20 15:34 - 00000000 RASHDC C:\cmdcons
2013-06-20 15:34 - 2005-02-23 17:47 - 00000327 RASHC C:\boot.ini
2013-06-20 11:42 - 2013-06-20 11:27 - 00006790 ____A C:\Windows\KB932716-v2.log
2013-06-20 11:30 - 2013-06-20 11:30 - 00000000 __HDC C:\Windows\$NtUninstallKB932716-v2$
2013-06-19 15:05 - 2005-02-23 17:45 - 00000000 ____D C:\Windows\Help
2013-06-19 14:47 - 2007-02-13 08:03 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-19 10:53 - 2013-06-19 10:53 - 00000000 ___DC C:\Configuration
2013-06-19 10:21 - 2013-05-29 20:59 - 00000000 ____D C:\Program Files\MyPC Backup
2013-06-19 08:33 - 2013-05-29 20:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC1Data
2013-06-18 21:48 - 2013-05-29 20:59 - 05404880 ____A (PC Cleaners) C:\Documents and Settings\All Users\Application Data\pclunst.exe
2013-06-18 09:53 - 2013-06-20 15:34 - 00000211 ___AC C:\Boot.bak
2013-06-18 09:53 - 2001-08-23 13:00 - 00000805 ___AC C:\Windows\win.ini
2013-06-18 08:46 - 2013-06-18 08:46 - 00000000 ____D C:\Program Files\Uniblue
2013-06-18 07:57 - 2005-11-19 14:35 - 00000000 ____D C:\Windows\pss
2013-06-18 07:20 - 2013-06-18 07:20 - 00000000 ____D C:\Documents and Settings\All of Us\Local Settings\Application Data\Citrix
2013-06-18 06:53 - 2009-11-27 10:39 - 00000000 ____D C:\Documents and Settings\All of Us\Application Data\uniblue
2013-06-11 21:51 - 2013-06-11 21:51 - 00000000 ____A C:\Windows\setuperr.log
2013-05-30 08:31 - 2013-05-30 08:31 - 02104374 ____A C:\Documents and Settings\All of Us\My Documents\BH May13 d.bmp
2013-05-30 08:30 - 2013-05-30 08:30 - 02104374 ____A C:\Documents and Settings\All of Us\My Documents\BH May13 c.bmp
2013-05-30 08:30 - 2013-05-30 08:30 - 02104374 ____A C:\Documents and Settings\All of Us\My Documents\BH May13 b.bmp
2013-05-30 08:29 - 2013-05-30 08:29 - 02104374 ____A C:\Documents and Settings\All of Us\My Documents\BH May13 a.bmp
2013-05-29 21:23 - 2013-05-29 21:23 - 00025312 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-05-29 21:22 - 2013-05-29 21:22 - 00000000 ____D C:\Documents and Settings\All of Us\SyncFolder
2013-05-29 21:16 - 2012-08-08 16:27 - 00000000 ____D C:\Documents and Settings\All of Us\My Documents\2012_08_08
2013-05-29 21:16 - 2009-11-27 11:09 - 00000000 ____D C:\Documents and Settings\All of Us\Application Data\System Tweaker
2013-05-29 21:16 - 2009-04-30 12:14 - 00000000 ____D C:\Windows\Minidump
2013-05-29 21:16 - 2007-02-13 06:20 - 00000000 ____D C:\Windows\System32\NtmsData
2013-05-29 21:15 - 2013-02-08 11:27 - 00000000 ____D C:\Documents and Settings\All of Us\Application Data\TeamViewer
2013-05-29 21:15 - 2005-02-23 18:12 - 00000000 __SHD C:\Documents and Settings\All Users\DRM
2013-05-29 20:14 - 2013-05-29 14:42 - 00000000 ____D C:\Program Files\Webroot
2013-05-29 13:49 - 2011-04-15 18:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2508429$
2013-05-25 09:52 - 2013-05-25 09:52 - 00000802 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-25 09:52 - 2013-05-25 09:52 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 22, 2013, 07:55:34 AM

And Farbar Addition txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 21-06-2013 02
Ran by All of Us at 2013-06-22 08:46:24 Run:
Running from C:\Documents and Settings\All of Us\Desktop
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Installed Programs =======================

4oD (Version: 2.0.23.0)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.202)
Adobe Flash Player 11 Plugin (Version: 11.7.700.202)
Adobe Photoshop 6.0 (Version: 6.0)
Adobe Reader X (10.1.7) (Version: 10.1.7)
Adobe Shockwave Player 11 (Version: 11)
Adobe SVG Viewer (Version: 1.0)
Ahead Nero Burning ROM
Apple Application Support (Version: 2.1.9)
Apple Mobile Device Support (Version: 5.2.0.6)
Apple Software Update (Version: 2.1.3.127)
ArcSoft MediaImpression 2 (Version: 2.0.53.907)
AVG 2012 (Version: 12.0.3199)
AVG 2012 (Version: 12.1.2242)
AVG 2012 (Version: 2012.1.2242)
AVS Screen Capture version 2.0.1
AVS Update Manager 1.0
AVS Video Editor 6
AVS Video Recorder 2.5
AVS4YOU Software Navigator 1.4
BCM V.92 56K Modem
BearShare (Version: 10.0.0.117589)
BT Broadband Desktop Help
BT Broadband Support Tools
Canon MP Navigator EX 1.2
Canon MP160 User Registration
Canon MP190 series MP Drivers
Canon MP190 series User Registration
Canon Utilities CameraWindow DC 8 (Version: 8.7.0.11)
Canon Utilities ImageBrowser EX (Version: 1.1.1.19)
Canon Utilities My Printer
Canon Utilities PhotoStitch (Version: 3.1.23.47)
Canon Utilities Solution Menu
Citrix Web Client
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
CyberTweak Version 1.3 Final
Dan Elwell's Broadband Speed Test (Version: Dan Elwell's Broadband Speed Test (version 3))
Easy-WebPrint
ecobutton
EmoDio (Version: 1.0)
FinePix Studio
FinePixViewer Resource (Version: 1.2)
FinePixViewer Ver.5.5 (Version: 5.5)
Free PDF to Word Doc Converter v1.1 (Version: 1.1)
Google Earth Plug-in (Version: 7.0.3.8542)
Google Update Helper (Version: 1.3.21.145)
GoToAssist Corporate (Version: 9.0.570)
greenstreet Publisher 4 Home Edition
Intel(R) PRO Ethernet Adapter and Software
iTunes (Version: 10.6.3.25)
Java(TM) 6 Update 24 (Version: 6.0.240)
Juniper Networks, Inc. Setup Client Activex Control (Version: 2.1.1.1)
Logitech Webcam Software (Version: 12.10.1113)
Logitech Webcam Software Driver Package (Version: 12.10.1110)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft IntelliPoint 5.5 (Version: 5.50.661.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage (Version: 10.0.6626.0)
Microsoft Project 2000 (Version: 9.00.3821)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
MSVC80_x86_v2 (Version: 1.0.3.0)
MSVC90_x86 (Version: 1.0.1.2)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Nokia Connectivity Cable Driver (Version: 7.1.45.0)
Nokia Ovi Suite (Version: 3.1.1.90)
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
OLYMPUS CAMEDIA Master 4.2
Ovi Desktop Sync Engine (Version: 1.5.266.0)
OviMPlatform (Version: 2.7.72.0)
QuickTime (Version: 7.70.80.34)
RealDownloader (Version: 1.3.1)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0)
RealPlayer (Version: 16.0.0)
RealUpgrade 1.1 (Version: 1.1.0)
ScanSoft OmniPage SE 4.0 (Version: 15.00.0020)
Segoe UI (Version: 14.0.4327.805)
SmartFTP Client (Version: 1.5.990)
Sound Blaster Live!
Spotify (Version: 0.8.3.222.g317ab79d)
Uniblue DriverScanner (Version: 4.0.1.9)
Uniblue PowerSuite
Uniblue RegistryBooster
Uniblue SpeedUpMyPC
Uninstall Startup Inspector
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
WebFldrs XP (Version: 9.50.5318)
WG111v2 Configuration Utility (Version: 1.00)
Wincore MediaBar (Version: 4.0.0.2736)
Windows Genuine Advantage v1.3.0254.0 (Version: 1.3.0254.0)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Sign-in Assistant (Version: 5.000.818.6)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
WinZip (Version: 9.0 SR-1 (6224))

==================== Restore Points =========================

27-03-2013 07:45:49 System Checkpoint
28-03-2013 08:37:35 System Checkpoint
04-04-2013 07:54:06 System Checkpoint
10-04-2013 09:40:19 System Checkpoint
10-04-2013 15:25:47 Software Distribution Service 3.0
12-04-2013 14:24:11 System Checkpoint
15-04-2013 13:43:02 System Checkpoint
17-04-2013 08:39:34 System Checkpoint
20-04-2013 09:58:39 System Checkpoint
21-04-2013 22:07:54 System Checkpoint
23-04-2013 08:45:17 System Checkpoint
25-04-2013 21:26:06 System Checkpoint
29-04-2013 08:34:59 System Checkpoint
02-05-2013 08:41:47 System Checkpoint
03-05-2013 07:31:01 Printer Driver CUSTPDF Writer Installed
03-05-2013 10:52:19 Removed greenstreet Publisher 4 Home Edition
05-05-2013 17:20:11 System Checkpoint
07-05-2013 19:22:55 System Checkpoint
08-05-2013 19:50:32 System Checkpoint
15-05-2013 05:26:05 System Checkpoint
15-05-2013 14:52:54 Software Distribution Service 3.0
18-05-2013 07:49:55 System Checkpoint
20-05-2013 14:02:47 System Checkpoint
24-05-2013 09:54:07 System Checkpoint
30-05-2013 11:58:50 System Checkpoint
03-06-2013 14:02:45 System Checkpoint
17-06-2013 10:40:23 System Checkpoint
18-06-2013 07:32:35 Restore Operation
18-06-2013 07:50:01 Restore Operation
19-06-2013 08:13:34 System Checkpoint
20-06-2013 09:46:22 Removed Windows Media Player Firefox Plugin
20-06-2013 10:31:16 Installed Windows XP KB932716-v2.
21-06-2013 07:19:20 Software Distribution Service 3.0

==================== Faulty Device Manager Devices =============

Name: C-DillaCdaC11BA
Description: C-DillaCdaC11BA
Class Guid:
Manufacturer:
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (06/21/2013 11:17:25 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/20/2013 09:40:43 AM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmssswizard.exe4.2.223.00x80070070callistowizard__cwizardflow__runusbflow - getcreateusbactionmorrobootstraper__cflow__processflowactionresult0wdotoolNILNILNIL

Error: (05/29/2013 09:22:50 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/29/2013 09:22:50 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/18/2013 10:11:52 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/18/2013 10:11:52 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/14/2013 08:30:11 AM) (Source: Microsoft Office 10) (User: )
Description: Faulting application winword.exe, version 10.0.6866.0, faulting module winword.exe, version 10.0.6866.0, fault address 0x0001ea84.

Error: (04/19/2013 00:21:50 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.19412, fault address 0x000b9dc8.
Processing media-specific event for [iexplore.exe!ws!]

Error: (04/12/2013 00:30:40 PM) (Source: Microsoft Office 10) (User: )
Description: Faulting application excel.exe, version 10.0.6871.0, faulting module excel.exe, version 10.0.6871.0, fault address 0x000893ec.

Error: (04/12/2013 00:10:23 PM) (Source: Microsoft Office 10) (User: )
Description: Faulting application excel.exe, version 10.0.6871.0, faulting module excel.exe, version 10.0.6871.0, fault address 0x000893ec.

System errors:
=============
Error: (06/22/2013 08:43:18 AM) (Source: DCOM) (User: PETER)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (06/22/2013 08:39:28 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Avgldx86
Avgmfx86
Fips
intelppm

Error: (06/22/2013 08:39:28 AM) (Source: Service Control Manager) (User: )
Description: The Help and Support service terminated with the following error:
%%126

Error: (06/22/2013 08:39:28 AM) (Source: Service Control Manager) (User: )
Description: The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error:
%%1058

Error: (06/22/2013 08:39:00 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/22/2013 08:38:35 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/22/2013 08:38:30 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/22/2013 07:47:36 AM) (Source: Service Control Manager) (User: )
Description: The Process Monitor service terminated unexpectedly. It has done this 1 time(s).

Error: (06/22/2013 07:27:23 AM) (Source: Service Control Manager) (User: )
Description: The Help and Support service terminated with the following error:
%%126

Error: (06/22/2013 07:27:23 AM) (Source: Service Control Manager) (User: )
Description: The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error:
%%1058

Microsoft Office Sessions:
=========================
Error: (06/21/2013 11:17:25 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (06/20/2013 09:40:43 AM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmssswizard.exe4.2.223.00x80070070callistowizard__cwizardflow__runusbflow - getcreateusbactionmorrobootstraper__cflow__processflowactionresult0wdotoolNILNILNIL

Error: (05/29/2013 09:22:50 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/29/2013 09:22:50 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/18/2013 10:11:52 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/18/2013 10:11:52 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/14/2013 08:30:11 AM) (Source: Microsoft Office 10)(User: )
Description: winword.exe10.0.6866.0winword.exe10.0.6866.00001ea84

Error: (04/19/2013 00:21:50 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702mshtml.dll8.0.6001.19412000b9dc8

Error: (04/12/2013 00:30:40 PM) (Source: Microsoft Office 10)(User: )
Description: excel.exe10.0.6871.0excel.exe10.0.6871.0000893ec

Error: (04/12/2013 00:10:23 PM) (Source: Microsoft Office 10)(User: )
Description: excel.exe10.0.6871.0excel.exe10.0.6871.0000893ec

==================== Memory info ===========================

Percentage of memory in use: 39%
Total physical RAM: 1022.98 MB
Available physical RAM: 615.56 MB
Total Pagefile: 2458.85 MB
Available Pagefile: 2193.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1933.48 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:37.3 GB) (Free:7.36 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive f: (Expansion Drive) (Fixed) (Total:465.76 GB) (Free:451.34 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 37 GB) (Disk ID: E305E305)
Partition 1: (Active) - (Size=37 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 466 GB) (Disk ID: 0A000192)
Partition 1: (Active) - (Size=466 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Title: Re: 139d2e78.exe again
Post by: Corrine on June 22, 2013, 07:05:30 PM

Hi, Peter.

Farbar's tool was run "Boot Mode: Safe Mode (with Networking)". Was this also from your wife's account and, if so, I thought that account works in "normal mode".

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 22, 2013, 07:51:07 PM

Yes I did run it from my wife's account, which works fine in both Safe or Normal mode. My account is still inaccessible.

Do you want me to run Farbar's tool again, in Normal mode?

Peter

Title: Re: 139d2e78.exe again
Post by: Corrine on June 22, 2013, 11:54:47 PM

No, you don't need to run it from your wife's account. I was just concerned that there was a problem with her account.

From everything I've reviewed in your logs, I am not seeing anything that is causing the problem, most particularly, I am not seeing C:\Documents and Settings\user\My Documents\139d2e78.exe". Unless this last step turns up the file, I will have to determine that your account has become corrupt. If you have a lot of files, I am concerned about there being sufficient space for creating a new user account and copying your files over. The computer is also highly fragmented.

So, first, let's see try one last effort to locate that file.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

Code Select


:file
C:\Documents and Settings\user\My Documents\139d2e78.exe

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 23, 2013, 08:45:21 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 09:44 on 23/06/2013 by All of Us
Administrator - Elevation successful

========== file ==========

C:\Documents and Settings\user\My Documents\139d2e78.exe - Unable to find/read file.

-= EOF =-

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 23, 2013, 09:10:54 AM

Corinne.

My 'Add or Remove Programs' listing continues to show Bearshare, Java and all the Uniblue applications that we've tried to get rid of in the last couple of days. Any idea why?

Pete

Title: Re: 139d2e78.exe again
Post by: Corrine on June 23, 2013, 04:59:40 PM

Hi, Pete.

Yes, I saw that but wanted to have another look for 139d2e78.exe first. As I indicated yesterday, we may be in a position where your profile is corrupt and it will be necessary to create a new profile and copy your files to it.

1. Did you run JavaRa?

2. Do you know what this file is: C:\Documents and Settings\All of Us\My Documents\BH May13 a.bmp (also saved as b.bmp, c.bmp and d.bmp)?

3. Please download AdwCleaner (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner) by Xplode to your Desktop.

Double-click AdwCleaner.exe to run the tool.
Click Delete.
Everything that was found will be deleted.
Save any open files and approve the reboot. A text file will open after the restart.
Please post the contents of that logfile with your next reply.

Note: The log can also be found at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, i.e., S1

4. Following that, please run FRST:

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.

Code Select


Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU -No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
2013-06-18 08:46 - 2013-06-18 08:46 - 00000000 ____D C:\Program Files\Uniblue
2013-06-21 08:29 - 2011-11-20 21:26 - 00000000 ____D C:\Program Files\BearShare Applications
2013-06-19 08:33 - 2013-05-29 20:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC1Data
2013-06-18 21:48 - 2013-05-29 20:59 - 05404880 ____A (PC Cleaners) C:\Documents and Settings\All Users\Application Data\pclunst.exe

Click Format and ensure Wordwrap is unchecked.
Save as Fixlist.txt to your Desktop (Must be in this location)
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

Please provide the answers to the above questions along with the two requested logs.

Thanks.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 23, 2013, 07:59:43 PM

BH May13 files are nothing to worry about I hope. They are graphics for a blog I maintain about a historic site here in England called Basing House.

I'll get to your latest instructions later this evening..

Pete

Title: Re: 139d2e78.exe again
Post by: Corrine on June 23, 2013, 08:47:21 PM

Feel free to add a link to the Basing House blog to our thread for Member's Websites (http://www.landzdown.com/landzdown-lounge/member%27s-websites/). We have a lot of U.K. members here.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 23, 2013, 11:00:26 PM

Thanks Corinne. That's nice idea.

I confirm that yes, I did run JavaRa.

Here's the AdwCleaner log:

# AdwCleaner v2.303 - Logfile created 06/23/2013 at 23:48:01
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : All of Us - PETER
# Boot Mode : Normal
# Running from : C:\Documents and Settings\All of Us\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Mozilla Firefox\extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\Program Files\Mozilla FireFox\searchplugins\Search_Results.xml
Folder Deleted : C:\Documents and Settings\All of Us\Application Data\mediabarim
Folder Deleted : C:\Documents and Settings\All of Us\Application Data\Mozilla\Firefox\Profiles\0hhuted3.default\extensions\{28387537-e3f9-4ed7-860c-11e69af4a8a0}
Folder Deleted : C:\Documents and Settings\All of Us\Application Data\Mozilla\Firefox\Profiles\0hhuted3.default\extensions\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}
Folder Deleted : C:\Documents and Settings\All of Us\Application Data\Mozilla\Firefox\Profiles\0hhuted3.default\mediabarim
Folder Deleted : C:\Documents and Settings\All of Us\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : C:\Program Files\iMesh Applications

***** [Registry] *****

Key Deleted : HKCU\Software\alot
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\5255ded1b53ced44
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar
Key Deleted : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.fh_hookeventsink
Key Deleted : HKLM\SOFTWARE\Classes\toolband.fh_hookeventsink.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem
Key Deleted : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_dialogeventshandler
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_dialogeventshandler.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_launcher
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_launcher.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_printmanager
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_printmanager.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_printdialogcallback
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_printdialogcallback.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.tbtoolband
Key Deleted : HKLM\SOFTWARE\Classes\toolband.tbtoolband.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.useroptions
Key Deleted : HKLM\SOFTWARE\Classes\toolband.useroptions.1
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wincore MediaBar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wincore MediaBar
Key Deleted : HKLM\SOFTWARE\Software
Key Deleted : HKLM\Software\TENCENT

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - bProtectTabs] = hxxp://www2.delta-search.com/?affID=121845&tt=gc_&babsrc=NT_ss&mntrId=9C080007E9D71322 --> hxxp://www.google.com

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Documents and Settings\All of Us\Application Data\Mozilla\Firefox\Profiles\0hhuted3.default\prefs.js

Deleted : user_pref("browser.startup.homepage", "hxxp://search.bearshare.com");
Deleted : user_pref("keyword.URL", "hxxp://dts.search-results.com/sr?src=ffb&appid=102&systemid=2&sr=0&q=");

*************************

AdwCleaner[R1].txt - [6003 octets] - [23/06/2013 23:46:17]
AdwCleaner[S1].txt - [6039 octets] - [23/06/2013 23:48:01]

########## EOF - C:\AdwCleaner[S1].txt - [6099 octets] ##########

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 23, 2013, 11:14:00 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-06-2013
Ran by All of Us at 2013-06-24 00:11:08 Run:1
Running from C:\Documents and Settings\All of Us\Desktop
Boot Mode: Normal

==============================================

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} => Value deleted successfully.
HKCR\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E} => Key not found.
C:\Program Files\Uniblue => Moved successfully.
C:\Program Files\BearShare Applications => Moved successfully.
C:\Documents and Settings\All Users\Application Data\PC1Data => Moved successfully.
C:\Documents and Settings\All Users\Application Data\pclunst.exe => Moved successfully.

==== End of Fixlog ====

Title: Re: 139d2e78.exe again
Post by: Corrine on June 24, 2013, 12:50:03 AM

One more tool to run, which is really more general cleanup and not likely to solve the problem with your account. If after a restart, I think it is time for you to create a new account and move your files. I'll provide links to instructions for accomplishing it.

Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/) to your desktop.

Disable your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 24, 2013, 07:11:01 AM

Here's the log. Sadly my account is still inaccessible.
Pete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by All of Us on 24/06/2013 at 7:56:39.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{A057A204-BACC-4D26-9990-79A187E2698F}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{A057A204-BACC-4D26-9990-79A187E26990}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\pc cleaners"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 24/06/2013 at 7:59:45.62
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Title: Re: 139d2e78.exe again
Post by: Corrine on June 24, 2013, 08:52:20 PM

Hi, Pete.

1. I didn't expect it to solve the problem as it merely removed adware and browser hijackers from the computer. It is not uncommon for accounts to become corrupt. Microsoft provides instructions on how to create a new account as well as how to copy data from the old account to the new, with specific files not to copy. The instructions are available here: How to copy data from a corrupted user profile to a new profile in Windows XP (http://support.microsoft.com/kb/811151).

2. Before you create the new account, you should clean up the tools that we used. Security Check, TDSSKiller, Farber's tool and the Junkware Removal Tool can be deleted from your desktop.

Please do the following to uninstall AdwCleaner.

Double-click AdwCleaner.exe to run the tool.
Click Uninstall
Confirm with yes

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal (https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=combofix%40live%2ecom&item_name=ComboFix&no_shipping=0&no_note=1&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8).

3. It would be wise to perform some general maintenance prior to copying the data from your corrupt account to the new one. One such step is Disk Cleanup. The Disk Cleanup tool helps you free up space on your hard disk by searching your disk for files that you can safely delete. You can choose to delete some or all of the files. It can also be used to clear all but the most recent System Restore point.

First, create a fresh restore point:

1. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
2. Click Create a Restore Point, and then click Next.
3. Name your restore point. (i.e., clean)
4. Click the Create button.
5. When the new restore point has been created, click Close.

Now select the files to be removed as well as all but the new restore points:

Click start-->Run and type cleanmgr into the run box and then click "OK".
Select the drive where Windows is installed (if you have more than one drive) and click "OK".
When the scan completes, check/uncheck desired boxes.
Next, please click the More Options tab at the top.
Click the "Clean up..." button under the System Restore section at the bottom.
Answer Yes to the question "Are you sure you want to delete all but the most recent restore point?".
Click OK and answer Yes[/b] again.

The disk clean up utility will remove the selected items. When it completes, please restart the computer to properly record the changes made to the hard disk.

4. The next step, particularly since Security Check showed the computer as "Total Fragmentation on Drive C:: 22%", is to defrag the hard drive. Instructions are available here: How to Defragment Your Disk Drive Volumes in Windows XP (http://support.microsoft.com/kb/314848).

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 24, 2013, 11:30:41 PM

Bad news I'm afraid.

I deleted all recent tools and logs, did a disk clean, created a new restore point and deleted the old ones, and finally did a defrag. Then I followed the instructions on the Microsoft website, created a new account for myself and then tried

3.Locate the C:\Documents and Settings\Old_Username folder, where C is the drive on which Windows XP is installed, and Old_Username is the name of the profile you want to copy user data from.

..and the respohnswe was "C:\Documents and Settings\Pete is not accessible. Access denied" !
There seems, then, to be no way to get at the files in my old account (although 'Properties' says there no files or folders in my profile anyway). Is this the end of the road?

Pete

Title: Re: 139d2e78.exe again
Post by: Corrine on June 24, 2013, 11:52:59 PM

See if this helps: "Access is Denied" error message when you try to open a folder (http://support.microsoft.com/kb/810881).

An alternate option to try is a very nice recovery Linux LiveCD called Trinity Rescue Kit. It can be used to retrieve files from dead/dying/infected computers, and to also do some virus scanning as well as removing passwords, etc. You can get it from here: Trinity Rescue Kit (http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT____CPR_FOR_YOUR_COMPUTER&front_id=12&lang=en&locale=en).

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 25, 2013, 09:35:23 PM

Hi Corinne. I tried your 1st suggestion - and it worked!! I can now see my docs again,(Which is a big. relief. I didn't tell you this before but I lost my backup copies when I was trying to create a boot disk a couple of days ago and inserted the wrong USB stick and wiped them! Doh. )

Theituation now is that using my wife's account (called 'All of us' because the kids used to use it too) I can see in My Computer a folder called "All of us's Documents" and another called "Pete's Documents".

However when I try to access my account/profile called 'Pete' there's no change - I still get the "139d2e78.exe is not recognised..." message and can't get in. Can I delete that account now and create a new one for myself? Can I then transfer "Pete's Documents'" into it?

Pete

Title: Re: 139d2e78.exe again
Post by: Corrine on June 25, 2013, 11:12:45 PM

Yipes, Pete! I can just about imagine what you yelled at the computer when you used the wrong USB stick.

I thought you already created the new account for yourself? It is from that new account that you want to follow the Microsoft instructions to copy the files and folders (except the 3 listed in the Microsoft instructions) from "Pete's Documents" over to your new account. After you have completed that and are certain you have all the files copied over and a new backup to replace the backup you lost, then you can delete the old account. I wouldn't advise deleting the old account before that.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 26, 2013, 05:35:20 AM

Oops , I forgot to back to 'How to copy data from a corrupted user profile to a new profile in Windows XP' after getting past the 'Access is denied' problem.

OK, I've now created a new User profile called 'Pete2' but get stuck at "6.Locate the C:\Documents and Settings\New_Username folder, where C is the drive on which Windows XP is installed, and New_Username is the name of the user profile that you created in the "Create a New User Profile" section."

I can't see 'Pete2' in Windows Explorer C:\Documents and Settings, even after restart. (But it does show as an option on the welcome screen on starting up.)

I can see the 'All of us' profile, and 'Pete' (my corrupt one ) and also 'All Users' and 'Default User' and 'TEMP.PETER'
(also NetworkService and LocalService). Pete2 doesn't show up after a restart either.

One other thing - I can't see a file called 'ntuser.ini' in 'Pete'. I see
ntuser (DAT file according to Properties)
ntuser (Configuration settings according to Properties)
ntuser.bak
ntuser.dat (text file)
ntuser.tmp

Title: Re: 139d2e78.exe again
Post by: Corrine on June 26, 2013, 04:39:47 PM

When logged in as "All of us", did you show hidden folders?

QuoteIn Windows Explorer, click Tools, click Folder Options, click the View tab, click Show hidden files and folders, click to clear the Hide protected operating system files check box, and then click OK.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 26, 2013, 04:58:49 PM

Yes, and I just tried it again but nothing's changed.

Pete

Title: Re: 139d2e78.exe again
Post by: Corrine on June 27, 2013, 01:10:45 AM

Hi, Pete.

I'm not ignoring you -- I'm looking to find out what the problem is. I'm also wondering where the "TEMP.PETER" came from. If I don't find anything, you may need to try Trinity Rescue in order to see if it can find your files so you can back them up.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 27, 2013, 08:29:04 AM

That's OK Corinne. I thought that might be the case.

There's been some progress in that I can now see Pete2 in C:\Documents and Settings (Perhaps because on start up this time I actually logged into Pete2 for the first time?)

I have copied across all the files and folders from Pete according to the MS instructions. However if I log in to Pete2 none of it seems to have much effect. None of my personalised Desktop folders or IE Favourites for example. And the My Documents folder only contains My Music and My Pictures folders and both are empty.

Oh, and TEMP.PETE is still showing in C:\Documents and Settings.

Looking on the bright side, I can access my personal docs now, which is very useful because I'm doing a job application and need to refer to my CV and previous applcations I've written - something that was not possible a few days ago (since I wiped my backup :D )

I'm sorry this is turning into such a marathon. I'm so grateful for your patience and perservance.

Pete

Title: Re: 139d2e78.exe again
Post by: Corrine on June 28, 2013, 12:25:48 AM

Hi, Pete.

I've asked the team if anyone has any suggestions or sees something we are missing.

Title: Re: 139d2e78.exe again
Post by: PeterJ on June 30, 2013, 10:10:48 PM

Hi Corinne.
Do you or any of colleagues have any further suggestions?
Maybe I should try again to move my docs across to my new profile?

Pete

Title: Re: 139d2e78.exe again
Post by: Corrine on July 01, 2013, 01:01:39 AM

Hi, Pete. Yes, we've been having a discussion behind the scenes.

1. A main concern is that you were not able to do a boot scan (e.g. Windows Defender Offline). I take it you reviewed the Windows Defender Offline: frequently asked questions (http://windows.microsoft.com/en-US/windows/windows-defender-offline-faq). The reason I ask is because there is another boot scan option (Hitman Pro) which has also had some success but if you couldn't run either of the other two options, it seems a waste of time to put you through that exercise, unless you're willing to give it a go.

2. We have seen where Emsisoft has been successful lately. It can't hurt to give it a try:

Download and save the Emsisoft Anti-Malware setup program to your desktop from here: http://www.emsisoft.com/en/software/antimalware/download/

Note: This is a large file so please be patient. After the download has been completed, please do the following:

Double-click on the EmsisoftAntiMalwareSetup.exe icon to start the program. If Windows Smart Screen issues an alert, please allow it to run anyway.
If there is an alert about safe mode, please click on the Yes button to continue. Select the language you wish to use and press the OK button.
On the "Licensing" screen, select the "Freeware mode" link located below the "I have a license" box.
Make any selections you wish on the screen about Emsisoft's Anti-Malware network and click Next.
Be patient while the definitions are updated.
Click on the Clean computer now button.
At the display a screen asking what type of scan you would like to perform, select the Deep Scan option and then click on the Scan button.
Please be patient while Emsisoft Anti-Malware scans your computer as this will take some time.
When the scan has finished, click on the Quarantine Selected Objects button.
Restart your computer into the normal Windows mode.

3. I also provided the option of the Trinity Rescue Kit which can be used to retrieve files from dead/dying/infected computers, and to also do some virus scanning as well as removing passwords, etc. It is available from here: Trinity Rescue Kit (http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT____CPR_FOR_YOUR_COMPUTER&front_id=12&lang=en&locale=en).

4. Since you can now access your files, it was suggested simply copying them to a CD or large memory stick; then deleting all accounts relating to Pete. Reboot, defrag and then create a new account. Once the new account is established copy the files back off the CD/memory stick. You could do that or simply try again to move your documents to your new profile.

Title: Re: 139d2e78.exe again
Post by: PeterJ on July 02, 2013, 06:37:40 AM

Thanks Corinne.

I copied all the docs in C:\Documents and Settings\Pete to a USB stick, and from there into C:\Documents and Settings\Pete2. Most went across Ok this time , except for Nethood, Printhood, Privacie, Recent and Send to. However, the great new is I do now have a new account that works!!

I then, for added reassurance ran Emsisoft Anti-Malware withe following results. One of these items is desacribed as a "Trojan Downloader" Maybe that's the one that's caused all the problems?

Pete

Emsisoft Anti-Malware - Version 7.0
quarantine log

Date   Source   Event   Behavior/Infection
02/07/2013 02:00:03   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 02:00:10   Value: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH -> LASTOPENFILEDIR   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 01:59:55   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1005\SOFTWARE\NOADWARE3   Moved to quarantine   Trace.Registry.NoAdware (A)
02/07/2013 02:00:10   Value: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH -> LASTOPENFILEDIR   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 02:00:03   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 01:59:55   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1005\SOFTWARE\NOADWARE3   Moved to quarantine   Trace.Registry.NoAdware (A)
02/07/2013 01:59:38   C:\Program Files\LimeWire\riding j sean.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:59:29   C:\Program Files\LimeWire\my boy lollipop.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:59:20   C:\Program Files\LimeWire\mrs robinson siomin garfunkel.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:59:12   C:\Program Files\LimeWire\eez wizz pulp.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:59:03   C:\Program Files\LimeWire\Bob Dylan - Romance In Durango.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:58:54   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\48\625f7870-72308af9   Moved to quarantine   Exploit.Java.CVE-2012-1723.M (B)
02/07/2013 01:58:46   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\60\13661cfc-717411a9   Moved to quarantine   Exploit.Java.CVE.H (B)
02/07/2013 01:58:38   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\61\2f7f79fd-2ec4292c   Moved to quarantine   Trojan.Downloader.Java.OpenConnection.AU (B)
02/07/2013 01:58:30   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\8\28b67fc8-180bfb0f   Moved to quarantine   Exploit.JPEJ (B)
02/07/2013 01:58:20   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\61\3b660cfd-3cb64e66   Moved to quarantine   Exploit.JPEJ (B)

Title: Re: 139d2e78.exe again
Post by: Corrine on July 02, 2013, 05:35:21 PM

Hi, Pete.

The "trojan downloader" Emsisoft found was in the recycle bin. The other files that were quarantined were older files from what appears to be infected files your children downloaded using Limewire, which appears to have been removed from your computer since it hasn't shown up in the logs until now. If I've missed it and it is still installed, I strongly advise removing it!

It appears as though you are good to go. Good luck with the job application and don't forget to add a link to the Basing House blog to our thread in the Lounge!

Please refer to the Safe Computing Practices and other recommendations in this updated copy of "So how did I get infected in the first place?" (http://securitygarden.blogspot.com/p/blog-page.html).

Title: Re: 139d2e78.exe again
Post by: PeterJ on July 02, 2013, 09:46:01 PM

Thank you so much Corinne. I don't know what I've done without your excellent advice.

One thing I am determined to do after this experience is get a proper backup system in place. If you know of a good inexpensive or free one then please let me know.

Best wishes,

Pete (one VERY satisfied customer!)

Title: Re: 139d2e78.exe again
Post by: Corrine on July 02, 2013, 11:58:59 PM

Hi, Pete. (Check your messages, please.)

I am very happy that I was able to help you.

There are probably as many recommendations as there are backup options. This review may help you decide: The best free disk imaging program: a comparative analysis (updated) - freewaregenius.com (http://www.freewaregenius.com/the-best-free-disk-imaging-program-a-comparative-analysis/).

You may also want to consider placing a copy of important documents (such as your CV!) on SkyDrive. SkyDrive is accessible from Outlook.com (the renamed Hotmail). If you already have a "Hotmail" account, you already have access to SkyDrive. If not, all you need is a Microsoft Account and you get 7 GB of free cloud storage on SkyDrive that is accessible from anywhere.

Information about Outlook.com: Outlook.com - Microsoft Office email (http://windows.microsoft.com/en-us/windows/outlook-overview#1TC=t1)
Information about SkyDrive: SkyDrive - Microsoft Windows (http://windows.microsoft.com/en-US/skydrive/download)

Most important for you to consider is to start setting aside funds for a new computer. Not only is support ending for Windows XP on April 8, 2014, your OS was installed eight years ago -- 23/02/2005! It is generally indicated that the average lifespan of a computer is 3-5 years. So, although your computer is working, keep in mind that the hardware is old and parts may be wearing out.

Title: Re: 139d2e78.exe again
Post by: MikeW on July 03, 2013, 08:16:31 AM

Quote from: PeterJ on July 02, 2013, 09:46:01 PM
Thank you so much Corinne. I don't know what I've done without your excellent advice.

One thing I am determined to do after this experience is get a proper backup system in place. If you know of a good inexpensive or free one then please let me know.

Best wishes,

Pete (one VERY satisfied customer!)

This is the back-up program I have been using for some years Peter. Its simple to use and best of all Free
http://www.freebyte.com/fbbackup/

LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: PeterJ on June 19, 2013, 02:39:33 PM