
Thread: XP Security 2012 Unregistered Version virus...please help

  #11 - Member (Join Date: Jan 2009, Posts: 53)

    Installed Java...re-ran ESET and DDS

    Didn't know if the uninstall and Java upgrade would affect the Java-related bugs that ESET found, so I re-ran both ESET and DDS.

    -----------ESET------------actually looks the same on quick look------

    C:\Documents and Settings\alexander\Application Data\Sun\Java\Deployment\cache\6.0\55\10a506b7-5b1ae10a a variant of Java/Exploit.CVE-2010-4452.A trojan
    C:\Install\Nero\wordview_en-us.exe Win32/Toolbar.AskSBar application
    C:\Install\RegistryFix\registryfix-full.exe a variant of Win32/Adware.ErrorClean application
    C:\Program Files\RegistryFix8\UninstlDll.dll Win32/Adware.ErrorClean application
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1004\A0075300.exe a variant of Win32/Adware.ErrorClean application
    F:\Maxtor backup\GROUCHO\C\Install\Nero\wordview_en-us.exe Win32/Toolbar.AskSBar application
    F:\Maxtor backup\GROUCHO\C\Install\RegistryFix\registryfix-full.exe a variant of Win32/Adware.ErrorClean application
    F:\Office Machine Saved Files\Install\Nero\wordview_en-us.exe Win32/Toolbar.AskSBar application


    ---------DDS-------------

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 10.0.0
    Run by alexander at 19:54:57 on 2011-08-23
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2325 [GMT -7:00]
    .
    AV: AVG Internet Security *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\AVG\AVG9\avgfws9.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Maxtor\Sync\SyncServices.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1196144302&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
    TB: Translator: {ff284f5c-7cf9-4682-8701-d467c1dbb99f} - c:\program files\prmt7\prmtie\prmtie.dll
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [ArcSoft MediaImpression Monitor] c:\program files\kodak\mediaimpression\ArcMonitor.exe
    mRun: [Ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\alexan~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    uPolicies-explorer: NoThumbnailCache = 1 (0x1)
    dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\prmt7\prmtie\prmtie5.htm
    IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - c:\program files\prmt7\prmtie\options.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
    DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 68.116.46.115
    TCP: Interfaces\{7A41F945-17A9-4E84-92CD-7EE3CB9E0AAB} : DhcpNameServer = 71.9.127.107 68.190.192.35 68.116.46.115
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\alexander\application data\mozilla\firefox\profiles\fwwqxfij.default\
    FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1196144302&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-15 25168]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-2-15 52872]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-15 216400]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-15 29584]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-15 243152]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-11 14336]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
    R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-22 2331544]
    R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-31 1373480]
    R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2011-5-28 36224]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-2-15 30104]
    R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-15 122448]
    R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-15 30288]
    R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-15 26192]
    S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-2-15 30104]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-19 41272]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-2-20 96416]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-2-20 12704]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-2-20 121504]
    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2011-5-28 134912]
    .
    =============== File Associations ===============
    .
    .reg=Regedit.Document
    .
    =============== Created Last 30 ================
    .
    2011-08-23 23:17:36 128000 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-23 15:34:28 -------- d-----w- c:\program files\ESET
    2011-08-23 15:05:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-23 01:35:15 1409 ----a-w- c:\windows\QTFont.for
    2011-08-22 21:00:19 98816 ----a-w- c:\windows\sed.exe
    2011-08-22 21:00:19 518144 ----a-w- c:\windows\SWREG.exe
    2011-08-22 21:00:19 256000 ----a-w- c:\windows\PEV.exe
    2011-08-22 21:00:19 208896 ----a-w- c:\windows\MBR.exe
    2011-08-20 15:32:06 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2011-08-20 15:32:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-15 21:33:33 203776 ----a-w- c:\windows\system32\EBAPI.dll
    2011-08-15 21:33:33 108032 ----a-w- c:\windows\system32\EBUtil.dll
    2011-08-10 18:48:00 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 18:47:59 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    .
    ==================== Find3M ====================
    .
    2011-08-23 23:17:23 544656 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-19 11:10:32 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-29 15:43:44 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-06-21 18:45:57 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-21 18:45:57 17408 ------w- c:\windows\system32\corpol.dll
    2011-06-21 11:47:20 389120 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-29 22:15:52 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2009-11-20 04:08:02 3749224 ----a-w- c:\program files\common files\adlmint_libFNP.dll
    2009-11-20 04:08:02 2941288 ----a-w- c:\program files\common files\adlmint.dll
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 19:56:27.79 ===============


    --------attaching ATTACH.txt as ATTACH_D.zip------

  #12 - Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\Documents and Settings\alexander\Application Data\Sun\Java\Deployment\cache\6.0\55\10a506b7-5b1ae10a
    Folder::
    C:\Install\RegistryFix
    C:\Program Files\RegistryFix8
    F:\Maxtor backup\GROUCHO\C\Install\RegistryFix

    Save this as CFScript

    A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
    Then post the resultant log. How's the system running?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
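    Post #12 turns the ESET findings from post #11 into a CFScript by hand: the exploit artifact in the Java deployment cache goes under File::, the RegistryFix directories go under Folder::, and the restore-point copy under System Volume Information is not listed. The script below is an added example, not code from the thread or from ComboFix, that mechanises that mapping. The ESET lines are embedded as constructed sample input copied from post #11; REMOVE_FOLDERS reproduces the helper's choice of directories, which is an operator decision the scan output alone cannot justify. Only the File:: and Folder:: directives that appear in the thread are emitted. One difference from the helper's script is deliberate: the three Nero wordview_en-us.exe installers flagged as Win32/Toolbar.AskSBar are listed under File:: here, whereas post #12 left them alone; whether a bundled toolbar installer is worth deleting is a judgment call the reader must make.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the ESET Online Scanner lines quoted in post #11.
ESET_LOG = r"""
C:\Documents and Settings\alexander\Application Data\Sun\Java\Deployment\cache\6.0\55\10a506b7-5b1ae10a a variant of Java/Exploit.CVE-2010-4452.A trojan
C:\Install\Nero\wordview_en-us.exe Win32/Toolbar.AskSBar application
C:\Install\RegistryFix\registryfix-full.exe a variant of Win32/Adware.ErrorClean application
C:\Program Files\RegistryFix8\UninstlDll.dll Win32/Adware.ErrorClean application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1004\A0075300.exe a variant of Win32/Adware.ErrorClean application
F:\Maxtor backup\GROUCHO\C\Install\Nero\wordview_en-us.exe Win32/Toolbar.AskSBar application
F:\Maxtor backup\GROUCHO\C\Install\RegistryFix\registryfix-full.exe a variant of Win32/Adware.ErrorClean application
F:\Office Machine Saved Files\Install\Nero\wordview_en-us.exe Win32/Toolbar.AskSBar application
"""

# Directories the helper chose to remove wholesale in post #12. This is an
# operator decision, not something derivable from the scan output.
REMOVE_FOLDERS = [
    r"C:\Install\RegistryFix",
    r"C:\Program Files\RegistryFix8",
    r"F:\Maxtor backup\GROUCHO\C\Install\RegistryFix",
]

# "<path> [probably ][a variant of ]<Family/Name> <class>". The path may contain
# spaces, so it is matched non-greedily and the "Family/Name" token (Windows
# paths never contain "/") anchors the split.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>\S+)$"
)


def parse_eset(text):
    """Return one dict per detection line: path, detection name, threat class."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        name = m["detection"].replace("probably ", "").replace("a variant of ", "")
        findings.append({"path": m["path"], "detection": name, "kind": m["kind"]})
    return findings


def in_restore_point(path):
    """System Restore copies were not listed in the thread's script; skip them too."""
    return "System Volume Information" in PureWindowsPath(path).parts


def under_any(path, folders):
    """True if path lies inside one of folders (PureWindowsPath compares case-insensitively)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(f) in p.parents for f in folders)


def build_cfscript(findings, remove_folders):
    """Emit the File::/Folder:: directives used in the thread.

    Deduplicates paths, skips restore-point copies, and omits files that are
    already covered by a Folder:: entry so each artifact is named once.
    """
    files = []
    for f in findings:
        p = f["path"]
        if in_restore_point(p) or under_any(p, remove_folders) or p in files:
            continue
        files.append(p)
    lines = ["File::", *files, "Folder::", *remove_folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Save the output as CFScript.txt next to ComboFix.exe, as post #15's log shows.
    print(build_cfscript(parse_eset(ESET_LOG), REMOVE_FOLDERS))
```

    The parser raises on any line it does not understand rather than silently dropping it, so a scan line in an unexpected format cannot vanish from the script unnoticed.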

  #13 - Member (Join Date: Jan 2009, Posts: 53)

    ComboFix expired?!

    Ratz,
    While trying to implement your last instructions, I started getting a notification that ComboFix has expired. Do I want to quit or run in a reduced mode?

    Do I need to download CF again?
    Should I uninstall my existing CF first?

    Please advise.

    My system is running pretty much normally.
    I haven't tried to run Malwarebytes' Anti-Malware, so I'm not sure if the XP Security 2012 Unregistered Version notification will come up again.

    I haven't looked in my processes to see if fuf.exe is showing up, but I suspect that it's gone.

    You've done a great job so far! I really appreciate your time and patience with me. It's a tremendous relief.

    Thanks
    AWhang

  #14 - Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Please let ComboFix update itself.

  #15 - Member (Join Date: Jan 2009, Posts: 53)

    ComboFix expired...ran anyway...and another question...

    I assume that means to just drag and drop and let CF update itself then, so I clicked 'Yes' to let it run in reduced functionality mode?

    I did notice that each time I run CF, it extracts a lot of files, but I don't notice it accessing anything on-line to update, and the error message comes after the extractions and before doing any processes...

    Incidentally, this time, CF started at process 49? Was that due to the instructions in the script I dragged and dropped to start CF?

    Here's the resulting CF log-------

    ComboFix 11-08-18.03 - alexander 08/24/2011 7:55.6.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2756 [GMT -7:00]
    Running from: c:\documents and settings\alexander\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\alexander\Desktop\CFScript.txt
    AV: AVG Internet Security *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    FILE ::
    "c:\documents and settings\alexander\Application Data\Sun\Java\Deployment\cache\6.0\55\10a506b7-5b1ae10a"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\alexander\Application Data\Sun\Java\Deployment\cache\6.0\55\10a506b7-5b1ae10a
    c:\install\RegistryFix
    c:\install\RegistryFix\registryfix-full.exe
    c:\program files\RegistryFix8
    c:\program files\RegistryFix8\logs\1-10-2010 (9-36-30).txt
    c:\program files\RegistryFix8\logs\12-6-2011 (10-44-44).txt
    c:\program files\RegistryFix8\logs\12-6-2011 (10-51-14).txt
    c:\program files\RegistryFix8\logs\13-7-2011 (9-45-12).txt
    c:\program files\RegistryFix8\logs\16-4-2011 (8-45-16).txt
    c:\program files\RegistryFix8\logs\18-6-2011 (23-21-57).txt
    c:\program files\RegistryFix8\logs\19-3-2011 (18-57-5).txt
    c:\program files\RegistryFix8\logs\19-5-2011 (6-33-55).txt
    c:\program files\RegistryFix8\logs\20-8-2011 (8-13-9).txt
    c:\program files\RegistryFix8\logs\21-10-2010 (20-59-30).txt
    c:\program files\RegistryFix8\logs\22-7-2011 (11-49-48).txt
    c:\program files\RegistryFix8\logs\25-7-2011 (0-0-7).txt
    c:\program files\RegistryFix8\logs\28-11-2010 (9-3-39).txt
    c:\program files\RegistryFix8\logs\29-12-2010 (20-20-43).txt
    c:\program files\RegistryFix8\logs\29-5-2011 (15-31-55).txt
    c:\program files\RegistryFix8\logs\4-7-2011 (6-37-13).txt
    c:\program files\RegistryFix8\logs\5-12-2010 (7-2-45).txt
    c:\program files\RegistryFix8\logs\5-9-2010 (23-10-6).txt
    c:\program files\RegistryFix8\logs\7-6-2011 (23-10-57).txt
    c:\program files\RegistryFix8\logs\7-9-2010 (13-33-36).txt
    c:\program files\RegistryFix8\logs\8-4-2011 (16-38-40).txt
    c:\program files\RegistryFix8\logs\8-4-2011 (16-49-44).txt
    c:\program files\RegistryFix8\RegBackup\5,29,2011_22,30,55.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\10,1,2010_9,44,35.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\10,21,2010_21,6,3.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\12,29,2010_20,47,52.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\12,5,2010_7,9,42.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\3,19,2011_19,5,23.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\4,16,2011_8,51,19.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\4,8,2011_16,49,38.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\4,8,2011_16,53,38.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\5,29,2011_22,29,19.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\6,12,2011_10,50,34.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\6,18,2011_23,31,3.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\6,7,2011_23,44,36.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\7,13,2011_9,57,33.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\7,22,2011_12,2,4.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\7,25,2011_8,37,24.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\7,4,2011_6,52,7.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\8,20,2011_8,22,6.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\9,6,2010_8,47,59.cab
    c:\program files\RegistryFix8\RegistryFix8Backup\9,7,2010_13,40,37.cab
    c:\program files\RegistryFix8\unins000.dat
    c:\program files\RegistryFix8\unins000.exe
    c:\program files\RegistryFix8\UninstlDll.dll
    c:\program files\RegistryFix8\Updater.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-23 23:17 . 2011-08-23 23:17 128000 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-23 15:34 . 2011-08-23 15:34 -------- d-----w- c:\program files\ESET
    2011-08-23 15:05 . 2011-08-23 15:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-23 01:35 . 2011-08-23 01:35 1409 ----a-w- c:\windows\QTFont.for
    2011-08-20 15:32 . 2011-08-21 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-08-20 15:32 . 2011-08-20 19:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-15 21:33 . 1999-07-19 17:27 203776 ----a-w- c:\windows\system32\EBAPI.dll
    2011-08-15 21:33 . 1998-04-04 00:15 108032 ----a-w- c:\windows\system32\EBUtil.dll
    2011-08-10 18:48 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 18:47 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-23 23:17 . 2010-04-16 04:14 544656 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-19 11:10 . 2004-08-11 22:00 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-07-15 13:29 . 2005-06-22 13:02 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2004-08-11 22:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-07 02:52 . 2009-01-19 19:45 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-07 02:52 . 2009-01-19 19:45 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-29 15:43 . 2009-11-09 04:59 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-24 14:10 . 2004-08-11 22:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-21 18:45 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-06-21 18:45 . 2004-08-11 22:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-21 18:45 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-06-21 18:45 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
    2011-06-21 11:47 . 2004-08-11 22:00 389120 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-11 22:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2004-08-11 22:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-29 22:15 . 2011-05-29 22:15 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2009-11-20 04:08 . 2009-11-20 04:08 3749224 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
    2009-11-20 04:08 . 2009-11-20 04:08 2941288 ----a-w- c:\program files\Common Files\adlmint.dll
    2011-08-18 14:51 . 2011-05-13 23:01 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-22 98304]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "ArcSoft MediaImpression Monitor"="c:\program files\Kodak\MediaImpression\ArcMonitor.exe" [2010-12-16 80448]
    "Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 258118]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
    .
    c:\documents and settings\alexander\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    c:\documents and settings\eileen\Start Menu\Programs\Startup\
    Kuma_Tray.lnk - c:\documents and settings\alexander\My Documents\Kuma Games\kgsystray\Kuma_tray.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-15 108544]
    EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2005-8-22 135680]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache"= 1 (0x1)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-06-22 16:37 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /m \??\G:\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "56488:TCP"= 56488:TCP:Pando Media Booster
    "56488:UDP"= 56488:UDP:Pando Media Booster
    .
    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [11/15/2009 12:52 AM 25168]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2/15/2009 2:18 AM 52872]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/15/2009 12:20 AM 216400]
    S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/15/2009 12:21 AM 243152]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/11/2004 3:00 PM 14336]
    S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 9:37 AM 308136]
    S2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [6/22/2010 9:37 AM 2331544]
    S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [6/22/2010 9:37 AM 5897808]
    S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [12/31/2008 5:43 PM 1373480]
    S3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [5/28/2011 11:07 PM 36224]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/15/2009 12:19 AM 30104]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/15/2009 12:19 AM 30104]
    S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [11/15/2009 12:51 AM 122448]
    S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [11/15/2009 12:51 AM 30288]
    S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [11/15/2009 12:51 AM 26192]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/19/2009 12:45 PM 41272]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2/20/2011 10:21 PM 96416]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2/20/2011 10:21 PM 12704]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2/20/2011 10:21 PM 121504]
    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [5/28/2011 11:07 PM 134912]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - ArcRec
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1196144302&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
    TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 68.116.46.115
    FF - ProfilePath - c:\documents and settings\alexander\Application Data\Mozilla\Firefox\Profiles\fwwqxfij.default\
    FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1196144302&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Registry Fix_is1 - c:\program files\RegistryFix8\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-24 07:59
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
    "91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(232)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    Completion time: 2011-08-24 08:03:59
    ComboFix-quarantined-files.txt 2011-08-24 15:03
    ComboFix2.txt 2011-08-23 14:43
    ComboFix3.txt 2011-08-23 00:16
    .
    Pre-Run: 141,605,625,856 bytes free
    Post-Run: 141,586,403,328 bytes free
    .
    - - End Of File - - D1A6CBB6FFDE42C6A18FB3F88E31B970


    --------question------

Every time my machine is restarted (like after CF to get my internet connection back), an annoying ATI Explorer window pops up (C:\Program Files\ATI).
I thought I had cleared it from my Startup directory, but it keeps coming back. Is there a way I can stop this from happening? I've checked on-line and it doesn't seem to be a virus or malicious... just really annoying.
    Thanks for everything so far Blade81!
    -AW

  6. #16
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

Is there a specific title for that ATI window? If you could grab a screenshot, that would help.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #17
    Member
    Join Date
    Jan 2009
    Posts
    53

    Default Annoying ATI Window pop-up...

    Here's a screen grab of the annoying window.
    Thanks!
    -AW

  8. #18
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

Code:
REGEDIT4

; "=-" deletes the ATIPTA value (the atiptaxx.exe autostart) when the file is imported
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=-
    It should look like this ->

Double-click fix.reg, press Yes and OK. Reboot to see if the problem got resolved (post back a fresh dds.txt log if it didn't).

  9. #19
    Member
    Join Date
    Jan 2009
    Posts
    53

    Default ATI pop-up still popping up...

    Hi Blade81,
I copy/pasted the text to Notepad and saved it as (all files) fix.reg. I had to hunt down regedit to open fix.reg, but was able to run it.
I restarted and the pop-up showed again :( It's a tough little bugger!
    Thanks
    AW

    --------requested DDS log---------

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 10.0.0
    Run by alexander at 17:56:11 on 2011-08-24
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2149 [GMT -7:00]
    .
    AV: AVG Internet Security *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\AVG\AVG9\avgfws9.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Maxtor\Sync\SyncServices.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1196144302&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
    TB: Translator: {ff284f5c-7cf9-4682-8701-d467c1dbb99f} - c:\program files\prmt7\prmtie\prmtie.dll
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [ArcSoft MediaImpression Monitor] c:\program files\kodak\mediaimpression\ArcMonitor.exe
    mRun: [Ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\alexan~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    uPolicies-explorer: NoThumbnailCache = 1 (0x1)
    dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\prmt7\prmtie\prmtie5.htm
    IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - c:\program files\prmt7\prmtie\options.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
    DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 68.116.46.115
    TCP: Interfaces\{7A41F945-17A9-4E84-92CD-7EE3CB9E0AAB} : DhcpNameServer = 71.9.127.107 68.190.192.35 68.116.46.115
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\alexander\application data\mozilla\firefox\profiles\fwwqxfij.default\
    FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1196144302&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-15 25168]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-2-15 52872]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-15 216400]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-15 29584]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-15 243152]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-11 14336]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
    R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-22 2331544]
    R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-31 1373480]
    R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2011-5-28 36224]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-2-15 30104]
    R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-15 122448]
    R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-15 30288]
    R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-15 26192]
    S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-2-15 30104]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-19 41272]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-2-20 96416]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-2-20 12704]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-2-20 121504]
    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2011-5-28 134912]
    .
    =============== File Associations ===============
    .
    .reg=Regedit.Document
    .
    =============== Created Last 30 ================
    .
    2011-08-24 15:14:06 -------- d-----w- c:\documents and settings\alexander\local settings\application data\Sun
    2011-08-24 14:54:02 98816 ----a-w- c:\windows\sed.exe
    2011-08-24 14:54:02 518144 ----a-w- c:\windows\SWREG.exe
    2011-08-24 14:54:02 256000 ----a-w- c:\windows\PEV.exe
    2011-08-24 14:54:02 208896 ----a-w- c:\windows\MBR.exe
    2011-08-23 23:17:36 128000 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-23 15:34:28 -------- d-----w- c:\program files\ESET
    2011-08-23 15:05:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-20 15:32:06 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2011-08-20 15:32:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-15 21:33:33 203776 ----a-w- c:\windows\system32\EBAPI.dll
    2011-08-15 21:33:33 108032 ----a-w- c:\windows\system32\EBUtil.dll
    2011-08-10 18:48:00 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 18:47:59 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    .
    ==================== Find3M ====================
    .
    2011-08-23 23:17:23 544656 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-19 11:10:32 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-29 15:43:44 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-06-21 18:45:57 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-21 18:45:57 17408 ------w- c:\windows\system32\corpol.dll
    2011-06-21 11:47:20 389120 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-29 22:15:52 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2009-11-20 04:08:02 3749224 ----a-w- c:\program files\common files\adlmint_libFNP.dll
    2009-11-20 04:08:02 2941288 ----a-w- c:\program files\common files\adlmint.dll
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 17:57:46.59 ===============
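Added example (not code from this thread, DDS or ComboFix): a small Python script that pulls the uRun/mRun autostart lines out of a DDS "Pseudo HJT Report", shows which Run key each one lives under, builds the REGEDIT4 file that deletes a named entry, checks that the file carries a header regedit will actually import, and tells from a fresh log whether the entry is still there. The sample log is constructed from entries quoted in the thread; the uRun = HKCU / mRun = HKLM mapping is the usual HijackThis-style convention and is assumed here.

```python
"""DDS autostart entries and the REGEDIT4 fix that removes one of them.
Added example, not part of the thread; sample log constructed from it."""
import re
from typing import List, NamedTuple, Optional

# Assumed DDS/HijackThis convention: uRun = current user's Run key,
# mRun = machine-wide Run key.
RUN_KEYS = {
    "uRun": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    "mRun": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
# Matches e.g.  mRun: [ATIPTA] c:\program files\...\atiptaxx.exe
RUN_LINE = re.compile(r"^(?P<prefix>uRun|mRun):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# First lines regedit.exe accepts in an import file; "REGEDIT 4" (with a
# space) is not one of them, so such a file is refused on import.
VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Constructed sample, taken from the uRun/mRun lines quoted in the thread.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [SoundMAXPnP] c:\\program files\\analog devices\\core\\smax4pnp.exe
mRun: [ATIPTA] c:\\program files\\ati technologies\\ati control panel\\atiptaxx.exe
mRun: [QuickTime Task] "c:\\program files\\quicktime\\qttask.exe" -atboottime
StartupFolder: c:\\docume~1\\alluse~1\\startm~1\\programs\\startup\\hpdigi~1.lnk
"""


class RunEntry(NamedTuple):
    prefix: str   # uRun / mRun
    name: str     # registry value name, e.g. ATIPTA
    command: str  # command line DDS printed for the value
    key: str      # full registry key the value lives under


def parse_run_entries(log: str) -> List[RunEntry]:
    """Return every uRun/mRun line of a DDS log as a RunEntry."""
    entries = []
    for line in log.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(RunEntry(m["prefix"], m["name"], m["cmd"],
                                    RUN_KEYS[m["prefix"]]))
    return entries


def find_entry(entries: List[RunEntry], name: str) -> Optional[RunEntry]:
    """Case-insensitive lookup of a Run value by its name."""
    return next((e for e in entries if e.name.lower() == name.lower()), None)


def build_delete_reg(entry: RunEntry) -> str:
    """REGEDIT4 script deleting one value: '"Name"=-' removes it on import."""
    return 'REGEDIT4\r\n\r\n[{}]\r\n"{}"=-\r\n'.format(entry.key, entry.name)


def is_valid_reg_header(reg_text: str) -> bool:
    """True if the first line is a header regedit will import."""
    first = reg_text.splitlines()[0].strip() if reg_text.strip() else ""
    return first in VALID_HEADERS


def entry_still_present(fresh_log: str, name: str) -> bool:
    """After the fix and a reboot, a fresh DDS log should no longer list it."""
    return find_entry(parse_run_entries(fresh_log), name) is not None


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_DDS)
    for e in found:
        print(f"{e.prefix:5} {e.name:15} -> {e.key}")
    target = find_entry(found, "ATIPTA")
    if target:
        print(build_delete_reg(target))
    print("still present:", entry_still_present(SAMPLE_DDS, "ATIPTA"))
```

Run it against the pasted log text rather than the sample to see every Run value on the machine; an entry that survives the fix and a reboot (as ATIPTA does in the log above) means the .reg file was not imported.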

  10. #20
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    In the explorer window, go to Tools / Options / View tab / uncheck Restore previous folder windows at logon if checked. Any effect?
