Solved Google Redirect, Random Pop-up Web Pages

Oh my goodness! I really opened a can of worms with the Directory Look for Business Objects! Should have just asked about it! I note that a lot of the files are for map bitmaps and icons for multiple countries. If I do not examine these, please understand that any help I give you will omit these files. They are much too extensive for the 'home' PC.

Problem is there are 2 locked Registry keys that I have been trying to see and they refuse to unlock. There are foreign characters in both so I will ask whether you know what either or both are for:
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ôw*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""


Will you please post the rest of the Combofix log after the Business Objects entries? You do not need to include the rest of them.
 
Oh it's no problem. I have the Xcelsius client installed which is a dashboarding tool based on Excel, it has lots of files. I figured by looking at the list, it was just a whole lot of bitmaps and stuff, as you noted, so that's why I omitted them after a few posts. The rest of the ComboFix Log after the directory look is posted in post number 24 and the HijackThis log starts following that and ends on the next post, number 25.

I do not know what either of those registry keys are for, however, the second one you mentioned
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""


has some hits online on various tech support or malware forums. Most of them do not have the exact foreign character string, but something very close. By the way, you asked me before about the web browser redirects. I have not seen those since the first time I ran ComboFix. Thanks.
 
Sorry- I just passed by the rest of the Combofix log!
About the 2 Registry entries: They are locked. I have tried twice to open them and again to open and delete> neither worked. I'm going to ask if there is any other way to remove them.

HijackThis is fine- no entries to remove.

Do you realize you have Azureus running and a Globally Open Port for Vuze (same program)? That is not safe with all of the business related software you have.
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Azureus/Vuze for these following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

I'll be back to finish you up in a bit, as soon as I can find out about the 2 Registry keys. I do appreciate your patience.
 
Let me try one more thing before I go for a consult:

Please run this Custom CFScript

  • 1. Close any open browsers.
  • 2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • 3. Open Notepad and copy/paste the text in the code below into it:
Code:
File::

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ôw *]
"AB141C35E9F4BF344B9FC010BB17F68A"=-
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~ *]
"AB141C35E9F4BF344B9FC010BB17F68A"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
 
Oh, you don't have to appreciate my patience, I appreciate the assistance.

I don't really use file sharing any more so I can get rid of Vuze. I thought that it would only be running when I launched it though, not all the time. I did know I have an open port for it, but I figured it's okay behind my WEP firewall. I also wasn't leaving sharing on all the time. I just shared specific files for short times - usually movie trailers. I also virus scanned files I got through Vuze and usually launched them on a virtual machine till I knew they were safe. But it's a hassle anyway.

I'll post the ComboFix log when I run it later. Thanks again.
 
ComboFix Log is pasted below.

////////////////////////Begin ComboFix Log\\\\\\\\\\\\\\\\\\\\\\

ComboFix 10-09-28.03 - Dan 09/29/2010 6:30.5.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2568 [GMT -5:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-29 05:46 . 2010-09-29 10:32 41197 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3166u3164te.bin
2010-09-29 05:12 . 2010-09-29 10:32 108825 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_243d242kv.bin
2010-09-28 11:47 . 2010-09-28 11:47 388096 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-28 11:47 . 2010-09-28 11:47 -------- d-----w- c:\program files\Trend Micro
2010-09-28 06:41 . 2010-09-28 10:46 42135 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3164u3162ka.bin
2010-09-28 05:02 . 2010-09-28 10:46 317 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_242d241gl.bin
2010-09-27 06:43 . 2010-09-27 10:46 72592 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3162u3160tb.bin
2010-09-27 05:04 . 2010-09-27 10:46 609 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_355d354cm.bin
2010-09-26 07:08 . 2010-09-26 14:25 7623 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3160u3159hx.bin
2010-09-26 05:29 . 2010-09-26 10:45 1131 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_354d3539a.bin
2010-09-25 17:52 . 2010-09-26 10:45 38435 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3159u3158jm.bin
2010-09-25 06:43 . 2010-09-25 10:46 50604 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3158u3156nv.bin
2010-09-24 12:20 . 2010-09-24 12:20 -------- d-----w- c:\program files\ESET
2010-09-24 06:43 . 2010-09-24 09:55 66383 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3156u3154bi.bin
2010-09-24 05:00 . 2010-09-24 09:55 884 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_353d351f.bin
2010-09-23 14:29 . 2010-09-23 14:29 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 14:29 . 2010-09-23 14:29 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-09-23 14:29 . 2010-09-23 14:29 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 14:29 . 2010-09-23 14:29 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 14:29 . 2010-09-23 14:29 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 14:29 . 2010-09-23 14:29 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 14:29 . 2010-09-23 14:29 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 14:29 . 2010-09-23 14:29 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-09-23 14:29 . 2010-09-23 14:29 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 14:29 . 2010-09-23 14:29 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-23 06:43 . 2010-09-23 10:51 52641 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3154u3152ph.bin
2010-09-22 17:52 . 2010-09-23 10:51 731 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_351d349dt.bin
2010-09-22 13:57 . 2010-09-23 10:51 317 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_241d2407a.bin
2010-09-22 06:44 . 2010-09-22 14:30 11271 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3152u3151ew.bin
2010-09-22 05:01 . 2010-09-22 14:30 887 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_349d348sd.bin
2010-09-22 05:00 . 2010-09-22 14:30 7542 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_240d239sc.bin
2010-09-21 22:23 . 2010-09-22 10:51 50409 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3151u3149en.bin
2010-09-21 06:43 . 2010-09-21 14:46 21602 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3149u3148ix.bin
2010-09-21 05:00 . 2010-09-21 14:46 797 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_348d347ob.bin
2010-09-21 05:00 . 2010-09-21 14:46 4296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_239d238ob.bin
2010-09-20 17:10 . 2010-09-21 09:20 30197 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3148u3147mr.bin
2010-09-20 06:42 . 2010-09-20 10:36 71646 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3147u3145pp.bin
2010-09-20 05:01 . 2010-09-20 10:36 1906 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_347d346kb.bin
2010-09-20 05:00 . 2010-09-20 10:36 24577 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_238d237ka.bin
2010-09-19 06:41 . 2010-09-19 09:51 100504 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3145u3143wj.bin
2010-09-18 22:01 . 2010-09-18 22:01 -------- d-----w- c:\program files\Paint.NET
2010-09-18 22:01 . 2010-09-18 22:06 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Paint.NET
2010-09-18 11:36 . 2010-09-23 14:29 42387 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lng855df.bin
2010-09-18 06:42 . 2010-09-18 17:49 194290 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3143u3138su.bin
2010-09-17 05:00 . 2010-09-18 17:49 875 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_346d34387.bin
2010-09-16 06:41 . 2010-09-16 13:50 26193 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3138u3137ej.bin
2010-09-16 05:00 . 2010-09-18 17:49 7824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_237d23646.bin
2010-09-15 18:42 . 2010-09-16 09:41 41045 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3137u3136kl.bin
2010-09-15 06:44 . 2010-09-15 09:40 38105 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3136u3134yq.bin
2010-09-15 05:01 . 2010-09-15 09:40 773 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_343d3426.bin
2010-09-15 05:00 . 2010-09-15 09:40 374771 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_236d2355.bin
2010-09-14 06:42 . 2010-09-14 13:49 20660 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3134u3133ar.bin
2010-09-14 05:00 . 2010-09-14 13:49 940 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_342d341w3.bin
2010-09-13 18:41 . 2010-09-14 09:40 14920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3133u3132cl.bin
2010-09-13 06:42 . 2010-09-13 13:50 12858 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3132u3131pi.bin
2010-09-13 05:00 . 2010-09-13 13:50 868 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_341d339s2.bin
2010-09-12 18:40 . 2010-09-13 09:40 17494 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3131u3130bd.bin
2010-09-12 06:42 . 2010-09-12 09:40 39481 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3130u3128sl.bin
2010-09-11 06:43 . 2010-09-11 09:41 25285 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3128u3126ob.bin
2010-09-10 07:14 . 2010-09-10 14:34 38359 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3126u3125zc.bin
2010-09-10 05:00 . 2010-09-13 13:50 9056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_235d234fz.bin
2010-09-09 18:39 . 2010-09-10 09:40 20825 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3125u3124lw.bin
2010-09-09 15:00 . 2010-09-23 14:29 400 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lsimg855b847ga.bin
2010-09-09 15:00 . 2010-09-23 14:29 129578 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lsie856b845pu.bin
2010-09-09 15:00 . 2010-09-23 14:29 111242 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lsff855b847dg.bin
2010-09-09 15:00 . 2010-09-23 14:29 4562 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lngus855b851cy.bin
2010-09-09 15:00 . 2010-09-23 14:29 157572 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9krnl855b847ny.bin
2010-09-09 15:00 . 2010-09-23 14:29 263053 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9core856b846dn.bin
2010-09-09 15:00 . 2010-09-23 14:29 207612 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9ui856b832zm.bin
2010-09-09 15:00 . 2010-09-23 14:29 140187 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9upd855b839vh.bin
2010-09-09 15:00 . 2010-09-23 14:29 326598 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9setup855b832me.bin
2010-09-09 15:00 . 2010-09-23 14:29 62192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9nsx855b832dt.bin
2010-09-09 14:59 . 2010-09-23 14:29 27706 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9chjc855b832ur.bin
2010-09-09 06:42 . 2010-09-09 09:40 70039 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3124u3121fz.bin
2010-09-09 05:00 . 2010-09-09 09:40 1917 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_339d338by.bin
2010-09-09 05:00 . 2010-09-09 09:40 18992 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_234d233by.bin
2010-09-08 06:14 . 2010-09-08 09:40 55106 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3121u3119sk.bin
2010-09-08 05:00 . 2010-09-08 13:49 1129 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_338d3367x.bin
2010-09-07 06:42 . 2010-09-07 09:40 40810 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3119u3117lg.bin
2010-09-06 06:42 . 2010-09-06 09:40 19103 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3117u3115iv.bin
2010-09-06 05:00 . 2010-09-06 09:40 523 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_336d335zu.bin
2010-09-05 06:42 . 2010-09-05 15:46 61335 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3115u3113qp.bin
2010-09-05 05:20 . 2010-09-05 15:46 656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_335d334wd.bin
2010-09-05 05:20 . 2010-09-05 15:46 413430 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_233d232wd.bin
2010-09-04 14:56 . 2010-09-04 14:56 -------- d-----w- c:\documents and settings\Dan\Application Data\XcelsiuscustomThemesAutoInfo
2010-09-04 14:56 . 2010-09-04 14:56 -------- d-----w- c:\documents and settings\Dan\Application Data\XcelsiuscustomThemes
2010-09-04 14:56 . 2010-09-04 16:39 -------- d-----w- c:\documents and settings\Dan\Application Data\Xcelsius
2010-09-04 14:55 . 2010-09-04 14:55 -------- d-----w- c:\windows\system32\Binaries
2010-09-04 14:38 . 2010-09-04 14:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-09-04 06:42 . 2010-09-04 13:49 13470 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3113u3112bp.bin
2010-09-04 05:18 . 2010-09-04 13:49 581 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_334d333sa.bin
2010-09-03 18:41 . 2010-09-04 09:40 43244 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3112u3111zm.bin
2010-09-03 06:41 . 2010-09-03 09:43 53472 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3111u3108sg.bin
2010-09-03 05:00 . 2010-09-03 09:43 1136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_333d332nr.bin
2010-09-02 06:41 . 2010-09-02 13:20 31029 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3108u3107iu.bin
2010-09-02 05:53 . 2010-09-02 13:20 768 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_332d331l7.bin
2010-09-02 05:53 . 2010-09-02 13:20 8986 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_232d231l7.bin
2010-09-01 18:41 . 2010-09-02 09:43 51872 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3107u3106uz.bin
2010-09-01 06:42 . 2010-09-01 13:19 15966 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3106u3105uk.bin
2010-09-01 05:00 . 2010-09-01 13:19 557 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_331d330fp.bin
2010-08-31 18:41 . 2010-09-01 09:43 25189 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3105u3104ui.bin
2010-08-31 18:04 . 2010-09-01 09:43 747 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_330d329ef.bin
2010-08-31 18:04 . 2010-09-01 09:43 13440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_231d230ef.bin
2010-08-31 06:42 . 2010-08-31 09:43 47803 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3104u3102uq.bin
2010-08-31 05:00 . 2010-08-31 09:43 615 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_329d328sm.bin
2010-08-31 05:00 . 2010-08-31 09:43 44428 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_230d229sm.bin
 
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 12:08 . 2009-04-16 22:36 -------- d-----w- c:\program files\Steam
2010-09-28 12:08 . 2010-05-08 17:46 -------- d-----w- c:\documents and settings\Dan\Application Data\Skype
2010-09-28 12:07 . 2010-05-08 17:47 -------- d-----w- c:\documents and settings\Dan\Application Data\skypePM
2010-09-05 16:02 . 2009-04-18 23:48 -------- d-----w- c:\documents and settings\Dan\Application Data\dvdcss
2010-09-04 14:55 . 2009-05-24 23:19 -------- d-----w- c:\program files\Business Objects
2010-08-13 15:41 . 2009-04-11 22:40 -------- d-----w- c:\documents and settings\Dan\Application Data\Azureus
2010-08-06 08:10 . 2010-08-06 08:10 503808 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-107c3b00-n\msvcp71.dll
2010-08-06 08:10 . 2010-08-06 08:10 499712 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-107c3b00-n\jmc.dll
2010-08-06 08:10 . 2010-08-06 08:10 348160 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-107c3b00-n\msvcr71.dll
2010-08-06 08:10 . 2010-08-06 08:10 61440 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2e0ce201-n\decora-sse.dll
2010-08-06 08:10 . 2010-08-06 08:10 12800 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2e0ce201-n\decora-d3d.dll
2010-07-16 19:26 . 2010-07-16 19:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-16 16:05 . 2010-07-16 16:05 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 15:35 . 2009-04-12 01:06 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 15:35 . 2010-07-16 15:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 15:35 . 2009-04-12 01:06 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-04 23:04 . 2010-07-04 23:04 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-07-04 23:04 . 2010-07-04 23:04 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-04 23:03 . 2010-07-04 23:03 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-09-20_23.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-28 12:08 . 2010-09-28 12:08 16384 c:\windows\Temp\Perflib_Perfdata_400.dat
- 2001-08-18 12:00 . 2010-09-20 23:41 91714 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2010-09-28 12:12 91714 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2001-08-18 12:00 . 2010-09-28 12:12 497668 c:\windows\system32\perfh009.dat
- 2001-08-18 12:00 . 2010-09-20 23:41 497668 c:\windows\system32\perfh009.dat
+ 2001-08-18 12:00 . 2008-04-13 18:44 153344 c:\windows\system32\dllcache\dmio.sys
+ 2010-09-28 11:47 . 2010-09-28 11:47 1094656 c:\windows\Installer\1487a62d.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2010-08-28 1242448]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-20 26192680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2007-04-14 1556480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2008-05-26 1423360]
"QFan Help"="c:\program files\ASUS\Ai Suite\QFan3\QFanHelp.exe" [2008-05-06 594432]
"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]
"FloatLED"="c:\program files\FloatLED\FloatLED.exe" [2009-02-15 58368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-16 864112]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 15:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Business Objects\\javasdk\\bin\\java.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=
"c:\\Documents and Settings\\Dan\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe"=
"c:\\Documents and Settings\\Dan\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVC.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\GameTap Web Player\\games\\150010250\\dawnofwardarkcrusade\\DarkCrusade.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\All Users\\Application Data\\GameTap Web Player\\games\\150010350\\callofduty2\\CoD2MP_s.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\GameTap Web Player\\games\\150009050\\cohgold\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60666:TCP"= 60666:TCP:Vuze

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/30/2009 3:15 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/11/2009 8:06 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/11/2009 8:06 PM 243024]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [9/12/2009 2:14 PM 87064]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 10:35 AM 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1352832]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe [3/5/2009 11:57 PM 227352]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [4/17/2009 7:07 PM 22784]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [3/4/2009 6:03 PM 21016]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [8/15/2008 2:47 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [8/15/2008 2:47 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:51]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\fdqq0jha.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\fdqq0jha.default\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\fdqq0jha.default\extensions\GameTapPlayer@gametap.com\plugins\npGameTapWebPlayer.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\fdqq0jha.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-29 06:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\mysql\bin\mysqld\" --defaults-file=\"c:\mysql\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ôw*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3516)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2010-09-29 06:35:18
ComboFix-quarantined-files.txt 2010-09-29 11:35
ComboFix2.txt 2010-09-28 12:21
ComboFix3.txt 2010-09-24 12:14
ComboFix4.txt 2010-09-22 00:30
ComboFix5.txt 2010-09-29 11:28

Pre-Run: 32,506,286,080 bytes free
Post-Run: 32,505,843,712 bytes free

- - End Of File - - 271F702D38539B49C84EB33F3F13F596

/////////////////////End ComboFix Log\\\\\\\\\\\\\\\\\\
 
You should uninstall Vuze and close that port. I am consulting Broni about those 2 Registry keys to see if he has any suggestion. Will be back as soon as I hear.
 
Broni to the rescue! I don't know how he found it as I've been trying to ID the entry for days!

The locked Registry entries are from the program Audition. Apparently, every time you startup, they are being recreated. Here's some info on it: http://forums.adobe.com/message/3138099?tstart=0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ôw*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
Let me know what you want to do. I think I would go for an uninstall of it. We don't know what the symbols are and can't keep the entries from starting, unless possibly you have Audition on Startup and you take it off. What do you think about trying that: either uninstall (best) or take off Startup.
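The 32-character value name quoted above, AB141C35E9F4BF344B9FC010BB17F68A, is in the "packed" form Windows Installer uses for product and component codes (the first three GUID groups are written backwards, the last two have the digits of each byte swapped). The script below is an added example, not code from this thread, from ComboFix or from Adobe: it turns the packed code back into a normal GUID so it can be looked up under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, where MSI-installed products register themselves, to confirm which product the locked keys belong to. The function names are my own.

```python
# Added example (not from the thread): decode the packed GUID that Windows
# Installer uses as value names under
# HKLM\...\Installer\UserData\<SID>\Components\<component key>.
import re

PACKED_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


def _swap_pairs(hexstr):
    """Swap the two hex digits of every byte: 'C010BB' -> '0C01BB'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def unpack_guid(packed):
    """Packed 32-hex-digit Installer code -> registry GUID {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.

    Groups 1-3 are stored reversed; groups 4 and 5 are stored byte-swapped.
    """
    if not PACKED_RE.match(packed):
        raise ValueError("expected 32 hex digits, got %r" % (packed,))
    p = packed.upper()
    parts = [
        p[0:8][::-1],
        p[8:12][::-1],
        p[12:16][::-1],
        _swap_pairs(p[16:20]),
        _swap_pairs(p[20:32]),
    ]
    return "{" + "-".join(parts) + "}"


def pack_guid(guid):
    """Inverse of unpack_guid: registry GUID -> packed form (the Installer's value name)."""
    groups = guid.strip("{}").upper().split("-")
    if [len(g) for g in groups] != [8, 4, 4, 4, 12]:
        raise ValueError("malformed GUID %r" % (guid,))
    return (groups[0][::-1] + groups[1][::-1] + groups[2][::-1]
            + _swap_pairs(groups[3]) + _swap_pairs(groups[4]))


def uninstall_key_for(packed):
    """Registry key where the MSI product with this packed product code is listed."""
    return UNINSTALL_KEY + "\\" + unpack_guid(packed)


if __name__ == "__main__":
    # Value name taken from the ComboFix log quoted in this thread.
    packed = "AB141C35E9F4BF344B9FC010BB17F68A"
    print(packed, "->", unpack_guid(packed))
    print("look under:", uninstall_key_for(packed))
```

If the decoded GUID has no entry under the Uninstall key (or under HKCR\Installer\Products in the same packed form), the component record is orphaned and the product it belonged to is no longer registered, which is worth knowing before deciding whether the recreated keys matter.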
 
I have uninstalled Vuze, but I'm having trouble closing the port. I have my router maintenance screen up and I see the rule allowing the open port but the entry is disabled (along with all the others). If I enter a new rule, I get an edit icon next to the new one where I can modify or delete it. But the ones I already have set up and have been there for a long time have no edit icons and I can't modify or delete them. I'm sure it's just the behavior of my particular router. I'll figure it out.

I'd like to keep Audition. But, when I look at the startup screen in msconfig, I do not see anything for Audition listed. Is there any reason to believe the registry entries are harmful? Why would Adobe put unreadable characters like that in the registry entries?

Thanks!
 
I can close the port for you with a script. As for Audition, check the thread in the Adobe Forum. I can't tell you why the symbols are created, just that I am unable to open the entry and verify what's in it.

You might want to look into how AVG is updating and why all the updates are being listed separately in the Combofix log. It does need to update regularly and when I used AVG, the update screen usually popped up in the AM. Don't understand why each entry is broken out.

I'm going to write a script to include the Vuze entries I see and the open port. I'll use a command that will remove all of the files for it.

Please run this Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\windows\Temp\Perflib_Perfdata_400.dat
c:\windows\system32\perfc009.dat
Folder::
c:\documents and settings\Dan\Application Data\Azureus
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60666:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=-
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
If the redirects and popups have been resolved, you can remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you have any more questions.
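As an added example (not part of this thread and not ComboFix's own code), here is a small Python script that does the same job the CFScript above does by hand: it parses the firewallpolicy section of a ComboFix log, picks out the Windows Firewall exceptions that refer to a program the user has removed, and writes out the matching CFScript Registry:: stanza using the same "name"=- delete syntax. The sample log text inside it is constructed from the lines quoted in this thread plus one made-up "Remote Desktop" port entry; function names are my own. It also lists authorized applications that live under a user profile, since anything the user runs can write there and such exceptions deserve a second look even when they are legitimate.

```python
# Added example (not from the thread or from ComboFix): audit the Windows XP
# firewall exceptions as ComboFix prints them and build the CFScript stanza
# that removes the ones belonging to an uninstalled program.
import re

FW_BASE = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample: the lines quoted in the thread plus a made-up RDP entry.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\Documents and Settings\\Dan\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60666:TCP"= 60666:TCP:Vuze
"3389:TCP"= 3389:TCP:Remote Desktop
"""


def parse_firewall_policy(text):
    """Return {'apps': [value names], 'ports': [(value name, port, proto, label)]}.

    Value names keep ComboFix's REGEDIT-style doubled backslashes so they can be
    written straight back into a CFScript.
    """
    apps, ports, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            if key.endswith(r"\authorizedapplications\list"):
                section = "apps"
            elif key.endswith(r"\globallyopenports\list"):
                section = "ports"
            else:
                section = None
            continue
        m = VALUE_RE.match(line)
        if not m or section is None:
            continue
        name, data = m.group(1), m.group(2).strip()
        if section == "apps":
            apps.append(name)
        else:
            port, proto = name.split(":", 1)
            # Data looks like "60666:TCP:Vuze"; the third field is the display name.
            label = data.split(":", 2)[2] if data.count(":") >= 2 else ""
            ports.append((name, int(port), proto.upper(), label))
    return {"apps": apps, "ports": ports}


def exceptions_for_removed_program(policy, names):
    """Exceptions whose path or display name mentions one of the removed programs."""
    needles = [n.lower() for n in names]
    apps = [a for a in policy["apps"] if any(n in a.lower() for n in needles)]
    ports = [p for p in policy["ports"] if any(n in p[3].lower() for n in needles)]
    return apps, ports


def user_profile_exceptions(policy):
    """Authorized apps stored under a user profile (user-writable location)."""
    return [a for a in policy["apps"] if "\\documents and settings\\" in a.lower()]


def cfscript_registry_stanza(apps, ports):
    """CFScript 'Registry::' text deleting the given values with the "name"=- syntax."""
    lines = ["Registry::"]
    if ports:
        lines.append("[%s\\GloballyOpenPorts\\List]" % FW_BASE)
        lines += ['"%s"=-' % p[0] for p in ports]
    if apps:
        lines.append("[%s\\AuthorizedApplications\\List]" % FW_BASE)
        lines += ['"%s"=-' % a for a in apps]
    return "\n".join(lines)


if __name__ == "__main__":
    policy = parse_firewall_policy(SAMPLE_LOG)
    apps, ports = exceptions_for_removed_program(policy, ["Vuze", "Azureus"])
    print(cfscript_registry_stanza(apps, ports))
    print("review (user-profile paths):", user_profile_exceptions(policy))
```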
 
ComboFix log pasted below:

/////////////Begin ComboFix Log\\\\\\\\\\\\\\\\\

ComboFix 10-10-06.02 - Dan 10/06/2010 18:24:47.6.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2604 [GMT -5:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\windows\system32\perfc009.dat"
"c:\windows\Temp\Perflib_Perfdata_400.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Dan\LOCALS~1\Temp\123C.tmp
c:\documents and settings\Dan\Application Data\Azureus
c:\documents and settings\Dan\Application Data\Azureus\.certs
c:\documents and settings\Dan\Application Data\Azureus\.keystore
c:\documents and settings\Dan\Application Data\Azureus\.lock
c:\documents and settings\Dan\Application Data\Azureus\active\95CFA2E12F3BA0DFD506EA6010F1F7F5912EA23C.dat
c:\documents and settings\Dan\Application Data\Azureus\active\95CFA2E12F3BA0DFD506EA6010F1F7F5912EA23C.dat.bak
c:\documents and settings\Dan\Application Data\Azureus\active\cache.dat
c:\documents and settings\Dan\Application Data\Azureus\azureus.config
c:\documents and settings\Dan\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Dan\Application Data\Azureus\azureus.statistics
c:\documents and settings\Dan\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Dan\Application Data\Azureus\banips.config
c:\documents and settings\Dan\Application Data\Azureus\cache\1191085919.ico
c:\documents and settings\Dan\Application Data\Azureus\cache\381727708.ico
c:\documents and settings\Dan\Application Data\Azureus\cnetworks.config
c:\documents and settings\Dan\Application Data\Azureus\devices.config
c:\documents and settings\Dan\Application Data\Azureus\devices.config.bak
c:\documents and settings\Dan\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Dan\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Dan\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Dan\Application Data\Azureus\dht\general.dat
c:\documents and settings\Dan\Application Data\Azureus\dht\version.dat
c:\documents and settings\Dan\Application Data\Azureus\downloads.config
c:\documents and settings\Dan\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Dan\Application Data\Azureus\filters.config
c:\documents and settings\Dan\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Dan\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Dan\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\Dan\Application Data\Azureus\logs\MetaSearch_Engine_4.txt
c:\documents and settings\Dan\Application Data\Azureus\logs\MetaSearch_Engine_5.txt
c:\documents and settings\Dan\Application Data\Azureus\metasearch.config
c:\documents and settings\Dan\Application Data\Azureus\net\pm_19262.dat
c:\documents and settings\Dan\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Dan\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Dan\Application Data\Azureus\rcm.config
c:\documents and settings\Dan\Application Data\Azureus\rcm.config.bak
c:\documents and settings\Dan\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Dan\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Dan\Application Data\Azureus\subs\047969C2F30A401262F9.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\07ABDD32A54D704B48FE.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\0893AA6A4299F20F3DDF.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\0AA95EBF8997D027250A.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\0F193C9F601B15C4EFFE.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\12E433396A25DDA51A9A.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\16570E18BD2B5479BE66.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\183619180C4C83DFBCC5.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\18B4DF9B9B35C033945B.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\21B6F154E1FA75E4DF0A.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\222B42ECFC877D1EB6D3.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\23C07FC046663EDB38E5.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\24B8E9AC78200A71D3DA.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\271E92AFDBD73D248E67.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\31CE97CA0B70252AFD45.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\3ADD758FE71BB2208A77.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\3CE1DE1CE7E9DE480F06.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\3D2AD3DEF31B315DF2EA.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\41B5BA8E964DADE2D58B.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\4D646C68520A421C7DAD.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\4E8485C5DD6EA6FADE1E.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\51A2E99917A2ED165FA9.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\53C2AEED1BD7202F9BCF.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\561060E15D5F31D5F891.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\581765478D3517627C73.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\5E1A6C0B214F13EF288E.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\632A20E73961F1C133F2.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\6332C699CA9E7FFEC63B.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\7076DB20A5F225DDB82C.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\73F5AE886EA6C398840E.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\7472680B49ACBCFA19D9.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\7954809C54F6F679965B.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\7AAF95CB03E63CB403E7.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\7B233EB69DA09902E3BA.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\83E942CD74E5F15FE40A.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\87E23B1872099785E348.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\8C05618C85E2C09710CA.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\977929D9D70EA24C9FF7.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\9C1435294F1E912E82FD.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\9F85A6EE63DB200A2562.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\A3CBD165FFD17EC012A1.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\A42285FB7DF03C5583C2.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\AA18A55630A89D766D85.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\BBA708018991E48BD0CC.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\BC330A5B5B760F1BAE11.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\BD293EA13C5D3A8EA4BC.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\BDD07BE77377FD3C4A01.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\C1181DBAB72DD16EB649.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\C2739154203A8B98F6A0.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\C327BC15818C0E56C45D.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\C9EBC80E3E1D103634DB.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\CABF684FEA5999FCEEAD.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\CE22771EC242C845C71A.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\CEA06BACAA04C3DAA925.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\D3745008F782C9CB4883.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\D44784B7433BB66BE6CB.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\E67D8443DF3B6D5C02B4.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\EA7C16520E10B526971B.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\EADAA70B76055F813349.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\EC1EA4CD184D3EC77C1F.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\F2F733158445FA5EE38D.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\F72AABF888E7E7C08620.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\FA6A5CC4E12EC182B552.vuze
c:\documents and settings\Dan\Application Data\Azureus\subs\FDA6C9DF3B7E1F2FABB6.vuze
c:\documents and settings\Dan\Application Data\Azureus\subscriptions.config
c:\documents and settings\Dan\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Dan\Application Data\Azureus\tables.config
c:\documents and settings\Dan\Application Data\Azureus\tables.config.bak
c:\documents and settings\Dan\Application Data\Azureus\tmp\AZU4022335345481912466.tmp
c:\documents and settings\Dan\Application Data\Azureus\tmp\AZU4770244907788225984.tmp
c:\documents and settings\Dan\Application Data\Azureus\tmp\AZU4899153437875551837.tmp
c:\documents and settings\Dan\Application Data\Azureus\tmp\AZU5892445516153307543.tmp
c:\documents and settings\Dan\Application Data\Azureus\tmp\AZU8910948286531595799.tmp
c:\documents and settings\Dan\Application Data\Azureus\torrents\[isoHunt] Ebooks.For.Dummies.Collection.torrent
c:\documents and settings\Dan\Application Data\Azureus\torrents\AZU2391328603626990504.tmp
c:\documents and settings\Dan\Application Data\Azureus\torrents\AZU3077080042124148617.tmp
c:\documents and settings\Dan\Application Data\Azureus\torrents\AZU4299209845943150974.tmp
c:\documents and settings\Dan\Application Data\Azureus\torrents\AZU4879885594021180797.tmp
c:\documents and settings\Dan\Application Data\Azureus\torrents\AZU4984927260040372657.tmp
c:\documents and settings\Dan\Application Data\Azureus\torrents\AZU5014403394540906826.tmp
c:\documents and settings\Dan\Application Data\Azureus\torrents\Drag.Me.To.Hell.2009.DvDRip-FxM.5099338.TPB.torrent
c:\documents and settings\Dan\Application Data\Azureus\torrents\Land_Of_The_Lost[2009]DvDrip-LW-[Bit-Byte].5000543.TPB.torrent
c:\documents and settings\Dan\Application Data\Azureus\torrents\Norton_Ghost_V14.0___SP2_-_EDGE_Keygen___Serial.4489698.TPB.torrent
c:\documents and settings\Dan\Application Data\Azureus\torrents\Paranormal_Activity_DVDSCR_XVID-IMAGiNE.5131788.TPB.torrent
c:\documents and settings\Dan\Application Data\Azureus\update.properties
c:\documents and settings\Dan\Application Data\Azureus\VuzeActivities.config
C:\Documents and Settings\Dan\Local Settings\temp\123C.tmp

.
((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-04 14:30:46 . 2010-10-04 14:30:46 4394336 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-10-04 14:30:46 . 2010-10-04 14:30:46 4100960 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-10-04 14:30:46 . 2010-10-04 14:30:46 2065760 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-09-28 11:47:31 . 2010-09-28 11:47:31 388096 ----a-r- C:\Documents and Settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-28 11:47:31 . 2010-09-28 11:47:31 -------- d-----w- C:\Program Files\Trend Micro
2010-09-24 12:20:06 . 2010-09-24 12:20:06 -------- d-----w- C:\Program Files\ESET
2010-09-23 14:29:45 . 2010-09-23 14:29:45 620896 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 14:29:45 . 2010-09-23 14:29:45 3586912 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 14:29:44 . 2010-09-23 14:29:44 1619296 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 14:29:44 . 2010-09-23 14:29:44 1377632 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 14:29:43 . 2010-09-23 14:29:43 942432 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 14:29:43 . 2010-09-23 14:29:43 598368 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 14:29:42 . 2010-09-23 14:29:42 300896 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 14:29:14 . 2010-09-23 14:29:14 1690952 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-18 22:01:15 . 2010-09-18 22:01:23 -------- d-----w- C:\Program Files\Paint.NET
2010-09-18 22:01:09 . 2010-09-18 22:06:42 -------- d-----w- C:\Documents and Settings\Dan\Local Settings\Application Data\Paint.NET

.
 
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 00:19:36 . 2010-05-08 17:46:01 -------- d-----w- C:\Documents and Settings\Dan\Application Data\Skype
2010-10-07 00:19:22 . 2010-05-08 17:47:13 -------- d-----w- C:\Documents and Settings\Dan\Application Data\skypePM
2010-10-07 00:19:02 . 2009-04-16 22:36:04 -------- d-----w- C:\Program Files\Steam
2010-10-03 23:33:35 . 2009-06-03 06:47:05 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-10-01 12:51:42 . 2009-04-11 22:40:02 -------- d-----w- C:\Program Files\Vuze
2010-09-05 16:02:15 . 2009-04-18 23:48:50 -------- d-----w- C:\Documents and Settings\Dan\Application Data\dvdcss
2010-09-04 16:39:44 . 2010-09-04 14:56:19 -------- d-----w- C:\Documents and Settings\Dan\Application Data\Xcelsius
2010-09-04 14:56:20 . 2010-09-04 14:56:20 -------- d-----w- C:\Documents and Settings\Dan\Application Data\XcelsiuscustomThemesAutoInfo
2010-09-04 14:56:20 . 2010-09-04 14:56:20 -------- d-----w- C:\Documents and Settings\Dan\Application Data\XcelsiuscustomThemes
2010-09-04 14:55:21 . 2009-05-24 23:19:51 -------- d-----w- C:\Program Files\Business Objects
2010-08-06 08:10:34 . 2010-08-06 08:10:34 503808 ----a-w- C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-107c3b00-n\msvcp71.dll
2010-08-06 08:10:34 . 2010-08-06 08:10:34 499712 ----a-w- C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-107c3b00-n\jmc.dll
2010-08-06 08:10:34 . 2010-08-06 08:10:34 348160 ----a-w- C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-107c3b00-n\msvcr71.dll
2010-08-06 08:10:33 . 2010-08-06 08:10:33 61440 ----a-w- C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2e0ce201-n\decora-sse.dll
2010-08-06 08:10:33 . 2010-08-06 08:10:33 12800 ----a-w- C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2e0ce201-n\decora-d3d.dll
2010-07-16 19:26:02 . 2010-07-16 19:26:02 664 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2010-07-16 16:05:20 . 2010-07-16 16:05:16 2568656 ----a-w- C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 15:35:59 . 2009-04-12 01:06:55 243024 ----a-w- C:\WINDOWS\system32\drivers\avgtdix.sys
2010-07-16 15:35:58 . 2010-07-16 15:35:58 12536 ----a-w- C:\WINDOWS\system32\avgrsstx.dll
2010-07-16 15:35:53 . 2009-04-12 01:06:51 216400 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-20_23.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-07 00:19:18 . 2010-10-07 00:19:18 16384 C:\WINDOWS\temp\Perflib_Perfdata_bf4.dat
+ 2010-10-06 23:30:53 . 2010-10-06 23:30:53 16384 C:\WINDOWS\temp\Perflib_Perfdata_5e4.dat
+ 2001-08-18 12:00:00 . 2010-10-07 00:20:01 91714 C:\WINDOWS\system32\perfc009.dat
- 2001-08-18 12:00:00 . 2010-09-20 23:41:55 91714 C:\WINDOWS\system32\perfc009.dat
+ 2001-08-18 12:00:00 . 2008-04-13 18:40:30 96512 C:\WINDOWS\system32\dllcache\atapi.sys
+ 2001-08-18 12:00:00 . 2010-10-07 00:20:01 497668 C:\WINDOWS\system32\perfh009.dat
- 2001-08-18 12:00:00 . 2010-09-20 23:41:56 497668 C:\WINDOWS\system32\perfh009.dat
+ 2001-08-18 12:00:00 . 2008-04-13 18:44:46 153344 C:\WINDOWS\system32\dllcache\dmio.sys
+ 2010-09-28 11:47:31 . 2010-09-28 11:47:31 1094656 C:\WINDOWS\Installer\1487a62d.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="C:\Program Files\Steam\Steam.exe" [2010-08-28 21:30:35 1242448]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2010-04-20 18:14:54 26192680]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2007-04-14 20:50:30 1556480]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 11:03:26 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 11:03:04 81920]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 16:49:04 49152]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 08:08:50 17676288]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 19:56:31 1406024]
"DeathAdder"="C:\Program Files\Razer\DeathAdder\razerhid.exe" [2007-09-07 20:54:54 159744]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2008-05-26 23:34:48 1423360]
"QFan Help"="C:\Program Files\ASUS\Ai Suite\QFan3\QFanHelp.exe" [2008-05-06 07:01:24 594432]
"Cpu Level Up help"="C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-12-01 01:03:28 881152]
"FloatLED"="C:\Program Files\FloatLED\FloatLED.exe" [2009-02-15 02:56:00 58368]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 22:10:28 35696]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-16 14:51:30 864112]
"AVG9_TRAY"="C:\PROGRA~1\AVG\AVG9\avgtray.exe" [2010-10-04 14:30:41 2067808]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 17:43:18 248040]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2009-09-28 00:19:46 13918208]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2009-09-28 00:19:46 86016]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 06:47:42 31016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 15:35:58 12536 ----a-w- C:\WINDOWS\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"C:\\Program Files\\Business Objects\\javasdk\\bin\\java.exe"=
"C:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=
"C:\\Documents and Settings\\Dan\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe"=
"C:\\Documents and Settings\\Dan\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVC.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\GameTap Web Player\\games\\150010250\\dawnofwardarkcrusade\\DarkCrusade.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\All Users\\Application Data\\GameTap Web Player\\games\\150010350\\callofduty2\\CoD2MP_s.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\GameTap Web Player\\games\\150009050\\cohgold\\RelicDownloader\\RelicDownloader.exe"=
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60666:TCP"= 60666:TCP:Vuze

R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [5/30/2009 3:15:36 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\drivers\avgldx86.sys [4/11/2009 8:06:51 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\drivers\avgtdix.sys [4/11/2009 8:06:55 PM 243024]
R1 SWIPsec;SonicWALL IPsec Driver;C:\WINDOWS\system32\drivers\SWIPsec.sys [9/12/2009 2:14:30 PM 87064]
R2 avg9wd;AVG Free WatchDog;C:\Program Files\AVG\AVG9\avgwdsvc.exe [7/16/2010 10:35:57 AM 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52:57 AM 1352832]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe [3/5/2009 11:57:56 PM 227352]
R3 DAdderFltr;DeathAdder Mouse;C:\WINDOWS\system32\drivers\dadder.sys [4/17/2009 7:07:56 PM 22784]
S3 SWVNIC;SonicWALL Virtual Miniport;C:\WINDOWS\system32\drivers\SWVNIC.sys [3/4/2009 6:03:32 PM 21016]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [8/15/2008 2:47:34 PM 47128]
S4 RsFx0102;RsFx0102 Driver;C:\WINDOWS\system32\drivers\RsFx0102.sys [7/10/2008 2:49:14 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [8/15/2008 2:47:34 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-10-06 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:52:58 . 2010-06-16 14:51:30]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\fdqq0jha.default\
FF - component: C:\Program Files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\fdqq0jha.default\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - plugin: C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\fdqq0jha.default\extensions\GameTapPlayer@gametap.com\plugins\npGameTapWebPlayer.dll
FF - plugin: C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\fdqq0jha.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
//////////////////////End ComboFix log\\\\\\\\\\\\\\\\\\\
 
If you don't see any other problems, I will proceed with ComboFix removal and the creation of a new restore point. Thanks again.

-Dan
 
I set up a script to close the port. It still shows in the latest Combofix log. And the Vuze program is still installed. If you removed it, use Windows Explorer> My Computer> Double click on Local Drive> Programs> find the Vuze and/or Azureus program folder> right click> Delete.

Let me know if you have any more questions.
 
The Vuze folder was still listed. I deleted it.

Well I guess that's it. It's nice to know the system is healthy. THANK YOU for your help. I very much appreciate it. If I were going to make a donation, where would I do that?
 
You're welcome for my help. Thank you for the offer, but I don't accept donations. I enjoy doing this. TechSpot, the site, doesn't either although some members do- but I appreciate the offer.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
=
Empty the Recycle Bin
=======================================
Now that we got the system clean, here are some tips to keep it that way. Note: some of these programs may not work on Windows 7 or 64-bit systems.
Tips for added security and safer browsing:
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software (only one): Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
        For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
        IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
        Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
      [o]MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.
  3. Stay current on updates:
    [o]Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
    [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> uncheck 'accept third party Cookies'> set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
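Added example (not part of the post above, the MVPS file or any of the tools named): the HOSTS-file mechanism from tip 2 works both ways, so it helps to be able to tell an MVPS-style entry that blocks an ad site from an entry a redirect infection plants. This Python audit parses HOSTS lines and flags public names pointed at a foreign address, or needed sites sent to 127.0.0.1; the sample file content and the PROTECTED list are constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS file (not a real MVPS file). The two ad entries are
# MVPS-style blocks; the last two are what a redirect infection plants: a real
# site sent to some other machine, and an update site blackholed.
SAMPLE_HOSTS = """\
# comments and blank lines are ignored by Windows
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
127.0.0.1       banners.example.org
203.0.113.7     www.google.com
127.0.0.1       update.microsoft.com
"""

# Names you must always be able to reach; any HOSTS entry for one of these is
# suspicious. Constructed short list; extend it with your AV vendor's domains.
PROTECTED = {"www.google.com", "update.microsoft.com", "windowsupdate.microsoft.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line, skip it
        for host in fields[1:]:
            yield ip, host.lower()

def classify(ip, host):
    """Return 'local', 'blocked', 'blackholed' or 'redirected' for one entry."""
    sinkhole = ip.is_loopback or ip.is_unspecified  # 127.0.0.1, ::1, 0.0.0.0
    if host == "localhost" and sinkhole:
        return "local"
    if sinkhole:
        # MVPS points ad sites at 127.0.0.1; the same trick on a site you need
        # (e.g. Windows Update) is a blackhole, not a block.
        return "blackholed" if host in PROTECTED else "blocked"
    return "redirected"  # a public name pointed at some other machine

def audit_hosts(text):
    """Return [(hostname, ip, verdict)] for every entry in the file."""
    return [(h, str(ip), classify(ip, h)) for ip, h in parse_hosts(text)]

def suspicious_entries(text):
    return [e for e in audit_hosts(text) if e[2] in ("blackholed", "redirected")]
```

On a real machine you would read C:\Windows\System32\drivers\etc\hosts into audit_hosts and review the "redirected" and "blackholed" lines before deciding to keep or replace the file.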
 