Computer Hope

Software => Computer viruses and spyware => Topic started by: njnets214 on May 26, 2010, 03:44:25 PM

Title: Windows Security Alert Help
Post by: njnets214 on May 26, 2010, 03:44:25 PM

Hello guys,
I have a weird problem. I had this problem where I couldn't open any .exe because it always said it was infected or something. Windows Security Center alert kept popping up and tried to make me download this anti-virus software. I am pretty sure it was a malware. So anyway, I got some advice and got as far as Rkill and exehelp. It seems to have gone away, but Im not 100% sure. Anyway to find out? all help is appreciated!

Title: Re: Windows Security Alert Help
Post by: SuperDave on May 27, 2010, 10:00:53 AM

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
=============================

(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
================================

Please download: HiJackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe) to your Desktop.

Double Click the HijackThis icon, located on your Desktop.
By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
Accept the license agreement.
Click the Open the Misc Tools section button.
Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
Please post the log in your next reply.

Title: Re: Windows Security Alert Help
Post by: njnets214 on May 27, 2010, 06:39:04 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/27/2010 at 07:04 PM

Application Version : 4.38.1004

Core Rules Database Version : 4992
Trace Rules Database Version: 2804

Scan type : Complete Scan
Total Scan Time : 04:05:01

Memory items scanned : 437
Memory threats detected : 0
Registry items scanned : 8174
Registry threats detected : 0
File items scanned : 172137
File threats detected : 37

Adware.Tracking Cookie
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\paul@247realmedia[1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\paul@doubleclick[1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\paul@atdmt[2].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\paul@invitemedia[1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@ad-indicator[1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@interclick[1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@invitemedia[1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@kanoodle[2].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@pointroll[1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\Low\paul@viuclick[1].txt
   D:\Documents and Settings\Paul Cho\Cookies\paul cho@accounts[2].txt
   D:\Documents and Settings\Paul Cho\Cookies\paul cho@atdmt[1].txt
   D:\Documents and Settings\Paul Cho\Cookies\paul [email protected][1].txt

Adware.Flash Tracking Cookie
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\ESPN360.CHANNELFINDER.NET
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\BC.YOUPORN.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\WWW.PORNRABBIT.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\WWWSTATIC.MEGAPORN.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\CONVOAD.TECHNORATIMEDIA.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\IA.MEDIA-IMDB.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\MEDIA01.KYTE.TV
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\MEDIA1.BREAK.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\MEDIAFORGEWS.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\OBJECTS.TREMORMEDIA.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\WWW.SEXFORUMS.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\UDN.SPECIFICCLICK.NET
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\CRACKLE.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\WWW.CRACKLE.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\NAIADSYSTEMS.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\WWW.NAIADSYSTEMS.COM
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\S0.2MDN.NET
   C:\Users\Paul\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3G6M5BG9\SECURE-US.IMRWORLDWIDE.COM

Trojan.Agent/Gen-System
   D:\WINDOWS\SYSTEM32\HNCUPDATE.EXE

Title: Re: Windows Security Alert Help
Post by: njnets214 on May 27, 2010, 06:39:27 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4146

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/27/2010 8:18:40 PM
mbam-log-2010-05-27 (20-18-40).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 297452
Time elapsed: 1 hour(s), 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Title: Re: Windows Security Alert Help
Post by: njnets214 on May 27, 2010, 06:39:51 PM

Title: Re: Windows Security Alert Help
Post by: SuperDave on May 28, 2010, 08:35:27 AM

The HJT log looks incomplete. Are you sure that you copied all of it?

Title: Re: Windows Security Alert Help
Post by: njnets214 on May 28, 2010, 01:31:04 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:00 PM, on 5/27/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (filesize 75200 bytes, MD5 DC1E56092CC57FB4605B088D3DCCBF7A)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.2.0.12\coIEPlg.dll (filesize 394608 bytes, MD5 9C75D4A47BABA32707110C6242E9761C)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.2.0.12\IPSBHO.DLL (filesize 79224 bytes, MD5 E60F55692DE0DF4F393A2A18C7FB9662)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (filesize 2217848 bytes, MD5 A6B5A41C0ED007AB6C43CAD899E533D8)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41760 bytes, MD5 C9EDE29F223A27873E187D9FB6045EA6)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.2.0.12\coIEPlg.dll (filesize 394608 bytes, MD5 9C75D4A47BABA32707110C6242E9761C)
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE /UNINSTALL (filesize 26400 bytes, MD5 B605EE4DDCCD8015102646F71FC30E47)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (filesize 31072 bytes, MD5 644795F6985C740F5E36E9336B837D0B)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (filesize 149280 bytes, MD5 3A0647BDED81DBE0BCBB51D70B22C9E0)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (filesize 417792 bytes, MD5 55D7A219AD8D0DB8980528944152A6FD)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (filesize 141600 bytes, MD5 68A553BDFA855C4F1074696682FCDEB6)
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" (filesize 647216 bytes, MD5 73BFDC88C6EF9715CDF57134A438837A)
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash (filesize 472112 bytes, MD5 45D2E47073134976D2F1DD4BF8582B14)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (filesize 35760 bytes, MD5 466CE40EAA865752F4930A472563E4E1)
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" (filesize 948672 bytes, MD5 73BB442A717B9BB0097C243374C14A3E)
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin (filesize 611712 bytes, MD5 E43A851F7B12DE589424D6C656155CFC)
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXEC:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (filesize 1090952 bytes, MD5 D594EA4AC1C0E4675EF2F0063950ABEF)
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (filesize 1173504 bytes, MD5 EA6EADF6314E43783BA8EEE79F93F73C)
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DS3 Tool] C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe -mini (filesize 73728 bytes, MD5 398E9A4A3F819F0BC24DA0845071CC1B)
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (filesize 503808 bytes, MD5 2B7F2DC5741BB18F7F5EC7558DA68197)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll (filesize 603040 bytes, MD5 79F7DB36E67B9E8365FA824AD96DF400)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll (filesize 603040 bytes, MD5 79F7DB36E67B9E8365FA824AD96DF400)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL (filesize 39464 bytes, MD5 AEF204E782BFA2C8448CB43A58960744)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (filesize 178040 bytes, MD5 68747446F9D982938DB6B110F2908271)
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exeC:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exeC:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exeC:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

--
End of file - 7916 bytes

Title: Re: Windows Security Alert Help
Post by: SuperDave on May 28, 2010, 06:35:34 PM

P2P - I see you have P2P software installed on your machine. (LimeWire) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

===============================

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (filesize 1090952 bytes, MD5 D594EA4AC1C0E4675EF2F0063950ABEF)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

=================================

Download ComboFix by sUBs from one of the below links.

Important! You MUST save ComboFix to your desktop

link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)

Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double click on ComboFix.exe & follow the prompts.

Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.

Post the contents of that log in your next reply.

Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

Title: Re: Windows Security Alert Help
Post by: njnets214 on May 29, 2010, 03:54:41 PM

ComboFix 10-05-29.03 - Paul 05/29/2010 17:45:55.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3327.2480 [GMT -4:00]
Running from: c:\users\Paul\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\7Loader.TAG

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))
.

2010-05-29 21:51 . 2010-05-29 21:51   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-05-26 23:07 . 2010-05-26 23:07   --------   d-----r-   c:\program files\Norton Support
2010-05-26 21:34 . 2010-05-26 21:34   --------   d-----w-   c:\program files\Trend Micro
2010-05-26 21:31 . 2010-05-26 21:31   --------   d-----w-   c:\users\Paul\AppData\Roaming\Malwarebytes
2010-05-26 21:31 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 21:31 . 2010-05-26 21:48   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-26 21:31 . 2010-05-26 21:31   --------   d-----w-   c:\programdata\Malwarebytes
2010-05-26 21:31 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-05-26 21:28 . 2010-05-26 21:28   63488   ----a-w-   c:\users\Paul\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-26 21:28 . 2010-05-26 21:28   52224   ----a-w-   c:\users\Paul\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-26 21:28 . 2010-05-26 21:28   117760   ----a-w-   c:\users\Paul\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-26 21:28 . 2010-05-26 21:28   --------   d-----w-   c:\users\Paul\AppData\Roaming\SUPERAntiSpyware.com
2010-05-26 21:28 . 2010-05-26 21:28   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2010-05-26 21:28 . 2010-05-26 21:48   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-05-26 21:23 . 2010-04-23 07:13   2048   ----a-w-   c:\windows\system32\tzres.dll
2010-05-26 21:14 . 2010-05-26 21:14   --------   d-----w-   c:\users\Paul\AppData\Local\Symantec
2010-05-26 20:11 . 2010-05-26 21:13   --------   d-----w-   c:\users\Paul\AppData\Local\iqjuybady
2010-05-11 19:28 . 2010-03-04 07:33   740864   ----a-w-   c:\windows\system32\inetcomm.dll
2010-05-11 19:20 . 2009-12-04 14:53   281600   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\hpcpp094.dll
2010-05-06 03:20 . 2010-05-06 03:20   --------   d-----w-   c:\windows\system32\Wat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 21:34 . 2010-03-15 22:38   --------   d-----w-   c:\program files\Common Files\Akamai
2010-05-27 23:09 . 2010-01-15 02:47   --------   d-----w-   c:\users\Paul\AppData\Roaming\LimeWire
2010-05-26 23:14 . 2010-01-05 03:56   --------   d-----w-   c:\programdata\Norton
2010-05-26 23:11 . 2010-01-05 03:57   805   ----a-w-   c:\windows\system32\drivers\SYMEVENT.INF
2010-05-26 23:11 . 2010-01-05 03:57   7443   ----a-w-   c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-26 23:11 . 2010-01-05 03:57   124976   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-26 23:11 . 2010-01-05 03:57   --------   d-----w-   c:\program files\Symantec
2010-05-26 21:48 . 2010-01-18 04:03   --------   d-----w-   c:\program files\PeerGuardian2
2010-05-26 21:48 . 2010-01-15 02:46   --------   d-----w-   c:\program files\LimeWire
2010-05-26 21:48 . 2010-01-15 00:02   --------   d-----w-   c:\program files\iTunes
2010-05-26 21:48 . 2010-01-13 23:23   --------   d-----w-   c:\program files\BitTorrent
2010-05-26 21:48 . 2010-01-10 15:28   --------   d-----w-   c:\program files\Apple Software Update
2010-05-26 21:48 . 2010-02-04 00:52   --------   d-----w-   c:\program files\WinSCP
2010-05-26 21:13 . 2010-01-10 15:28   --------   d-----w-   c:\program files\Bonjour
2010-05-12 03:14 . 2009-07-14 02:37   --------   d-----w-   c:\program files\Windows Mail
2010-05-12 03:14 . 2010-01-05 15:41   --------   d-----w-   c:\programdata\Microsoft Help
2010-04-28 19:40 . 2010-04-26 22:33   --------   d-----w-   c:\program files\Citrix
2010-04-28 02:04 . 2010-01-13 23:23   --------   d-----w-   c:\users\Paul\AppData\Roaming\BitTorrent
2010-04-26 22:38 . 2010-04-26 22:33   --------   d-----w-   c:\users\Paul\AppData\Roaming\ICAClient
2010-04-26 22:32 . 2010-04-26 22:32   --------   d-----w-   c:\users\Paul\AppData\Roaming\Download Manager
2010-04-26 20:11 . 2010-04-26 19:35   75   ----a-w-   c:\users\Paul\jagex_runescape_preferences2.dat
2010-04-26 20:06 . 2010-04-26 19:34   41   ----a-w-   c:\users\Paul\jagex_runescape_preferences.dat
2010-04-26 19:35 . 2010-04-26 19:35   0   ----a-w-   c:\users\Paul\jagex__preferences3.dat
2010-04-08 02:11 . 2010-04-08 02:11   --------   d-----w-   c:\users\Paul\AppData\Roaming\Juce VST Host
2010-04-08 02:11 . 2010-04-08 02:11   --------   d-----w-   c:\users\Paul\AppData\Roaming\Hardcore
2010-04-07 22:52 . 2010-04-07 22:49   --------   d-----w-   c:\program files\Image-Line
2010-04-07 22:52 . 2010-04-07 22:51   --------   d-----w-   c:\program files\VstPlugins
2010-04-07 22:51 . 2010-04-07 22:51   --------   d-----w-   c:\program files\Outsim
2010-04-06 22:27 . 2010-04-06 22:27   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-04-06 22:27 . 2010-04-06 22:27   --------   d-----w-   c:\program files\LucasArts
2010-04-06 22:25 . 2010-04-06 22:25   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-04-06 20:54 . 2010-04-06 20:54   --------   d-----w-   c:\program files\7-Zip
2010-04-06 20:37 . 2010-04-06 20:37   --------   d-----w-   c:\program files\SystemRequirementsLab
2010-04-06 20:37 . 2010-04-06 20:37   85504   ----a-w-   c:\users\Paul\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-04-06 20:37 . 2010-04-06 20:37   --------   d-----w-   c:\users\Paul\AppData\Roaming\SystemRequirementsLab
2010-04-05 16:45 . 2010-04-05 16:45   --------   d-----w-   c:\program files\PowerISO
2010-04-01 11:53 . 2010-04-01 11:53   348160   ----a-w-   c:\windows\system32\msvcr71.dll
2010-04-01 11:53 . 2010-04-01 11:53   499712   ----a-w-   c:\windows\system32\msvcp71.dll
2010-03-15 23:26 . 2010-01-05 03:43   116624   ----a-w-   c:\users\Paul\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-08 21:33 . 2010-04-14 19:21   427520   ----a-w-   c:\windows\system32\vbscript.dll
2010-03-04 01:09 . 2010-03-04 01:09   45056   ----a-r-   c:\users\Paul\AppData\Roaming\Microsoft\Installer\{C19AB6C4-BBD0-49EF-927D-9C7CB80BC0B0}\MapleStory.exe1_C19AB6C4BBD049EF927D9C7CB80BC0B0.exe
2010-03-04 01:09 . 2010-03-04 01:09   45056   ----a-r-   c:\users\Paul\AppData\Roaming\Microsoft\Installer\{C19AB6C4-BBD0-49EF-927D-9C7CB80BC0B0}\MapleStory.exe_C19AB6C4BBD049EF927D9C7CB80BC0B0.exe
2010-03-04 01:09 . 2010-03-04 01:09   10134   ----a-r-   c:\users\Paul\AppData\Roaming\Microsoft\Installer\{C19AB6C4-BBD0-49EF-927D-9C7CB80BC0B0}\ARPPRODUCTICON.exe
2010-03-01 20:25 . 2010-01-24 16:36   3605256   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2009-06-10 21:26 . 2009-07-14 02:04   9633792   --sha-r-   c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42   396800   --sha-w-   c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"DS3 Tool"="c:\program files\MotioninJoy\ds3\DS3_Tool.exe" [2009-12-10 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Korean IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 26400]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-09 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceRunOnStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2009-12-10 46592]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-06 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100520.001\IDSvix86.sys [2009-10-28 343088]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS [2010-05-06 339504]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28u.sys [2009-05-25 734208]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Microsoft Excel? ????(&X) - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\l1rm0gg5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2436531&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - iPhone OS 3 Customized Web Search
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2436531&q=
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\l1rm0gg5.default\extensions\{74714d77-1695-4e73-a98e-25cb374f46b4}\components\FFExternalAlert.dll
FF - component: c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\l1rm0gg5.default\extensions\{74714d77-1695-4e73-a98e-25cb374f46b4}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,03,e7,a6,64,97,d4,45,82,41,81,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,03,e7,a6,64,97,d4,45,82,41,81,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-05-29 17:54:10
ComboFix-quarantined-files.txt 2010-05-29 21:54

Pre-Run: 485,937,745,920 bytes free
Post-Run: 485,865,857,024 bytes free

- - End Of File - - B0E9A3BAF9356A70B47E38F2E2EAC172

Title: Re: Windows Security Alert Help
Post by: SuperDave on May 29, 2010, 05:06:12 PM

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Quote
KillAll::

DirLook::
c:\windows\system32\Wat
Save this as CFScript.txt, in the same location as ComboFix.exe

(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

==================================

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Title: Re: Windows Security Alert Help
Post by: njnets214 on May 30, 2010, 08:21:57 PM

ComboFix 10-05-30.04 - Paul 05/30/2010 22:08:31.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3327.2452 [GMT -4:00]
Running from: c:\users\Paul\Desktop\ComboFix.exe
Command switches used :: c:\users\Paul\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-31 )))))))))))))))))))))))))))))))
.

2010-05-31 02:14 . 2010-05-31 02:14   --------   d-----w-   c:\users\Public\AppData\Local\temp
2010-05-31 02:14 . 2010-05-31 02:14   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-05-31 02:14 . 2010-05-31 02:14   --------   d-----w-   c:\users\Administrator\AppData\Local\temp
2010-05-31 02:06 . 2010-05-31 02:06   --------   d-----w-   C:\32788R22FWJFW
2010-05-26 23:07 . 2010-05-26 23:07   --------   d-----r-   c:\program files\Norton Support
2010-05-26 21:34 . 2010-05-26 21:34   --------   d-----w-   c:\program files\Trend Micro
2010-05-26 21:31 . 2010-05-26 21:31   --------   d-----w-   c:\users\Paul\AppData\Roaming\Malwarebytes
2010-05-26 21:31 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 21:31 . 2010-05-26 21:48   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-26 21:31 . 2010-05-26 21:31   --------   d-----w-   c:\programdata\Malwarebytes
2010-05-26 21:31 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-05-26 21:28 . 2010-05-26 21:28   63488   ----a-w-   c:\users\Paul\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-26 21:28 . 2010-05-26 21:28   52224   ----a-w-   c:\users\Paul\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-26 21:28 . 2010-05-26 21:28   117760   ----a-w-   c:\users\Paul\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-26 21:28 . 2010-05-26 21:28   --------   d-----w-   c:\users\Paul\AppData\Roaming\SUPERAntiSpyware.com
2010-05-26 21:28 . 2010-05-26 21:28   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2010-05-26 21:28 . 2010-05-26 21:48   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-05-26 21:23 . 2010-04-23 07:13   2048   ----a-w-   c:\windows\system32\tzres.dll
2010-05-26 21:14 . 2010-05-26 21:14   --------   d-----w-   c:\users\Paul\AppData\Local\Symantec
2010-05-26 20:11 . 2010-05-26 21:13   --------   d-----w-   c:\users\Paul\AppData\Local\iqjuybady
2010-05-11 19:28 . 2010-03-04 07:33   740864   ----a-w-   c:\windows\system32\inetcomm.dll
2010-05-11 19:20 . 2009-12-04 14:53   281600   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\hpcpp094.dll
2010-05-06 03:20 . 2010-05-06 03:20   --------   d-----w-   c:\windows\system32\Wat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-31 02:16 . 2010-01-15 02:47   --------   d-----w-   c:\users\Paul\AppData\Roaming\LimeWire
2010-05-31 02:16 . 2010-03-15 22:38   --------   d-----w-   c:\program files\Common Files\Akamai
2010-05-26 23:14 . 2010-01-05 03:56   --------   d-----w-   c:\programdata\Norton
2010-05-26 23:11 . 2010-01-05 03:57   805   ----a-w-   c:\windows\system32\drivers\SYMEVENT.INF
2010-05-26 23:11 . 2010-01-05 03:57   7443   ----a-w-   c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-26 23:11 . 2010-01-05 03:57   124976   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-26 23:11 . 2010-01-05 03:57   --------   d-----w-   c:\program files\Symantec
2010-05-26 21:48 . 2010-01-18 04:03   --------   d-----w-   c:\program files\PeerGuardian2
2010-05-26 21:48 . 2010-01-15 02:46   --------   d-----w-   c:\program files\LimeWire
2010-05-26 21:48 . 2010-01-15 00:02   --------   d-----w-   c:\program files\iTunes
2010-05-26 21:48 . 2010-01-13 23:23   --------   d-----w-   c:\program files\BitTorrent
2010-05-26 21:48 . 2010-01-10 15:28   --------   d-----w-   c:\program files\Apple Software Update
2010-05-26 21:48 . 2010-02-04 00:52   --------   d-----w-   c:\program files\WinSCP
2010-05-26 21:13 . 2010-01-10 15:28   --------   d-----w-   c:\program files\Bonjour
2010-05-12 03:14 . 2009-07-14 02:37   --------   d-----w-   c:\program files\Windows Mail
2010-05-12 03:14 . 2010-01-05 15:41   --------   d-----w-   c:\programdata\Microsoft Help
2010-04-28 19:40 . 2010-04-26 22:33   --------   d-----w-   c:\program files\Citrix
2010-04-28 02:04 . 2010-01-13 23:23   --------   d-----w-   c:\users\Paul\AppData\Roaming\BitTorrent
2010-04-26 22:38 . 2010-04-26 22:33   --------   d-----w-   c:\users\Paul\AppData\Roaming\ICAClient
2010-04-26 22:32 . 2010-04-26 22:32   --------   d-----w-   c:\users\Paul\AppData\Roaming\Download Manager
2010-04-26 20:11 . 2010-04-26 19:35   75   ----a-w-   c:\users\Paul\jagex_runescape_preferences2.dat
2010-04-26 20:06 . 2010-04-26 19:34   41   ----a-w-   c:\users\Paul\jagex_runescape_preferences.dat
2010-04-26 19:35 . 2010-04-26 19:35   0   ----a-w-   c:\users\Paul\jagex__preferences3.dat
2010-04-08 02:11 . 2010-04-08 02:11   --------   d-----w-   c:\users\Paul\AppData\Roaming\Juce VST Host
2010-04-08 02:11 . 2010-04-08 02:11   --------   d-----w-   c:\users\Paul\AppData\Roaming\Hardcore
2010-04-07 22:52 . 2010-04-07 22:49   --------   d-----w-   c:\program files\Image-Line
2010-04-07 22:52 . 2010-04-07 22:51   --------   d-----w-   c:\program files\VstPlugins
2010-04-07 22:51 . 2010-04-07 22:51   --------   d-----w-   c:\program files\Outsim
2010-04-06 22:27 . 2010-04-06 22:27   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-04-06 22:27 . 2010-04-06 22:27   --------   d-----w-   c:\program files\LucasArts
2010-04-06 22:25 . 2010-04-06 22:25   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-04-06 20:54 . 2010-04-06 20:54   --------   d-----w-   c:\program files\7-Zip
2010-04-06 20:37 . 2010-04-06 20:37   --------   d-----w-   c:\program files\SystemRequirementsLab
2010-04-06 20:37 . 2010-04-06 20:37   85504   ----a-w-   c:\users\Paul\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-04-06 20:37 . 2010-04-06 20:37   --------   d-----w-   c:\users\Paul\AppData\Roaming\SystemRequirementsLab
2010-04-05 16:45 . 2010-04-05 16:45   --------   d-----w-   c:\program files\PowerISO
2010-04-01 11:53 . 2010-04-01 11:53   348160   ----a-w-   c:\windows\system32\msvcr71.dll
2010-04-01 11:53 . 2010-04-01 11:53   499712   ----a-w-   c:\windows\system32\msvcp71.dll
2010-03-15 23:26 . 2010-01-05 03:43   116624   ----a-w-   c:\users\Paul\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-08 21:33 . 2010-04-14 19:21   427520   ----a-w-   c:\windows\system32\vbscript.dll
2010-03-04 01:09 . 2010-03-04 01:09   45056   ----a-r-   c:\users\Paul\AppData\Roaming\Microsoft\Installer\{C19AB6C4-BBD0-49EF-927D-9C7CB80BC0B0}\MapleStory.exe1_C19AB6C4BBD049EF927D9C7CB80BC0B0.exe
2010-03-04 01:09 . 2010-03-04 01:09   45056   ----a-r-   c:\users\Paul\AppData\Roaming\Microsoft\Installer\{C19AB6C4-BBD0-49EF-927D-9C7CB80BC0B0}\MapleStory.exe_C19AB6C4BBD049EF927D9C7CB80BC0B0.exe
2010-03-04 01:09 . 2010-03-04 01:09   10134   ----a-r-   c:\users\Paul\AppData\Roaming\Microsoft\Installer\{C19AB6C4-BBD0-49EF-927D-9C7CB80BC0B0}\ARPPRODUCTICON.exe
2009-06-10 21:26 . 2009-07-14 02:04   9633792   --sha-r-   c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42   396800   --sha-w-   c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\Wat ----

2010-05-06 03:20 . 2010-05-06 03:20   249768   ----a-w-   c:\windows\system32\Wat\WatUX.exe
2010-05-06 03:20 . 2010-05-06 03:20   128424   ----a-w-   c:\windows\system32\Wat\WatWeb.dll
2010-05-06 03:20 . 2010-05-06 03:20   114600   ----a-w-   c:\windows\system32\Wat\npWatWeb.dll
2010-05-06 03:20 . 2010-05-06 03:20   1343400   ----a-w-   c:\windows\system32\Wat\WatAdminSvc.exe

((((((((((((((((((((((((((((( SnapShot@2010-05-29_21.51.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:55 . 2010-05-31 02:17   43628 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-01-05 03:29 . 2010-05-31 02:16   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-05 03:29 . 2010-05-27 23:10   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-05 03:29 . 2010-05-31 02:16   32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-05 03:29 . 2010-05-27 23:10   32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-05 03:29 . 2010-05-27 23:10   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-05 03:29 . 2010-05-31 02:16   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-05 03:29 . 2010-05-31 02:16   16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-05 03:29 . 2010-05-27 23:10   16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-05 05:11 . 2010-05-31 02:04   32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-05 05:11 . 2010-05-29 21:37   32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-05 05:11 . 2010-05-31 02:04   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2010-01-05 05:11 . 2010-05-29 21:37   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2010-01-05 05:11 . 2010-05-31 02:04   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2010-01-05 05:11 . 2010-05-29 21:37   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2010-01-05 03:29 . 2010-05-29 21:37   32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-05 03:29 . 2010-05-31 02:16   32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-05 03:29 . 2010-05-27 23:10   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-05 03:29 . 2010-05-31 02:16   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-27 23:08 . 2010-05-27 23:08   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-05-27 23:08 . 2010-05-31 02:15   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-27 23:08 . 2010-05-27 23:08   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-05-27 23:08 . 2010-05-31 02:15   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-05 12:14 . 2010-05-31 02:01   300420 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2009-07-14 02:03 . 2010-05-29 21:47   7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:03 . 2010-05-31 02:14   7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"DS3 Tool"="c:\program files\MotioninJoy\ds3\DS3_Tool.exe" [2009-12-10 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Korean IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 26400]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-09 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceRunOnStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2009-12-10 46592]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-06 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100520.001\IDSvix86.sys [2009-10-28 343088]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS [2010-05-06 339504]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28u.sys [2009-05-25 734208]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Microsoft Excel? ????(&X) - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\l1rm0gg5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2436531&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - iPhone OS 3 Customized Web Search
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2436531&q=
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\l1rm0gg5.default\extensions\{74714d77-1695-4e73-a98e-25cb374f46b4}\components\FFExternalAlert.dll
FF - component: c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\l1rm0gg5.default\extensions\{74714d77-1695-4e73-a98e-25cb374f46b4}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,03,e7,a6,64,97,d4,45,82,41,81,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,03,e7,a6,64,97,d4,45,82,41,81,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4628)
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\System32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-05-30 22:20:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-31 02:20
ComboFix2.txt 2010-05-29 21:54

Pre-Run: 485,580,550,144 bytes free
Post-Run: 485,877,628,928 bytes free

- - End Of File - - BA6F9FF735723E4D1C3E8D9631511CFC

Title: Re: Windows Security Alert Help
Post by: njnets214 on May 30, 2010, 08:22:22 PM

Results of screen317's Security Check version 0.99.4
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 17
Java(TM) SE Development Kit 6 Update 17
JavaFX(TM) 1.2 SDK
Java DB 10.4.2.1
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader 9.3
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Title: Re: Windows Security Alert Help
Post by: SuperDave on May 31, 2010, 01:30:53 PM

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version (http://www.java.com/en/download/installed.jsp)

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa (http://raproducts.org/click/click.php?id=1) and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
4. Run CCleaner.

Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

==============================

Download CCleaner Slim (http://www.ccleaner.com/download/builds/downloading-slim) and save it to your Desktop - Alternate download link (http://www.majorgeeks.com/CCleaner_Slim_No_Toolbar_d4191.html)

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes.[/I] Exit CCleaner after it has completed it's process.

===============================
I'd like us to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.

•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Title: Re: Windows Security Alert Help
Post by: njnets214 on June 02, 2010, 07:36:37 PM

C:\Users\Paul\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7adbb65d-4c9ad265   a variant of Java/TrojanDownloader.Agent.NAN trojan   deleted - quarantined
C:\Users\Paul\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\7278e12c-793a31df   probably a variant of Win32/Agent trojan   deleted - quarantined
D:\AC24-PC\Backup Set 2010-01-14 214910\Backup Files 2010-01-17 230132\Backup files 6.zip   multiple threats   deleted - quarantined
D:\AC24-PC\Backup Set 2010-01-14 214910\Backup Files 2010-01-17 230132\Backup files 8.zip   probably a variant of Win32/PSW.OnLineGames trojan   deleted - quarantined
D:\? ????\Hp_documents\download\DBGO_simfile.exe   multiple threats   deleted - quarantined

Title: Re: Windows Security Alert Help
Post by: SuperDave on June 02, 2010, 07:46:10 PM

That looks good. If there are no other issues, it's time for some clean-up.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

===========================

Download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe) and save it to your desktop.

1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes
5. OTC should delete itself once it finishes, if not delete it yourself.

=============================

Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

==============================

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Title: Re: Windows Security Alert Help
Post by: njnets214 on June 03, 2010, 01:27:55 PM

Ok, Thank you so much for your help! You've been a great help.