Redirect problem

dna · May 31, 2010

Hello

I've been infected with a redirect malware. IE searches are redirected to different sites. I've run mbam and removed several issues, but the redirect remains. I've also run Superantispyware. That removed a few things also. Another artifact is that the DHCP client service doesn't always start automatically. I have to reboot about three times, then start it manually.

Need help.

Thanks.

Maniac · May 31, 2010

Hello dna! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install or uninstall any software or hardware, while work on.

Please follow these instructions:

http://forums.malwarebytes.org/index.php?showtopic=9573

Post all logs if you can.

dna · June 1, 2010

ok. Here's the dds log. I had a blue screen crash after running GMER while trying to zip the attach.txt file and ark.txt.

DDS (Ver_10-03-17.01) - NTFSx86

Run by David Nakaki at 14:44:47.78 on Mon 05/31/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2414 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AskBarDis\bar\bin\AskService.exe

C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\nvraidservice.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe

C:\Program Files\Dell Video Chat\DellVideoChat.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

C:\Documents and Settings\David Nakaki\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uDefault_Page_URL = hxxp://www.msn.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uWindow Title = Internet Explorer, optimized for Bing and MSN

mSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Download Manager Browser Helper Object: {19c8e43b-07b3-49cb-bffc-6777b593e6f8} - c:\progra~1\common~1\fluxdvd\downlo~1\XEBDLH~1.DLL

BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile

uRun: [sightSpeed] "c:\program files\dell video chat\DellVideoChat.exe" -bootmode

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [CinemaNowMediaManagerApp]

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [bing Bar] "c:\program files\msn toolbar\platform\5.0.1449.0\mswinext.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

dRun: [bjgnmrsr] c:\documents and settings\networkservice\local settings\application data\aqeoglvip\ifmkcmytssd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: cinemanow.com

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-16 214664]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-3-8 464264]

R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-3-8 234888]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-5-24 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-16 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-16 144704]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-16 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-16 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-16 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-16 40552]

S2 gupdate1ca7f273eefbc52;Google Update Service (gupdate1ca7f273eefbc52);c:\program files\google\update\GoogleUpdate.exe [2009-12-17 133104]

S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-16 30192]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-16 34248]

=============== Created Last 30 ================

2010-05-31 21:35:19 0 ----a-w- c:\documents and settings\david nakaki\defogger_reenable

2010-05-29 07:10:53 0 d-----w- c:\docume~1\davidn~1\applic~1\SUPERAntiSpyware.com

2010-05-29 07:10:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-05-29 07:10:48 0 d-----w- c:\program files\SUPERAntiSpyware

2010-05-27 05:31:15 0 d-----w- c:\program files\CCleaner

2010-05-25 06:35:50 0 d-----w- c:\program files\Yahoo!

2010-05-25 04:47:34 0 d-----w- c:\program files\Support Tools

2010-05-24 01:16:12 5815 ----a-w- c:\windows\system32\nvnrm.nvu

2010-05-24 01:16:12 3636 ----a-w- c:\windows\system32\drivers\nvphy.bin

2010-05-24 01:16:12 356352 ----a-w- c:\windows\system32\nvunrm.exe

2010-05-24 01:04:46 0 d-----w- C:\NV37803716.TMP

2010-05-24 01:04:46 0 d-----w- C:\NV1100284.TMP

2010-05-24 00:51:44 0 d-----w- C:\NV33242512.TMP

2010-05-24 00:51:44 0 d-----w- C:\NV30361528.TMP

2010-05-24 00:34:12 0 d-----w- C:\NV6241616.TMP

2010-05-24 00:34:12 0 d-----w- C:\NV4363192.TMP

2010-05-23 23:42:56 0 d-----w- c:\windows\system32\vmm32

2010-05-23 16:43:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-23 16:43:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-23 16:43:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-23 14:44:13 0 d-----w- c:\windows\system32\wbem\Repository

2010-05-22 21:00:39 0 d-----w- c:\docume~1\davidn~1\applic~1\Malwarebytes

2010-05-22 21:00:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-22 14:28:25 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX

2010-05-21 07:24:50 0 d-sh--w- c:\documents and settings\david nakaki\IECompatCache

2010-05-21 07:24:10 0 d-sh--w- c:\documents and settings\david nakaki\PrivacIE

2010-05-21 07:19:55 0 d-sh--w- c:\documents and settings\david nakaki\IETldCache

2010-05-21 07:17:29 0 dc-h--w- c:\windows\ie8

2010-05-21 07:17:05 0 d-----w- c:\program files\Microsoft

2010-05-21 07:17:03 0 d-----w- c:\program files\MSN Toolbar

2010-05-21 07:16:41 0 d-----w- c:\program files\Bing Bar Installer

2010-05-21 07:16:25 0 d--h--w- c:\windows\msdownld.tmp

2010-05-17 08:44:31 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-04 13:32:18 0 d-----w- c:\program files\iPod

2010-05-04 13:32:13 0 d-----w- c:\program files\iTunes

2010-05-04 13:29:05 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-31 01:58:04 133616 ------w- c:\windows\system32\PxAFS.DLL

2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe

2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll

============= FINISH: 14:46:08.59 ===============

attach.zip

Maniac · June 1, 2010

Step 1

STEP 01

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it back when you reply
Then look for the following Java folders and if found delete them.
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Windows\Sun
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

Step 2

Launch Malwarebytes' Anti-Malware
Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s) in this sequence:

JavaRa log
MalwareBytes' Anti-Malware log

dna · June 1, 2010

Here are the log files

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Jun 01 06:59:24 2010

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007

------------------------------------

Finished reporting.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4161

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/1/2010 7:12:39 AM

mbam-log-2010-06-01 (07-12-39).txt

Scan type: Quick scan

Objects scanned: 134854

Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Maniac · June 1, 2010

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Open Tools -> Options -> Main tab
- Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

dna · June 1, 2010

I had a blue screen crash before ComboFix finished. Shall I retry running ComboFix?

Maniac · June 2, 2010

Did you see Combo-Fix.txt in your main drive C:\ ? Or Bug.txt maybe?

dna · June 2, 2010

No. Neither file is there.

Maniac · June 2, 2010

Please try again in Safe Mode.

http://www.microsoft.com/resources/documen...t_failsafe.mspx

dna · June 2, 2010

Here's the ComboFix log

ComboFix 10-06-01.01 - David Nakaki 06/02/2010 6:31.1.4 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2929 [GMT -7:00]

Running from: c:\documents and settings\David Nakaki\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))

.

2010-05-31 16:08 . 2008-04-14 12:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll

2010-05-31 16:08 . 2008-04-14 12:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll

2010-05-31 16:08 . 2008-04-14 12:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll

2010-05-31 16:08 . 2008-04-14 12:00 10752 ----a-w- c:\windows\system32\c_iscii.dll

2010-05-31 16:08 . 2008-04-14 12:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll

2010-05-31 16:08 . 2008-04-14 12:00 5632 ----a-w- c:\windows\system32\kbdusa.dll

2010-05-31 16:08 . 2008-04-14 12:00 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll

2010-05-31 16:08 . 2008-04-14 12:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll

2010-05-31 16:08 . 2008-04-14 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0401.dll

2010-05-31 16:08 . 2008-04-14 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt040d.dll

2010-05-29 07:11 . 2010-05-31 15:52 63488 ----a-w- c:\documents and settings\David Nakaki\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-05-29 07:11 . 2010-05-29 07:11 52224 ----a-w- c:\documents and settings\David Nakaki\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-05-29 07:11 . 2010-05-31 15:51 117760 ----a-w- c:\documents and settings\David Nakaki\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-29 07:10 . 2010-05-29 07:10 -------- d-----w- c:\documents and settings\David Nakaki\Application Data\SUPERAntiSpyware.com

2010-05-29 07:10 . 2010-05-29 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-05-29 07:10 . 2010-05-29 07:10 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-05-29 06:53 . 2010-05-29 06:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-27 05:31 . 2010-05-27 05:31 -------- d-----w- c:\program files\CCleaner

2010-05-25 06:35 . 2010-05-25 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-05-25 06:35 . 2010-05-25 06:35 -------- d-----w- c:\documents and settings\David Nakaki\Application Data\Yahoo!

2010-05-25 06:35 . 2010-05-25 06:35 -------- d-----w- c:\program files\Yahoo!

2010-05-25 04:47 . 2010-05-25 04:47 -------- d-----w- c:\program files\Support Tools

2010-05-24 01:16 . 2008-01-15 03:20 3636 ----a-w- c:\windows\system32\drivers\nvphy.bin

2010-05-24 01:16 . 2008-01-15 03:20 356352 ----a-w- c:\windows\system32\nvunrm.exe

2010-05-24 01:04 . 2010-05-24 01:04 -------- d-----w- C:\NV37803716.TMP

2010-05-24 01:04 . 2010-05-24 01:04 -------- d-----w- C:\NV1100284.TMP

2010-05-24 00:51 . 2010-05-24 00:51 -------- d-----w- C:\NV33242512.TMP

2010-05-24 00:51 . 2010-05-24 00:51 -------- d-----w- C:\NV30361528.TMP

2010-05-24 00:34 . 2010-05-24 00:34 -------- d-----w- C:\NV6241616.TMP

2010-05-24 00:34 . 2010-05-24 00:34 -------- d-----w- C:\NV4363192.TMP

2010-05-23 23:42 . 2010-05-23 23:42 45056 ----a-r- c:\documents and settings\David Nakaki\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe

2010-05-23 23:42 . 2010-05-23 23:42 10134 ----a-r- c:\documents and settings\David Nakaki\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe

2010-05-23 23:42 . 2010-05-23 23:42 -------- d-----w- c:\windows\system32\vmm32

2010-05-23 16:43 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-23 16:43 . 2010-05-23 16:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-23 16:43 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-23 14:44 . 2010-05-23 14:44 -------- d-----w- c:\windows\system32\wbem\Repository

2010-05-22 21:00 . 2010-05-22 21:00 -------- d-----w- c:\documents and settings\David Nakaki\Application Data\Malwarebytes

2010-05-22 21:00 . 2010-05-22 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-22 14:31 . 2010-05-22 14:31 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-05-22 14:29 . 2010-05-22 14:29 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-05-22 14:29 . 2010-05-22 14:29 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe

2010-05-22 14:29 . 2010-05-22 14:29 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe

2010-05-22 14:29 . 2010-05-22 14:29 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe

2010-05-22 14:28 . 2010-05-22 14:28 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

2010-05-22 14:28 . 2010-05-22 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-05-21 07:24 . 2010-05-21 07:24 -------- d-sh--w- c:\documents and settings\David Nakaki\IECompatCache

2010-05-21 07:24 . 2010-05-21 07:24 -------- d-sh--w- c:\documents and settings\David Nakaki\PrivacIE

2010-05-21 07:23 . 2010-05-21 07:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-21 07:19 . 2010-05-21 07:19 -------- d-sh--w- c:\documents and settings\David Nakaki\IETldCache

2010-05-21 07:17 . 2010-05-21 07:17 -------- dc-h--w- c:\windows\ie8

2010-05-21 07:17 . 2010-05-21 07:17 -------- d-----w- c:\program files\Microsoft

2010-05-21 07:17 . 2010-05-21 07:17 -------- d-----w- c:\program files\MSN Toolbar

2010-05-21 07:16 . 2010-05-21 07:17 -------- d-----w- c:\program files\Bing Bar Installer

2010-05-21 07:16 . 2010-05-21 07:18 -------- d--h--w- c:\windows\msdownld.tmp

2010-05-21 06:07 . 2010-05-21 06:07 -------- d-----w- c:\documents and settings\David Nakaki\Local Settings\Application Data\tfoscaifg

2010-05-19 08:17 . 2010-05-19 08:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\aqeoglvip

2010-05-17 08:44 . 2010-05-17 08:44 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-07 04:39 . 2010-05-07 04:39 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-04 13:32 . 2010-05-04 13:32 -------- d-----w- c:\program files\iPod

2010-05-04 13:32 . 2010-05-04 13:32 -------- d-----w- c:\program files\iTunes

2010-05-04 13:29 . 2010-05-04 13:29 -------- d-----w- c:\program files\Bonjour

2010-05-04 13:27 . 2010-05-04 13:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-31 21:38 . 2009-01-16 22:31 -------- d-----w- c:\program files\McAfee

2010-05-27 06:06 . 2009-03-08 16:40 -------- d-----w- c:\documents and settings\David Nakaki\Application Data\Azureus

2010-05-25 06:36 . 2009-01-16 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-23 23:42 . 2009-01-16 22:30 -------- d-----w- c:\program files\Dell

2010-05-22 14:31 . 2010-02-07 22:59 -------- d-----w- c:\documents and settings\David Nakaki\Application Data\DivX

2010-05-22 14:29 . 2009-12-17 14:43 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-05-22 14:28 . 2010-05-22 14:30 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-05-22 14:28 . 2010-05-22 14:30 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-05-19 05:24 . 2009-03-08 19:28 -------- d-----w- c:\documents and settings\David Nakaki\Application Data\Apple Computer

2010-05-12 13:30 . 2009-01-16 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-04 13:32 . 2009-03-08 19:27 -------- d-----w- c:\program files\Common Files\Apple

2010-04-14 20:19 . 2010-04-14 20:19 8851392 ----a-w- c:\documents and settings\David Nakaki\Application Data\Azureus\tmp\AZU7602.tmp\Vuze_4.4.0.0a_win32.exe

2010-04-13 21:19 . 2010-04-13 21:19 8851392 ----a-w- c:\documents and settings\David Nakaki\Application Data\Azureus\tmp\AZU7599.tmp\Vuze_4.4.0.0a_win32.exe

2010-04-12 22:19 . 2010-04-12 22:19 8851392 ----a-w- c:\documents and settings\David Nakaki\Application Data\Azureus\tmp\AZU7595.tmp\Vuze_4.4.0.0a_win32.exe

2010-04-11 23:19 . 2010-04-11 23:19 8851392 ----a-w- c:\documents and settings\David Nakaki\Application Data\Azureus\tmp\AZU7592.tmp\Vuze_4.4.0.0a_win32.exe

2010-04-11 00:19 . 2010-04-11 00:19 8851392 ----a-w- c:\documents and settings\David Nakaki\Application Data\Azureus\tmp\AZU7589.tmp\Vuze_4.4.0.0a_win32.exe

2010-04-10 01:20 . 2010-04-10 01:20 8851392 ----a-w- c:\documents and settings\David Nakaki\Application Data\Azureus\tmp\AZU7586.tmp\Vuze_4.4.0.0a_win32.exe

2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-06 05:16 . 2010-02-02 14:27 -------- d-----w- c:\program files\QuickTime

2010-04-06 04:38 . 2010-04-06 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-03-31 01:58 . 2007-12-11 01:37 133616 ------w- c:\windows\system32\PxAFS.DLL

2010-03-31 01:58 . 2007-11-14 20:08 125424 ------w- c:\windows\system32\pxinsi64.exe

2010-03-31 01:58 . 2007-11-14 09:00 44944 ------w- c:\windows\system32\drivers\pxhelp20.sys

2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-12-10 01:40 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]

"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-08-15 4812664]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-16 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-15 16855552]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-19 203296]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-27 30192]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2008-11-03 1745648]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-01-16 22:34 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [3/8/2009 9:40 AM 464264]

S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [3/8/2009 9:40 AM 234888]

S2 gupdate1ca7f273eefbc52;Google Update Service (gupdate1ca7f273eefbc52);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2009 7:43 AM 133104]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [5/24/2010 11:36 PM 93320]

S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/16/2009 3:30 PM 30192]

.

Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-17 14:43]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-17 14:43]

2010-05-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-16 19:22]

2010-05-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-16 19:22]

2010-05-29 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

Trusted Zone: cinemanow.com

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-CinemaNowMediaManagerApp - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-02 06:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(224)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

.

Completion time: 2010-06-02 06:36:50

ComboFix-quarantined-files.txt 2010-06-02 13:36

Pre-Run: 432,028,839,936 bytes free

Post-Run: 432,165,928,960 bytes free

- - End Of File - - 2321E56FA277B4E71524AC445982CBF7

Maniac · June 2, 2010

Open Notepad and copy and paste the text in the code box below into it:

DirLook::
c:\documents and settings\David Nakaki\Local Settings\Application Data\tfoscaifg
c:\documents and settings\NetworkService\Local Settings\Application Data\aqeoglvip

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

dna · June 2, 2010

When I dragged the CFScript.txt file on top of the Combofix icon, Combofix disappeared from the desktop. Something flashed in the McAfee window, but I didn't see what it was.

Maniac · June 2, 2010

Please disable your antivirus and try again.

dna · June 2, 2010

I had a blue screen crash while running ComboFix. Should I retry in Safe Mode?

Maniac · June 2, 2010

Yes, please.

dna · June 2, 2010

Here's the latest ComboFix log.

ComboFix 10-06-01.03 - David Nakaki 06/02/2010 7:45.2.4 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.3036 [GMT -7:00]

Running from: c:\documents and settings\David Nakaki\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\David Nakaki\Desktop\CFScript.txt