Malware Doctor + Microsoft Security Essentials hijacker

Firstly, apologies for the multiple thread, but i can't seem to reply in this thread here:
http://www.GeekPolice.net/virus-spyware-malware-removal-f11/double-whammy-malware-doctor-microsoft-security-essentials-hijacker-t23661.htm

For some assistance, and also to guide anyone else that has this issue I did the following:
1. Reboot to safe mode as i couldn't kill the processes.
2. Follow the delete instructions here: http://www.spywarevoid.com/remove-fake-microsoft-security-essentials-alert.html#manual_removal
3. Run Combofix
4. This is where i'm up to now - i had to put in some missing internet settings in my TCP/IP properties to get the internet working again.

Q1: I've attached the Combofix log per instructions in the link above. What's the next step? Do i need to scan further? delete more files?

Q2: I did get two error messages upon reboot, do i need to do anything here?

Any help would be hugely appreciated. With any luck, this may help someone else too.

Cheers,
Sir G.

Hello.

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   Code:

   
KILLALL::

File::
c:\windows\Rxokofumutokarat.dat
c:\windows\Tsonokogikewejog.bin
c:\windows\Khotub.exe
c:\windows\Kjupoa.exe
c:\windows\Khotua.exe
c:\windows\system32\infosoft2.dll
c:\windows\system32\imagehlph.dll
c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

   
   
4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.
   

Wow thankyou so much for getting back to me so quickly! I have done as instructed, the log is attached. "Khotub.exe" was caught by AVG upon startup too. The log:


ComboFix 10-09-30.03 - Alexander 01/10/2010 16:48:16.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.538 [GMT 10:00]
Running from: c:\documents and settings\Alexander\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alexander\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Khotua.exe"
"c:\windows\Khotub.exe"
"c:\windows\Kjupoa.exe"
"c:\windows\Rxokofumutokarat.dat"
"c:\windows\system32\imagehlph.dll"
"c:\windows\system32\infosoft2.dll"
"c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job"
"c:\windows\Tsonokogikewejog.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Khotua.exe
c:\windows\Kjupoa.exe
c:\windows\Rxokofumutokarat.dat
c:\windows\system32\imagehlph.dll
c:\windows\system32\infosoft2.dll
c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
c:\windows\Tsonokogikewejog.bin

.
((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))
.

2010-09-23 07:40 . 2010-09-23 07:40 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 07:40 . 2010-09-23 07:40 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-09-23 07:40 . 2010-09-23 07:40 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 07:40 . 2010-09-23 07:40 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 07:40 . 2010-09-23 07:40 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 07:40 . 2010-09-23 07:40 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 07:40 . 2010-09-23 07:40 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 07:40 . 2010-09-23 07:40 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-09-23 07:40 . 2010-09-23 07:40 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 07:38 . 2010-09-23 07:38 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 06:31 . 2009-12-01 23:03 0 ----a-w- c:\documents and settings\Alexander\Local Settings\Application Data\prvlcl.dat
2010-09-30 10:21 . 2009-04-01 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-30 10:20 . 2009-04-01 23:10 -------- d-----w- c:\program files\foobar2000 (OLD)
2010-09-28 11:00 . 2009-04-01 22:16 -------- d-----w- c:\program files\PeerGuardian2
2010-09-28 10:58 . 2009-04-01 22:16 -------- d-----w- c:\documents and settings\Alexander\Application Data\uTorrent
2010-09-24 10:09 . 2009-11-17 05:46 -------- d-----w- c:\documents and settings\Alexander\Application Data\vlc
2010-09-24 10:03 . 2009-04-15 01:32 -------- d-----w- c:\documents and settings\Alexander\Application Data\FileZilla
2010-09-23 09:54 . 2009-04-01 23:10 -------- d-----w- c:\documents and settings\Alexander\Application Data\Vso
2010-09-21 11:49 . 2010-07-16 09:40 -------- d-----w- c:\program files\TrackMania Nations ESWC
2010-08-31 09:46 . 2009-04-01 23:07 -------- d-----w- c:\documents and settings\Alexander\Application Data\Canon
2010-08-31 09:10 . 2010-08-31 09:10 724992 ----a-w- c:\windows\iun6002.exe
2010-08-29 08:50 . 2009-04-01 21:30 -------- d-----w- c:\program files\Acdsee
2010-08-29 05:44 . 2010-08-29 05:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-29 05:42 . 2009-04-01 21:52 -------- d-----w- c:\program files\Lavasoft
2010-08-22 05:19 . 2009-04-01 21:09 44640 ----a-w- c:\documents and settings\Alexander\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-18 15:10 . 2010-08-18 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2010-08-18 13:03 . 2009-04-01 23:10 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-08-18 13:03 . 2009-04-01 23:10 47360 ----a-w- c:\documents and settings\Alexander\Application Data\pcouffin.sys
2010-08-18 13:03 . 2009-04-01 23:10 47360 ----a-w- c:\documents and settings\Alexander\Application Data\pcouffin.sys
2010-08-18 13:03 . 2010-08-18 13:03 -------- d-----w- c:\program files\VSO
2010-08-17 13:17 . 2001-08-23 11:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 12:16 . 2010-08-29 05:44 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-12 12:15 . 2010-08-29 08:50 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-12 12:15 . 2009-04-01 21:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-12 07:39 . 2010-08-12 07:39 488532 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-08-01 10:01 . 2010-08-01 10:01 255 ----a-w- c:\windows\PowerReg.dat
2010-07-22 15:49 . 2001-08-23 11:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-14 22:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-16 23:49 . 2009-04-09 01:26 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 23:49 . 2010-07-16 23:49 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 23:48 . 2009-04-09 01:26 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-06 11:07 . 2010-07-06 11:07 4608 ----a-w- c:\windows\system32\w95inf32.dll
2010-07-06 11:07 . 2010-07-06 11:07 2272 ----a-w- c:\windows\system32\w95inf16.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="c:\program files\CoreTemp\Core Temp.exe" [2008-08-22 277008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
"PathNvidiaTV"="c:\program files\Gigabyte\Nvidia\patchnvidiaTVout.exe" [2005-01-27 20480]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-12-22 5517312]
"nwiz"="nwiz.exe" [2004-12-22 1490944]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-12-22 86016]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 23:49 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Alexander^Start Menu^Programs^Startup^Core Temp.lnk]
path=c:\documents and settings\Alexander\Start Menu\Programs\Startup\Core Temp.lnk
backup=c:\windows\pss\Core Temp.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alexander^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Alexander\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GN-WPKG Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GN-WPKG Utility.lnk
backup=c:\windows\pss\GN-WPKG Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-13 15:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-08-12 12:15 864624 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-08-08 01:37 4608 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
2004-01-14 01:10 409600 ----a-w- c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-25 15:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 19:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 05:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 00:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 11:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 09:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2008-07-02 06:16 393216 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-12-22 09:09 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-16 04:03 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/04/2009 7:55 AM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/04/2009 11:26 AM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/04/2009 11:26 AM 243024]
R1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [11/07/2003 11:22 PM 14912]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [17/07/2010 9:48 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 9:49 AM 308136]
R2 BBDemon;Backbone Service;c:\program files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe [6/09/2005 10:11 PM 35840]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\ALEXAN~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\ALEXAN~1\LOCALS~1\Temp\ALSysIO.sys [?]
S2 CUSTOM MSC;CUSTOM MSC;c:\msc2000\Flexlm\LMGRD.EXE --> c:\msc2000\Flexlm\LMGRD.EXE [?]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [1/04/2009 10:27 PM 42752]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 10:15 PM 1355416]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 10:15 PM 15008]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [29/04/2009 12:57 PM 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [29/04/2009 12:57 PM 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [29/04/2009 12:57 PM 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [29/04/2009 12:57 PM 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [29/04/2009 12:57 PM 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [29/04/2009 12:57 PM 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [29/04/2009 12:57 PM 109736]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/08/2009 11:00 AM 716272]
.
Contents of the 'Scheduled Tasks' folder

2009-12-01 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1<mpl=default<mplcache=2
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {066A7A70-CAE7-4D2B-81E9-31551CBFA7D1} = 10.1.1.1
TCP: {7CA847BD-797A-40A6-8B7F-8403B6C5243B} = 203.0.178.191,203.215.29.191
FF - ProfilePath - c:\documents and settings\Alexander\Application Data\Mozilla\Firefox\Profiles\zif0yei8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Alexander\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-01 16:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
PathNvidiaTV = c:\program files\Gigabyte\Nvidia\patchnvidiaTVout.exe??????|???|???|?????????@???@???B=??@?????|?????????@???????E?|@??|???|YF?|?U?|yE?|????????????????????????????
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,20,fc,5a,d2,82,50,40,ac,e0,52,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,20,fc,5a,d2,82,50,40,ac,e0,52,\

[HKEY_USERS\S-1-5-21-220523388-484763869-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{47ED291B-B53F-ADD1-E9BF-1F0B29650AB1}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-10-01 17:05:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-01 07:05
ComboFix2.txt 2010-09-30 11:16

Pre-Run: 16,607,428,608 bytes free
Post-Run: 16,620,019,712 bytes free

- - End Of File - - 227991FDA01AFFE07758A9F439F9AAE2

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

• Check (tick) this box: YES, I accept the Terms of Use.
  
• Click on the Start button next to it.
  
• When prompted to run ActiveX. click Yes.
  
• You will be asked to install an ActiveX. Click Install.
  
• Once installed, the scanner will be initialized.
  
• After the scanner is initialized, click Start.
  
• Check (tick) Remove found threats box.
  
• Check (tick) Scan unwanted applications.
  
• Click on Scan.
  
• It will start scanning. Please be patient.
  
• Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.
  

Done! It found two objects, i'm not sure they are an issue, but i had them deleted anyway:

C:\Program Files\Unlocker\eBay_shortcuts_1016.exe Win32/Adware.ADON application deleted - quarantined
F:\Installs\_Data Recover and Delete\Unlocker v.1.8.7.exe Win32/Adware.ADON application deleted - quarantined


There was no long file in "C:\Program Files\ESET\ESET Online Scanner", only:
OnlineScanner.ocx
OnlineScannerUninstaller.exe

I think my problem is resolved?

Many thanks for your help if it's over!!

How is the machine running now?

Seems to be fine, sometimes it slows down heaps with firefox open, a lot of HD noise, but I might just be noticing something that's always been there. I ran Spybot and it found no hits. I might be paranoid, but will run AdAware and AVG too.

I think thus far it's fixed. Very much appreciative of your help!

I think i jumped the gun, this came up while viewing a webpage i know has nothing bad on it... Don't know if it's coincidence or not.

Hello.

Download Bootkit Remover to your Desktop.

• You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  
• After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  
• It will show a Black screen with some data on it.
  
• Right click on the screen and click Select All.
  
• Press CTRL C
  
• Open a Notepad and press CTRL V
  
• Post the output back here.
  

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

It also came up with the above error...

And another one picked up by AVG:

Is this log important?

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Log is attached. It came up with 4 items - i'm not sure the 4th is malware - it looks like a notification thing, but i can't be sure.

I also ran the full scan after, it didn't find anything else.

Am i free to empty the quarantine?

Cheers,
Sir G.

Hello.
Are you from Australia by any chance?

PM sent!

Still having problems?

Nothing to report, i the the computer she is cured! Thankyou very much!