Sheur2.WYR

My laptop was infected with Sheur2.WYR. I ran Avast, AVG and Spybot, followed by Hijack and removed several thousand security threats.
However, I think I've still got Sheur somewhere in the system.
At random up pops an IE page for http://skfjkhcdcsh.com/?uid=2eOeOce26e95f6347bfc7c629cc2a77ac42b471b&os=521par=1c. (and asks me if I want to do a virus scan).

Closing this means it disappears for ten minutes and then reappears.
If I stop the popup running in IE7, it reinstates itself.
Spybot shows a BHO a068044d9f2d4316, which again reinstates itself if deleted.

Also in the system are lodivime.dll yijazowi.dll and wigovekapi.dll all of which are suspect, but presently cannot be deleted.
Any suggestions as to how to get rid of this problem?
Thanks in advance.

Simon Tomsett


Th

DO NOT use Hijack This on your own, doing so can leave your machine badly damaged.

Please post your Hijack This log here for me to see.

Hi,
I attach HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 13:20:29, on 13/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {a068044d-9f2d-4316-8650-fc9616205d6e} - C:\WINDOWS\system32\mebozihi.dll (file missing)
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [wigovekapi] Rundll32.exe "C:\WINDOWS\system32\wayebomi.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Startup.lnk.disabled
O4 - Startup: Microsoft Find Fast.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: karna.dat,C:\WINDOWS\system32\dayoyadu.dll c:\windows\system32\lodivime.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lodivime.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

Simon

Hello.
You have Hijack This version 1.99.1, this is old and outdated.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:18:59, on 13/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {a068044d-9f2d-4316-8650-fc9616205d6e} - C:\WINDOWS\system32\mebozihi.dll (file missing)
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [wigovekapi] Rundll32.exe "C:\WINDOWS\system32\wayebomi.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Office Startup.lnk.disabled (User 'SYSTEM')
O4 - S-1-5-18 Startup: Microsoft Find Fast.lnk.disabled (User 'SYSTEM')
O4 - .DEFAULT Startup: Office Startup.lnk.disabled (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Find Fast.lnk.disabled (User 'Default user')
O4 - Startup: Office Startup.lnk.disabled
O4 - Startup: Microsoft Find Fast.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,C:\WINDOWS\system32\dayoyadu.dll c:\windows\system32\lodivime.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lodivime.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lodivime.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4895 bytes

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O2 - BHO: (no name) - {a068044d-9f2d-4316-8650-fc9616205d6e} - C:\WINDOWS\system32\mebozihi.dll (file missing)
  O4 - HKLM\..\Run: [wigovekapi] Rundll32.exe "C:\WINDOWS\system32\wayebomi.dll",s
  O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O20 - AppInit_DLLs: karna.dat,C:\WINDOWS\system32\dayoyadu.dll c:\windows\system32\lodivime.dll
  O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lodivime.dll (file missing)
  O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lodivime.dll (file missing)
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

I got an error in Hijack:
Modbackup_makebackup(sItem=06-HKCU\software\policies\microsoft\internet explorer\controlpanelpresent)
Error 53-File not found.
(I can't report it as the laptop is not on the net!)


Windows version :Windows NT 5.01.2600
MSIE Version: 7.0.5730.13

Malwarebytes log:
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

13/04/2009 19:02:01
mbam-log-2009-04-13 (19-02-01).txt

Scan type: Quick Scan
Objects scanned: 82036
Time elapsed: 14 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a068044d-9f2d-4316-8650-fc9616205d6e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a068044d-9f2d-4316-8650-fc9616205d6e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{60af7e75-d08e-fef7-4ae6-aab98e03212d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\oreans32 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\antispywarexp2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wigovekapi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Dropper) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bolapuno.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pawehuhe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pegeseyi.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\oreans32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Tg83gUP3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.


S.T.

DDS (Ver_09-03-16.01) - FAT32x86
Run by joe at 20:05:57.37 on 13/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.254.103 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: avast! antivirus 4.8.1296 [VPS 081127-0] *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {a068044d-9f2d-4316-8650-fc9616205d6e} - c:\windows\system32\mebozihi.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} -
TB: FB Toolbar: {a057a204-bacc-4d26-8988-34a187e2698b} - c:\progra~1\myfbto~1\MYFBTO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [wigovekapi] Rundll32.exe "c:\windows\system32\wayebomi.dll",s
StartupFolder: c:\documents and settings\joe\start menu\programs\startup\Office Startup.lnk.disabled
StartupFolder: c:\documents and settings\joe\start menu\programs\startup\Microsoft Find Fast.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-explorer: NoActiveDesktop = 2 (0x2)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: Wallpaper =
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\dayoyadu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\dayoyadu.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-7 111184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-8 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-8 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-8 108552]
R1 dmiproxy;dmiproxy;c:\windows\system32\drivers\Dmiproxy.sys [2002-12-7 36680]
R1 mmkmd;mmkmd;c:\windows\system32\drivers\mmkmd.sys [2002-12-7 2041]
R1 nbmkmd;nbmkmd;c:\windows\system32\drivers\NBMKMD.SYS [2002-12-7 4160]
R1 Start1Driver;Start1Driver;c:\windows\system32\drivers\Start1Driver.SYS [2009-4-9 5120]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-7 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-7 155160]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-8 298264]
R3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;c:\windows\system32\drivers\A310.sys [2003-1-29 32823]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-7 254040]
S1 Hotkey;Hotkey; [x]
S1 mailKmd;mailKmd; [x]
S1 Wbutton;Wbutton;c:\windows\system32\drivers\wbutton.sys --> c:\windows\system32\drivers\Wbutton.sys [?]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-7 352920]
S3 DCamUSBPremier;USB Video Camera;c:\windows\system32\drivers\MPIXVID.SYS [2005-7-31 81921]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys --> c:\windows\system32\drivers\glauiad.sys [?]
S3 NAVAP;NAVAP;\??\c:\windows\system32\drivers\navap.sys --> c:\windows\system32\drivers\NAVAP.SYS [?]
S3 USBCamera;DIGITAL CAMERA;c:\windows\system32\drivers\bulk533.sys --> c:\windows\system32\drivers\Bulk533.sys [?]

=============== Created Last 30 ================

2009-04-13 18:44 --d----- c:\docume~1\joe\applic~1\Malwarebytes
2009-04-13 18:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-13 18:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 18:44 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-13 18:44 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-13 15:17 --d----- c:\program files\Trend Micro
2009-04-10 20:56 1,374 a------- c:\windows\imsins.BAK
2009-04-10 17:50 36,128 -------- c:\windows\system32\dllcache\banshee.sys
2009-04-10 17:50 342,336 -------- c:\windows\system32\dllcache\banshee.dll
2009-04-10 17:50 96,640 -------- c:\windows\system32\dllcache\b57xp32.sys
2009-04-10 17:50 89,952 -------- c:\windows\system32\dllcache\b1cbase.sys
2009-04-10 17:50 36,992 -------- c:\windows\system32\dllcache\aztw2320.sys
2009-04-10 17:50 37,568 -------- c:\windows\system32\dllcache\avmwan.sys
2009-04-10 17:50 144,384 -------- c:\windows\system32\dllcache\avmenum.dll
2009-04-10 17:50 87,552 -------- c:\windows\system32\dllcache\avmcoxp.dll
2009-04-10 17:50 13,696 -------- c:\windows\system32\dllcache\avcstrm.sys
2009-04-10 17:50 36,096 -------- c:\windows\system32\dllcache\avcaudio.sys
2009-04-10 17:50 38,912 -------- c:\windows\system32\dllcache\avc.sys
2009-04-10 17:48 77,568 -------- c:\windows\system32\dllcache\ati.sys
2009-04-10 17:48 96,128 -------- c:\windows\system32\dllcache\ati.dll
2009-04-10 17:48 97,354 -------- c:\windows\system32\dllcache\aspndis3.sys
2009-04-10 17:48 22,400 -------- c:\windows\system32\dllcache\asc3350p.sys
2009-04-10 17:48 14,848 -------- c:\windows\system32\dllcache\asc3550.sys
2009-04-10 17:48 26,496 -------- c:\windows\system32\dllcache\asc.sys
2009-04-10 17:48 6,272 -------- c:\windows\system32\dllcache\apmbatt.sys
2009-04-10 17:48 36,224 -------- c:\windows\system32\dllcache\an983.sys
2009-04-10 17:48 12,032 -------- c:\windows\system32\dllcache\amsint.sys
2009-04-10 17:47 16,969 -------- c:\windows\system32\dllcache\amb8002.sys
2009-04-10 17:47 26,624 -------- c:\windows\system32\dllcache\alifir.sys
2009-04-10 17:47 5,248 -------- c:\windows\system32\dllcache\aliide.sys
2009-04-10 17:47 27,678 -------- c:\windows\system32\dllcache\ali5261.sys
2009-04-10 17:47 56,960 -------- c:\windows\system32\dllcache\aic78xx.sys
2009-04-10 17:47 55,168 -------- c:\windows\system32\dllcache\aic78u2.sys
2009-04-10 17:47 12,800 -------- c:\windows\system32\dllcache\aha154x.sys
2009-04-10 17:47 24,576 -------- c:\windows\system32\dllcache\agcgauge.ax
2009-04-10 17:43 66,048 -------- c:\windows\system32\dllcache\s3legacy.dll
2009-04-10 11:54 2,260,480 a------- c:\program files\TeaTimer.exe
2009-04-10 10:25 --dsh--- C:\FOUND.030
2009-04-09 21:50 --d----- c:\program files\McAfee
2009-04-09 21:34 --d----- c:\docume~1\joe\applic~1\MYFBTOOLBAR
2009-04-09 09:53 5,120 -------- c:\windows\system32\drivers\Start1Driver.SYS
2009-04-08 10:16 --d----- c:\program files\ACW
2009-04-08 09:13 --dsh--- C:\FOUND.029
2009-04-08 06:58 --d-h--- C:\$AVG8.VAULT$
2009-04-08 06:09 --dsh--- C:\FOUND.028
2009-04-08 05:33 10,520 -------- c:\windows\system32\avgrsstx.dll
2009-04-08 05:32 108,552 -------- c:\windows\system32\drivers\avgtdix.sys
2009-04-08 05:32 325,640 -------- c:\windows\system32\drivers\avgldx86.sys
2009-04-08 05:32 --d----- c:\windows\system32\drivers\Avg
2009-04-08 05:31 --d----- c:\program files\AVG
2009-04-08 05:31 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-08 03:49 --d----- c:\docume~1\joe\applic~1\GlarySoft
2009-04-08 03:19 --dsh--- C:\FOUND.027
2009-04-07 13:51 --d----- c:\program files\Thomson
2009-04-07 10:50 129 a------- C:\Shortcut to 3½ Floppy (A).lnk
2009-04-07 08:42 --d----- c:\program files\SpeedTouch
2009-04-07 06:59 --d----- c:\docume~1\joe\applic~1\Auslogics
2009-04-07 06:59 --d----- c:\program files\Auslogics
2009-04-07 06:41 --d----- c:\docume~1\joe\applic~1\IObit
2009-04-07 06:41 --d----- c:\program files\IObit
2009-04-07 06:04 1,507,328 a------- C:\ffastunT.ffl
2009-04-07 04:20 --d----- c:\program files\myfbtoolbar
2009-04-07 04:03 --dsh--- C:\FOUND.026
2009-04-02 17:30 30,720 -------- c:\windows\winkpst.exe
2009-04-02 16:42 --dsh--- C:\FOUND.025

==================== Find3M ====================

2009-04-10 00:15 301,814 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-04-04 05:20 49,152 ---sh--- c:\windows\system32\batiweja.dll
2009-04-04 05:19 79,872 ---sh--- c:\windows\system32\sikizela.dll
2009-03-22 04:12 59,392 -------- c:\windows\system32\userinit.exe
2009-02-09 03:19 1,846,272 -------- c:\windows\system32\win32k.sys
2009-02-09 03:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2008-10-30 12:35 13,381 a------- c:\docume~1\alluse~1\applic~1\cyqiv.exe
2008-10-30 12:35 19,149 a------- c:\docume~1\alluse~1\applic~1\qifuzevaxu.exe
2008-10-30 12:35 17,918 a------- c:\docume~1\joe\applic~1\wacuvokax.dat
2006-08-06 11:55 46,680 a------- c:\docume~1\joe\applic~1\GDIPFONTCACHEV1.DAT
2009-01-04 05:20 49,152 ---sh--- c:\windows\system32\dayoyadu.dll

============= FINISH: 20:07:51.28 ===============

Hello.
Before we can use this next tool to remove the leftover vundo and fix the patched userinit, I need to see what's installed.

• Open HijackThis.
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5
Advanced SystemCare 3
Agere Systems AC'97 Modem
AusLogics Registry Defrag
avast! Antivirus
AVG 8.5
Critical Update for Windows Media Player 11 (KB959772)
Dr SpeedTouch
FinePixViewer Ver.4.2
FUJIFILM USB Driver
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
IBM ViaVoice Command and Control Runtime 5.3 - UK English
ImageMixer VCD2 for FinePix
Intel(R) Extreme Graphics Driver Software
Ladbrokes Casino
Line of Sight - Vietnam
LiveUpdate 1.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee QuickClean
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Standard
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MicroStaff WINASPI
MP3 music player
MP3 Player Utilities 3.68
MT882
MyDSC2
Nokia Connectivity Cable Driver
Notebook Manager for Windows 2000/XP
PC Connectivity Solution
PC TWIN SHOCK
PKR
PowerDVD
RAW FILE CONVERTER LE
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SigmaTel MSCN Audio Player
Smart Menus (Windows Live Toolbar)
SpeedTouch USB Software
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Tabbed Browsing (Windows Live Toolbar)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

Hello.

You are running two AV's, this is a bad idea as they can conflict and cause problems. I see Avast and AVG.
I would recommend that you remove Avast to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

• Adobe Reader 7.0.5
  
• avast! Antivirus
  
• LiveUpdate 1.6 (Symantec Corporation)
  
• McAfee QuickClean
  

Lets clean this mess up.

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (AVG8)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

I posted the combofix log but your site says it's too big to send.
Can I send it as an attachment?
It's 21Kb.

Simon

Can you upload it to mediafire.com for me please?

Mediafire ref.:http://www.mediafire.com/?9nqllezuvqt
Is this OK?

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

AtJob::

Driver::
Hotkey
mailKmd
Wbutton
iadusb
dmiproxy
mmkmd
nbmkmd
Start1Driver

File::
c:\windows\system32\Tg83gUP3.exe
c:\documents and settings\All Users\Application Data\cyqiv.exe
c:\documents and settings\All Users\Application Data\qifuzevaxu.exe
c:\documents and settings\joe\Local Settings\Application Data\pewiwy.vbs
C:\sqmdata18.sqm
C:\sqmnoopt18.sqm
C:\sqmdata17.sqm
C:\sqmnoopt17.sqm
C:\sqmdata16.sqm
C:\sqmnoopt16.sqm
C:\sqmdata15.sqm
C:\sqmnoopt15.sqm
C:\sqmdata14.sqm
C:\sqmnoopt14.sqm
C:\sqmdata13.sqm
C:\sqmnoopt13.sqm
C:\sqmdata12.sqm
C:\sqmnoopt12.sqm
C:\sqmdata11.sqm
C:\sqmnoopt11.sqm
C:\sqmdata10.sqm
C:\sqmnoopt10.sqm
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
c:\windows\system32\lodivime.dll

Folder::
C:\FOUND.030
C:\FOUND.029
C:\FOUND.028
C:\FOUND.027
C:\FOUND.026
C:\FOUND.025
c:\program files\myfbtoolbar

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-8988-34A187E2698B}"=-
[-HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8988-34a187e2698b}]
[-HKEY_CLASSES_ROOT\myfbtoolbar.MYFBTOOLBAR]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CPM2d3d3fd1"=-

FCOPY::
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe | C:\WINDOWS\system32\userinit.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Does the mediafire key give you the info you need?

Simon

That link didn't work, tells me there's nothing there.

Does this one work?

http://www.mediafire.com/?sharekey=508622257817b3f2111096d429abd3608561b5ef663284c35621d66e282a0ee8

ComboFix 09-04-13.A2 - joe 2009-04-14 21:46.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.87 [GMT -7:00]
Running from: c:\documents and settings\joe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\joe\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\All Users\Application Data\cyqiv.exe
c:\documents and settings\All Users\Application Data\qifuzevaxu.exe
c:\documents and settings\joe\Local Settings\Application Data\pewiwy.vbs
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
c:\windows\system32\lodivime.dll
c:\windows\system32\Tg83gUP3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\cyqiv.exe
c:\documents and settings\All Users\Application Data\qifuzevaxu.exe
c:\documents and settings\joe\Local Settings\Application Data\pewiwy.vbs
c:\program files\myfbtoolbar
c:\program files\myfbtoolbar\install.ico
c:\program files\myfbtoolbar\myfbtoolbar.dll
c:\program files\myfbtoolbar\toolbar.ini
c:\program files\myfbtoolbar\uninstall.exe
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMIPROXY
-------\Legacy_MMKMD
-------\Legacy_NBMKMD
-------\Legacy_START1DRIVER
-------\Service_dmiproxy
-------\Service_Hotkey
-------\Service_iadusb
-------\Service_mailKmd
-------\Service_mmkmd
-------\Service_nbmkmd
-------\Service_Start1Driver
-------\Service_Wbutton


((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.025
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.024
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.021
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy (2) of FOUND.020
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy (2) of FOUND.016
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy (2) of FOUND.012
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy (2) of FOUND.009
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.020
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.016
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.012
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.009
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.023
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.019
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.015
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.011
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.007
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.004
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.003
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.000
2009-04-14 03:54 . 2004-08-04 15:56 146432 ----a-w c:\windows\system32\dllcache\regedit.exe
2009-04-14 03:54 . 2004-08-04 15:56 146432 ----a-w c:\windows\regedit.exe
2009-04-14 01:44 . 2009-04-14 01:44 -------- d-----w c:\documents and settings\joe\Application Data\Malwarebytes
2009-04-14 01:44 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 01:44 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 01:44 . 2009-04-14 01:44 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 03:56 . 2009-04-13 04:00 1374 ----a-w c:\windows\imsins.BAK
2009-04-11 00:50 . 2001-08-17 19:48 36128 ------w c:\windows\system32\dllcache\banshee.sys
2009-04-11 00:50 . 2001-08-17 21:56 342336 ------w c:\windows\system32\dllcache\banshee.dll
2009-04-11 00:50 . 2001-08-17 19:13 89952 ------w c:\windows\system32\dllcache\b1cbase.sys
2009-04-11 00:50 . 2001-08-17 19:11 96640 ------w c:\windows\system32\dllcache\b57xp32.sys
2009-04-11 00:50 . 2001-08-17 19:19 36992 ------w c:\windows\system32\dllcache\aztw2320.sys
2009-04-11 00:50 . 2001-08-17 19:13 37568 ------w c:\windows\system32\dllcache\avmwan.sys
2009-04-11 00:50 . 2001-08-18 05:36 144384 ------w c:\windows\system32\dllcache\avmenum.dll
2009-04-11 00:50 . 2001-08-18 05:36 87552 ------w c:\windows\system32\dllcache\avmcoxp.dll
2009-04-11 00:50 . 2004-08-04 06:10 13696 ------w c:\windows\system32\dllcache\avcstrm.sys
2009-04-11 00:50 . 2001-08-17 21:01 36096 ------w c:\windows\system32\dllcache\avcaudio.sys
2009-04-11 00:50 . 2004-08-04 06:10 38912 ------w c:\windows\system32\dllcache\avc.sys
2009-04-11 00:48 . 2001-08-17 20:57 77568 ------w c:\windows\system32\dllcache\ati.sys
2009-04-11 00:48 . 2001-08-17 21:55 96128 ------w c:\windows\system32\dllcache\ati.dll
2009-04-11 00:48 . 2001-08-17 19:12 97354 ------w c:\windows\system32\dllcache\aspndis3.sys
2009-04-11 00:48 . 2001-08-17 20:52 22400 ------w c:\windows\system32\dllcache\asc3350p.sys
2009-04-11 00:48 . 2001-08-17 20:51 14848 ------w c:\windows\system32\dllcache\asc3550.sys
2009-04-11 00:48 . 2001-08-17 20:52 26496 ------w c:\windows\system32\dllcache\asc.sys
2009-04-11 00:48 . 2001-08-17 20:47 6272 ------w c:\windows\system32\dllcache\apmbatt.sys
2009-04-11 00:48 . 2004-08-04 05:31 36224 ------w c:\windows\system32\dllcache\an983.sys
2009-04-11 00:48 . 2001-08-17 20:52 12032 ------w c:\windows\system32\dllcache\amsint.sys
2009-04-11 00:47 . 2001-08-17 19:11 16969 ------w c:\windows\system32\dllcache\amb8002.sys
2009-04-11 00:47 . 2001-08-17 20:51 5248 ------w c:\windows\system32\dllcache\aliide.sys
2009-04-11 00:47 . 2001-08-17 20:49 26624 ------w c:\windows\system32\dllcache\alifir.sys
2009-04-11 00:47 . 2001-08-17 19:11 27678 ------w c:\windows\system32\dllcache\ali5261.sys
2009-04-11 00:47 . 2001-08-17 21:07 56960 ------w c:\windows\system32\dllcache\aic78xx.sys
2009-04-11 00:47 . 2001-08-17 21:07 55168 ------w c:\windows\system32\dllcache\aic78u2.sys
2009-04-11 00:47 . 2001-08-17 20:52 12800 ------w c:\windows\system32\dllcache\aha154x.sys
2009-04-11 00:47 . 2001-08-18 05:37 24576 ------w c:\windows\system32\dllcache\agcgauge.ax
2009-04-11 00:43 . 2001-08-17 21:56 66048 ------w c:\windows\system32\dllcache\s3legacy.dll
2009-04-10 05:05 . 2009-04-10 05:05 335 ------w c:\windows\nsreg.dat
2009-04-10 04:34 . 2009-04-10 04:34 -------- d-----w c:\documents and settings\joe\Application Data\MYFBTOOLBAR
2009-04-09 16:53 . 2009-03-14 13:48 5120 ------w c:\windows\system32\drivers\Start1Driver.SYS
2009-04-08 13:58 . 2009-04-08 13:58 -------- d--h--w C:\$AVG8.VAULT$
2009-04-08 12:33 . 2009-04-08 12:33 10520 ------w c:\windows\system32\avgrsstx.dll
2009-04-08 12:32 . 2009-04-08 12:33 108552 ------w c:\windows\system32\drivers\avgtdix.sys
2009-04-08 12:32 . 2009-04-08 12:32 325640 ------w c:\windows\system32\drivers\avgldx86.sys
2009-04-08 12:32 . 2009-04-08 12:32 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-08 12:31 . 2009-04-08 12:31 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-08 10:49 . 2009-04-08 10:49 -------- d-----w c:\documents and settings\joe\Application Data\GlarySoft
2009-04-07 17:50 . 2009-04-07 17:50 129 ----a-w C:\Shortcut to 3½ Floppy (A).lnk
2009-04-07 13:59 . 2009-04-07 13:59 -------- d-----w c:\documents and settings\joe\Application Data\Auslogics
2009-04-07 13:41 . 2009-04-07 13:41 -------- d-----w c:\documents and settings\joe\Application Data\IObit
2009-04-07 13:04 . 2009-04-07 13:04 1507328 ----a-w C:\ffastunT.ffl
2009-04-07 12:58 . 2009-04-07 12:58 -------- d-----w c:\documents and settings\NetworkService\Application Data\MYFBTOOLBAR
2009-04-07 11:44 . 2009-04-07 11:44 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\MYFBTOOLBAR
2009-04-03 00:30 . 2009-04-03 00:30 30720 ------w c:\windows\winkpst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 04:11 . 2009-04-15 04:11 1024 ---ha-w C:\ntuser.dat.LOG
2009-04-14 01:44 . 2009-04-14 01:44 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 22:17 . 2009-04-13 22:17 -------- d-----w c:\program files\Trend Micro
2009-04-10 04:50 . 2009-04-10 04:50 -------- d-----w c:\program files\McAfee
2009-04-08 17:16 . 2009-04-08 17:16 -------- d-----w c:\program files\ACW
2009-04-08 12:31 . 2009-04-08 12:31 -------- d-----w c:\program files\AVG
2009-04-07 20:51 . 2009-04-07 20:51 -------- d-----w c:\program files\Thomson
2009-04-07 16:06 . 2009-04-07 16:06 -------- d-----w c:\program files\Alwil Software
2009-04-07 15:42 . 2009-04-07 15:42 -------- d-----w c:\pro

Part 2

2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.025
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.024
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.021
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy (2) of FOUND.020
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy (2) of FOUND.016
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy (2) of FOUND.012
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy (2) of FOUND.009
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.020
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.016
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.012
2009-04-14 05:07 . 2009-04-14 05:07 -------- d-sh--w C:\Copy of FOUND.009
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.023
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.019
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.015
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.011
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.007
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.004
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.003
2009-04-14 05:06 . 2009-04-14 05:06 -------- d-sh--w C:\Copy of FOUND.000
2009-04-14 03:54 . 2004-08-04 15:56 146432 ----a-w c:\windows\system32\dllcache\regedit.exe
2009-04-14 03:54 . 2004-08-04 15:56 146432 ----a-w c:\windows\regedit.exe
2009-04-14 01:44 . 2009-04-14 01:44 -------- d-----w c:\documents and settings\joe\Application Data\Malwarebytes
2009-04-14 01:44 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 01:44 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 01:44 . 2009-04-14 01:44 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 03:56 . 2009-04-13 04:00 1374 ----a-w c:\windows\imsins.BAK
2009-04-11 00:50 . 2001-08-17 19:48 36128 ------w c:\windows\system32\dllcache\banshee.sys
2009-04-11 00:50 . 2001-08-17 21:56 342336 ------w c:\windows\system32\dllcache\banshee.dll
2009-04-11 00:50 . 2001-08-17 19:13 89952 ------w c:\windows\system32\dllcache\b1cbase.sys
2009-04-11 00:50 . 2001-08-17 19:11 96640 ------w c:\windows\system32\dllcache\b57xp32.sys
2009-04-11 00:50 . 2001-08-17 19:19 36992 ------w c:\windows\system32\dllcache\aztw2320.sys
2009-04-11 00:50 . 2001-08-17 19:13 37568 ------w c:\windows\system32\dllcache\avmwan.sys
2009-04-11 00:50 . 2001-08-18 05:36 144384 ------w c:\windows\system32\dllcache\avmenum.dll
2009-04-11 00:50 . 2001-08-18 05:36 87552 ------w c:\windows\system32\dllcache\avmcoxp.dll
2009-04-11 00:50 . 2004-08-04 06:10 13696 ------w c:\windows\system32\dllcache\avcstrm.sys
2009-04-11 00:50 . 2001-08-17 21:01 36096 ------w c:\windows\system32\dllcache\avcaudio.sys
2009-04-11 00:50 . 2004-08-04 06:10 38912 ------w c:\windows\system32\dllcache\avc.sys
2009-04-11 00:48 . 2001-08-17 20:57 77568 ------w c:\windows\system32\dllcache\ati.sys
2009-04-11 00:48 . 2001-08-17 21:55 96128 ------w c:\windows\system32\dllcache\ati.dll
2009-04-11 00:48 . 2001-08-17 19:12 97354 ------w c:\windows\system32\dllcache\aspndis3.sys
2009-04-11 00:48 . 2001-08-17 20:52 22400 ------w c:\windows\system32\dllcache\asc3350p.sys
2009-04-11 00:48 . 2001-08-17 20:51 14848 ------w c:\windows\system32\dllcache\asc3550.sys
2009-04-11 00:48 . 2001-08-17 20:52 26496 ------w c:\windows\system32\dllcache\asc.sys
2009-04-11 00:48 . 2001-08-17 20:47 6272 ------w c:\windows\system32\dllcache\apmbatt.sys
2009-04-11 00:48 . 2004-08-04 05:31 36224 ------w c:\windows\system32\dllcache\an983.sys
2009-04-11 00:48 . 2001-08-17 20:52 12032 ------w c:\windows\system32\dllcache\amsint.sys
2009-04-11 00:47 . 2001-08-17 19:11 16969 ------w c:\windows\system32\dllcache\amb8002.sys
2009-04-11 00:47 . 2001-08-17 20:51 5248 ------w c:\windows\system32\dllcache\aliide.sys
2009-04-11 00:47 . 2001-08-17 20:49 26624 ------w c:\windows\system32\dllcache\alifir.sys
2009-04-11 00:47 . 2001-08-17 19:11 27678 ------w c:\windows\system32\dllcache\ali5261.sys
2009-04-11 00:47 . 2001-08-17 21:07 56960 ------w c:\windows\system32\dllcache\aic78xx.sys
2009-04-11 00:47 . 2001-08-17 21:07 55168 ------w c:\windows\system32\dllcache\aic78u2.sys
2009-04-11 00:47 . 2001-08-17 20:52 12800 ------w c:\windows\system32\dllcache\aha154x.sys
2009-04-11 00:47 . 2001-08-18 05:37 24576 ------w c:\windows\system32\dllcache\agcgauge.ax
2009-04-11 00:43 . 2001-08-17 21:56 66048 ------w c:\windows\system32\dllcache\s3legacy.dll
2009-04-10 05:05 . 2009-04-10 05:05 335 ------w c:\windows\nsreg.dat
2009-04-10 04:34 . 2009-04-10 04:34 -------- d-----w c:\documents and settings\joe\Application Data\MYFBTOOLBAR
2009-04-09 16:53 . 2009-03-14 13:48 5120 ------w c:\windows\system32\drivers\Start1Driver.SYS
2009-04-08 13:58 . 2009-04-08 13:58 -------- d--h--w C:\$AVG8.VAULT$
2009-04-08 12:33 . 2009-04-08 12:33 10520 ------w c:\windows\system32\avgrsstx.dll
2009-04-08 12:32 . 2009-04-08 12:33 108552 ------w c:\windows\system32\drivers\avgtdix.sys
2009-04-08 12:32 . 2009-04-08 12:32 325640 ------w c:\windows\system32\drivers\avgldx86.sys
2009-04-08 12:32 . 2009-04-08 12:32 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-08 12:31 . 2009-04-08 12:31 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-08 10:49 . 2009-04-08 10:49 -------- d-----w c:\documents and settings\joe\Application Data\GlarySoft
2009-04-07 17:50 . 2009-04-07 17:50 129 ----a-w C:\Shortcut to 3½ Floppy (A).lnk
2009-04-07 13:59 . 2009-04-07 13:59 -------- d-----w c:\documents and settings\joe\Application Data\Auslogics
2009-04-07 13:41 . 2009-04-07 13:41 -------- d-----w c:\documents and settings\joe\Application Data\IObit
2009-04-07 13:04 . 2009-04-07 13:04 1507328 ----a-w C:\ffastunT.ffl
2009-04-07 12:58 . 2009-04-07 12:58 -------- d-----w c:\documents and settings\NetworkService\Application Data\MYFBTOOLBAR
2009-04-07 11:44 . 2009-04-07 11:44 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\MYFBTOOLBAR
2009-04-03 00:30 . 2009-04-03 00:30 30720 ------w c:\windows\winkpst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 04:11 . 2009-04-15 04:11 1024 ---ha-w C:\ntuser.dat.LOG
2009-04-14 01:44 . 2009-04-14 01:44 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 22:17 . 2009-04-13 22:17 -------- d-----w c:\program files\Trend Micro
2009-04-10 04:50 . 2009-04-10 04:50 -------- d-----w c:\program files\McAfee
2009-04-08 17:16 . 2009-04-08 17:16 -------- d-----w c:\program files\ACW
2009-04-08 12:31 . 2009-04-08 12:31 -------- d-----w c:\program files\AVG
2009-04-07 20:51 . 2009-04-07 20:51 -------- d-----w c:\program files\Thomson
2009-04-07 16:06 . 2009-04-07 16:06 -------- d-----w c:\program files\Alwil Software
2009-04-07 15:42 . 2009-04-07 15:42 -------- d-----w c:\program files\SpeedTouch
2009-04-07 13:59 . 2009-04-07 13:59 -------- d-----w c:\program files\Auslogics
2009-04-07 13:41 . 2009-04-07 13:41 -------- d-----w c:\program files\IObit
2009-04-04 21:51 . 2007-02-25 00:18 4790 ---ha-w C:\ffastun.ffa
2009-04-04 21:51 . 2007-02-25 00:18 569344 ---ha-w C:\ffastun.ffo
2009-04-04 21:51 . 2007-02-25 00:18 1622016 ---ha-w C:\ffastun0.ffx
2009-04-04 21:51 . 2007-02-25 00:16 1507328 ---ha-w C:\ffastun.ffl
2009-04-04 14:28 . 2007-02-06 15:19 268 ---ha-w C:\sqmdata19.sqm
2009-04-04 14:28 . 2007-02-06 15:19 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-05 15:07 . 2009-04-10 18:54 2260480 ----a-w c:\program files\TeaTimer.exe
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 1980-01-01 07:00 1846272 ------w c:\windows\system32\win32k.sys
2008-10-30 19:35 . 2008-10-30 19:35 17918 ----a-w c:\documents and settings\joe\Application Data\wacuvokax.dat
2007-10-11 00:55 . 2004-11-16 19:17 74736 ----a-w c:\documents and settings\joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-26 02:43 . 2007-02-12 08:23 47456 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-06 18:55 . 2003-10-31 02:11 46680 ----a-w c:\documents and settings\joe\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-13_21.15.09.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 1980-01-01 07:00 . 2004-08-04 15:56 24576 c:\windows\system32\userinit.exe
+ 1980-01-01 07:00 . 2004-08-04 15:56 24576 c:\windows\system32\dllcache\userinit.exe
- 2009-04-14 04:02 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-15 04:50 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-15 04:45 . 2005-10-21 03:02 163328 c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2009-04-14 03:56 . 2005-10-21 03:02 163328 c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\joe\Start Menu\Programs\Startup\
Office Startup.lnk.disabled [2007-02-24 644]
Microsoft Find Fast.lnk.disabled [2007-02-24 669]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk.disabled [2007-04-22 1638]
Adobe Reader Speed Launch.lnk.disabled [2008-01-09 1665]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-08 05:33 10520 c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" /startup
"AdwareAlert"=c:\program files\AdwareAlert\AdwareAlert.exe -boot
"McAfee.InstantUpdate.Monitor"="c:\program files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"STManager"="c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LtMoh"=c:\program files\ltmoh\Ltmoh.exe
"LaunchApp"=LaunApp
"IgfxTray"=c:\windows\System32\igfxtray.exe
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"AGRSMMSG"=AGRSMMSG.exe
"REGSHAVE"=c:\program files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
"Imonitor"="c:\program files\McAfee\QuickClean\Plguni.exe" /START

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\FINDFAST.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R3 DCamUSBPremier;USB Video Camera;c:\windows\system32\Drivers\mpixvid.sys [2004-07-01 81921]
R3 USBCamera;DIGITAL CAMERA; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-08 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-08 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;c:\windows\system32\drivers\A310.sys [2002-09-16 32823]

.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 21:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1411836344-1228227115-425876749-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2424)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\AVG\AVG8\AVGNSX.EXE
.
**************************************************************************
.
Completion time: 2009-04-14 21:57 - machine was rebooted [joe]
ComboFix-quarantined-files.txt 2009-04-15 04:57
ComboFix2.txt 2009-04-14 04:17

Pre-Run: 2,367,684,608 bytes free
Post-Run: 2,363,400,192 bytes free

356

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Hi,
Combofix has uninstalled.
Machine is running O.K. (much improved response times) but I still get a pop-up on IE7. However it's not to http://skfjk etc, but to google, which is the default search engine.
I'll let you know if I have any more problems.

Many thanks for your help, I'll make a donation.

Hello.
A few more things need to go then.

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :files
  C:\Copy of FOUND.*
  C:\Copy (2) of FOUND.*
  C:\sqmdata*.sqm
  C:\sqmnoopt*.sqm
  c:\documents and settings\NetworkService\Application Data\MYFBTOOLBAR
  c:\windows\system32\config\systemprofile\Application Data\MYFBTOOLBAR
  
  :reg
  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
  "AdwareAlert"=-
  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
  "UpdatesDisableNotify"=-
  
  
  
• Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

========== FILES ==========
C:\Copy of FOUND.020 moved successfully.
C:\Copy of FOUND.004 moved successfully.
C:\Copy of FOUND.007 moved successfully.
C:\Copy of FOUND.011 moved successfully.
C:\Copy of FOUND.015 moved successfully.
C:\Copy of FOUND.019 moved successfully.
C:\Copy of FOUND.023 moved successfully.
C:\Copy of FOUND.000 moved successfully.
C:\Copy of FOUND.003 moved successfully.
C:\Copy of FOUND.009 moved successfully.
C:\Copy of FOUND.012 moved successfully.
C:\Copy of FOUND.016 moved successfully.
C:\Copy of FOUND.021 moved successfully.
C:\Copy of FOUND.024 moved successfully.
C:\Copy of FOUND.025 moved successfully.
C:\Copy (2) of FOUND.009 moved successfully.
C:\Copy (2) of FOUND.012 moved successfully.
C:\Copy (2) of FOUND.016 moved successfully.
C:\Copy (2) of FOUND.020 moved successfully.
C:\sqmdata19.sqm moved successfully.
C:\sqmnoopt19.sqm moved successfully.
c:\documents and settings\NetworkService\Application Data\MYFBTOOLBAR\NewCfg moved successfully.
c:\documents and settings\NetworkService\Application Data\MYFBTOOLBAR moved successfully.
c:\windows\system32\config\systemprofile\Application Data\MYFBTOOLBAR\NewCfg moved successfully.
c:\windows\system32\config\systemprofile\Application Data\MYFBTOOLBAR moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\AdwareAlert deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\\UpdatesDisableNotify deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04162009_125835

Still having problems now?

I ran Spybot and no pop ups appeared so I guess it's OK.
Regards, and thanks,
Simon.