spybot SD, userinit and twex.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Joseph_spy, Mar 22, 2009.

  1. Joseph_spy

    Joseph_spy Private E-2

    Hi all,
    Spybot keeps flashing this message on the right side of my screen:
    Register change denied
    Identified as: User blacklist
    Resident denied the change of UserInit (category winlogon) based on your blacklist.

    I checked the registry winlogon and it has, in addition to userinit.exe, twex.exe. I tried deleting twex.exe from the registry but it keeps coming back. I tried deleting twex.exe from the hard drive but can't.
    Currently I am following the XP clean-up procedure. I am running SUPERAntiSpyware.
    I've already run CCleaner. I don't know if I am on the correct path?

    Joseph
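The TeaTimer alert above is about the Winlogon "Userinit" registry value, which Windows reads as a comma-separated list of programs to start at logon; a second entry next to the stock userinit.exe is exactly what the poster saw. The script below is an added example written for this thread, not code from the thread, from Spybot or from MajorGeeks. It audits that value and reports any entry other than the expected userinit.exe without changing anything; the restore function writes the stock value only when explicitly asked. It assumes PowerShell 3 or later on a Windows host, and the sample value it runs against is constructed to resemble the symptom described in the post.

```powershell
# Added example (not from the thread): audit the Winlogon Userinit value and
# flag every program listed beside the stock userinit.exe.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-UserinitEntries {
    param([string]$Userinit)
    # Windows ships the value as "<SystemRoot>\system32\userinit.exe," (trailing
    # comma); split on commas and drop quotes, whitespace and empty pieces.
    $Userinit -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -ne '' }
}

function Test-Userinit {
    param(
        # Value to audit; defaults to the live registry value on this machine.
        [string]$Userinit = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit,
        # Lets a sample value from another machine be checked against its own root.
        [string]$SystemRoot = $env:SystemRoot
    )
    $expected = Join-Path $SystemRoot 'system32\userinit.exe'
    $entries  = @(Get-UserinitEntries $Userinit)
    # PowerShell string comparison is case-insensitive, which suits Windows paths.
    $extra = foreach ($path in $entries) {
        if ($path -eq $expected) { continue }
        [pscustomobject]@{
            Entry   = $path
            Exists  = Test-Path -LiteralPath $path
            # XP-style profile path: which account's profile hosts the file.
            Profile = if ($path -match '\\Documents and Settings\\([^\\]+)\\') { $Matches[1] } else { $null }
        }
    }
    [pscustomobject]@{
        Expected = $expected
        Entries  = $entries
        Extra    = @($extra)
        Clean    = (@($extra).Count -eq 0 -and $entries.Count -eq 1)
    }
}

function Restore-Userinit {
    # Writes the stock value back. Without -Apply it only reports what it would do.
    param([switch]$Apply)
    $default = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
    if (-not $Apply) {
        Write-Warning "Would set Userinit to '$default'; re-run with -Apply to write it."
        return $default
    }
    Set-ItemProperty -Path $WinlogonKey -Name Userinit -Value $default
    return $default
}

# Constructed sample resembling the thread's symptom (XP paths, hypothetical file):
$sample = 'C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Guest\Application Data\twex.exe,'
$result = Test-Userinit -Userinit $sample -SystemRoot 'C:\WINDOWS'
$result.Extra | Format-Table -AutoSize
if (-not $result.Clean) { Write-Host "Userinit carries $($result.Extra.Count) unexpected entry(ies)" }

# Live check of this machine (no changes are made):
# Test-Userinit
```

On the constructed sample the report lists the twex.exe entry with its profile name (Guest), which is why an extra entry in this value is worth checking before anything else: it runs for every interactive logon, and a scanner that deletes the file but leaves the value in place will simply see the reference reappear when the dropper restores it.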
     
  2. SUPERAntiSpy

    SUPERAntiSpy Private E-2

    We have a new version of SUPERAntiSpyware located at the link below that should resolve this problem for you:
    http://www.superantispyware.com/prerelease.html

    Please try the Free Edition and let us know if that resolves the issue for you!
     
  3. Joseph_spy

    Joseph_spy Private E-2

    Yep, as soon as I ran SUPERAntiSpyware it looks like it killed the problem.
    But just in case I went through the whole set of steps outlined in the cleaning procedures for Win XP.

    Can someone tell me if I am clean now?
    Attached are the log files.

    Joseph
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean, however you need to use add/remove programs and uninstall:
    Java 2 Runtime Environment, SE v1.4.2_03

    Then reboot and download and install:
    Java Runtime 6.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  5. Joseph_spy

    Joseph_spy Private E-2

    Okay experts,
    I thought I was clear and free. I just realized that when I do a search and when I click on the resulting search it redirects me to a different website. I do the same exact thing on my laptop, which is clean, it takes me to the correct website.

    I've rescanned my PC and here are the attached logs. I am still having problems.

    NOTE: I couldn't turn off my McAfee antivirus even when following the instructions. ComboFix still complained it was on, but I ran ComboFix anyway.

    thanks in advance.

    Joseph
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you are re-infected.

    Please Disable Spybot's TeaTimer

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Now use add/remove programs to uninstall:
    Java 2 Runtime Environment, SE v1.4.2_03

    Please go to start / run / type msconfig and set it to normal startup!

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\uactmp.db
    c:\windows\system32\UACbpsbkeex.db
    c:\windows\system32\stus.exe 
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download and install:
    Java Runtime 6.

    Now download the latest version of MGTools and let it overwrite your existing file. Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file and the ComboFix log.
     
    Last edited: Apr 15, 2009
  7. Joseph_spy

    Joseph_spy Private E-2

    TimW,
    How long is ComboFix supposed to take? I did drag the file to ComboFix and all I get is a blue blank screen that popped up with the cursor blinking in the upper left corner. I let it run overnight and it is still the same. Nothing seems to be happening?

    Joseph
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use Task Manager to stop it. Then use Windows Explorer to find and delete those files. Then try running ComboFix again.
     
  9. Joseph_spy

    Joseph_spy Private E-2

    TimW,
    I ran combofix again and it started working.

    Attached are the log files.

    Let me know what you see.

    thanks,
    Joseph
     


  10. Joseph_spy

    Joseph_spy Private E-2

    TimW,
    Just an FYI, I am still having the same experience: when doing a search I click on the search result and it takes me to a different website.

    thanks in advance,
    Joseph
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to disable the guest account:
    c:\documents and settings\Guest\Application Data\twex.exe --> and remove this!

    Now let's do this: Using Google Redirects.
     
  12. Joseph_spy

    Joseph_spy Private E-2

    TimW,
    I did remove twex.exe as you mentioned above.
    However, my redirects are with IE and not with google.

    thanks,
    Joseph
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am just not seeing any obvious problem. But do this:

    Use windows explorer to find and rename :
    C:\dirref.ini
    C:\WINDOWS\system32\B934D7D2FA.sys

    Just add a .old to them.

    Tell me what happens with IE ( and you have both versions 7 and 8...I am assuming it is version 8)

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\MGlogs.zip
     
    Last edited: Apr 27, 2009
  14. Joseph_spy

    Joseph_spy Private E-2

    TimW,
    I renamed both files to dirref.ini.old and B934D7D2Fa.sys.old.
    I am running IE version 7. I am still having redirect problems.

    Attached is the zipfile
     


  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run the below as Tim requested a number of messages ago. It does not matter which browser you are using. Run the below procedure.

    Using Google Redirects


    Note to TimW: You should check out the below I saw in one of the ComboFix logs:

    R1 v_gvmi;v_gvmi;c:\program files\Common Files\System\v_gvmi32.dll [2009-03-20 30720]
     
  17. Joseph_spy

    Joseph_spy Private E-2


    Tim,
    I ran both ATF Cleaner and BitDefender. BitDefender found several trojans. Attached is the log file. Note I am still having IE redirection problems.


    Joseph
     


  18. Joseph_spy

    Joseph_spy Private E-2

    Tim or chaslang,
    I ran "Google Redirects" and don't know if this is expected, but as soon as I closed the txt file when running option 1, the program also closed. I ran it again with option 2 and closed the txt file and the program closed. If that is expected then here is the log file.

    Note: still having IE redirection problems.

     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BitDefender only had detections of things that were already removed with ComboFix and a false detection of SmitFraudFix.


    Let's get current scans from SUPERAntiSpyware and Malwarebytes since your last scans used out of date versions of the programs.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp
    C:\Documents and Settings\Joseph\Local Settings\temp

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below logs:
    • the new SUPERAntiSpyware log
    • the new Malwarebytes log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!


    Also tell me if the below file exists:
    c:\program files\Common Files\System\v_gvmi32.dll
     
    Last edited: May 3, 2009
  20. Joseph_spy

    Joseph_spy Private E-2

    Chaslang,
    I am still having redirection problems. Attached are the files you requested.
    Currently the file, c:\program files\Common Files\System\v_gvmi32.dll, doesn't exist.
    What could be wrong?

    Thanks in advance,
    joseph
     


    Last edited by a moderator: May 9, 2009
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now download this FindOVL.zip file to your C:\MGtools folder. Then extract the FindOVL.bat file from this ZIP into that same C:\MGtools folder. You must extract the file from the ZIP. DO NOT try to run the batch file from inside of the ZIP file. Now double click on the FindOVL.bat file to run this batch file script. This will search your hard disk for copies of a file named overlay.xul. It will create a report.txt log and automatically add it to the C:\MGlogs.zip file. It could take quite a while to scan your whole hard disk, or it could be fast if you don't have too many files and folders.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!


     
    Last edited: May 9, 2009
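The FindOVL.bat step above is described but its contents are not shown in the thread. The script below is an added example, not the MajorGeeks batch file, that does the same job in PowerShell: walk a drive for every copy of a named file, write a report.txt with each hit's path, size and timestamp, and add that report to an existing ZIP. It assumes PowerShell 5 or later (for Compress-Archive); the file name and the C:\MGtools and C:\MGlogs.zip paths are the ones the post names, and the demo at the end builds a throw-away folder tree so the function can be tried without touching the real drive.

```powershell
# Added example (not FindOVL.bat from the thread): locate every copy of a file
# name on a drive, write a report, and fold the report into an existing ZIP.
function Find-FileCopies {
    param(
        [string]$Name       = 'overlay.xul',          # file name the post asks about
        [string]$Root       = 'C:\',                  # drive or folder to walk
        [string]$ReportPath = 'C:\MGtools\report.txt',
        [string]$ZipPath    = 'C:\MGlogs.zip'
    )
    # -Force includes hidden and system files; folders we cannot read are skipped
    # silently instead of aborting the whole walk.
    $hits = @(Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue)

    $lines = @(
        "Search for '$Name' under $Root on $(Get-Date -Format s)",
        "Found: $($hits.Count)"
    )
    foreach ($f in $hits) {
        # overlay.xul is also a normal file inside Firefox extensions, so the report
        # records where each copy lives and lets the reviewer judge each location.
        $lines += '{0} | {1} bytes | modified {2:s}' -f $f.FullName, $f.Length, $f.LastWriteTime
    }
    $lines | Set-Content -LiteralPath $ReportPath -Encoding ASCII

    # Add (or refresh) report.txt inside the log bundle; create the bundle if absent.
    if (Test-Path -LiteralPath $ZipPath) {
        Compress-Archive -LiteralPath $ReportPath -DestinationPath $ZipPath -Update
    } else {
        Compress-Archive -LiteralPath $ReportPath -DestinationPath $ZipPath
    }
    return $hits
}

# Constructed demo tree in %TEMP% so the function can be exercised safely.
$demo = Join-Path $env:TEMP 'findovl-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'a\b') -Force | Out-Null
'<overlay/>' | Set-Content -LiteralPath (Join-Path $demo 'a\overlay.xul')
'<overlay/>' | Set-Content -LiteralPath (Join-Path $demo 'a\b\overlay.xul')
$found = Find-FileCopies -Root $demo -ReportPath (Join-Path $demo 'report.txt') -ZipPath (Join-Path $demo 'logs.zip')
$found.FullName          # two paths from the demo tree
Get-Content -LiteralPath (Join-Path $demo 'report.txt')

# The real run the post describes, with the defaults:
# Find-FileCopies
```

The function returns the file objects as well as writing the report, so the same call can feed a further check (for instance comparing each hit's folder against the installed Firefox extension directories) instead of only producing a text log.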
  22. Joseph_spy

    Joseph_spy Private E-2

    Chaslang,
    Attached are the files you requested.
    It looks like my PC is running FINE now!? What did I have or what was the scan that fixed it?

    thanks,
    Joseph
    PS Thanks TimW for your help also.
     


    Last edited by a moderator: May 13, 2009
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If it is fixed now then the driver and file removed with the last ComboFix procedure resolved it. I had my suspicions about this which was why I mentioned it in the note to Tim back in msg # 16.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
