I have studied this infection quite a bit over the last few weeks, and I am going to include some files that weren't shown in your log; if they are there, please let me know, as we will have additional steps to remove them.
You might want to copy and paste these instructions into a Notepad file and save it to your desktop. Then you can have the file open in Safe Mode, so you can follow the instructions more easily.
Boot into Safe Mode
- Restart your computer and start pressing the F8 key on your keyboard.
- Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Run HijackThis and select Do A System Scan Only
Put a check mark next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\David\AppData\Local\Temp\efcCuSmj.dll,#1
O4 - HKCU\..\Run: [fdyvqvum] C:\ProgramData\fdyvqvum\sdolidmh.exe
O4 - HKCU\..\Run: [PfJnvj0FDZ] C:\ProgramData\gdsvyjyp\kzmfgder.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\David\AppData\Local\Temp\pmnoNdcb.dll,c
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUpldes-es.cab
Select Fix Checked
Close HijackThis
Show hidden files through Windows Explorer
- Open Windows Explorer by clicking Start, pointing to All Programs, Accessories, and then clicking Windows Explorer. Or hold the Windows key and press E.
- On the Tools menu in Windows Explorer, click Folder Options.
- Click the View tab.
- Under Hidden files and folders, click Show hidden files and folders, and uncheck Hide protected operating system files.
Use Windows Explorer to navigate to and delete the following folders and files:
Folders:
C:\Users\All Users\gdsvyjyp <- This folder
C:\Users\All Users\fdyvqvum <- This folder
C:\ProgramData\fdyvqvum <- This folder
C:\ProgramData\gdsvyjyp <- This folder
Files:
C:\Users\David\Desktop\FWebdEditor.exe <- This file
C:\Users\David\Desktop\fwebd.exe <- This file
C:\Users\David\Desktop\filemanagerclient.exe <- This file
C:\Users\David\AppData\Local\Temp\pmnoNdcb.dll <- This file
C:\Users\David\AppData\Local\Temp\efcCuSmj.dll <- This file
Also look for the following, which weren't shown in your log; delete them if they are there (and also let me know if they are there):
C:\Documents and Settings\David\Desktop\blackbird.jpg
C:\Documents and Settings\David\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\David\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\David\Desktop\filemanagerclient.exe
C:\Documents and Settings\David\Desktop\fkwp1.5.exe
C:\Documents and Settings\David\Desktop\fkwp2.0.exe
C:\Documents and Settings\David\Desktop\fwebd.exe
C:\Documents and Settings\David\Desktop\FWebdEditor.exe
C:\Documents and Settings\David\Desktop\Trojan.Win32.BlackBird.exe
Restart your computer into normal mode
Run a new scan with HijackThis and attach the log
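The manual steps above (fix the R1/O2/O4/O16 entries, then delete the dropped folders and files) as one script, added here as an example and not part of the original post or of HijackThis itself. It touches only the registry values, CLSIDs and paths named in the log and in the "also look for" list. Assumptions that are mine rather than the post's: the profile name is David (override with -UserName), BHOs live under the standard HKLM "Browser Helper Objects" key (and Wow6432Node on 64-bit), O16 Downloaded Program Files entries live under HKLM "Code Store Database\Distribution Units", and the script is run from an elevated PowerShell prompt in Safe Mode. Run it with -WhatIf first to get a report of what would be removed without changing anything.

```powershell
<#
Added example, not from the original post. Removes the persistence entries,
folders and files listed in the HijackThis log above. Both the Vista layout
(C:\Users, C:\ProgramData) and the XP layout (C:\Documents and Settings) are
checked, so the script works whichever one the machine has.
Usage:  .\cleanup.ps1 -WhatIf          (report only)
        .\cleanup.ps1                  (remove)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$UserName = 'David')   # assumption: profile name taken from the log

# R1: IE search settings (HKCU). Removing the values restores IE's built-in defaults.
$ieValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Search Bar'  },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Search Page' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'; Name = '(default)'   }
)

# O4: HKCU Run values that relaunch the dropped DLLs/EXEs at every logon.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = 'MSServer', 'fdyvqvum', 'PfJnvj0FDZ', 'cmds'

# O2: BHO with no file behind it. Assumed locations: HKLM, plus Wow6432Node on x64.
$bhoClsid = '{7E853D72-626A-48EC-A868-BA8D5E23E045}'
$keysToRemove = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
)

# O16: Downloaded Program Files (ActiveX) entries. Assumed location: Code Store Database.
foreach ($clsid in '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}',
                   '{49232000-16E4-426C-A231-62846947304B}',
                   '{4F1E5B1A-2A80-42CA-8532-2D05CB959537}') {
    $keysToRemove += "HKLM:\Software\Microsoft\Code Store Database\Distribution Units\$clsid"
}

# Folders and files from the post. On Vista, C:\Users\All Users is a junction to
# C:\ProgramData, so the second pair simply disappears once the first is deleted.
$vistaProfile = "C:\Users\$UserName"
$xpProfile    = "C:\Documents and Settings\$UserName"
$folders = 'C:\ProgramData\fdyvqvum', 'C:\ProgramData\gdsvyjyp',
           'C:\Users\All Users\fdyvqvum', 'C:\Users\All Users\gdsvyjyp'
$desktopFiles = 'FWebdEditor.exe', 'fwebd.exe', 'filemanagerclient.exe', 'blackbird.jpg',
                'EditorFKWP1.5.exe', 'EditorFKWP2.0.exe', 'fkwp1.5.exe', 'fkwp2.0.exe',
                'Trojan.Win32.BlackBird.exe'
$files = @("$vistaProfile\AppData\Local\Temp\pmnoNdcb.dll",
           "$vistaProfile\AppData\Local\Temp\efcCuSmj.dll")
foreach ($profile in $vistaProfile, $xpProfile) {
    foreach ($name in $desktopFiles) { $files += "$profile\Desktop\$name" }
}

function Remove-RegValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $existing = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) { Write-Verbose "absent: $Path\$Name"; return }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Remove registry value')) {
        Remove-ItemProperty -LiteralPath $Path -Name $Name -Force
        Write-Host "removed value   $Path\$Name"
    }
}

function Remove-PathIfPresent {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Target, [string]$Kind)
    if (-not (Test-Path -LiteralPath $Target)) { Write-Verbose "absent: $Target"; return }
    # A hit on a file from the "also look for" list is worth reporting back to the thread.
    Write-Host "FOUND $Kind   $Target"
    if ($PSCmdlet.ShouldProcess($Target, "Remove $Kind")) {
        Remove-ItemProperty -ErrorAction SilentlyContinue -LiteralPath $Target -Name '' 2>$null
        Remove-Item -LiteralPath $Target -Recurse -Force
        Write-Host "removed $Kind   $Target"
    }
}

foreach ($v in $ieValues)  { Remove-RegValue -Path $v.Path -Name $v.Name }
foreach ($n in $runValues) { Remove-RegValue -Path $runKey -Name $n }
foreach ($k in $keysToRemove) { Remove-PathIfPresent -Target $k -Kind 'key' }
foreach ($d in $folders)   { Remove-PathIfPresent -Target $d -Kind 'folder' }
foreach ($f in $files)     { Remove-PathIfPresent -Target $f -Kind 'file' }

Write-Host 'Done. Reboot into normal mode and run a fresh HijackThis scan to confirm.'
```

Run it after booting to Safe Mode, as the post instructs, because the Run entries above load the two Temp DLLs into rundll32.exe at logon and a loaded DLL cannot be deleted. -WhatIf is honoured by both helper functions through the script's own [CmdletBinding], so the report-only pass is exactly the same code path as the destructive one, minus the Remove-* calls.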