Solved Google redirect virus?

Status
Not open for further replies.
L

lozzapara

Posts: 8   +0
I'm wondering if anyone can help. Lately when using Google it has been redirecting to other sites and opening web pages that i have not searched for. I have followed the 8 steps to virus and malware removal and the logs are attached below:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5233

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

02/12/2010 17:13:38
mbam-log-2010-12-02 (17-13-38).txt

Scan type: Quick scan
Objects scanned: 129036
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-02 17:17:59
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_MP0402H rev.YQ200-05
Running: kb0p733g.exe; Driver: C:\DOCUME~1\LAURA\LOCALS~1\Temp\uwncrfog.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 78242720 (+255): rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82F2A292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 82F2A292

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskSAMSUNG_MP0402H_________________________YQ200-05#30535733334a4c30353235373038202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

DDS (Ver_10-11-27.01) - NTFSx86
Run by LAURA at 17:22:42.79 on 02/12/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.758.379 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\LAURA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\laura\startm~1\programs\startup\BBCIPL~1.LNK -
StartupFolder: c:\docume~1\laura\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: neashomeaccess.co.uk\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laura\applic~1\mozilla\firefox\profiles\uz25bahy.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\laura\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla plugins\npitunes.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-8-21 40464]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-21 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-21 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-21 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-6 308136]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]

=============== Created Last 30 ================

2010-11-30 12:28:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 12:28:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-30 12:28:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-25 17:08:26 15256 ----a-w- c:\docume~1\laura\applic~1\microsoft\identitycrl\production\ppcrlconfig.dll
2010-11-19 12:30:06 -------- d-----w- c:\windows\system32\appmgmt
2010-11-16 14:36:08 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-16 14:36:08 -------- d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-09-18 11:01:50 18863384 ----a-w- c:\program files\LimeWireWin.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_MP0402H rev.YQ200-05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F2A446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f30504]; MOV EAX, [0x82f30580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\Harddisk0\DR0[0x82F6BAB8]
3 CLASSPNP[0xF757D05B] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\00000070[0x82F839E8]
5 ACPI[0xF7413620] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> [0x82F39940]
\Driver\atapi[0x82F6B1D0] -> IRP_MJ_CREATE -> 0x82F2A446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskSAMSUNG_MP0402H_________________________YQ200-05#30535733334a4c30353235373038202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F2A292
user != kernel MBR !!!
sectors 78242974 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 17:23:35.67 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 06/07/2010 16:31:46
System Uptime: 12/02/2010 17:02:29 (7032 hours ago)

Motherboard: Acer | | Garda-910
Processor: Intel(R) Celeron(R) M processor 1.50GHz | U1 | 1496/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 16 GiB total, 10.81 GiB free.
D: is FIXED (FAT32) - 18 GiB total, 11.656 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 802.11g Network Adapter
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_03121468&REV_02\4&AD1B67F&0&28F0
Manufacturer: Broadcom
Name: Broadcom 802.11g Network Adapter
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_03121468&REV_02\4&AD1B67F&0&28F0
Service: BCM43XX

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Client Installation Program
AVG 2011
AVG Free 9.0
BBC iPlayer Desktop
Bonjour
CTA Law and Ethics
DeepBurner v1.9.0.228
Facebook Plug-In
Foxit Reader
i-assess runtime utilities Version 3
Intel(R) Graphics Media Accelerator Driver for Mobile
iTunes
Java Auto Updater
Java(TM) 6 Update 14
Java(TM) 6 Update 20
LimeWire 5.5.7
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2000 Premium
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.12)
MSVCRT
Paragon Drive Backup™ 9.0 Express
QuickTime
Realtek AC'97 Audio
Security Update for Windows XP (KB923789)
Segoe UI
SoftV90 Data Fax Modem with SmartCP
Spybot - Search & Destroy
Spybot - Search & Destroy 1.3
WebFldrs XP
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Upload Tool

==== Event Viewer Messages From Past Week ========

30/11/2010 11:58:16, error: Service Control Manager [7001] - The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service which failed to start because of the following error: The system cannot find the path specified.
30/11/2010 11:58:16, error: Service Control Manager [7000] - The AVG8 WatchDog service failed to start due to the following error: The system cannot find the path specified.
29/11/2010 13:23:37, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
26/11/2010 17:20:21, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
02/12/2010 17:00:17, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
02/12/2010 17:00:16, error: Service Control Manager [7034] - The Atheros Configuration Service service terminated unexpectedly. It has done this 1 time(s).
02/12/2010 17:00:16, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================
 
Okay, you have a Rootkit malware infection. Please start with this program:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
=========================================
Please follow with Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I''ll check the current logs while you're running the other programs.
 
Thanks for your quick response. I ran both programmes and here is the log for the ESET scan:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=05a6e1e89323a841bc0727685c2de5ca
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-02 08:57:00
# local_time=2010-12-02 08:57:00 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 11843471 11843471 0 0
# compatibility_mode=1797 16775141 100 93 4193 27851353 2478 0
# compatibility_mode=8192 67108863 100 0 3903 3903 0 0
# scanned=38747
# found=0
# cleaned=0
# scan_time=1416
 
Good. the Eset scan is clean. Please give me the TDSSKiller log.

You have 2 versions of AVG running: AVG Free 9.0 & AVG 2011 You should remove the older version. And you will need to temporarily uninstall the version you're keeping in order to run this program:
Here is a tool to help: AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.

It's best to save the Tool to your desktop, then go into Safe Mode to run it.

Download Combofix to your desktop from one of these locations:
Link 1
Link 2
  • Double click combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image
    RcAuto1.gif

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    Click to expand...
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Please take LimeWire off of Startup. Then either uninstall it (recommended) or disable it while I'm helping you.

P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
  • Malware writers use these program to include malicious content.
  • Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

Please remove these outdated versions of Java: Java(TM) 6 Update 14 & Java(TM) 6 Update 20 in Add/Remove Programs.
Update to current v6u22: Java Updates
 
i've been having problems uninstalling AVG 9 but it seems to have worked with the removal tool, thanks. I've also uninstalled limewire as i never use it anyway and the outdated java. Here's the combofix and the TDSSkiller log:

ComboFix 10-12-02.01 - LAURA 02/12/2010 23:08:13.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.758.546 [GMT 0:00]
Running from: c:\documents and settings\LAURA\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LAURA\Application Data\completescan
c:\documents and settings\LAURA\Application Data\install
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
.

2010-12-02 22:01 . 2010-12-02 22:01 -------- d-----w- c:\documents and settings\LAURA\Application Data\AVG10
2010-12-02 21:58 . 2010-12-02 21:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-02 21:56 . 2010-12-02 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-02 21:50 . 2010-12-02 21:50 4502408 ----a-w- c:\program files\avg_free_stb_all_2011_1170_cnet.exe
2010-12-02 21:29 . 2010-12-02 21:42 -------- d-----w- c:\program files\VS Revo Group
2010-11-30 12:28 . 2010-12-02 21:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-29 20:15 . 2010-11-29 20:15 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-11-26 20:46 . 2010-11-26 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-11-16 14:36 . 2010-11-16 14:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-16 14:29 . 2010-11-16 14:31 -------- d-s---w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 01:10 . 2010-09-24 01:10 573736 ----a-w- c:\program files\iTunesPhotoProcessor.exe
2010-09-24 01:10 . 2010-09-24 01:10 294688 ----a-w- c:\program files\iTunesOutlookAddIn.dll
2010-09-24 01:10 . 2010-09-24 01:10 124200 ----a-w- c:\program files\iTunesMiniPlayer.dll
2010-09-24 01:10 . 2010-09-24 01:10 421160 ----a-w- c:\program files\iTunesHelper.exe
2010-09-24 01:10 . 2010-09-24 01:10 387368 ----a-w- c:\program files\iTunesAdmin.dll
2010-09-24 01:10 . 2010-09-24 01:10 173344 ----a-w- c:\program files\iTunesHelper.dll
2010-09-24 01:10 . 2010-09-24 01:10 9777448 ----a-w- c:\program files\iTunes.exe
2010-09-24 01:10 . 2010-09-24 01:10 726304 ----a-w- c:\program files\gnsdk_sdkmanager.dll
2010-09-24 01:10 . 2010-09-24 01:10 648992 ----a-w- c:\program files\iPodUpdaterExt.dll
2010-09-24 01:10 . 2010-09-24 01:10 259360 ----a-w- c:\program files\gnsdk_submit.dll
2010-09-24 01:10 . 2010-09-24 01:10 197920 ----a-w- c:\program files\gnsdk_musicid.dll
2010-09-24 01:10 . 2010-09-24 01:10 18710816 ----a-w- c:\program files\iTunes.dll
2010-09-24 01:10 . 2010-09-24 01:10 111912 ----a-w- c:\program files\ITDetector.ocx
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-09-18 11:01 . 2009-09-18 11:01 18863384 ----a-w- c:\program files\LimeWireWin.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-07-21_09.53.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-12-02 23:03 . 2010-12-02 23:03 16384 c:\windows\Temp\Perflib_Perfdata_5bc.dat
- 2001-08-23 14:00 . 2010-07-21 09:45 40394 c:\windows\system32\perfc009.dat
+ 2001-08-23 14:00 . 2010-11-26 18:34 40394 c:\windows\system32\perfc009.dat
+ 2010-10-04 15:45 . 2010-04-19 19:47 41984 c:\windows\system32\DRVSTORE\usbaapl_5BE1FFC476B2D9925B428CF102B47444B9A16508\usbaapl.sys
+ 2009-08-22 11:38 . 2010-04-19 19:47 41984 c:\windows\system32\drivers\usbaapl.sys
+ 2010-07-27 17:44 . 2010-07-27 17:44 91424 c:\windows\system32\dnssd.dll
- 2010-05-18 15:35 . 2010-05-18 15:35 91424 c:\windows\system32\dnssd.dll
- 2009-08-21 14:11 . 2010-07-06 15:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-08-21 14:11 . 2010-11-24 11:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-08-21 14:11 . 2010-11-24 11:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-08-21 14:11 . 2010-07-06 15:33 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-08-10 21:34 . 2010-08-10 21:34 21504 c:\windows\Installer\27d6d22.msi
+ 2010-08-10 21:34 . 2010-08-10 21:34 28160 c:\windows\Installer\27d6d1c.msi
+ 2009-07-11 23:02 . 2009-07-11 23:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2010-03-26 10:56 . 2010-11-16 14:37 274928 c:\windows\system32\Restore\rstrlog.dat
+ 2001-08-23 14:00 . 2010-11-26 18:34 312172 c:\windows\system32\perfh009.dat
- 2001-08-23 14:00 . 2010-07-21 09:45 312172 c:\windows\system32\perfh009.dat
+ 2010-11-17 09:57 . 2010-11-17 09:57 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_Plugin.exe
- 2010-04-18 10:32 . 2010-04-12 16:29 153376 c:\windows\system32\javaws.exe
+ 2010-10-04 09:58 . 2010-04-12 16:29 153376 c:\windows\system32\javaws.exe
+ 2010-10-04 09:58 . 2010-04-12 16:29 145184 c:\windows\system32\javaw.exe
- 2010-04-18 10:32 . 2010-04-12 16:29 145184 c:\windows\system32\javaw.exe
+ 2010-10-04 09:58 . 2010-04-12 16:29 145184 c:\windows\system32\java.exe
- 2010-04-18 10:32 . 2010-04-12 16:29 145184 c:\windows\system32\java.exe
+ 2010-07-27 17:44 . 2010-07-27 17:44 107808 c:\windows\system32\dns-sd.exe
- 2010-05-18 15:35 . 2010-05-18 15:35 107808 c:\windows\system32\dns-sd.exe
+ 2010-10-28 10:14 . 2010-10-28 10:14 219648 c:\windows\Installer\92b074e.msi
+ 2010-10-04 09:58 . 2010-10-04 09:58 537088 c:\windows\Installer\3a34d.msi
+ 2010-10-04 15:44 . 2010-10-04 15:44 807936 c:\windows\Installer\13edc7e.msi
+ 2010-10-04 15:52 . 2010-10-04 15:52 380928 c:\windows\Installer\{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}\iTunesIco.exe
+ 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2009-08-22 11:38 . 2010-04-19 19:47 3062048 c:\windows\system32\usbaaplrc.dll
+ 2009-07-18 03:21 . 2010-11-17 09:57 5971408 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2010-10-04 15:45 . 2010-04-19 19:47 3062048 c:\windows\system32\DRVSTORE\usbaapl_5BE1FFC476B2D9925B428CF102B47444B9A16508\usbaaplrc.dll
+ 2010-12-02 21:58 . 2010-12-02 21:58 3065856 c:\windows\Installer\2b2e2.msi
+ 2010-12-02 21:56 . 2010-12-02 21:56 1548288 c:\windows\Installer\2b2de.msi
+ 2010-10-04 15:52 . 2010-10-04 15:52 6333440 c:\windows\Installer\13ee7a9.msi
+ 2010-10-04 15:47 . 2010-10-04 15:47 9472000 c:\windows\Installer\13ee018.msi
+ 2010-10-04 15:45 . 2010-10-04 15:45 3084800 c:\windows\Installer\13edd2e.msi
+ 2010-10-04 15:45 . 2010-10-04 15:45 1984000 c:\windows\Installer\13edca7.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverUpdaterPro"="c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe" [BU]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="c:\program files\Atheros\ACU.exe" [2005-01-31 253952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes.exe"=

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [21/08/2009 16:31 40464]
.
Contents of the 'Scheduled Tasks' folder

2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-12-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-26 22:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: neashomeaccess.co.uk\www
FF - ProfilePath - c:\documents and settings\LAURA\Application Data\Mozilla\Firefox\Profiles\uz25bahy.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\LAURA\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Plugins\npitunes.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-02 23:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-12-02 23:13:39
ComboFix-quarantined-files.txt 2010-12-02 23:13

Pre-Run: 11,229,405,184 bytes free
Post-Run: 11,392,487,424 bytes free

- - End Of File - - 8535CDECACC7080F17287171AAAE7627

2010/12/02 20:20:45.0281 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/02 20:20:45.0281 ================================================================================
2010/12/02 20:20:45.0281 SystemInfo:
2010/12/02 20:20:45.0281
2010/12/02 20:20:45.0281 OS Version: 5.1.2600 ServicePack: 2.0
2010/12/02 20:20:45.0281 Product type: Workstation
2010/12/02 20:20:45.0281 ComputerName: LAURA-A46C1CB7E
2010/12/02 20:20:45.0281 UserName: LAURA
2010/12/02 20:20:45.0281 Windows directory: C:\WINDOWS
2010/12/02 20:20:45.0281 System windows directory: C:\WINDOWS
2010/12/02 20:20:45.0281 Processor architecture: Intel x86
2010/12/02 20:20:45.0281 Number of processors: 1
2010/12/02 20:20:45.0281 Page size: 0x1000
2010/12/02 20:20:45.0281 Boot type: Normal boot
2010/12/02 20:20:45.0281 ================================================================================
2010/12/02 20:20:45.0609 Initialize success
2010/12/02 20:20:55.0812 ================================================================================
2010/12/02 20:20:55.0812 Scan started
2010/12/02 20:20:55.0812 Mode: Manual;
2010/12/02 20:20:55.0812 ================================================================================
2010/12/02 20:20:57.0125 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/02 20:20:57.0250 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/12/02 20:20:57.0421 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/12/02 20:20:57.0562 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/12/02 20:20:57.0671 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2010/12/02 20:20:58.0015 ALCXWDM (95aa37bec6c72c277c2caeaee736dd2d) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/12/02 20:20:58.0437 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/02 20:20:58.0531 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/02 20:20:58.0578 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/02 20:20:58.0687 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/02 20:20:58.0968 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/12/02 20:20:59.0093 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/12/02 20:20:59.0234 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/12/02 20:20:59.0421 BCM43XX (38ca1443660d0f5f06887c6a2e692aeb) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/12/02 20:20:59.0562 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/02 20:20:59.0781 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/02 20:20:59.0890 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/02 20:20:59.0968 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/02 20:21:00.0046 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/02 20:21:00.0156 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/02 20:21:00.0250 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/12/02 20:21:00.0437 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/02 20:21:00.0562 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/02 20:21:00.0718 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
2010/12/02 20:21:00.0781 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/02 20:21:00.0875 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/02 20:21:00.0984 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/02 20:21:01.0109 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/02 20:21:01.0218 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/02 20:21:01.0312 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/02 20:21:01.0421 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/02 20:21:01.0500 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/02 20:21:01.0562 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/02 20:21:01.0640 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/02 20:21:01.0718 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/12/02 20:21:01.0781 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/02 20:21:01.0875 hotcore3 (3eca343d21e8639ce448c0af4e119d17) C:\WINDOWS\system32\DRIVERS\hotcore3.sys
2010/12/02 20:21:01.0984 HSFHWICH (a4877a17e87d6e6ab959b36b9ef3de8a) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
2010/12/02 20:21:02.0093 HSF_DP (dfa8f86c0dbca7db948043aa3be6793b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/12/02 20:21:02.0281 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/02 20:21:02.0421 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/02 20:21:02.0562 ialm (afa7c99d211a2aff21a287bc4264cde6) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/12/02 20:21:02.0687 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/02 20:21:02.0812 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/02 20:21:02.0875 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/02 20:21:02.0968 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/02 20:21:03.0031 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/02 20:21:03.0109 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/02 20:21:03.0171 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/02 20:21:03.0281 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/02 20:21:03.0343 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/02 20:21:03.0453 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/02 20:21:03.0546 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/02 20:21:03.0640 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/02 20:21:03.0671 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/02 20:21:03.0781 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/02 20:21:03.0890 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/02 20:21:03.0968 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/02 20:21:04.0015 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/02 20:21:04.0078 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/02 20:21:04.0171 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/02 20:21:04.0265 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/02 20:21:04.0421 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/02 20:21:04.0546 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/02 20:21:04.0625 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/02 20:21:04.0703 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/02 20:21:04.0796 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/02 20:21:04.0843 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/02 20:21:04.0937 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/02 20:21:05.0015 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/02 20:21:05.0109 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/02 20:21:05.0187 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/02 20:21:05.0250 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/02 20:21:05.0312 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/02 20:21:05.0359 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/02 20:21:05.0484 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/02 20:21:05.0593 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/02 20:21:05.0718 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/02 20:21:05.0796 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/02 20:21:05.0843 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/02 20:21:05.0921 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2010/12/02 20:21:05.0968 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/02 20:21:06.0046 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/02 20:21:06.0125 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/02 20:21:06.0218 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/02 20:21:06.0250 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/12/02 20:21:06.0531 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/02 20:21:06.0578 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/02 20:21:06.0671 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/02 20:21:06.0890 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/02 20:21:06.0968 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/02 20:21:07.0046 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/02 20:21:07.0078 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/02 20:21:07.0156 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/02 20:21:07.0250 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/02 20:21:07.0328 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/02 20:21:07.0421 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/02 20:21:07.0515 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/02 20:21:07.0640 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/12/02 20:21:07.0750 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/02 20:21:07.0859 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/02 20:21:07.0968 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/02 20:21:08.0093 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/02 20:21:08.0187 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/02 20:21:08.0296 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/02 20:21:08.0515 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/12/02 20:21:08.0640 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/02 20:21:08.0718 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/02 20:21:08.0906 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/02 20:21:09.0000 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/02 20:21:09.0093 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/02 20:21:09.0171 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/02 20:21:09.0234 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/02 20:21:09.0343 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/02 20:21:09.0468 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/02 20:21:09.0578 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/02 20:21:09.0687 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/02 20:21:09.0765 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/02 20:21:09.0843 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/02 20:21:09.0921 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/02 20:21:10.0000 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/02 20:21:10.0046 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/12/02 20:21:10.0156 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/02 20:21:10.0234 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/02 20:21:10.0343 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/02 20:21:10.0453 winachsf (473ee64c368ce2eed110376c11960259) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/02 20:21:10.0671 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/02 20:21:10.0796 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/02 20:21:10.0812 ================================================================================
2010/12/02 20:21:10.0812 Scan finished
2010/12/02 20:21:10.0812 ================================================================================
2010/12/02 20:21:10.0828 Detected object count: 1
2010/12/02 20:21:29.0281 \HardDisk0 - will be cured after reboot
2010/12/02 20:21:29.0281 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/02 20:22:18.0765 Deinitialize success
 
I have not ever been able to understand why anyone would use a file sharing site to get a security program! (c:\program files\avg_free_stb_all_2011_1170_cnet.exe)
This is a torrent download! If you decide to reinstall AVG, I recommend you do it from the home site: Avira Free
===========================================
Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:[Be sure to scroll down to include ALL lines[./b]
Code: 
KillAll::
File::
c:\program files\LimeWireWin.exe
c:\program files\avg_free_stb_all_2011_1170_cnet.exe
Folder::
c:\documents and settings\LAURA\Application Data\AVG10
c:\documents and settings\All Users\Application Data\Common Files
c:\documents and settings\All Users\Application Data\AVG10

DDS::
StartupFolder: c:\docume~1\laura\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe

Extra::
File::
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
Firefox::
Firefox-: - Profile - c:\docume~1\laura\applic~1\mozilla\firefox\profiles\uz25bahy.default\

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
No restore points in system? When the system is clean, you will need to make sure this isn't turned off.
======================
Let's make sure the MBR is clean:
Download bootkitremover.rar and save it to your desktop.
  • Extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip
  • Double-click on the remover.exe file to run the program.
  • Paste the output in your next reply.
 
ComboFix 10-12-03.01 - LAURA 04/12/2010 10:53:16.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.758.547 [GMT 0:00]
Running from: c:\documents and settings\LAURA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\LAURA\Desktop\CFScript.txt

FILE ::
"c:\program files\avg_free_stb_all_2011_1170_cnet.exe"
"c:\program files\LimeWireWin.exe"
"c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}"
"c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\AVG10\Cfg\admin.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\changecfgreg.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\csl.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\emssrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\erd.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\idp.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mailsrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mailsrvvsapi.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\malrep.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\scan.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\setup.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\spsrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\updatecomps.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\changecfgreg.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\falsealarm.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\krnlall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\pctuneupall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\updateall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\userall.cfg
c:\documents and settings\All Users\Application Data\AVG10\Chjw\7e1457dc1457964d\avgcchff.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\7e1457dc1457964d\avgcchfi.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\7e1457dc1457964d\avgcchmf.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\7e1457dc1457964d\avgcchmi.dat
c:\documents and settings\All Users\Application Data\AVG10\log\avgcfg.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcfg.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjwsrv.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjwsrv.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.1
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgcsl.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcsl.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgemc.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgemc.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgexc.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgexc.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgldr.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgldr.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avglng.log
c:\documents and settings\All Users\Application Data\AVG10\log\avglng.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgns.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgns.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgpostinst.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgpostinst.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgrkt.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgrkt.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgscan.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgscan.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgsched.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgsched.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrm.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrm.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgtdi.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgtdi.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgual.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgual.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgui.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgui.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgupd.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgupd.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgwd.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgwd.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgwdsvc.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgwdsvc.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\commonpriv.log
c:\documents and settings\All Users\Application Data\AVG10\log\commonpriv.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\fixcfg.log
c:\documents and settings\All Users\Application Data\AVG10\log\fixcfg.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\history.xml
c:\documents and settings\All Users\Application Data\AVG10\log\vault.log
c:\documents and settings\All Users\Application Data\AVG10\log\vault.log.lock
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000005.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000006.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000007.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000008.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\srm.idx
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\AntiRkx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\Antivirx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\Avgx86.msi
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\AVIsx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\basex.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\COREx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\COREx86.msi
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\Emailsx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\GUIx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\idatx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\IDPx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\lng_usx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\OnlnScx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\ResShldx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\SrchSrfx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\SSHttpBx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\TDIDrvx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\TuneUpx.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\Update2x.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\Updatex.cab
c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\xplx.cab
c:\documents and settings\All Users\Application Data\Common Files
c:\documents and settings\All Users\Application Data\Common Files\FC7458D0-C084-52D0-2F2E-77B3E11420F4.dat
c:\documents and settings\LAURA\Application Data\AVG10
c:\documents and settings\LAURA\Application Data\AVG10\cfgall\usergui.cfg
c:\program files\avg_free_stb_all_2011_1170_cnet.exe
c:\program files\LimeWireWin.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
.

2010-12-02 21:29 . 2010-12-02 21:42 -------- d-----w- c:\program files\VS Revo Group
2010-11-30 12:28 . 2010-12-02 21:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-29 20:15 . 2010-11-29 20:15 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-11-26 20:46 . 2010-11-26 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-11-16 14:36 . 2010-11-16 14:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-16 14:29 . 2010-11-16 14:31 -------- d-s---w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 01:10 . 2010-09-24 01:10 573736 ----a-w- c:\program files\iTunesPhotoProcessor.exe
2010-09-24 01:10 . 2010-09-24 01:10 294688 ----a-w- c:\program files\iTunesOutlookAddIn.dll
2010-09-24 01:10 . 2010-09-24 01:10 124200 ----a-w- c:\program files\iTunesMiniPlayer.dll
2010-09-24 01:10 . 2010-09-24 01:10 421160 ----a-w- c:\program files\iTunesHelper.exe
2010-09-24 01:10 . 2010-09-24 01:10 387368 ----a-w- c:\program files\iTunesAdmin.dll
2010-09-24 01:10 . 2010-09-24 01:10 173344 ----a-w- c:\program files\iTunesHelper.dll
2010-09-24 01:10 . 2010-09-24 01:10 9777448 ----a-w- c:\program files\iTunes.exe
2010-09-24 01:10 . 2010-09-24 01:10 726304 ----a-w- c:\program files\gnsdk_sdkmanager.dll
2010-09-24 01:10 . 2010-09-24 01:10 648992 ----a-w- c:\program files\iPodUpdaterExt.dll
2010-09-24 01:10 . 2010-09-24 01:10 259360 ----a-w- c:\program files\gnsdk_submit.dll
2010-09-24 01:10 . 2010-09-24 01:10 197920 ----a-w- c:\program files\gnsdk_musicid.dll
2010-09-24 01:10 . 2010-09-24 01:10 18710816 ----a-w- c:\program files\iTunes.dll
2010-09-24 01:10 . 2010-09-24 01:10 111912 ----a-w- c:\program files\ITDetector.ocx
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((( SnapShot_2010-12-02_23.11.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-02 23:38 . 2010-12-02 23:38 3065856 c:\windows\Installer\c70e9.msi
+ 2010-12-02 23:35 . 2010-12-02 23:35 1548288 c:\windows\Installer\c70e5.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverUpdaterPro"="c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe" [BU]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="c:\program files\Atheros\ACU.exe" [2005-01-31 253952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes.exe"=

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [21/08/2009 16:31 40464]
.
Contents of the 'Scheduled Tasks' folder

2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-12-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-26 22:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: neashomeaccess.co.uk\www
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\LAURA\Application Data\Mozilla\Firefox\Profiles\uz25bahy.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\LAURA\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Plugins\npitunes.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-04 10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-04 11:00:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-04 11:00
ComboFix2.txt 2010-12-02 23:13

Pre-Run: 11,344,338,944 bytes free
Post-Run: 11,307,397,120 bytes free

- - End Of File - - AA411D2F79F8CB71CD5857A8C820C148


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`c8073000
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
 
The logs look good. If the redirect has been resolved, you can now Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you have any more questions.
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
794
uber_beetle
uber_beetle
S
  • Locked
Inactive Am I infected?
Replies
8
Views
3K
Broni
Broni
E
Solved Svchost.exe launching multiple iexplore.exe - unknown cause
Replies
23
Views
3K
Broni
Broni

Latest posts

Back