badly infected laptop

sorry i'm slow but i have to use my pc to send every thing. unable to use any malware programs even in safe mode, cant get on the internet, i have to copy everthing from my good pc to the infected laptop with a usb stick..thank you for your help,---Regards gunner.
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Owner at 8:44:58 on 2012-04-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2038.1760 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.13.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9B8BE286-835E-40BC-B99B-DC0CB3856F7A} : DhcpNameServer = 192.168.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-2-25 34880]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-2-18 29056]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 BBSvc;Bing Bar Update Service;"c:\program files\microsoft\bingbar\bbsvc.exe" --> c:\program files\microsoft\bingbar\BBSvc.EXE [?]
S2 BBUpdate;BBUpdate;"c:\program files\microsoft\bingbar\seaport.exe" --> c:\program files\microsoft\bingbar\SeaPort.EXE [?]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2011-8-7 54760]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-19 135664]
S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2010-11-5 185632]
S2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2010-11-5 19072]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 1025352]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-19 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-4-7 40776]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2006-9-28 247808]
.
=============== Created Last 30 ================
.
2012-04-08 17:53:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-08 11:09:39 -------- d-----w- C:\bd_logs
2012-04-08 08:37:51 -------- d-----w- C:\f24be86dc61dbd1a32d685
2012-04-08 08:12:22 -------- d-----w- C:\12648f5438e3f5f09cc1d7
2012-04-07 21:19:44 -------- d-----w- C:\effd30468a084c69a9da6bb844eeaef4
2012-04-07 21:02:49 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-07 19:17:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-04-07 19:17:25 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-07 17:56:22 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2012-04-07 17:55:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-07 17:55:51 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-04-05 13:46:34 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-05 13:46:34 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-05 11:24:46 0 --sha-w- c:\windows\system32\dds_log_ad13.cmd
.
==================== Find3M ====================
.
2012-04-08 11:52:40 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp
2012-04-05 11:18:47 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
.
============= FINISH: 8:45:08.78 ===============

Greetings gunner1 and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

• First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
• Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
• Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
• Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  
• When you post your reply, do not use the button but use the button instead.
  
• In the upper right hand corner of the topic you will see the button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
• If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
• When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
• I would like to remind you to make no further changes to your computer unless I direct you to do so.
• Now let's get started

===================================================


Please allow me some time to review the information you have provided. I will post back as soon as possible.

Greetings gunner1,

I have not forgotten you . I will have steps for you to take as soon as possible. I appreciate your patience and understanding.

Greetings gunner1,


Thank you for allowing me some time to review the information you provided.


As we begin I must advise you of the following:


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections [ZeroAccess] is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Panda USB Vaccine

--------------------

From a clean computer, please download and use Panda USB Vaccine.

Alternate download link 1
Alternate download link 2

• Double-click on USBVaccineSetup.exe to install the program to C:\Program Files\Panda USB Vaccine.
• Read and accept the license agreement, then click Next.
• When setup completes, make sure "Launch Panda USB Vaccine" is checked and click Finish to open the program.
• Click the Vaccinate computer button. It should now show a green checkmark and confirm Computer vaccinated.
• Hold down the Shift key and insert your USB flash drive.
• When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
• Exit the program when done

Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Resarch Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.


===================================================


Running TDSSKiller with Changed Parameters

--------------------

• From a clean computer please download TDSSKiller and save it to your USB device
• Insert the USB device into your infected computer
• Locate and doubleclick on TDSSKiller.exe to run the application, then click on Change parameters
  
  
  
  
  
• Check Verify Driver Digital Signature and Detect TDLFS file system
  Click OK
  
  
  
  
  
• Click Start Scan and allow the scan process to run
  
  
  
  
  
• If threats are detected select Skip unless I instruct you otherwise
  Click Continue
  
  
  
  
  
• Click Reboot computer
• Please copy and paste the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================


Things I would like to see in your next reply.

• TDSSKiller log

===================================================

72 Hour Bump

It has been more than 72 hours since my last post.

• Do you still need help with this?
• If after 48hrs you have not replied to this thread then it will have to be closed.

Hello Oh My,
hope i have done it as requested, thank you again i will try and copy paste the logs

I can work with what you provided. Please allow me a bit of time to review the information.

Excellent job!

Greetings gunner 1,


Fortunately your efforts paid off. The report you provided has given us a clue where to begin to try to get your computer up and running again.

I would like you to rerun TDSSKiller with the changed parameters like you did in the earlier post, however we are going to take a different step at the end. When you are presented with the Threats Detected results, I would like you to select Delete for the TDSS File System entry only. I would like you to post the new TDSS log in your reply.

Please attempt to reboot your computer into Normal Mode. Let me know if you can access the internet.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

• Were you able to delete the entries successfully?
• Were you able to boot into Normal Mode with internet access?
• TDSS log information
• How is your computer behaving now?

Hello Oh My,
Ideleted some files from the desk top ok.. couldnt access the internet..computer seems just the same. soeey for sending the attachments i couldnt fathom out how to copy and paste them i could get the copy part but then it wouldnt highlight the paste button sorry

Greetings gunner 1,


Good start. We are going to run a couple programs to clean up some other stuff and also provide some additional information regarding your internet connection issue.

Please click this link for information about how to copy and paste text. If you are unable to make it work simply attach the files.

Please perform the following for me.


===================================================


Run Combofix

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

• Please download ComboFix to your USB device from one of these locations:
  
  

  BleepingComputer

  ForoSpyware

• Insert the USB device into the infected computer
• Copy and paste Combofix.exe to the desktop of your infected computer <-- Important!!!
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Combofix.exe and follow the prompts.
  

  Please Note: ComboFix may warn you that a Recover Console is not installed. Since this step requires internet access please check No

• Do not mouseclick while the program is running or it may stall.
  
  Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If ComboFix has stopped running please stop and advise me.
  
  
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
  Note #2: If you receive the following error "Illegal operation attempted on a registery key that has been marked for deletion" please just restart your computer to resolve this issue
  
• When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Farbar's Service Scanner

--------------------

Please download Farbar Service Scanner, save it to your desktop, and run it.

• Make sure the following options are checked:
  
  
  • Internet Services
  • Windows Firewall
  • Security Center/Action Center
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

• ComboFix.txt
• FSS.txt
• How is your computer running?

Hello Oh My,
the laptop has connected to the internet thanks to you. i havnt any virus protection on the machine as yet. the logs are here i hComboFix 12-04-17.01 - Owner 18/04/2012 21:19:55.1.2 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB42631$
c:\windows\$NtUninstallKB42631$\1406208681\@
c:\windows\$NtUninstallKB42631$\1406208681\L\nsewoldn
c:\windows\$NtUninstallKB42631$\2340626313
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\system32\
c:\windows\system32\dds_log_ad13.cmd
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\wuauclt.exe.tmp
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\system32\dllcache\afd.sys
.
c:\windows\system32\drivers\intelppm.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\intelppm.sys
.
c:\windows\system32\drivers\ipsec.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\ipsec.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
.
.
2012-04-18 20:30 . 2012-04-18 20:30 -------- d-----w- c:\program files\GUM5.tmp
2012-04-18 20:30 . 2012-04-18 20:30 3993600 ----a-w- c:\program files\GUT6.tmp
2012-04-18 20:26 . 2008-04-14 00:49 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-04-18 20:26 . 2008-04-14 00:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-04-18 20:26 . 2008-04-14 00:01 36352 -c--a-w- c:\windows\system32\dllcache\intelppm.sys
2012-04-18 20:26 . 2008-04-14 00:01 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2012-04-18 20:26 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-04-18 20:26 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-16 19:14 . 2012-04-16 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2012-04-16 19:14 . 2012-04-16 19:24 -------- d-----w- c:\program files\Panda USB Vaccine
2012-04-08 17:53 . 2012-04-08 17:53 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-08 13:19 . 2012-04-08 13:19 -------- d-----w- c:\documents and settings\Administrator
2012-04-08 11:09 . 2012-04-08 12:49 -------- d-----w- C:\bd_logs
2012-04-08 08:37 . 2012-04-08 08:37 -------- d-----w- C:\f24be86dc61dbd1a32d685
2012-04-08 08:12 . 2012-04-08 08:12 -------- d-----w- C:\12648f5438e3f5f09cc1d7
2012-04-07 21:19 . 2012-04-07 21:19 -------- d-----w- C:\effd30468a084c69a9da6bb844eeaef4
2012-04-07 19:17 . 2012-04-07 19:17 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-07 17:56 . 2012-04-07 17:56 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2012-04-07 17:55 . 2012-04-07 17:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-07 17:55 . 2012-04-07 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-04-05 13:46 . 2012-04-05 13:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-05 13:46 . 2012-04-05 13:46 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctNDkwNzk0MDU3LUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLVZJUDEwKzEtRjEwTTEwQysyLUxJQys3LUZMMTArMS1TUDErMS1TVVArNC1UVUcrMy1TUDFTNCsxLUREVCszMTEwOC1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyRE4rMS1UQisxLVUxMCsx&prod=55&ver=10.0.1411" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PandaUSBVaccine.lnk - c:\program files\Panda USB Vaccine\USBVaccine.exe [2012-4-16 1287176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2010-11-5 1560576]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 17:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-15 12:46 159744 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-15 12:46 135168 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-15 12:46 131072 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-09-12 15:58 16264192 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 17:04 2879488 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2010-11-04 23:43 634880 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
.
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [25/02/2006 17:00 34880]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [18/02/2006 18:01 29056]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [05/11/2010 22:48 19072]
S2 BBSvc;Bing Bar Update Service;"c:\program files\Microsoft\BingBar\BBSvc.EXE" --> c:\program files\Microsoft\BingBar\BBSvc.EXE [?]
S2 BBUpdate;BBUpdate;"c:\program files\Microsoft\BingBar\SeaPort.EXE" --> c:\program files\Microsoft\BingBar\SeaPort.EXE [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 10:48 135664]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 12:58 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 10:48 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [28/09/2006 23:41 247808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 04:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 13:46]
.
2010-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 11:50]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 11:52]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 11:52]
.
2012-04-18 c:\windows\Tasks\User_Feed_Synchronization-{D9E9CCF7-3F16-4325-A725-18F320DC74A5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-14689194.sys
SafeBoot-65439664.sys
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_C2F5B49B54B6AC4A.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-18 21:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(476)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Ralink\Common\RaRegistry.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\progra~1\COMMON~1\MICROS~1\DW\DW20.EXE
c:\program files\Google\Update\Install\{2923FCFF-5B5D-4915-A74B-6F1CE5B7A869}\GoogleToolbarInstaller_updater_signed.exe
.
**************************************************************************
.
Completion time: 2012-04-18 21:36:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-18 20:36
.
Pre-Run: 81,584,144,384 bytes free
Post-Run: 83,401,859,072 bytes free
.
Farbar Service Scanner Version: 16-04-2012
Ran by Admin (administrator) on 18-04-2012 at 21:42:41
Running from "C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\X75WNTU7"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000800000009000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****- - End Of File - - 73DBA3C359600F24FD7714248FA62675
ope

Hello Oh My,
Sorry I forgot to say Thank you for your help, I really appreciate it.

Regards gunnr

Greetings gunner 1,

That looks good! You can thank me but it is the brilliant people who create these programs we run, like ComboFix, who deserve the credit.

I would like to have you run a couple of scans to look for signs of leftover malware, then have you upgrade to AVG 2012.

Please perform the following for me.

P.S. Nice job on the copy and paste.


===================================================


Malwarebytes

--------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  For instructions with screenshots, please refer to this Guide.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
• If an update is found, the program will automatically update itself. Press the OK button and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
• Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
• Click on the Scan button.
• When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked and then click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
• Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on this link to open ESET OnlineScan in a new window.
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  
  
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

  

• Check "YES, I accept the Terms of Use."
• Click the Start button.
• Accept any security warnings from your browser.
• Under scan settings, check "Scan Archives" and "Remove found threats"
• Click Advanced settings and select the following:
  
  
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click List Threats
• Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Click the Back button.
• Click the Finish button.

===================================================


Upgrading AVG Antivirus

--------------------

• Please download AVG Anti-Virus Free 2012
• At the bottom of the AVG Free Edition column click Download
• Click Save File
• Select Desktop on the left hand side of the window which will open, the click Save
  
• Double click the icon on your desktop
  
• Select Run
• Click Next
• Click Accept
• Select Basic Protection the click Next
• Uncheck the 2 items under Express Install then click Next
• Uncheck the box underneath Thank you for installing AVG 2012, then click Finish
• The AVG screen will appear and the program will update itself
• When the screen shows You are protected., close the window, AVG was successfully installed.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

• Malwarebytes log
• ESET log
• Were you able to upgrade AVG 2012?
• How is your computer running. Do you notice any problems?

Hello Oh My,
I couldnt log the laptop onto windows again after logging in last night, the connection is good, i tried copying malware from usb stick, after i got it on i opened it and it went to out of date update, which i tried but got a error massage, then malware opened so i did quick scan which lasted 3 minutes and found no viruses, this was run not connected to the internet. if that makes sense, strange since i got on to the internet last night. I only stayed on for 2 minutes then switched it straight, off until 15 minutes ago, i hope this makes sence to you.

Regards gunner

Greetings gunner 1,


I am going to have you run a couple of programs to take a look at the state of your internet connection settings. Please perform the following for me.


===================================================


Farbar's MiniToolBox

--------------------

• On your clean computer please download MiniToolBox to your USB device
• Insert the USB device to your infected computer
• Please close any Firefox browsers you may have open
  
• Double click the icon to launch the program
  
• Make sure the following options are checked:
  
  
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Devices
  • List Users, Partitions and Memory size
• Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
• Please copy and paste the contents in your reply

===================================================


Please re-run Farbar's Service Scanner in the same manner as you did in Post #10


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

• Result.txt
• FSS.txt