February 15th, 2011 12:00

Bootkit tdl4 found by combofix keeps coming back

Hello. I posted another message in the other virus forum but I'm coming here for more help. This is someone else's old computer so I don't know what is going on but I have stabilized it and am getting clean virus scans using Malwarebytes, SuperAntispyware, Avast, Kaspersky, and ESET. Before these clean scans I ran ComboFix and it found Rootkit TDL3 and the log said it cleaned bootkit TDL4. Virus scanners were finding lots of trojans and bad things including backdoor.bot. I ran all sorts of virus scanners and after a few passes everything is now clean except for ComboFix which keeps finding the rootkit. I have done everything I can think of and am ready to call it quits and format/install.

This is my dad's old computer and he died 2 years ago and I would like to get some pictures off the hard drive and maybe give it to my mom because it would mean a lot to her. I hope someone can take a look at it and tell me what's going on. I have done some things to this computer that I would never do to my own system but everyone has given up on it so I thought it couldn't hurt. It's a Dell Inspiron E1705 running Windows XP Service Pack 3 and I also ran Windows Update so I think everything is up to date.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:48:37 PM, on 2/15/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17095)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 2753 bytes

Thank you for reading this.


20.5K Posts

February 15th, 2011 12:00

Hi dellydell (cute name),

First, I would suggest trying to get the pictures backed up on a CD or USB stick.

Combofix is a powerful tool. If you ran it on your own, you really shouldn't have, until someone trained in its use was helping you.

I am reviewing your log. In the meantime, you can help me by addressing the following:

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.  The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.    

* Have you at any time used Dell's Screen Share program to browse the Dell site?

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Please note also that not all of our tools work on 64-bit systems, so we may be limited in our procedures.

* The presence of windows error codes may indicate hardware problems and could limit the success of infection removal.

ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.


If there is a problem after making changes to the system, to restore your registry, go to the folder and start ERUNT.exe

Let me know after you have installed ERUNT.

No Reply within 3 days will result in this topic being closed, and I will remove it from my subscriptions. If you require more time, please let me know.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.


16 Posts

February 15th, 2011 13:00

Hi bugbatter and thank you so much for taking time to help me. I installed ERUNT using your directions. For your information:

-I have not posted on another forum and I am not taking instructions from anyone else.

-system restore is enabled

-Cracked software may be on this computer.  It was previously in use by a teenager who was into gaming and naughty internet stuff. I don't really know what he did so I can't answer this question definitely. I personally would never use such a program as I am the kind of person who pays for every mp3 file and I never download anything unless it is from a site I trust.

-When I first started working on this computer I removed some p2p programs and I think they are all gone. There is a lot on this computer!

-I don't know what Dell Screen Share is. I used the dell programs to check for drivers. There are lots of dell programs running on this computer and I don't know what they all are. I personally own a dell desktop that does not have some of these programs so I can't help there.

-Permissions - I can do whatever I want to this computer. This was my dad's computer. After he died my brother got hold of it and he killed it. Now my mom wants me to see if I can fix it for her. I think it has some sentimental value for her. She wants to get the pictures off this computer and use it for small tasks if possible.


Before we go any further, I should clarify that I am not very familiar with this notebook. The damage was done by my careless family. So when you ask me if I have done such and such I probably won't be able to answer, since I don't know what the previous users were doing. I just know it was bad. I would hate to waste your time if you think cleaning up this computer is a lost cause. It might be hard trying to fix someone's mistake if you don't know what they did.  I'm doing this as a favor for my mother because my dad did lots of computer presentations and artwork using family pictures and such and I know she really wants to have this computer. I really appreciate your help and advice.

20.5K Posts

February 15th, 2011 15:00

Let's see how far we can get with the information that we have access to. You may still decide to reformat and reinstall Windows later.

Please run the following:

We need to see some additional information about what is happening in your machine.


Please download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

-----------------------------------------------------

  • Copy/paste both logs to your reply on the forum. Do not attach them.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

Next, download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply along with the two logs from DDS.

Thanks!

16 Posts

February 16th, 2011 04:00

Hi bugbatter. It looks like my husband forgot his AC power so he swiped the power cord this morning before I could wake up and say no. I don't want to continue until I have a good power source so I will post back tomorrow when I have followed your instructions. I guess the Dell AC adapters are wonderfully backwards compatible.

I promise I'll be back tomorrow. It took me a week to get this computer stable and I'm not ready to quit until it's completely clean. Thanks

20.5K Posts

February 16th, 2011 05:00

Thanks for letting me know.

16 Posts

February 17th, 2011 04:00

Hello again. I am back with the log files you requested.

DDS.txt

DDS (Ver_10-12-12.02) - NTFSx86 
Run by -------at  7:34:10.43 on Thu 02/17/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.215 [GMT -5:00]

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-11 294608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-11 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-11 40384]
R2 ehMonitor;Media Center Monitor Service;c:\program files\media center diagnostic kit\tests\bin\ehMonitor.exe [2005-9-7 49336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]

=============== Created Last 30 ================

2011-02-15 19:43:50 388096 ----a-r- c:\docume~1\bob\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-02-11 18:35:31 -------- d-----w- c:\program files\ESET
2011-02-11 16:16:40 38848 ----a-w- c:\windows\avastSS.scr
2011-02-11 16:16:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-02-11 12:20:08 215920 ----a-w- c:\windows\system32\muweb.dll
2011-02-10 15:59:25 -------- d-----w- c:\docume~1\bob\applic~1\SUPERAntiSpyware.com
2011-02-10 15:59:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-10 15:59:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-10 15:52:57 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-02-10 15:36:24 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-02-10 14:35:47 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-02-10 14:35:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-02-10 14:31:39 -------- d-----w- c:\program files\CCleaner
2011-02-09 19:20:54 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-02-09 17:16:06 -------- d--h--w- c:\windows\PIF
2011-02-09 15:44:24 -------- d-----w- c:\docume~1\bob\locals~1\applic~1\PCHealth
2011-02-09 14:17:02 -------- d-----w- C:\65bf44ad04b307a54456d43b6328
2011-02-09 12:40:01 150200 ----a-w- c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2011-02-08 22:26:44 -------- d-----w- c:\windows\system32\XPSViewer
2011-02-08 22:25:17 -------- d-----w- C:\601c41be92f319ec19
2011-02-08 20:35:54 -------- d-sha-r- C:\cmdcons
2011-02-08 16:07:55 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-02-08 16:07:24 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-02-08 16:06:02 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-02-08 16:06:01 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-02-08 16:05:06 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-02-08 16:02:40 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-02-08 15:23:00 -------- d-----w- c:\docume~1\bob\applic~1\AVG10
2011-02-08 15:17:56 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-08 15:14:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-08 15:13:41 -------- d-----w- c:\program files\AVG
2011-02-08 15:01:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-08 14:40:28 -------- d-----w- c:\docume~1\bob\applic~1\Malwarebytes
2011-02-08 14:40:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-08 14:40:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-08 14:40:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 14:40:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-21 14:44:37 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

==================== Find3M  ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ------w- c:\windows\system32\corpol.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH:  7:36:00.38 ===============

ATTACH.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\Harddisk0\DP(2)0x2738a00-0xc73364a00+2
Install Date: 7/13/2006 11:16:20 AM
System Uptime: 2/17/2011 7:25:36 AM (0 hours ago)

Motherboard: Dell Inc. |  | 0FF049
Processor: Genuine Intel(R) CPU           T1300  @ 1.66GHz | Microprocessor | 1664/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 9.821 GiB free.
D: is CDROM ()
E: is FIXED (FAT) - 0 GiB total, 0.031 GiB free.
F: is FIXED (FAT32) - 5 GiB total, 0.924 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1390 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&360A6DE&0&00E1
Manufacturer: Broadcom
Name: Dell Wireless 1390 WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&360A6DE&0&00E1
Service: BCM43XX

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\2B6BF121474FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\2B6BF121474FC000
Service: NIC1394

==== System Restore Points ===================

RP10: 2/15/2011 12:00:20 PM - System Checkpoint
RP11: 2/15/2011 2:43:43 PM - Installed HiJackThis

==== Installed Programs ======================

AOLIcon
Apple Application Support
avast! Free Antivirus
Bonjour
CCleaner
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dassault Systemes Software Prerequisites x86
Dell Digital Jukebox Driver
Dell Network Assistant
Dell Support Center (Support Software)
Dell System Restore
Dell Wireless WLAN Card
DellConnect
DellSupport
Digital Line Detect
Documentation & Support Launcher
Driver Detective
ELIcon
ERUNT 1.1j
ESET Online Scanner v3
GTK+ 2.6.9 runtime environment
HiJackThis
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Graphics Media Accelerator Driver
Internal Network Card Power Management
iTunes
Malwarebytes' Anti-Malware
Media Center Diagnostic Kit
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft XML Parser
Modem Helper
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Norton 360
PDFCreator
PowerLite S1+
PrintMaster Platinum 17
Rhapsody Player Engine
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Sonic Encoders
Sonic Update Manager
SUPERAntiSpyware
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Ventrilo Client
Warcraft III
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Media Center Edition 2005 KB973768
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

2/15/2011 11:46:26 AM, error: Service Control Manager [7034]  - The SupportSoft Sprocket Service (dellsupportcenter) service terminated unexpectedly.  It has done this 1 time(s).
2/15/2011 11:46:26 AM, error: Service Control Manager [7034]  - The Media Center Monitor Service service terminated unexpectedly.  It has done this 1 time(s).
2/11/2011 7:19:36 AM, error: Dhcp [1002]  - The IP address lease 10.0.0.2 for the Network Card with network address 001422F6304C has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
2/11/2011 7:18:37 AM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).
2/10/2011 8:33:29 AM, error: Service Control Manager [7034]  - The Advanced Networking Service service terminated unexpectedly.  It has done this 1 time(s).
2/10/2011 4:17:22 PM, error: Service Control Manager [7034]  - The Dell Wireless WLAN Tray Service service terminated unexpectedly.  It has done this 1 time(s).
2/10/2011 4:11:49 PM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'DESKTOP.INI' on the volume 'DP(1)0x7e00-0x2730c00+1'.  It has stopped monitoring the volume.
2/10/2011 3:30:51 PM, error: Service Control Manager [7034]  - The LexBce Server service terminated unexpectedly.  It has done this 1 time(s).
2/10/2011 3:04:45 PM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'DP(1)0x7e00-0x2730c00+1'.  It has stopped monitoring the volume.
2/10/2011 3:00:57 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/10/2011 2:58:26 PM, error: Service Control Manager [7023]  - The System Restore Service service terminated with the following error:  The system cannot find the file specified.
2/10/2011 2:58:25 PM, error: SRService [104]  - The System Restore initialization process failed.
2/10/2011 2:54:56 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/10/2011 2:54:20 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
2/10/2011 2:53:07 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/10/2011 11:56:29 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD APPDRV Aspi32 Fips intelppm IPSec kl2 KLIF MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
2/10/2011 11:56:29 AM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
2/10/2011 11:56:29 AM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
2/10/2011 11:56:29 AM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
2/10/2011 11:56:29 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
2/10/2011 10:36:11 AM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================


CKFILES.txt

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
 ----- EOF -----


20.5K Posts

February 17th, 2011 08:00

I don't see it in there. Let's see if it's hiding.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure. Make sure that is selected. Click on Continue.
  • If a suspicious file is detected, the default action will be Skip. Click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.___log.txt".
  • Please copy and paste the contents of that file here. Please post your most recent log from ComboFix as well.

16 Posts

February 17th, 2011 10:00

TDSSkiller did not find anything. Here is the log:

2011/02/17 12:53:41.0890 2276 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/17 12:53:41.0906 2276 ================================================================================
2011/02/17 12:53:41.0906 2276 SystemInfo:
2011/02/17 12:53:41.0906 2276 
2011/02/17 12:53:41.0906 2276 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/17 12:53:41.0906 2276 Product type: Workstation
2011/02/17 12:53:41.0906 2276 ComputerName: DGPQRX91
2011/02/17 12:53:41.0906 2276 UserName: ------
2011/02/17 12:53:41.0906 2276 Windows directory: C:\WINDOWS
2011/02/17 12:53:41.0906 2276 System windows directory: C:\WINDOWS
2011/02/17 12:53:41.0906 2276 Processor architecture: Intel x86
2011/02/17 12:53:41.0906 2276 Number of processors: 1
2011/02/17 12:53:41.0906 2276 Page size: 0x1000
2011/02/17 12:53:41.0906 2276 Boot type: Normal boot
2011/02/17 12:53:41.0906 2276 ================================================================================
2011/02/17 12:53:42.0187 2276 Initialize success
2011/02/17 12:53:45.0718 2224 ================================================================================
2011/02/17 12:53:45.0718 2224 Scan started
2011/02/17 12:53:45.0718 2224 Mode: Manual;
2011/02/17 12:53:45.0718 2224 ================================================================================
2011/02/17 12:53:49.0671 2224 ================================================================================
2011/02/17 12:53:49.0671 2224 Scan finished
2011/02/17 12:53:49.0671 2224 ================================================================================

This is the last log from ComboFix. I checked the quarantined files log and it had catchme.log and tcpip.reg. I don't have the log anymore though. I do have the general ComboFix log and here it is:

ComboFix 11-02-14.02 - Bob 02/15/2011  11:15:37.10.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.221 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((((((((((((((((((((   Files Created from 2011-01-15 to 2011-02-15  )))))))))))))))))))))))))))))))
.

2011-02-11 18:35 . 2011-02-11 18:35 -------- d-----w- c:\program files\ESET
2011-02-11 16:17 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-11 16:17 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-11 16:17 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-11 16:17 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-11 16:17 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-11 16:17 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-11 16:17 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-11 16:16 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-02-11 16:16 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-11 16:16 . 2011-02-11 16:16 -------- d-----w- c:\program files\Alwil Software
2011-02-11 16:16 . 2011-02-11 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-02-11 12:20 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-02-10 15:59 . 2011-02-10 15:59 -------- d-----w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2011-02-10 15:59 . 2011-02-10 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-10 15:59 . 2011-02-15 13:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-10 15:52 . 2011-02-10 15:52 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-02-10 15:36 . 2011-02-15 14:44 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-02-10 14:35 . 2011-02-10 14:35 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-02-10 14:35 . 2011-02-10 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-02-10 14:31 . 2011-02-10 14:31 -------- d-----w- c:\program files\CCleaner
2011-02-09 19:20 . 2011-02-09 19:20 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-02-09 17:16 . 2011-02-09 17:16 -------- d--h--w- c:\windows\PIF
2011-02-09 16:10 . 2011-02-09 16:10 388096 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-09 15:44 . 2011-02-09 15:44 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\PCHealth
2011-02-09 14:17 . 2011-02-09 14:27 -------- d-----w- C:\65bf44ad04b307a54456d43b6328
2011-02-09 12:40 . 2010-10-06 01:27 150200 ----a-w- c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2011-02-08 22:26 . 2011-02-08 22:26 -------- d-----w- c:\windows\system32\XPSViewer
2011-02-08 22:26 . 2011-02-08 22:26 -------- d-----w- c:\program files\MSBuild
2011-02-08 22:25 . 2011-02-08 22:26 -------- d-----w- C:\601c41be92f319ec19
2011-02-08 18:03 . 2011-02-08 18:03 -------- d-----w- c:\documents and settings\Bob\Application Data\InstallShield
2011-02-08 16:07 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-02-08 16:07 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-02-08 16:06 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-02-08 16:06 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-02-08 16:05 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-02-08 16:02 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-02-08 15:23 . 2011-02-08 15:23 -------- d-----w- c:\documents and settings\Bob\Application Data\AVG10
2011-02-08 15:17 . 2011-02-08 15:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-02-08 15:14 . 2011-02-08 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-02-08 15:13 . 2011-02-08 15:13 -------- d-----w- c:\program files\AVG
2011-02-08 15:01 . 2011-02-08 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-08 14:40 . 2011-02-08 14:40 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2011-02-08 14:40 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-08 14:40 . 2011-02-08 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-08 14:40 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 14:40 . 2011-02-08 14:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-08 13:38 . 2011-02-08 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2005-08-16 09:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 09:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-08-16 09:18 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2005-08-16 09:18 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2010-12-20 17:26 . 2005-08-16 09:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2005-08-16 09:18 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2005-08-16 09:18 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2005-08-16 09:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2005-08-16 09:18 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 03:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-18 18:12 . 2005-08-16 09:40 81920 ----a-w- c:\windows\system32\isign32.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    stera

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/11/2011 11:17 AM 294608]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/11/2011 11:17 AM 17744]
R2 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [9/7/2005 5:18 PM 49336]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-127277287-1306173454-2756325771-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\D* x* *]
"NamÈy÷"="pxplay.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-02-15  11:26:50
ComboFix-quarantined-files.txt  2011-02-15 16:26
ComboFix2.txt  2011-02-15 14:08

Pre-Run: 10,544,537,600 bytes free
Post-Run: 10,529,914,880 bytes free

- - End Of File - - A6C35C7F99930EBDCD3631AC0251F32A

Thanks again for all your work! I probably won't post here again after 5 pm Eastern time but I will be back again tomorrow morning. FYI

20.5K Posts

February 17th, 2011 12:00

Disconnect from the internet....pull the plug!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray.

Otherwise, they may interfere with running ComboFix.

Open Notepad and copy/paste the following text between the lines below.

Do not copy the dotted lines.

** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces.

It will copy correctly to Notepad if you highlight and copy as is.


------------------------------------------------------------------------------------------------------------------------

File::
c:\windows\system32\Drivers\BW2NDIS5.sys
%COMMONAPPDATA%\Common Files\6F59E522-4689-156E-316C-D5B48819DE95.dat
%COMMONDESKTOP%\AVG 2011.lnk
%SYSTEM%\drivers\AVGIDSDriver.sys
%SYSTEM%\drivers\AVGIDSEH.sys
%SYSTEM%\drivers\AVGIDSFilter.sys
%SYSTEM%\drivers\AVGIDSShim.sys
%SYSTEM%\drivers\avgldx86.sys
%SYSTEM%\drivers\avgmfx86.sys
%SYSTEM%\drivers\avgrkx86.sys
%SYSTEM%\drivers\avgtdix.sys
%COMMONDesktop%\AVG Free 9.0.lnk
%PROGRAMFILES%\Mozilla Firefox\searchplugins\avg_igeared.xml
%SYSTEM%\avgrsstx.dll


Folder::
c:\program files\AVG
c:\documents and settings\All Users\Application Data\Avg7
c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\Bob\Application Data\AVG10
%SYSTEMDRIVE%\$AVG
%COMMONAPPDATA%\AVG10
%COMMONAPPDATA%\MFAData
%COMMONPROGRAMS%\AVG 2011
%APPDATA%\AVG10
%PROGRAMFILES%\AVG
%SYSTEM%\drivers\AVG
%COMMONAPPDATA%\AVG Security Toolbar
%COMMONAPPDATA%\avg9
%COMMONPrograms%\AVG Free 9.0

DirLook::
 C:\601c41be92f319ec19
 C:\65bf44ad04b307a54456d43b6328

DRIVER::
Avg
AVGIDSAgent
AVGIDSDriver
AVGIDSEH
AVGIDSFilter
AVGIDSShim
Avgldx86
Avgmfx86
Avgrkx86
Avgtdix
avgwd
AVG Security Toolbar Service
avg9emc
avg9wd

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayRSAlert]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinished]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanStarted]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEnd]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEndFail]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdStart]
[-HKEY_CURRENT_USER\AppEvents\Schemes\Apps\avgtray]
[-HKEY_CURRENT_USER\Software\Avg]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\.avgdx]
[-HKEY_CLASSES_ROOT\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A3E}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{41B21542-2055-4212-A6F2-395CD109B14B}]
[-HKEY_CLASSES_ROOT\CLSID\{6F59E522-4689-156E-316C-D5B48819DE95} ]
[-HKEY_CLASSES_ROOT\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}]
[-HKEY_CLASSES_ROOT\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}]
[-HKEY_CLASSES_ROOT\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}]
[-HKEY_CLASSES_ROOT\CLSID\{F1FE4608-7924-4908-8E12-81CFA206F00A}]
[-HKEY_CLASSES_ROOT\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\Installer\Features\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Features\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Features\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\Products\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Products\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Products\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\06DD9E4F7F3FF9C41BC2BD64A2CE18FE]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\38F747DBDC97B4E459142E21199F9D10]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter.1]
[-HKEY_CLASSES_ROOT\MicroScanner.MicroScanner]
[-HKEY_CLASSES_ROOT\piffile\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\linkscanner]
[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DevDiv\VC]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0323CB96-221A-4042-84A3-93EDE47099FC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1A258E63-8DF5-4ADB-9832-38A0121D65EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlwaysUnloadDll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABED-40e0-8F7B-6DE4F6756F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABEE-40e0-8F7B-6DE4F6756F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABEF-40e0-8F7B-6DE4F6756F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{9781B2D1-AF27-474F-A3A5-C0763FBDF3B7}]
[-HKEY_CLASSES_ROOT\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
[-HKEY_CLASSES_ROOT\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_CLASSES_ROOT\CLSID\{F2DDE6B2-9684-4A55-86D4-E255E237B77C}]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\avgsecuritytoolbar]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayWSAlert]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_CURRENT_USER\Software\AppDataLow\Avg]
[-HKEY_CURRENT_USER\Software\AVG Security Toolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG Security Toolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG9Uninstall]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayRSAlert]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanFinished]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanStarted]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayWSAlert]
[-HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\avgtray]
[-HKEY_USERS\.DEFAULT\Software\AppDataLow\Avg]
[-HKEY_USERS\.DEFAULT\Software\Avg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"=-
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"=-
"avg@igeared"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
"AVG"=-

SECCENTER::
AVG Anti-Virus Free

-----------------------------------------------------------------------------------------------------------------------------------------------------

Save this as CFScript.txt

[image: screenshot of CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again.

Follow the same instructions you did before for running ComboFix.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced here: C:\ComboFix.txt

In your next reply, please post that log.

20.5K Posts

February 17th, 2011 14:00

If you can get online with that computer, do so. It appears that Avast is running, and just coming here to copy the text to Notepad shouldn't be a problem. Following that, go offline to run ComboFix per instructions.

16 Posts

February 17th, 2011 14:00

Should I put this on a disc using a clean computer and then copy it to the bad one? Your instructions to disconnect from the internet sounded pretty dire and I don't want to go online to get the copy text if it would be bad. I can only use a CD because I don't have any USB drives (just my backup drive and I don't want to use that one). Is it safe to use the bad computer to go online and post the log etc.?

16 Posts

February 18th, 2011 06:00

Hello again! I followed your instructions and here is the ComboFix log. I disabled Avast antivirus before running ComboFix, but when I came back to view the log it was running again. I hope I did this right. I see at the beginning of the log that it says Avast is enabled. I'm sorry. I read your instructions carefully, but I think when the computer rebooted it restarted Avast.

ComboFix 11-02-15.01 - Bob 02/18/2011   8:35.11.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.214 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
 * Created a new restore point

FILE ::
"c:\documents and settings\All Users\Application Data\Common Files\6F59E522-4689-156E-316C-D5B48819DE95.dat"
"c:\documents and settings\All Users\Desktop\AVG 2011.lnk"
"c:\documents and settings\All Users\Desktop\AVG Free 9.0.lnk"
"c:\program files\Mozilla Firefox\searchplugins\avg_igeared.xml"
"c:\windows\system32\avgrsstx.dll"
"c:\windows\system32\drivers\AVGIDSDriver.sys"
"c:\windows\system32\drivers\AVGIDSEH.sys"
"c:\windows\system32\drivers\AVGIDSFilter.sys"
"c:\windows\system32\drivers\AVGIDSShim.sys"
"c:\windows\system32\drivers\avgldx86.sys"
"c:\windows\system32\drivers\avgmfx86.sys"
"c:\windows\system32\drivers\avgrkx86.sys"
"c:\windows\system32\drivers\avgtdix.sys"
"c:\windows\system32\Drivers\BW2NDIS5.sys"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\AVG10\Chjw\30ccfcf3ccfcb3e6\avgcchff.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\30ccfcf3ccfcb3e6\avgcchfi.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\30ccfcf3ccfcb3e6\avgcchmf.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\30ccfcf3ccfcb3e6\avgcchmi.dat
c:\documents and settings\All Users\Application Data\AVG10\lsdb\prev\prvcache.dat
c:\documents and settings\All Users\Application Data\AVG10\lsdb\prev\prvglbl.dat
c:\documents and settings\All Users\Application Data\Avg7
c:\documents and settings\All Users\Application Data\MFAData
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110208-150103.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110208-201128.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110208-150103.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110208-201128.log
c:\documents and settings\All Users\Application Data\MFAData\mfaurlconf.ini
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\dm_marketing_message-hi.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\ico-blue-bg.gif
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\OK.png
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Smart-Scanning.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SmartScanning-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Social-Networking.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SocialNetworking-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Thumbs.db
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\ui-background.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\dm_marketing_message-en-us.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10antirkx1204yo.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10antivirx1204bw.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10avgx1204gi.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10avisx1204uq.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10basex1204rl.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10emailsx1204pr.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10guix1204kq.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10idatx1204ck.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10idpx1204mn.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10lng_usx1204nr.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10onlnscx1204ql.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10rdstx1204ti.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10resshldx1204yb.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10srchsrfx1204ij.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10sshttpbx1204sb.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10tdidrvx1204sz.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10tuneupx1204pz.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10update2x1204it.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10updatex1204br.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10xplx1204rx.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_lic8dn.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_mis15ni.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_mps11fx.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10corex1435tj.bin
c:\documents and settings\All Users\Application Data\MFAData\state.dat
c:\documents and settings\Bob\Application Data\AVG10
c:\documents and settings\Bob\Application Data\AVG10\cfgall\usergui.cfg
c:\program files\AVG
c:\program files\Mozilla Firefox\searchplugins\avg_igeared.xml

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVGIDSDRIVER
-------\Legacy_AVGIDSEH
-------\Legacy_AVGIDSFILTER
-------\Legacy_AVGIDSSHIM
-------\Legacy_AVGLDX86
-------\Legacy_AVGRKX86
-------\Legacy_AVGTDIX
-------\Service_Avg


(((((((((((((((((((((((((   Files Created from 2011-01-18 to 2011-02-18  )))))))))))))))))))))))))))))))
.

2011-02-15 21:15 . 2011-02-15 21:16 -------- d-----w- c:\program files\ERUNT
2011-02-15 19:43 . 2011-02-15 19:43 388096 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-11 18:35 . 2011-02-11 18:35 -------- d-----w- c:\program files\ESET
2011-02-11 16:17 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-11 16:17 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-11 16:17 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-11 16:17 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-11 16:17 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-11 16:17 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-11 16:17 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-11 16:16 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-02-11 16:16 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-11 16:16 . 2011-02-11 16:16 -------- d-----w- c:\program files\Alwil Software
2011-02-11 16:16 . 2011-02-11 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-02-11 12:20 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-02-10 15:59 . 2011-02-10 15:59 -------- d-----w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2011-02-10 15:59 . 2011-02-10 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-10 15:59 . 2011-02-15 13:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-10 15:52 . 2011-02-10 15:52 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-02-10 15:36 . 2011-02-15 14:44 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-02-10 14:35 . 2011-02-10 14:35 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-02-10 14:35 . 2011-02-10 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-02-10 14:31 . 2011-02-10 14:31 -------- d-----w- c:\program files\CCleaner
2011-02-09 19:20 . 2011-02-09 19:20 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-02-09 17:16 . 2011-02-09 17:16 -------- d--h--w- c:\windows\PIF
2011-02-09 15:44 . 2011-02-09 15:44 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\PCHealth
2011-02-09 14:17 . 2011-02-09 14:27 -------- d-----w- C:\65bf44ad04b307a54456d43b6328
2011-02-09 12:40 . 2010-10-06 01:27 150200 ----a-w- c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2011-02-08 22:26 . 2011-02-08 22:26 -------- d-----w- c:\windows\system32\XPSViewer
2011-02-08 22:26 . 2011-02-08 22:26 -------- d-----w- c:\program files\MSBuild
2011-02-08 22:25 . 2011-02-08 22:26 -------- d-----w- C:\601c41be92f319ec19
2011-02-08 18:03 . 2011-02-08 18:03 -------- d-----w- c:\documents and settings\Bob\Application Data\InstallShield
2011-02-08 16:07 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-02-08 16:07 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-02-08 16:06 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-02-08 16:06 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-02-08 16:05 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-02-08 16:02 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-02-08 15:17 . 2011-02-08 15:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-02-08 14:40 . 2011-02-08 14:40 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2011-02-08 14:40 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-08 14:40 . 2011-02-08 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-08 14:40 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 14:40 . 2011-02-08 14:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2005-08-16 09:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 09:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-08-16 09:18 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2005-08-16 09:18 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2010-12-20 17:26 . 2005-08-16 09:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2005-08-16 09:18 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2005-08-16 09:18 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2005-08-16 09:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2005-08-16 09:18 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 03:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\601c41be92f319ec19 ----

2011-02-08 22:25 . 2008-06-19 16:03 73 ------w- c:\601c41be92f319ec19\i386\msxpsinc.gpd
2011-02-08 22:25 . 2008-06-19 05:33 72 ------w- c:\601c41be92f319ec19\i386\msxpsinc.ppd
2011-02-08 22:25 . 2008-06-19 05:33 72 ------w- c:\601c41be92f319ec19\amd64\msxpsinc.ppd
2011-02-08 22:25 . 2008-06-19 05:33 2204 ------w- c:\601c41be92f319ec19\i386\msxpsdrv.inf
2011-02-08 22:25 . 2008-06-19 05:33 2204 ------w- c:\601c41be92f319ec19\amd64\msxpsdrv.inf
2011-02-08 22:25 . 2008-07-06 12:06 10929 ------w- c:\601c41be92f319ec19\amd64\msxpsdrv.cat
2011-02-08 22:25 . 2008-07-06 12:06 10929 ------w- c:\601c41be92f319ec19\i386\msxpsdrv.cat
2011-02-08 22:25 . 2008-07-06 12:06 147456 ------w- c:\601c41be92f319ec19\amd64\filterpipelineprintproc.dll
2011-02-08 22:25 . 2008-07-06 12:06 89088 ------w- c:\601c41be92f319ec19\i386\filterpipelineprintproc.dll
2011-02-08 22:25 . 2008-07-06 12:06 765440 ------w- c:\601c41be92f319ec19\i386\mxdwdrv.dll
2011-02-08 22:25 . 2008-07-06 12:06 1676288 ------w- c:\601c41be92f319ec19\i386\xpssvcs.dll
2011-02-08 22:25 . 2008-07-06 12:06 748032 ------w- c:\601c41be92f319ec19\amd64\mxdwdrv.dll
2008-07-06 22:36 . 2008-07-06 22:36 2936832 ------w- c:\601c41be92f319ec19\amd64\xpssvcs.dll
2008-06-19 16:03 . 2008-06-19 16:03 73 ------w- c:\601c41be92f319ec19\amd64\msxpsinc.gpd

---- Directory of C:\65bf44ad04b307a54456d43b6328 ----

2010-04-12 03:17 . 2010-04-12 03:17 11104 ----a-w- c:\65bf44ad04b307a54456d43b6328\2052\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\2070\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 13152 ----a-w- c:\65bf44ad04b307a54456d43b6328\3082\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1053\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1055\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 13152 ----a-w- c:\65bf44ad04b307a54456d43b6328\1045\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1046\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1049\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 11616 ----a-w- c:\65bf44ad04b307a54456d43b6328\1042\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1043\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1044\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1040\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 11616 ----a-w- c:\65bf44ad04b307a54456d43b6328\1041\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 13152 ----a-w- c:\65bf44ad04b307a54456d43b6328\1036\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12128 ----a-w- c:\65bf44ad04b307a54456d43b6328\1037\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1038\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 13152 ----a-w- c:\65bf44ad04b307a54456d43b6328\1032\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1033\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1035\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1030\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 13152 ----a-w- c:\65bf44ad04b307a54456d43b6328\1031\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12128 ----a-w- c:\65bf44ad04b307a54456d43b6328\1025\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 11104 ----a-w- c:\65bf44ad04b307a54456d43b6328\1028\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 12640 ----a-w- c:\65bf44ad04b307a54456d43b6328\1029\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 11104 ----a-w- c:\65bf44ad04b307a54456d43b6328\3076\HotFixInstallerUI.dll
2010-04-12 03:17 . 2010-04-12 03:17 321888 ----a-w- c:\65bf44ad04b307a54456d43b6328\HotFixInstaller.exe
2010-04-12 03:17 . 2010-04-12 03:17 14599680 ----a-w- c:\65bf44ad04b307a54456d43b6328\NDP30SP2-KB976769.msp
2010-04-12 03:17 . 2010-04-12 03:17 4210688 ----a-w- c:\65bf44ad04b307a54456d43b6328\NDP20SP2-KB976765.msp
2010-04-12 03:17 . 2010-04-12 03:17 2607104 ----a-w- c:\65bf44ad04b307a54456d43b6328\NDP20SP2-KB980773.msp
2010-04-12 03:08 . 2010-04-12 03:08 74519 ----a-w- c:\65bf44ad04b307a54456d43b6328\1029\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 76465 ----a-w- c:\65bf44ad04b307a54456d43b6328\1030\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 116656 ----a-w- c:\65bf44ad04b307a54456d43b6328\1031\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 78951 ----a-w- c:\65bf44ad04b307a54456d43b6328\1032\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 100363 ----a-w- c:\65bf44ad04b307a54456d43b6328\1033\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 75533 ----a-w- c:\65bf44ad04b307a54456d43b6328\1035\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 127060 ----a-w- c:\65bf44ad04b307a54456d43b6328\1036\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 59647 ----a-w- c:\65bf44ad04b307a54456d43b6328\1037\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 67624 ----a-w- c:\65bf44ad04b307a54456d43b6328\1038\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 115589 ----a-w- c:\65bf44ad04b307a54456d43b6328\1040\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 104768 ----a-w- c:\65bf44ad04b307a54456d43b6328\1041\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 147711 ----a-w- c:\65bf44ad04b307a54456d43b6328\1042\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 76257 ----a-w- c:\65bf44ad04b307a54456d43b6328\1043\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 73305 ----a-w- c:\65bf44ad04b307a54456d43b6328\1044\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 73386 ----a-w- c:\65bf44ad04b307a54456d43b6328\1045\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 97721 ----a-w- c:\65bf44ad04b307a54456d43b6328\1046\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 141033 ----a-w- c:\65bf44ad04b307a54456d43b6328\1049\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 76556 ----a-w- c:\65bf44ad04b307a54456d43b6328\1053\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 77193 ----a-w- c:\65bf44ad04b307a54456d43b6328\1055\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 102032 ----a-w- c:\65bf44ad04b307a54456d43b6328\2052\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 76519 ----a-w- c:\65bf44ad04b307a54456d43b6328\2070\eula.rtf
2010-04-12 03:08 . 2010-04-12 03:08 94271 ----a-w- c:\65bf44ad04b307a54456d43b6328\3082\eula.rtf
2010-04-12 03:07 . 2010-04-12 03:07 15616 ----a-w- c:\65bf44ad04b307a54456d43b6328\DHtmlHeader.html
2010-04-12 03:07 . 2010-04-12 03:07 7306 ----a-w- c:\65bf44ad04b307a54456d43b6328\header.bmp
2010-04-12 03:07 . 2010-04-12 03:07 3803 ----a-w- c:\65bf44ad04b307a54456d43b6328\ParameterInfo.xml
2010-04-12 03:07 . 2010-04-12 03:07 110348 ----a-w- c:\65bf44ad04b307a54456d43b6328\watermark.bmp
2010-04-12 03:07 . 2010-04-12 03:07 76237 ----a-w- c:\65bf44ad04b307a54456d43b6328\1025\eula.rtf
2010-04-12 03:07 . 2010-04-12 03:07 37119 ----a-w- c:\65bf44ad04b307a54456d43b6328\1028\eula.rtf
2010-04-12 03:07 . 2010-04-12 03:07 37119 ----a-w- c:\65bf44ad04b307a54456d43b6328\3076\eula.rtf


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

c:\documents and settings\Bob\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    stera

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/11/2011 11:17 AM 294608]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/11/2011 11:17 AM 17744]
R2 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [9/7/2005 5:18 PM 49336]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-127277287-1306173454-2756325771-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\D* x**]
"NamÈy÷"="pxplay.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-02-18  08:55:09 - machine was rebooted
ComboFix-quarantined-files.txt  2011-02-18 13:55
ComboFix2.txt  2011-02-15 16:26

Pre-Run: 10,448,576,512 bytes free
Post-Run: 10,268,381,184 bytes free

- - End Of File - - 8AD852E45BF0E4F43E431B57FF61E4FF
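
The log above reports `Bootkit TDL4` on `\\.\PhysicalDrive0` and, under "Reg Loading Points", a Windows Firewall set to 0 and Security Center monitoring disabled. Those are the lines a helper reads first when deciding whether a cleanup actually took. The following script is an added example, not part of the original post and not ComboFix's own code: it scans a ComboFix-style log excerpt (constructed from lines in the log above) and returns the findings a defender would want flagged after a cleanup. The XP default `BootExecute` value of `autocheck autochk *` is a known fact; everything else the script compares against comes from the log format shown on this page.

```python
"""Triage a ComboFix-style log for post-cleanup findings (added example, not ComboFix code)."""
import re

# Constructed excerpt modelled on the log in this thread; not the full log.
SAMPLE_LOG = r"""
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    stera

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
"""

# "\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected"
BOOTKIT_RE = re.compile(r"^(\\\\\.\\PhysicalDrive\d+) - (Bootkit \S+) was found", re.I)
# "[HKEY_LOCAL_MACHINE\...]" section headers
KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=value lines inside a section
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
# ComboFix prints BootExecute only when it is worth looking at
BOOTEXEC_RE = re.compile(r"^BootExecute\s+REG_MULTI_SZ\s+(.*)$")

# Stock Windows XP value for Session Manager\BootExecute.
DEFAULT_BOOTEXECUTE = "autocheck autochk *"


def dword_value(text):
    """Parse 'dword:00000001' into 1; return None for anything else."""
    m = re.match(r"^dword:([0-9a-fA-F]{1,8})$", text)
    return int(m.group(1), 16) if m else None


def triage(log_text):
    """Return [(severity, message), ...] for the security-relevant lines in the log."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                      # ComboFix uses lone dots as separators

        m = BOOTKIT_RE.match(line)
        if m:
            findings.append(("high", f"{m.group(2)} reported on {m.group(1)}; "
                                     "re-verify the disk after the next reboot"))
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue

        m = BOOTEXEC_RE.match(line)
        if m and "session manager" in current_key:
            value = m.group(1).strip()
            if value != DEFAULT_BOOTEXECUTE:
                findings.append(("medium", f"non-default BootExecute entry: {value!r}"))
            continue

        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if "firewallpolicy" in current_key and name == "EnableFirewall" and value.startswith("0"):
            findings.append(("high", f"Windows Firewall disabled in {current_key}"))
        elif "security center" in current_key and name == "DisableMonitoring" and dword_value(value) == 1:
            findings.append(("medium", f"Security Center monitoring disabled under {current_key}"))
    return findings


def worst_severity(findings):
    """'high' if any finding is high, 'medium' if any is medium, else 'none'."""
    levels = {sev for sev, _ in findings}
    return "high" if "high" in levels else "medium" if "medium" in levels else "none"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, msg in results:
        print(f"[{sev:6}] {msg}")
    print("overall:", worst_severity(results))
```

Run it against a saved `ComboFix.txt` by reading the file into `triage()`. A repeated bootkit detection across runs, as in this thread, is exactly what the "high" finding is meant to surface: a disinfected MBR that comes back means the cleanup did not hold, and the firewall and Security Center entries show what the infection left switched off.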

20.5K Posts

February 18th, 2011 06:00

Are you online with that computer? If so, how is it running?

16 Posts

February 18th, 2011 07:00

I can go online and it seems to be running fine.

I haven't really done much online because I was worried about how secure it was. My web surfing has been limited to brief searches for virus information and downloading virus scanners, which I only did after I ran a few virus scanners copied from a CD to get rid of the nasties. I updated all the Windows security fixes that were neglected and kept Avast because that's just my personal favorite, and I always have Windows Firewall on, except I turn it off when I do a virus scan.

I was told it had Blaster but I didn't find it, even using all the Blaster tools I could find. My brother said it kept shutting down and it had all the signs of Blaster, but I think someone else had started a scan before the computer ended up in my hands and maybe that cured it. When I turned the computer on an AVG scan resumed, so someone had attempted to fix it. I found the rootkit with Kaspersky, then Rootkit Buster, but nothing would remove it so I used ComboFix. It found rootkit TDL3 but it said it cleaned bootkit TDL4. I did another ComboFix and it did the same thing, found and cleaned the rootkit again. However, all other virus scanners were coming up clean after ComboFix and a few more passes of the other scanners. I got clean scans from Kaspersky, Avast, ESET, HitMan Pro, TDSSKiller, Malwarebytes, and SuperAntispyware but not ComboFix. I made sure to install/uninstall the different virus scanners to make sure they would not conflict with each other. I was worried the computer wasn't really clean because ComboFix was still finding bootkit TDL4 and there was some nasty stuff cleaned off this thing.

If you think it's a false alarm or you can't find anything, I can accept that and move on. This computer is in much better shape than when I got it. Everyone else thought it was dead and unfixable but now it boots up fine, I can get online, and it seems stable.

20.5K Posts

February 18th, 2011 08:00

The problem with systems having so many infections - especially if one is a backdoor.bot - is that you can never be absolutely sure that it is 100% clean. If your mother intends to use the computer for online shopping or banking, I would suggest a reformat. If it is being used just for email and surfing, that is better, but if you suspect any misuse of passwords, or anything like that, you might want to consider a reformat and reinstall of Windows. Definitely back up those pictures!

Run your CCleaner.

** Because CCleaner removes everything in temp folders, if you have anything saved in a temp folder, back it up or move it to a permanent folder prior to running CCleaner.

** We will be cleaning cookies as well. Make a note of any passwords, etc. that you want to save. If you do not want to delete cookies, simply uncheck that option.

1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

2. Then select the items you wish to clean up. In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:

  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean any others that you choose.

3. Click the "Analyze" button. When the list of files comes up, click the "Run Cleaner" button.

4. A pop up box will appear advising this process will permanently delete files from your system.

5. Click "OK" and it will scan and clean your system.

6. Click "exit" when done. REBOOT.

Let's uninstall ComboFix.

* Click Start then Run
Copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and the slash, then hit Enter.

This will remove ComboFix, run some cleanup procedures, and flush System Restore, thus creating a clean Restore Point.

Finally, please update your MalwareBytes' Anti-Malware and run a scan. Please post the log and let me know how things are running.
