Trojan horse CRYPT.AQLW file can't delete? Help please!

[Dann427]

Ok so my friend has been infected with a virus that I cannot remove and from what I know, keeps duplicating itself. There is also a file that cannot be removed and says it is innaccessable, I am using teamviewer on his computer to try and help him but I cannot solve it. I also do not want to risk getting anything so I have pasted the notepads that the DDS has come up with. I am really confused at the moment, please help me fix this problem!

First Notepad - DDS, as instructed I have only put this one on. If needed I will post the second one. Thank you for helping me!

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_31

Run by Ariya at 16:00:14 on 2012-05-06

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2047.449 [GMT 1:00]

.

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\TEMP\cqsaht\setup.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\AVG\AVG2012\avgidsagent.exe

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Program Files\AVG\AVG2012\avgemcx.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Ask.com\Updater\Updater.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\AVG Secure Search\vprot.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE

C:\Program Files\TeamViewer\Version7\TeamViewer.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\TeamViewer\Version7\tv_w32.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\SearchProtocolHost.exe

c:\program files\teamviewer\version7\TeamViewer_Desktop.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\AVG\AVG2012\avgui.exe

C:\Program Files\AVG\AVG2012\avgscanx.exe

C:\Windows\system32\conhost.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\conhost.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\conhost.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://uk.search.yahoo.com/?fr=w3i&type=W3i_SP,204,0_0,StartPage,20110938,16939,0,8,0

mStart Page = hxxp://www.bigseekpro.com/hypercam/{DFA73CFD-DF38-4CD5-899E-CA10D0AAA329}

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

uURLSearchHooks: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll

uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\hyperionics db toolbar\tbhelper.dll

uURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll

mURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: Fast Search: {5ab7104a-b71f-49ad-9154-f7f8806ae848} - c:\program files\surf canyon\surfcanyon.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mif5ba~1\office14\GROOVEEX.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll

BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll

BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\hyperionics db toolbar\tbcore3.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: Hyperionics DB Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\hyperionics db toolbar\tbcore3.dll

TB: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll

TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [Facebook Update] "c:\users\ariya\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver

uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [<NO NAME>]

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{802EF500-5784-4DA0-9324-96140E0408C9} : DhcpNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.0.2\ViProtocol.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: ecojink - c:\windows\system32\config\systemprofile\appdata\local\ecojink.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mif5ba~1\office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\ariya\appdata\roaming\mozilla\firefox\profiles\lb07dvv8.default\

FF - prefs.js: browser.startup.homepage - hxxp://uk.foxstart.com/?rls=en:uk:zb

FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B3d17da72-03e7-4e12-a292-f031bbc784e8%7D&mid=713d8f2f898547d0b036bd2b2ba6d2e1-24bd564ae48e0af08340caeed311517bc1dfc63f&ds=AVG&v=11.0.0.9〈=en&pr=fr&d=2012-05-06%2014%3A27%3A50&sap=ku&q=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\progra~1\mif5ba~1\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\mif5ba~1\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\11.0.2\npsitesafety.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\ariya\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll

.

---- FIREFOX POLICIES ----

.

.

FF - user.js: extentions.y2layers.installId - 9d506fab-4967-46ed-867b-83020c78f632

FF - user.js: extentions.y2layers.defaultEnableAppsList - PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal,

.

============= SERVICES / DRIVERS ===============

.

R?2 AMService;AMService;c:\windows\temp\cqsaht\setup.exe run --> c:\windows\temp\cqsaht\setup.exe run [?]

R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-8-26 176128]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]

R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-8-27 1253376]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-6 654408]

R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-5-6 2666880]

R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\common files\avg secure search\vtoolbarupdater\11.0.2\ToolbarUpdater.exe [2012-5-6 932736]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-8-26 6380032]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-8-26 221696]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-8-15 101904]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-6 22344]

R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-6-10 657408]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-15 136176]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-4-1 183560]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\common files\magix services\database\bin\fbserver.exe [2008-8-7 3276800]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-8-18 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-15 136176]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-6 129976]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2012-05-06 14:35:19 -------- d-----w- c:\users\ariya\appdata\local\{AE2CC03D-4AC1-43CF-9561-E8A6F5DE3E0B}

2012-05-06 14:34:58 -------- d-----w- c:\users\ariya\appdata\local\{F49C6BE8-D3E7-4677-A27C-0279D2E3C45E}

2012-05-06 13:29:13 -------- d-----w- c:\users\ariya\appdata\roaming\AVG2012

2012-05-06 13:28:27 -------- d-----w- c:\users\ariya\appdata\local\AVG Secure Search

2012-05-06 13:27:49 -------- d-----w- c:\programdata\AVG Secure Search

2012-05-06 13:27:43 -------- d-----w- c:\program files\common files\AVG Secure Search

2012-05-06 13:27:42 -------- d-----w- c:\program files\AVG Secure Search

2012-05-06 13:26:49 -------- d--h--w- c:\programdata\Common Files

2012-05-06 13:24:01 -------- d--h--w- C:\$AVG

2012-05-06 13:23:59 -------- d-----w- c:\windows\system32\drivers\AVG

2012-05-06 13:23:59 -------- d-----w- c:\programdata\AVG2012

2012-05-06 13:22:54 -------- d-----w- c:\program files\AVG

2012-05-06 13:19:24 -------- d-----w- c:\programdata\MFAData

2012-05-06 13:13:21 -------- d-----w- c:\program files\CCleaner

2012-05-06 13:09:34 -------- d-----w- c:\users\ariya\appdata\roaming\Malwarebytes

2012-05-06 13:09:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-06 13:09:24 -------- d-----w- c:\programdata\Malwarebytes

2012-05-06 13:09:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-05-06 10:37:31 -------- d-----w- c:\program files\TeamViewer

2012-05-06 08:30:00 -------- d-----w- c:\users\ariya\appdata\local\{013C2E10-695B-4A43-9878-80109372A96E}

2012-05-06 08:29:46 -------- d-----w- c:\users\ariya\appdata\local\{D9651F86-7A68-4D29-AD86-EDA0C3DB8CAC}

2012-05-05 23:28:31 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-05-05 23:28:26 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-05 21:58:05 -------- d-----w- c:\users\ariya\appdata\local\{F1208264-1248-4679-9FA9-AE063CE3F95A}

2012-05-05 21:57:53 -------- d-----w- c:\users\ariya\appdata\local\{A3F1BC28-D34E-4003-B376-C2F57D57662E}

2012-05-05 10:07:57 -------- d-----w- c:\users\ariya\appdata\local\{E850923D-B67C-4B02-8388-67009D2C68B8}

2012-05-05 10:07:41 -------- d-----w- c:\users\ariya\appdata\local\{AF521640-C121-44DE-BFBA-AE8D9DED5D5C}

2012-05-04 15:49:17 -------- d-----w- c:\users\ariya\appdata\local\{0CF04481-1AC8-418C-9C4B-244B8349B598}

2012-05-04 15:49:00 -------- d-----w- c:\users\ariya\appdata\local\{A793C59B-E656-4B86-9975-0DD84C98DCE1}

2012-05-03 15:33:33 -------- d-----w- c:\users\ariya\appdata\local\{CB756D30-D079-4AE1-AA69-E1512AC36B0D}

2012-05-03 15:33:20 -------- d-----w- c:\users\ariya\appdata\local\{2D28E324-9CAF-41EB-8E5E-3DBB0CABDFED}

2012-05-02 18:47:17 -------- d-----w- c:\users\ariya\appdata\local\{5619EDD7-562E-47DD-9250-63B6A93A6CA4}

2012-05-02 18:47:06 -------- d-----w- c:\users\ariya\appdata\local\{D769BD59-BF8F-4610-A1D0-919A8FDA830C}

2012-05-01 16:24:49 -------- d-----w- c:\users\ariya\appdata\roaming\LolClient

2012-05-01 15:13:05 -------- d-----w- c:\users\ariya\appdata\local\{14AECAC7-4434-4D64-A6C4-8211D14D260F}

2012-05-01 15:12:51 -------- d-----w- c:\users\ariya\appdata\local\{4A98DA7F-3669-4148-81F1-41C1FE7B5072}

2012-04-30 21:53:24 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll

2012-04-30 21:53:24 509448 ----a-w- c:\windows\system32\XAudio2_2.dll

2012-04-30 21:53:24 467984 ----a-w- c:\windows\system32\d3dx10_39.dll

2012-04-30 21:53:24 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll

2012-04-30 21:53:24 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

2012-04-30 21:50:19 -------- d-----w- C:\Riot Games

2012-04-30 21:05:30 -------- d-----w- c:\users\ariya\appdata\local\PMB Files

2012-04-30 21:05:29 -------- d-----w- c:\programdata\PMB Files

2012-04-30 21:05:17 -------- d-----w- c:\program files\Pando Networks

2012-04-30 20:49:57 -------- d-----w- c:\users\ariya\appdata\local\{1DCB7A99-5FC7-46CA-9417-1AECA9F2C602}

2012-04-30 20:49:39 -------- d-----w- c:\users\ariya\appdata\local\{DA64DFE1-5F32-4C3C-9285-E33E89F6845F}

2012-04-29 10:19:46 -------- d-----w- c:\users\ariya\appdata\local\{78579D77-DA73-4369-81E9-8F037AC619B3}

2012-04-29 10:19:32 -------- d-----w- c:\users\ariya\appdata\local\{BAD46870-F7EE-4550-917A-3AE412514140}

2012-04-28 17:07:40 -------- d-----w- c:\users\ariya\appdata\local\{66A26ADC-A33F-4328-9247-6EFF46CFD3D5}

2012-04-28 17:07:17 -------- d-----w- c:\users\ariya\appdata\local\{2F32907E-C7A8-472E-BB3B-5FD09FAF499E}

2012-04-27 19:20:52 -------- d-----w- c:\users\ariya\appdata\local\{E4DC4BC2-EEF3-4725-9660-29C5D6F650C5}

2012-04-27 19:20:39 -------- d-----w- c:\users\ariya\appdata\local\{E70989F3-D23A-4411-8BC2-185046B953E3}

2012-04-26 17:59:19 -------- d-----w- c:\users\ariya\appdata\local\{66551C86-D07B-4372-B619-8FD6CDF5B433}

2012-04-26 17:59:06 -------- d-----w- c:\users\ariya\appdata\local\{DA3C227C-ED97-457E-9BDB-638FBF0A923A}

2012-04-25 16:16:18 -------- d-----w- c:\users\ariya\appdata\local\{2C40B425-2E08-4C58-81CB-D6372E8F2D31}

2012-04-25 16:16:01 -------- d-----w- c:\users\ariya\appdata\local\{5193273A-E37F-4CEB-90AB-D149A6D49576}

2012-04-24 19:58:50 -------- d-----w- c:\users\ariya\appdata\local\{678866A6-C6B8-44EF-BF9F-98F0F39A7A7A}

2012-04-24 19:58:35 -------- d-----w- c:\users\ariya\appdata\local\{65C30C1C-72B7-4CB4-9F32-6A181F915FB3}

2012-04-23 14:51:37 -------- d-----w- c:\users\ariya\appdata\local\{D3EA5405-C14D-48D5-993D-77B31E3E2503}

2012-04-23 14:51:24 -------- d-----w- c:\users\ariya\appdata\local\{A904C416-6BB1-45FE-AE54-58DF7C029F64}

2012-04-22 15:35:55 -------- d-----w- c:\users\ariya\appdata\local\{5E06A41B-57E1-4CA1-86B1-D8B04401860D}

2012-04-22 15:35:37 -------- d-----w- c:\users\ariya\appdata\local\{0EF008EA-92FC-4D78-9F64-83556CDAB6D4}

2012-04-21 10:06:09 -------- d-----w- c:\users\ariya\appdata\local\{9A1737FD-007A-49E7-A9B5-F268F3D295D3}

2012-04-21 10:05:56 -------- d-----w- c:\users\ariya\appdata\local\{A663394F-5F1F-4738-AD60-74C25DC587D4}

2012-04-20 20:07:05 -------- d-----w- c:\users\ariya\appdata\local\{569AD7BE-6DAB-47B3-B129-1D977BBB7E53}

2012-04-20 20:06:51 -------- d-----w- c:\users\ariya\appdata\local\{C08B9172-4AB6-4A95-A621-D03E7502090F}

2012-04-20 19:34:26 -------- d-----w- c:\users\ariya\appdata\local\{A74DC77F-54BC-438F-BE7D-93D5B3900F3F}

2012-04-20 19:34:14 -------- d-----w- c:\users\ariya\appdata\local\{C28B479A-8396-4916-B8B4-F9ADA39E395A}

2012-04-19 15:34:09 -------- d-----w- c:\users\ariya\appdata\local\{D0308067-965B-46F4-BA0D-CC1A3DA40FB8}

2012-04-19 15:33:50 -------- d-----w- c:\users\ariya\appdata\local\{C5A7D9E8-981D-487F-9250-D94B7D1502C4}

2012-04-19 03:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys

2012-04-18 17:58:47 -------- d-----w- c:\users\ariya\appdata\local\{A0ABF289-76DB-4E0B-A2A6-19F9417970CE}

2012-04-18 17:58:29 -------- d-----w- c:\users\ariya\appdata\local\{1B63D34E-4219-4BFB-BB44-0DA3E7E933AA}

2012-04-17 14:43:01 -------- d-----w- c:\users\ariya\appdata\local\{456F586D-91C4-4C1A-806B-3A7A3A500731}

2012-04-17 14:42:49 -------- d-----w- c:\users\ariya\appdata\local\{CAF030CE-56AA-4328-95CE-D52C9C6DAB84}

2012-04-16 19:45:52 -------- d-----w- c:\users\ariya\appdata\local\{88A16200-463C-491B-9555-258031D6D8BA}

2012-04-16 19:45:40 -------- d-----w- c:\users\ariya\appdata\local\{F20AF46B-BE86-4117-BD26-19746177E777}

2012-04-15 12:57:46 -------- d-----w- c:\users\ariya\appdata\local\{1E46989A-C42B-4F77-B3CE-79DEF9938711}

2012-04-15 12:57:34 -------- d-----w- c:\users\ariya\appdata\local\{AA34E097-F0B4-4284-BB29-476105E75659}

2012-04-14 22:23:16 -------- d-----w- c:\users\ariya\appdata\local\{EDCE1BC3-4CC5-4604-AA9C-0FD78BE9FAF3}

2012-04-14 22:23:03 -------- d-----w- c:\users\ariya\appdata\local\{2F91A007-1FDD-4AF1-8A8D-A6F6192F9090}

2012-04-14 15:06:33 -------- d-----w- c:\users\ariya\appdata\local\{FCB99D93-4400-477C-8388-3B1A9D7FF99B}

2012-04-14 15:06:17 -------- d-----w- c:\users\ariya\appdata\local\{870CB96D-E90D-4191-A60A-371F8148F302}

2012-04-14 13:32:27 -------- d-----w- c:\users\ariya\PwnXileHD

2012-04-14 13:13:03 -------- d-----w- c:\users\ariya\appdata\local\{F4EEC25A-F677-48EB-B626-41B3AA7F6DCD}

2012-04-14 13:12:47 -------- d-----w- c:\users\ariya\appdata\local\{8521045B-891C-4411-9181-586A8A98BE86}

2012-04-14 02:24:52 -------- d-----w- c:\programdata\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}

2012-04-14 02:24:01 -------- d-----w- c:\windows\system32\appmgmt

2012-04-13 14:35:32 -------- d-----w- c:\users\ariya\appdata\local\{32DF2CE5-6084-4E98-99DE-053B980DEE38}

2012-04-13 14:35:18 -------- d-----w- c:\users\ariya\appdata\local\{E63597E5-3223-40B0-8813-45D87F152900}

2012-04-13 02:08:01 -------- d-----w- c:\users\ariya\appdata\local\{AD2E601A-39F3-41D4-95C2-961D92638936}

2012-04-13 02:07:25 -------- d-----w- c:\users\ariya\appdata\local\{16EE44AB-CDEB-4992-9C0E-6603B772CEC8}

2012-04-12 15:32:25 -------- d-----w- c:\users\ariya\appdata\local\{C1621D9B-8779-42A5-84D0-DCD73B5ECCA5}

2012-04-12 15:32:12 -------- d-----w- c:\users\ariya\appdata\local\{0BE73C1A-9967-4194-8749-C40D4A065E2C}

2012-04-11 16:19:32 -------- d-----w- c:\users\ariya\appdata\local\{B66D043C-424B-4944-A4C3-E53E04089935}

2012-04-11 16:19:21 -------- d-----w- c:\users\ariya\appdata\local\{F1ADB503-FE11-4800-85DC-D3E4A6A7567A}

2012-04-11 16:16:40 -------- d-----w- c:\users\ariya\appdata\local\{6BCD0C81-3CA1-42BD-A604-FE61ECCC1847}

2012-04-11 11:27:28 -------- d-----w- c:\users\ariya\appdata\local\{2E718E14-E385-4A4F-8891-C70E7B1C0F1A}

2012-04-11 11:27:16 -------- d-----w- c:\users\ariya\appdata\local\{E1C97042-D154-4714-BC12-1DCFF9175426}

2012-04-10 15:53:31 -------- d-----w- c:\users\ariya\appdata\local\{CF92AE4A-3664-4175-962E-B6851DAA943C}

2012-04-10 15:53:19 -------- d-----w- c:\users\ariya\appdata\local\{50C6711D-C833-4BC8-BFD3-F08F78D68399}

2012-04-10 15:51:35 -------- d-----w- c:\users\ariya\appdata\local\{18A88A12-3B04-4F07-BF0B-9DAE566468FB}

2012-04-10 15:51:23 -------- d-----w- c:\users\ariya\appdata\local\{F246B0BA-AE09-4B07-80F5-EFC52EAAB154}

2012-04-10 13:35:52 -------- d-----w- c:\users\ariya\appdata\local\{D9E9A2B9-C4A1-43CF-B3D3-3D732BFA9BBF}

2012-04-10 13:35:40 -------- d-----w- c:\users\ariya\appdata\local\{48B7DA48-C77E-4CFB-8900-D48338FBC17C}

2012-04-09 20:15:19 -------- d-----w- c:\users\ariya\appdata\local\{29EB0134-A781-4393-BF78-EBA9EFB03931}

2012-04-09 20:15:07 -------- d-----w- c:\users\ariya\appdata\local\{B40E6705-2ECA-4269-9719-F92F8FB55F0C}

2012-04-09 19:28:28 -------- d-----w- c:\users\ariya\appdata\local\{C68D5361-B5E5-4C81-9B69-C5057C97818F}

2012-04-09 19:28:14 -------- d-----w- c:\users\ariya\appdata\local\{84C66F07-8E17-48D8-9414-8AF4D571D93A}

2012-04-08 10:59:53 -------- d-----w- c:\users\ariya\appdata\local\{C33C9AD7-1DCD-44FA-9883-439C8141D83D}

2012-04-08 10:59:39 -------- d-----w- c:\users\ariya\appdata\local\{0E7AA9AB-9F0A-4597-8658-52D6491C8987}

2012-04-07 11:08:12 -------- d-----w- c:\users\ariya\appdata\local\{1F1EE7E5-3E28-4C0F-9B12-9C9D2867AE29}

2012-04-07 11:07:51 -------- d-----w- c:\users\ariya\appdata\local\{24E75807-D61A-4103-943A-A4739A687A9C}

.

==================== Find3M ====================

.

2012-05-05 23:28:26 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-02 19:35:30 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-03-19 04:17:28 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2012-02-22 04:25:32 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys

.

============= FINISH: 16:01:10.74 ===============

[Dann427]

Also there is an adloader installed so whenever he goes on firefox the ads keep coming up in a different tab

[MrCharlie]

Welcome to the forum.

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

• There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  
• There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  
• I strongly suggest you back up all of the important items on the system before we continue.
  

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

------------------------------------------------------------------------

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

[MrCharlie]

How are we doing??

Do you still need help or can I close this post??

MrC

[LDTate]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!