A Windows XP Pro SP3 laptop (Dell Latitude 600) had a virus called "antimalware doctor". But now I'm not sure what the infection is called - the browsers (IE7 and Firefox) keep being redirected, and startup processes keep being regenerated with different names. See the log files below. What's disturbing is that I have run updated ComboFix, TDSSKiller, a Malwarebytes full scan and SUPERAntiSpyware full scans -- all AFTER running RKill, and in safe mode with networking as an administrative user. But RKill keeps finding and stopping startup programs that appear to be changing name each time I reboot and remove them with MBAM or SAS:
Examples of what RKill ends on different reboots:
C:\Documents and Settings\All Users\Start Menu\Programs\audioparseob
C:\Documents and Settings\All Users\Start Menu\Programs\bridgeacctob
Sometimes I run RKill (in safe mode) and it finds nothing; then I run it again 10 seconds later, and it finds and ends something.
As always, with AVG 9, ComboFix warned me to uninstall it. I did; same message. I used the AVG remover; same message. So I finally read about deleting the AVG program folder. Now I still get the warning about AVG being installed (it's not), but ComboFix will at least allow me to proceed.
But after the first time I ran ComboFix (I have since moved the laptop to my shop from the owner's house), for some reason ComboFix will not proceed past the "autoscan / scanning for infected files" point. Windows freezes and I have to reboot. Could it be because I'm not connected to the web? (Remember, ComboFix proceeds to the autoscan menu.)
FYI, for what it's worth, I turned off System Restore (but some infected files still appear to be showing up in the restore folders!).
I tried all the above as a result of what I saw on several sites including bleepingcomputer.com:
I'm currently trying Kaspersky Rescue Disk 10, but since I didn't see it referenced online I'm skeptical. (Plus I think it may be getting stuck as well in the "loading modules" phase!)
Since all the above was done in safe mode with networking, as an admin user -- should I do these scans all again in normal mode as the user who was infected? Is that likely to make a difference?
Based on my logs, what do you suggest I try next?