code 80073EFE and hijack this log

Hi ,

Welcome to Dell Community Malware Removal Forums,

I'm K27 and i will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything else apart from what I direct you to do until I have given you the all clear

I know you already run MBAM but please follow these instructions:

• Double click your Malwarebytes desktop icon
• Click the UPDATE tab at the top
• Scan for and install any updates it finds
• Then choose the SCANNER tab and run a FULL SCAN
• Once finished if MBAM found anything please click Show Results
• Make sure EVERYTHING has a check in the box next to it and then click Remove Selected
• Post the MBAM log results back to this thread

NOTE: If MBAM encounters a file that is hard to remove it will prompt for a delete on reboot, answer yes to this and once rebooted please run another scan and post that scan's log results along with the log results from before reboot which can be found under the LOGS tab of Malwarebytes.


I need to see some additional information about what is happening in your machine.
Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool.
• When done, DDS will open two (2) logs

• Save both reports to your desktop.
• The instructions here ask you to attach the Attach.txt.

• Instead of attaching, please copy/past both logs into your next reply.

• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE


Please COPY/PASTE the MBAM log and BOTH DDS logs back to this thread, Also please provide the log from the first time you run MBAM, it can be found under the Logs tab and will be dated of when you run MBAM,
And please post the MBAM log from when you run it on you own <---Important I really need to see this log

Thanks
K27.

Oh I forgot to mention the first MBAM that I ran was done in safe mode. The second was not (don't know if this matters or not but passing the info along to you).

Thank you for your help! I am still getting the 80072EFE error along with a Windows Defender error that it will not update either. I have also noticed (as of this morning) I have blocked start-up programs but for the time being I am leaving them blocked as I do not know what they are. Here is the first of TWO MBAM logs, the first I ran in safe mode this morning:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4171

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18904

6/6/2010 8:39:45 AM
mbam-log-2010-06-06 (08-39-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 251245
Time elapsed: 33 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Mike\AppData\Local\Temp\Low\win1DD4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win1FFB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win37B9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win39FF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win3FF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win519E.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win5403.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win616.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win6B64.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win6DC9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win8286.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win8558.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win9C6B.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\win9F2E.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winA1A2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winB650.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winB913.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winBAEB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winD035.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winD26B.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winEA2A.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winEC31.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Mike\AppData\Local\Temp\Low\winEE48.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Here is the second one after I noticed you replied to this thread (ran just a little while ago):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4173

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

6/6/2010 2:56:46 PM
mbam-log-2010-06-06 (14-56-46).txt

Scan type: Full scan (C:\|)
Objects scanned: 254529
Time elapsed: 56 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And now the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Mike at 15:08:55.17 on Sun 06/06/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2036.904 [GMT -5:00]

AV: Defender Pro Antivirus *On-access scanning enabled* (Updated)   {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Defender Pro Internet Security *On-access scanning enabled* (Outdated)   {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Defender Pro Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Defender Pro Internet Security *enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *enabled*   {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Firewall *enabled*   {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\AERTSrv.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.knology.net/index.php
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2081111
uSearch Bar =
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Defender Pro Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ ]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 MMIndexer;Media Manager Indexer;c:\program files\common files\microsoft shared\media manager\AIRSVCU.EXE [1997-7-15 136704]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-1 1153368]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-9-18 103944]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-20 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-20 251904]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 Arrakis3;Defender Pro Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-7 108176]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-11 30192]

=============== Created Last 30 ================

2010-06-05 15:37:17 0 d-----w- C:\MAIDEN
2010-06-04 23:44:27 0 d-----w- C:\SPIDERMAN3
2010-06-04 18:30:35 0 d-----w- c:\windows\system32\catroot2
2010-06-03 13:06:19 0 d-----w- c:\program files\Trend Micro
2010-06-02 18:07:10 0 d-----w- c:\program files\Media Manager
2010-06-02 18:06:54 0 d-----w- C:\My Pictures
2010-06-02 18:06:24 0 d-----w- c:\program files\Microsoft Picture It!
2010-06-01 21:23:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-28 22:29:59 132 ----a-w- C:\httpdwl.dat
2010-05-18 01:34:14 0 d-----w- c:\programdata\DVD Shrink
2010-05-18 01:34:12 0 d-----w- c:\program files\DVD Shrink

==================== Find3M  ====================

2010-06-06 14:55:09 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-03 17:18:26 2656 ----a-w- c:\users\mike\appdata\roaming\wklnhst.dat
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 21:50:02 23111 ----a-w- c:\windows\hpqins15.dat
2010-02-25 00:39:00 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-25 00:39:00 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-25 00:39:00 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-14 21:53:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-09 19:15:13 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-11-28 15:52:44 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-11-28 15:52:44 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-11-28 15:52:44 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-11-11 21:20:25 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:10:13.78 ===============

Finally the DDS attach log. Again, thanks for your help and patience as I am novice at most of this

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 11/11/2008 7:37:52 AM
System Uptime: 6/6/2010 1:41:14 PM (2 hours ago)

Motherboard: Dell Inc. |  | 0RY007
Processor: Intel(R) Celeron(R) CPU          450  @ 2.20GHz | Socket 775 | 2194/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 283 GiB total, 189.271 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 9.772 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11.5
ArcSoft Software Suite
Browser Address Error Redirector
BufferChm
CareBears Catch A Star (remove only)
CCScore
Compatibility Pack for the 2007 Office system
Copy
Defender Pro 5-in-1
Dell-eBay
Dell Best of Web
Dell Dock
Dell Getting Started Guide
Dell Support Center (Support Software)
Destinations
DeviceDiscovery
DJ_AIO_05_F4400_Software_Min
DVD Shrink 3.2
EA Download Manager
EDocs
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
F4400
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
GoToAssist 8.0.0.514
GPBaseService2
HelloKitty (remove only)
HiJackThis
HLPIndex
HLPRFO
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 13.0
HP Deskjet F4400 Printer Driver Software 13.0 Rel .5
HP Imaging Device Functions 13.0
HP Print Projects 1.0
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPPhotoGadget
hpPrintProjects
HPProductAssistant
HPSSupply
hpWLPGInstaller
ImgBurn
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.1.11.0
Java(TM) 6 Update 7
JumpStart Artist
JumpStart Explorers
Kodak EasyShare software
KSU
LITTLEST PET SHOP™
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft Media Manager 1.5
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Picture It! 2.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Works
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nikon Message Center
Notifier
OGA Notifier 2.0.0048.0
OTtBP
OTtBPSDK
PCDADDIN
PCDHELP
PictureProject
QuickTime
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Scan
SFR
SFR2
SHASTA
Shop for HP Supplies
SKIN0001
SKINXSDK
SmartWebPrinting
SolutionCenter
Spybot - Search & Destroy
Status
Strawberry Shortcake - Amazing Cookie Party
The Digital Arts and Crafts Studio
Toolbox
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VPRINTOL
WebReg
WinRAR archiver
WIRELESS
WONswap

==== End Of File ===========================

Hi Mikeinfla,

You are more than Welcome,

The first thing we need to do is disable Spybot's Teatimer function as it interfere with the tools we are going to use,  instructions for disabling TeaTimer below:

•    Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
•    On the left hand side, click on Tools, then click on the Resident Icon in the list.
•    Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
•    Click on the "System Startup" icon in the List
•    Uncheck the "TeaTimer" box and "OK" any prompts.
•    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
•    Exit Spybot S&D when done.
•    (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]

.

Next I need you to go to programs and features in control panel and remove the below items. If they were downloaded from a trusted and reliable source then you can keep them and just skip this bit.

• Start (windows icon bottom left corner of screen)
• Control panel
• Add/Remove programs

SKIN0001
SKINXSDK

• Uninstall
• Reboot PC

This next bit is very important:

Please click the Windows key (the one with the Windows icon located on bottom left of Keyboard) > and copy/paste the bold writing regedit /e C:\regback.reg to the diagloge box and hit enter.
Please wait until your loading icon (hour glass/spinning circle) finishes before continuing.

Then Please download OTM by OldTimer. Save it to your desktop.

Double click OTM.exe to start the tool.

• Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

  ----------------------------------------------------------------------

  :processes
  explorer.exe
  
  :reg
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Run]
  " "=-
  
  :files
  C:\httpdwl.dat
  c:\windows\system32\bdod.bin
  
  :commands
  [emptytemp]
  [start explorer]
  [reboot]

  ---------------------------------------------------------------------

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
  
  Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

   

  If the machine reboots, the Results log can be found here:

  c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

  Where mmddyyyy_hhmmss is the date of the tool run.

  Please post the OTM log back to this thread.

  Thanks,
  K27.

Had no problem finding teatimer, etc in SpyBot. But in the next step I went into control panel and selected "uninstall a program" (there is no add/remove programs option in Vista that I am aware of). When I did this step I did not see SKIN0001 or SKINXSDK. I have no idea what they are so I do want them removed. I haven't made any further steps as I am stumped at this point. I do not see an option for "show hidden files" or anything like that when I go to the uninstall screen.

Thanks,

Mike

Mike, I apologize for intruding in this thread. K27 and I are in different time zones and he is not online tonight.

I did not see SKIN0001 or SKINXSDK. I have no idea what they are so I do want them removed.

Bugbatter:

No problem. The more help the better. I will try the steps he gave me tomorrow (after 10pm here). I am off work until Friday and will have time to play around with this tomorrow and longer if needed.

Thanks,

Mike

Hi Mikeinfla,

Bugbatter is quite right, the programs I listed to be removed are related to your Kodak software and are quite save to keep.

It was last for me when I posted my last replay and was a mistake on my part, Sorry about that. :emotion-10:

Please continue with the instructions, SKIPPING the part about removing SKIN0001 and SKINXSDK.

Thanks

K27

My computer did not want to d/load OTM. Said it was an unsafe file but I d/loaded it anyway. I have no idea what any of this does so I am glad I have some decent help! Here are the results:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Run\\ not found.
========== FILES ==========
C:\httpdwl.dat moved successfully.
c:\windows\system32\bdod.bin moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Mike
->Temp folder emptied: 6496888 bytes
->Temporary Internet Files folder emptied: 117091882 bytes
->Java cache emptied: 2654986 bytes
->Flash cache emptied: 31575 bytes
 
User: Public
 
User: Rhonda
->Temp folder emptied: 4971882 bytes
->Temporary Internet Files folder emptied: 181250005 bytes
->Java cache emptied: 5149716 bytes
->Flash cache emptied: 9610 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 27738427 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 16689132 bytes
RecycleBin emptied: 14010029495 bytes
 
Total Files Cleaned = 13,706.00 mb
 
 
OTM by OldTimer - Version 3.1.12.2 log created on 06072010_081145

Files moved on Reboot...
C:\Users\Mike\AppData\Local\Temp\Low\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
File C:\Users\Mike\AppData\Local\Temp\~DF2D78.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2D82.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2E31.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2E5E.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2E9F.tmp not found!
File C:\Users\Mike\AppData\Local\Temp\~DF2EC2.tmp not found!
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File C:\Windows\temp\flaD25F.tmp not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[1].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[2].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[3].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7ZLRYSL\ad[4].aspx not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA9CXCCV\7a324c767530774d384c494143546165[1].htm not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA9CXCCV\ad_loader[1].php not found!
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA9CXCCV\tpp[1].htm moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\results[1].aspx moved successfully.
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\view[1].html not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\view[2].html not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAF0Z0DX\view[3].html not found!
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WXDBQFO\ad[1].aspx moved successfully.
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WXDBQFO\pluck_1_4[1].js not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WXDBQFO\vodka-empire-1-what-vodka-empire[1].html%20 not found!

Registry entries deleted on Reboot...

Hi,

Good work :emotion-2:

Sometimes some of the files I ask you to run will be flagged by Anti-Virus Programs as being malicious due to the capabilities of the file and what it can do.
You done the right thing continuing with the download, anything I ask you to download and run should cause no harm to the system and is certainly not malicious.

YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL,

Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)

• Anti Virus
• Anti Spyware
• Firewall

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Then please perform a rootkit scan:

• Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to launch it
• When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
• When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab,and then select the Scan button.
• Leave your system completely idle while this longer scan is in progress.
• When the scan is done, save the scan log to the Windows clipboard
• Open Notepad or a similar text editor
• Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
• Exit the Program
• Save the Scan log as ARK.txt and post it in your next reply.
• Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.

If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first inital quick scan,this can be saved in the same way as the full scan in the above instructions.

Please leave all active protection disabled while running the online scan

Run an online virus scan called Kaspersky from HERE.

• 1. At the main page. Press on " Accept". After reading the contents.
  2. At the next window Select Update. Allow the Database to update.
  Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
  3. Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
  4. Select Scan Report.
  5. If any threats were found they will appear in the report
  6. Select "Save error report as"
  Then in the file name just type in kaspersky
  Under "save as type" select text .txt
  Save it to your Desktop.

  Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

   

  Please post the ARK log and the Kaspersky log back to this thread.

  Thanks,
  K27.

   

I was unable to get Kaspersky to run. It would not give me an option to "accept" it just grayed out. Maybe it takes a while? Anyway, here is the ARK.txt

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 17:29:19
Windows 6.0.6002 Service Pack 2
Running: vw9zkyl2.exe; Driver: C:\Users\Mike\AppData\Local\Temp\kxldypod.sys

---- System - GMER 1.0.15 ----

SSDT            \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys                                                                                ZwOpenProcess [0xAA054C90]
SSDT            \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys                                                                                ZwOpenThread [0xAA054D7E]
SSDT            \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys                                                                                ZwTerminateProcess [0xAA054BF4]
SSDT            \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys                                                                                ZwTerminateThread [0xAA054EC4]

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!KeSetEvent + 3F1                                                                                                                 81EEAB54 2 Bytes  [90, 4C] {NOP ; DEC ESP}
.text           ntkrnlpa.exe!KeSetEvent + 3F4                                                                                                                 81EEAB57 1 Byte  [AA]
.text           ntkrnlpa.exe!KeSetEvent + 40D                                                                                                                 81EEAB70 2 Bytes  [7E, 4D] {JLE 0x4f}
.text           ntkrnlpa.exe!KeSetEvent + 410                                                                                                                 81EEAB73 1 Byte  [AA]
.text           ntkrnlpa.exe!KeSetEvent + 621                                                                                                                 81EEAD84 6 Bytes  [F4, 4B, 05, AA, C4, 4E]
.text           ...                                                                                                                                          
.rsrc           C:\Windows\system32\DRIVERS\mouclass.sys                                                                                                      entry point in ".rsrc" section [0x8BB21014]

---- User code sections - GMER 1.0.15 ----

.text           C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtProtectVirtualMemory                                                                        76EC4D34 5 Bytes  JMP 0082000A
.text           C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtWriteVirtualMemory                                                                          76EC5674 5 Bytes  JMP 0083000A
.text           C:\Windows\system32\svchost.exe[1312] ntdll.dll!KiUserExceptionDispatcher                                                                     76EC5DC8 5 Bytes  JMP 0081000A
.text           C:\Windows\system32\svchost.exe[1312] ole32.dll!CoCreateInstance                                                                              766F9EA6 5 Bytes  JMP 00A5000A
.text           C:\Windows\system32\svchost.exe[1312] USER32.dll!GetCursorPos                                                                                 76B10B88 5 Bytes  JMP 01B8000A
.text           C:\Windows\Explorer.EXE[3604] ntdll.dll!NtProtectVirtualMemory                                                                                76EC4D34 5 Bytes  JMP 007D000A
.text           C:\Windows\Explorer.EXE[3604] ntdll.dll!NtWriteVirtualMemory                                                                                  76EC5674 5 Bytes  JMP 0082000A
.text           C:\Windows\Explorer.EXE[3604] ntdll.dll!KiUserExceptionDispatcher                                                                             76EC5DC8 5 Bytes  JMP 007C000A
.text           C:\Windows\system32\wuauclt.exe[4024] ntdll.dll!NtProtectVirtualMemory                                                                        76EC4D34 5 Bytes  JMP 000E000A
.text           C:\Windows\system32\wuauclt.exe[4024] ntdll.dll!NtWriteVirtualMemory                                                                          76EC5674 5 Bytes  JMP 0010000A
.text           C:\Windows\system32\wuauclt.exe[4024] ntdll.dll!KiUserExceptionDispatcher                                                                     76EC5DC8 5 Bytes  JMP 000D000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe[836] @ C:\Windows\system32\WS2_32.dll [NSI.dll!NsiSetAllParameters]  [77021AC8] C:\Windows\system32\NSI.dll (NSI User-mode interface DLL/Microsoft Corporation)
IAT             C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe[836] @ C:\Windows\system32\WS2_32.dll [NSI.dll!NsiGetParameter]      [770219DB] C:\Windows\system32\NSI.dll (NSI User-mode interface DLL/Microsoft Corporation)
IAT             C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe[836] @ C:\Windows\system32\WS2_32.dll [NSI.dll!NsiGetAllParameters]  [77021630] C:\Windows\system32\NSI.dll (NSI User-mode interface DLL/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                                                         [73E57817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                                          [73EAA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                                                      [73E5BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                                                [73E4F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                                          [73E575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                                                       [73E4E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]                                           [73E88395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]                                              [73E5DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                                                      [73E4FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                                                       [73E4FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                                                        [73E471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]                                                [73EDCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]                                                   [73E7C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                                                      [73E4D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                                                [73E46853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                                               [73E4687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[3604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                                                  [73E52AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\tdx \Device\Tcp                                                                                                                       bdftdif.sys
AttachedDevice  \Driver\tdx \Device\Udp                                                                                                                       bdftdif.sys
AttachedDevice  \FileSystem\fastfat \Fat                                                                                                                      fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device           -> \Driver\atapi \Device\Harddisk0\DR0                                                                                                       85A49D01

---- Files - GMER 1.0.15 ----

File            C:\Windows\system32\DRIVERS\mouclass.sys                                                                                                      suspicious modification
File            C:\Windows\system32\drivers\atapi.sys                                                                                                         suspicious modification

---- EOF - GMER 1.0.15 ----

Finally got Kaspersky to scan but it has been going for over 3 hours. It just finished and found nothing wrong

Hi,

Even though Kaspersky came back clean, you are still infected with a rootkit called TDL3. We can remove this, but we still have work to do.

Please Open notepad and copy/paste the text between the dotted lines to the notepad page. (Note: DO NOT copy the lines, just the text between them)

==========================================================

@echo off
cls
echo................Searching for File..............
echo...............Please be patient................
dir /a d /s "%systemdrive%\mouclass.sys" > log.txt
notepad log.txt
del %0

==========================================================

Save this as search.bat
Choose to "Save type as - All Files"
Save it on your desktop.

It should look like this:
Double click on search.bat & allow it to run.

Once the search has finished there will be a notepad file saved to your desktop, please copy/paste the contents of the notepad file be to me.

Thanks
K27

I ran it and it finished almost instantly. The black box that was running said ......searching for file...... please be patient..... file not found

Again, this part was instant but about 20 seconds later the log popped up and here is what it says (and I hope I did the above right. It working so fast makes me wonder if I did it right).

 Volume in drive C is OS
 Volume Serial Number is 4462-9F49

 Directory of C:\Windows\System32\drivers

01/20/2008  09:23 PM            34,360 mouclass.sys
               1 File(s)         34,360 bytes

 Directory of C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_3dfa3917

11/02/2006  04:49 AM            31,848 mouclass.sys
               1 File(s)         31,848 bytes

 Directory of C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_8b7c4328

01/20/2008  09:23 PM            34,360 mouclass.sys
               1 File(s)         34,360 bytes

 Directory of C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.16609_none_4c56cf70d52c8670

01/20/2008  09:09 PM            34,360 mouclass.sys
               1 File(s)         34,360 bytes

 Directory of C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.20734_none_4cbafb05ee66fb5a

01/20/2008  09:09 PM            34,360 mouclass.sys
               1 File(s)         34,360 bytes

 Directory of C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6001.18000_none_4e340b7cd25b3352

01/20/2008  09:23 PM            34,360 mouclass.sys
               1 File(s)         34,360 bytes

     Total Files Listed:
               6 File(s)        203,648 bytes
               0 Dir(s)  227,067,691,008 bytes free

Hi Mikeinfla,

Your doing really well, that was exactly what was meant to happen :emotion-2:

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)

• Anti Virus
• Anti Spyware
• Firewall

Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:

Combo-fix MUST be save to your desktop before running the tool

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

When prompted to install the recovery console please make sure to do so as the is a VERY IMPORTANT backup of Combo-fix XP only

You will need to be conected to the net to install the recovery console, if you can not install it DO NOT run Combo-Fix,
Post back and we will install it manually.

DO NOT mouse click when Combo-Fix is running as this will cause Combo-Fix to Stall and it will not work as it should

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks