
Author Topic: "..." not a valid Win32 application, The application or DLL not valid windows im  (Read 31057 times)


diggerjoy

    Topic Starter


    Rookie

    Hi SD,
    Not trying to be difficult, but those instructions were for Windows 7, and I have Windows XP Media Center Edition 2005.  I did try looking for how to boot to system recovery options on my own though, and it seemed they were saying to just go to Safe Mode to get Safe Mode with command prompt.  I did that, went through the process of selecting my user name (HP_Administrator), got C:\Documents and Settings\HP_Administrator>, then tried entering bootrec /fixmbr (I remembered to include the space).  Got the message that bootrec was not recognized as an internal or external command, operable program, or batch file.  So I typed exit, and then just got the black screen with safe mode in the 4 corners.  Didn't know how to get out of that, so I just turned off the computer with the power button.

    I do have a disk my daughter made when we got this computer; it is labeled "HP Recovery Tools CD".  I looked at the contents with WinExplorer: it has a lot of language file folders, some file folders that begin with R and a number, some files that are labeled bootfont with different extensions (they seem to correspond to the languages), and some files labeled WIN51, WIN51.B@, WIN511C, etc.

    I also have a set of 3 recovery disks she made when we got the computer, I'm assuming they are for a destructive recovery?  I have not looked at them.

    Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery.  I don't know if any of this info helps you decide what to do next.  As I said, I'm not trying to be difficult, but want to make sure I'm doing the right thing.  Thanks.

    After writing all this, I found this site online that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message?

    http://support.microsoft.com/kb/266745

    I also found this site that says it also applies to XP:

    http://www.tomshardware.com/forum/87475-45-fixmbr-dont

    I'm not trying to undermine or second-guess you, just trying to help with research (I don't expect you to know everything. :>).  I won't do anything that you haven't checked and said I should do.  If you say go ahead then I'll do it.  Thanks!
    « Last Edit: April 03, 2012, 03:30:59 PM by diggerjoy »

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Quote
    Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery
    Yes, that's the recovery console we're trying to get into.
    Quote
    After writing all this, I found this site online that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message?
    I would say just ignore the warning as MS stated in their article. But first, you should save all your important data just in case we have to use the Recovery disks.
    Windows 8 and Windows 10 dual boot with two SSD's

    diggerjoy


      Wow--that was QUICK!  No problems.  Here's the log from MBRcheck:

      MBRCheck, version 1.2.3
      (c) 2010, AD

      Command-line:         
      Windows Version:      Windows XP Professional
      Windows Information:      Service Pack 3 (build 2600)
      Logical Drives Mask:      0x00000f1c

      Kernel Drivers (total 143):
        0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
        0x806E5000 \WINDOWS\system32\hal.dll
        0xF7A3C000 \WINDOWS\system32\KDCOM.DLL
        0xF794C000 \WINDOWS\system32\BOOTVID.dll
        0xF740D000 ACPI.sys
        0xF7A3E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
        0xF73FC000 pci.sys
        0xF753C000 isapnp.sys
        0xF754C000 ohci1394.sys
        0xF755C000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
        0xF7950000 compbatt.sys
        0xF7954000 \WINDOWS\system32\DRIVERS\BATTC.SYS
        0xF7B04000 pciide.sys
        0xF77BC000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
        0xF7A40000 viaide.sys
        0xF7A42000 intelide.sys
        0xF756C000 MountMgr.sys
        0xF73DD000 ftdisk.sys
        0xF7A44000 dmload.sys
        0xF73B7000 dmio.sys
        0xF77C4000 PartMgr.sys
        0xF757C000 VolSnap.sys
        0xF739F000 atapi.sys
        0xF758C000 disk.sys
        0xF759C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
        0xF737F000 fltmgr.sys
        0xF736D000 sr.sys
        0xF75AC000 PxHelp20.sys
        0xF7356000 KSecDD.sys
        0xF72C9000 Ntfs.sys
        0xF729C000 NDIS.sys
        0xF7282000 Mup.sys
        0xF6D60000 kl1.sys
        0xF76FC000 \SystemRoot\system32\DRIVERS\intelppm.sys
        0xF631D000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
        0xF6309000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
        0xF7914000 \SystemRoot\system32\DRIVERS\usbohci.sys
        0xF62E5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
        0xF791C000 \SystemRoot\system32\DRIVERS\usbehci.sys
        0xF770C000 \SystemRoot\system32\DRIVERS\imapi.sys
        0xF771C000 \SystemRoot\system32\DRIVERS\cdrom.sys
        0xF772C000 \SystemRoot\system32\DRIVERS\redbook.sys
        0xF62C2000 \SystemRoot\system32\DRIVERS\ks.sys
        0xF7924000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
        0xF629A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
        0xF792C000 \SystemRoot\system32\DRIVERS\fdc.sys
        0xF6286000 \SystemRoot\system32\DRIVERS\parport.sys
        0xF773C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
        0xF7934000 \SystemRoot\system32\DRIVERS\PS2.sys
        0xF793C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
        0xF7A78000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
        0xF7944000 \SystemRoot\system32\DRIVERS\point32.sys
        0xF77D4000 \SystemRoot\system32\DRIVERS\mouclass.sys
        0xF7A7A000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
        0xF7814000 \SystemRoot\system32\DRIVERS\aracpi.sys
        0xF6241000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
        0xF614A000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
        0xF6094000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
        0xF781C000 \SystemRoot\System32\Drivers\Modem.SYS
        0xF6080000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
        0xF774C000 \SystemRoot\system32\DRIVERS\nic1394.sys
        0xF7A28000 \SystemRoot\system32\DRIVERS\arpolicy.sys
        0xF7C8D000 \SystemRoot\system32\DRIVERS\audstub.sys
        0xF775C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
        0xF7A2C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
        0xF6069000 \SystemRoot\system32\DRIVERS\ndiswan.sys
        0xF776C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
        0xF777C000 \SystemRoot\system32\DRIVERS\raspptp.sys
        0xF7824000 \SystemRoot\system32\DRIVERS\TDI.SYS
        0xF6058000 \SystemRoot\system32\DRIVERS\psched.sys
        0xF778C000 \SystemRoot\system32\DRIVERS\msgpc.sys
        0xF782C000 \SystemRoot\system32\DRIVERS\ptilink.sys
        0xF7834000 \SystemRoot\system32\DRIVERS\raspti.sys
        0xF6000000 \SystemRoot\system32\DRIVERS\rdpdr.sys
        0xF779C000 \SystemRoot\system32\DRIVERS\termdd.sys
        0xF7A7C000 \SystemRoot\system32\DRIVERS\swenum.sys
        0xF5FA2000 \SystemRoot\system32\DRIVERS\update.sys
        0xF6D30000 \SystemRoot\system32\DRIVERS\mssmbios.sys
        0xF77AC000 \SystemRoot\System32\Drivers\NDProxy.SYS
        0xF763C000 \SystemRoot\system32\DRIVERS\usbhub.sys
        0xF7A7E000 \SystemRoot\system32\DRIVERS\USBD.SYS
        0xF1A0B000 \SystemRoot\system32\drivers\RtkHDAud.sys
        0xF19E7000 \SystemRoot\system32\drivers\portcls.sys
        0xF766C000 \SystemRoot\system32\drivers\drmk.sys
        0xF1970000 \SystemRoot\system32\DRIVERS\klif.sys
        0xF7A8A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
        0xF7C12000 \SystemRoot\System32\Drivers\Null.SYS
        0xF7A8C000 \SystemRoot\System32\Drivers\Beep.SYS
        0xF7C14000 \SystemRoot\System32\Drivers\ATMhelpr.SYS
        0xF784C000 \SystemRoot\System32\drivers\vga.sys
        0xF7A8E000 \SystemRoot\System32\Drivers\mnmdd.SYS
        0xF7A90000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
        0xF7854000 \SystemRoot\System32\Drivers\Msfs.SYS
        0xF785C000 \SystemRoot\System32\Drivers\Npfs.SYS
        0xF6040000 \SystemRoot\system32\DRIVERS\rasacd.sys
        0xF7864000 \SystemRoot\system32\DRIVERS\kl2.sys
        0xF6030000 \SystemRoot\system32\DRIVERS\usbscan.sys
        0xF1915000 \SystemRoot\system32\DRIVERS\ipsec.sys
        0xF18BC000 \SystemRoot\system32\DRIVERS\tcpip.sys
        0xF1894000 \SystemRoot\system32\DRIVERS\netbt.sys
        0xF1815000 \SystemRoot\System32\vsdatant.sys
        0xF17EF000 \SystemRoot\system32\DRIVERS\ipnat.sys
        0xF6513000 \SystemRoot\system32\DRIVERS\wanarp.sys
        0xF5F9E000 \SystemRoot\system32\DRIVERS\hidusb.sys
        0xF6503000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
        0xF786C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
        0xF7874000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
        0xF64F3000 \SystemRoot\system32\DRIVERS\arp1394.sys
        0xF787C000 \SystemRoot\system32\DRIVERS\usbprint.sys
        0xF5F92000 \SystemRoot\System32\drivers\ws2ifsl.sys
        0xF17CD000 \SystemRoot\System32\drivers\afd.sys
        0xF64E3000 \SystemRoot\system32\DRIVERS\netbios.sys
        0xF17AB000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
        0xF7884000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
        0xF1730000 \SystemRoot\system32\DRIVERS\rdbss.sys
        0xF1698000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
        0xF64D3000 \SystemRoot\System32\Drivers\Fips.SYS
        0xF788C000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
        0xF1674000 \SystemRoot\System32\Drivers\Fastfat.SYS
        0xF165C000 \SystemRoot\System32\Drivers\dump_atapi.sys
        0xF7AC0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
        0xBF800000 \SystemRoot\System32\win32k.sys
        0xF19CB000 \SystemRoot\System32\drivers\Dxapi.sys
        0xF78B4000 \SystemRoot\System32\watchdog.sys
        0xBF000000 \SystemRoot\System32\drivers\dxg.sys
        0xF7C3A000 \SystemRoot\System32\drivers\dxgthk.sys
        0xBF012000 \SystemRoot\System32\ati2dvag.dll
        0xBF055000 \SystemRoot\System32\ati2cqag.dll
        0xBF09A000 \SystemRoot\System32\atikvmag.dll
        0xBF0D0000 \SystemRoot\System32\ati3duag.dll
        0xBF362000 \SystemRoot\System32\ativvaxx.dll
        0xBF4BA000 \SystemRoot\System32\ATMFD.DLL
        0xEF490000 \??\C:\WINDOWS\system32\drivers\mbam.sys
        0xEF428000 \SystemRoot\system32\DRIVERS\ndisuio.sys
        0xF789C000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
        0xEEE67000 \SystemRoot\system32\drivers\wdmaud.sys
        0xEF3B4000 \SystemRoot\system32\drivers\sysaudio.sys
        0xEECFC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
        0xEEB53000 \SystemRoot\System32\Drivers\HTTP.sys
        0xEEAD3000 \SystemRoot\system32\DRIVERS\srv.sys
        0xEEB4F000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
        0xEE713000 \SystemRoot\System32\Drivers\Cdfs.SYS
        0x7C900000 \WINDOWS\system32\ntdll.dll

      Processes (total 56):
             0 System Idle Process
             4 System
           548 C:\WINDOWS\system32\smss.exe
           620 csrss.exe
           648 C:\WINDOWS\system32\winlogon.exe
           692 C:\WINDOWS\system32\services.exe
           704 C:\WINDOWS\system32\lsass.exe
           860 C:\WINDOWS\system32\ati2evxx.exe
           876 C:\WINDOWS\system32\svchost.exe
           948 svchost.exe
          1016 C:\WINDOWS\system32\svchost.exe
          1104 svchost.exe
          1160 svchost.exe
          1204 C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
          1472 C:\WINDOWS\system32\ati2evxx.exe
          1564 C:\WINDOWS\explorer.exe
          1868 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
          2004 C:\WINDOWS\system32\spoolsv.exe
           164 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
          1044 svchost.exe
          1100 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
          1176 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
          1304 C:\WINDOWS\arservice.exe
          1340 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
          1416 C:\Program Files\Bonjour\mDNSResponder.exe
          1348 C:\WINDOWS\ehome\ehrecvr.exe
          1732 C:\WINDOWS\ehome\ehSched.exe
          1884 C:\Program Files\Java\jre6\bin\jqs.exe
          2056 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
          2164 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
          2296 svchost.exe
          2352 C:\WINDOWS\system32\svchost.exe
          2440 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
          2504 mcrdsvc.exe
          2584 C:\WINDOWS\system32\wuauclt.exe
          3000 C:\WINDOWS\system32\dllhost.exe
          3264 alg.exe
          3280 wmiprvse.exe
          3352 C:\WINDOWS\ehome\ehtray.exe
          3368 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
          3428 C:\WINDOWS\arpwrmsg.exe
          3596 C:\WINDOWS\ehome\ehmsas.exe
          3776 C:\Program Files\iTunes\iTunesHelper.exe
          4008 C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
          4072 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
           208 C:\Program Files\Common Files\Java\Java Update\jusched.exe
           584 C:\Program Files\real\realplayer\Update\realsched.exe
          1488 C:\PROGRA~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
          2816 C:\Program Files\iPod\bin\iPodService.exe
          2932 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
          2952 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
          3248 C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
          3748 C:\hp\KBD\kbd.exe
          3880 C:\WINDOWS\system\hpsysdrv.exe
          1528 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
          2236 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe

      \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)
      \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000038`11f9bc00  (FAT32)

      PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02

            Size  Device Name          MBR Status
        --------------------------------------------
          232 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
                  SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


      Done!

      SuperDave

      Ok, the MBR has been fixed. That's a major step.

      SysProt Antirootkit

      Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

      http://sites.google.com/site/sysprotantirootkit/

      Unzip it into a folder on your desktop.
      • Double click Sysprot.exe to start the program.
      • Click on the Log tab.
      • In the Write to log box select the following items.
        • Process << Selected
        • Kernel Modules << Selected
        • SSDT << Selected
        • Kernel Hooks << Selected
        • IRP Hooks << NOT Selected
        • Ports << NOT Selected
        • Hidden Files << Selected
      • At the bottom of the page
        • Hidden Objects Only << Selected
      • Click on the Create Log button on the bottom right.
      • After a few seconds a new window should appear.
      • Select Scan Root Drive. Click on the Start button.
      • When it is complete a new window will appear to indicate that the scan is finished.
      • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

      diggerjoy


        I probably should have thought to ask this earlier: has my information been vulnerable during this infection/invasion?  In other words, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised?   :'(

        Here's the scan (thank you for all this help, BTW):

        SysProt AntiRootkit v1.0.1.0
        by swatkat

        ******************************************************************************************
        ******************************************************************************************

        No Hidden Processes found

        ******************************************************************************************
        ******************************************************************************************
        Kernel Modules:
        Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
        Service Name: ---
        Module Base: F15A0000
        Module End: F15B8000
        Hidden: Yes

        Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
        Service Name: ---
        Module Base: F7AC2000
        Module End: F7AC4000
        Hidden: Yes

        ******************************************************************************************
        ******************************************************************************************
        SSDT:
        Function Name: ZwAdjustPrivilegesToken
        Address: F18D466E
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwClose
        Address: F18D4F02
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwConnectPort
        Address: F177A2F4
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwCreateEvent
        Address: F18D57D0
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwCreateFile
        Address: F17745CA
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwCreateKey
        Address: F179358A
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwCreateMutant
        Address: F18D56A8
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwCreateNamedPipeFile
        Address: F18D4274
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwCreatePort
        Address: F177AA80
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwCreateProcess
        Address: F178DE4E
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwCreateProcessEx
        Address: F178E23C
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwCreateSection
        Address: F17976F6
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwCreateSemaphore
        Address: F18D5902
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwCreateSymbolicLinkObject
        Address: F18D758C
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwCreateThread
        Address: F18D4BA0
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwCreateWaitablePort
        Address: F177ABB6
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwDebugActiveProcess
        Address: F18D6F36
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwDeleteFile
        Address: F17751E0
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwDeleteKey
        Address: F1794E3C
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwDeleteValueKey
        Address: F17947B2
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwDeviceIoControlFile
        Address: F18D5178
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwDuplicateObject
        Address: F178CD8A
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwEnumerateKey
        Address: F18D3FAC
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwEnumerateValueKey
        Address: F18D4056
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwFsControlFile
        Address: F18D4F84
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwLoadDriver
        Address: F176FE88
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwLoadKey
        Address: F1795794
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwLoadKey2
        Address: F179599C
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwMapViewOfSection
        Address: F1797A5E
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwNotifyChangeKey
        Address: F18D41A2
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwOpenEvent
        Address: F18D5872
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwOpenFile
        Address: F1774DF2
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwOpenKey
        Address: F18D36BE
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwOpenMutant
        Address: F18D5740
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwOpenProcess
        Address: F1790160
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwOpenSection
        Address: F18D75B6
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwOpenSemaphore
        Address: F18D59A4
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwOpenThread
        Address: F178FD8A
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwProtectVirtualMemory
        Address: F17A4090
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwQueryKey
        Address: F18D4100
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwQueryMultipleValueKey
        Address: F18D3D28
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwQuerySection
        Address: F18D7958
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwQueryValueKey
        Address: F18D3978
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwQueueApcThread
        Address: F18D72A6
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwRenameKey
        Address: F179672A
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwReplaceKey
        Address: F1796060
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwReplyPort
        Address: F18D5D2E
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwReplyWaitReceivePort
        Address: F18D5BF4
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwRequestWaitReplyPort
        Address: F1779EC4
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwRestoreKey
        Address: F17970FC
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwResumeThread
        Address: F18D7E30
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwSaveKey
        Address: F18D332A
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwSecureConnectPort
        Address: F177A59C
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwSetContextThread
        Address: F18D4DBE
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwSetInformationFile
        Address: F17755A4
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwSetInformationObject
        Address: F17A3F7C
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwSetInformationToken
        Address: F18D6586
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwSetSecurityObject
        Address: F1796C6A
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwSetSystemInformation
        Address: F176F648
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwSetValueKey
        Address: F1793F72
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwSuspendProcess
        Address: F18D7B7C
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwSuspendThread
        Address: F18D7CA4
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwSystemDebugControl
        Address: F178EEA4
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwTerminateProcess
        Address: F178EC20
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwTerminateThread
        Address: F18D4956
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwUnloadDriver
        Address: F177029C
        Driver Base: F1759000
        Driver End: F17D8000
        Driver Name: \SystemRoot\System32\vsdatant.sys

        Function Name: ZwUnmapViewOfSection
        Address: F18D780E
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        Function Name: ZwWriteVirtualMemory
        Address: F18D4AE0
        Driver Base: F18B4000
        Driver End: F1903000
        Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

        ******************************************************************************************
        ******************************************************************************************
        No Kernel Hooks found

        ******************************************************************************************
        ******************************************************************************************
        Hidden files/folders:
        Object: C:\Qoobox\BackEnv\AppData.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Cache.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Cookies.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Desktop.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Favorites.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\History.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Music.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\NetHood.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Personal.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Pictures.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Programs.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Recent.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SendTo.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SetPath.bat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\StartUp.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SysPath.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Templates.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\VikPev00
        Status: Access denied





        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Quote
        has my information been vulnerable during this infection/invasion?  In otherwords, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised?
        Well, you did have a rootkit which could have compromised your computer. Here's what you should do just to be safe.
        Do you have ZoneAlarm Firewall?


        It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

        Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

        Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

         What danger is presented by rootkits?
         Rootkits and how to combat them
         r00tkit Analysis: What Is A Rootkit

        If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
        How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
        What Should I Do If I've Become A Victim Of Identity Theft?
         Identity Theft Victims Guide - What to do
        It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
        When should I re-format? How should I reinstall?
        Help: I Got Hacked. Now What Do I Do?
        Help: I Got Hacked. Now What Do I Do? Part II
        Where to draw the line? When to recommend a format and reinstall?

        Guides for format and reinstall:

        how-to-reformat-and-reinstall-your-operating-system-the-easy-way

        However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
        If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

        Should you have any questions, please feel free to ask.
        *****************************************************
        I'd like to scan your machine with ESET OnlineScan

        • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
        ESET OnlineScan
        • Click the button.
        • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        • Click on to download the ESET Smart Installer. Save it to your desktop.
        • Double click on the icon on your desktop.
        • Check
        • Click the button.
        • Accept any security warnings from your browser.
        • Check
        • Push the Start button.
        • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        • When the scan completes, push
        • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        • Push the button.
        • Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
        Windows 8 and Windows 10 dual boot with two SSD's

        diggerjoy


          Hi Dave,

          Well, now that I’m thoroughly sick, I have questions, and I hope you can help and don’t mind continuing to help me.
          I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot?  I’ve had it on my computer since you helped me a couple of years ago.)  I also have WOT.  I periodically update and run CCleaner, SAS, Spybot, Spyware Blaster, MBAM, although unfortunately I’ll admit it’s probably been 6 months.  Why didn’t ZA or teatimer catch this stuff coming in?  Do you think they prevented anything going out?

          I tried reading all the links you provided; frankly, I was way in over my head and didn’t understand a good deal of it.  I got the idea that rootkits can sometimes be purposely installed for legitimate use.  In December I had problems logging into one of the servers at work through the internet, and the tech people said they had to remotely access my computer to fix the problem.  They sent me an “invitation” I had to accept so they could gain remote access.  Is there any chance that’s where the rootkits came from and they’re harmless?  Is there any way to tell where they came from and what they did--or are doing?

          I read also that malware can be downloaded to your computer through image files.  Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference.  I have hundreds of pictures.  I backed them all up to CD along with my other files when I did the back-ups this week.  Would they have been scanned when downloaded?  Would something have shown up if there was something in them?  Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?)

          Are there any other types of files malware could now be hiding in--word or excel files, for example..

          I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks.  I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?)  Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line?  Is it really a fail-safe? 

          I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords.  Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it?  Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site.  Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago.  I shudder to think that I typed in social security #s and everything.  Is this info vulnerable?)

          One of the articles mentioned something about changing passwords if you use a router.  We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless.  This computer is the administrator for the router.  Is her computer in danger?  Do I need to change the password? (And if I do, how do I know it’s safe to do it now?)

          I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?)  It’s been back on most of the time since then though.  But teatimer resident is still off--I turned it off when your instructions said to.  Should I turn it back on yet?

          ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller.  I’m assuming they’re nothing to worry about now.  Is that correct?

          Last thing: In prepping ESET to scan, the instructions said to check “scan archives”.  When I checked that box, there was another box above it checked, the one for fix problems.  Since the instructions didn’t say to check that box, I unchecked it.  Should I have left it checked?  Should I run ESET again with it checked?

          My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised.  I thought as I was on a secure site there was nothing to worry about.  Is there no way to determine if anything was stolen?

          I apologize for all the questions; this really just has me sick.  Here’s the scan; I appreciate anything you can do to help or any information you can give me.


          ESETSmartInstaller@High as CAB hook log:
          OnlineScanner.ocx - registred OK
          # version=7
          # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
          # OnlineScanner.ocx=1.0.0.6583
          # api_version=3.0.2
          # EOSSerial=ee88f3395f713448af264009a4a0aa3e
          # end=finished
          # remove_checked=false
          # archives_checked=true
          # unwanted_checked=true
          # unsafe_checked=false
          # antistealth_checked=true
          # utc_time=2012-04-06 02:22:58
          # local_time=2012-04-05 10:22:58 (-0500, Eastern Daylight Time)
          # country="United States"
          # lang=1033
          # osver=5.1.2600 NT Service Pack 3
          # compatibility_mode=512 16777215 100 0 71250665 71250665 0 0
          # compatibility_mode=8192 67108863 100 0 70886976 70886976 0 0
          # compatibility_mode=9217 16776533 100 13 2026307 11854075 0 0
          # scanned=153944
          # found=4
          # cleaned=0
          # scan_time=20021
          C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0002.dta   Win64/Olmarik.AD trojan (unable to clean)   00000000000000000000000000000000   I
          C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0004.dta   Win64/Olmarik.AG trojan (unable to clean)   00000000000000000000000000000000   I
          C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0005.dta   a variant of Win32/Rootkit.Kryptik.KS trojan (unable to clean)   00000000000000000000000000000000   I
          C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0006.dta   Win64/Olmarik.AF trojan (unable to clean)   00000000000000000000000000000000   I
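
A small triage script for the two log formats posted in this thread (the kernel-hook report near the top of the page and the ESET Online Scanner result lines just above), added here as an example and not part of the original thread or any of the tools it mentions. It applies the reasoning given in the replies: a hook whose target address falls inside the named driver's image is accounted for by that driver (klif.sys, assumed here to be a security-suite filter driver), and a detection whose path sits inside a quarantine folder is already contained. All sample lines are constructed after the posted ones.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the kernel-hook report posted earlier in
# this thread. The second block is invented so the range check has a miss to flag.
HOOK_LOG = """\
Function Name: ZwWriteVirtualMemory
Address: F18D4AE0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \\SystemRoot\\system32\\DRIVERS\\klif.sys

Function Name: ZwOpenProcess
Address: 8A3F1000
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \\SystemRoot\\system32\\DRIVERS\\klif.sys
"""

# Constructed sample in the ESET Online Scanner result-line format posted in this
# thread: path, detection, hash column, action flag. The first line copies the
# posted one; the second path is an invented placeholder outside any quarantine.
ESET_LOG = (
    "C:\\TDSSKiller_Quarantine\\30.03.2012_14.48.11\\mbr0000\\tdlfs0000\\tsk0002.dta"
    "\tWin64/Olmarik.AD trojan (unable to clean)\t00000000000000000000000000000000\tI\n"
    "C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Temp\\sample.tmp"
    "\ta variant of Win32/Rootkit.Kryptik.KS trojan (unable to clean)"
    "\t00000000000000000000000000000000\tI\n"
)


@dataclass
class Hook:
    function: str
    address: int
    driver_base: int
    driver_end: int
    driver: str

    def inside_driver(self) -> bool:
        # The hook is explained by the listed driver only if its target lies
        # within that driver's image [base, end). Anything else deserves a look.
        return self.driver_base <= self.address < self.driver_end


HOOK_BLOCK = re.compile(
    r"Function Name:\s*(\S+)\s+Address:\s*([0-9A-Fa-f]+)\s+"
    r"Driver Base:\s*([0-9A-Fa-f]+)\s+Driver End:\s*([0-9A-Fa-f]+)\s+"
    r"Driver Name:\s*(\S+)"
)


def parse_hooks(text: str) -> list:
    """Parse the five-line hook blocks into Hook records (addresses are hex)."""
    return [Hook(f, int(a, 16), int(b, 16), int(e, 16), d)
            for f, a, b, e, d in HOOK_BLOCK.findall(text)]


@dataclass
class Finding:
    path: str
    detection: str
    flag: str


# Folders where earlier tools in this thread put things they already isolated.
QUARANTINE_DIRS = ("\\tdsskiller_quarantine\\", "\\qoobox\\quarantine\\")


def parse_eset(text: str) -> list:
    """Split result lines on tabs (or the 3+ spaces a forum paste turns them into)."""
    out = []
    for line in text.splitlines():
        parts = [p for p in re.split(r"\t+| {3,}", line.strip()) if p]
        if len(parts) >= 4:
            out.append(Finding(parts[0], parts[1], parts[-1]))
    return out


def in_quarantine(path: str) -> bool:
    low = path.lower()
    return any(q in low for q in QUARANTINE_DIRS)


def triage(hook_text: str, eset_text: str) -> dict:
    """Separate what is already explained or contained from what still needs attention."""
    hooks = parse_hooks(hook_text)
    findings = parse_eset(eset_text)
    return {
        "hooks_outside_driver": [h.function for h in hooks if not h.inside_driver()],
        "already_quarantined": [f.path for f in findings if in_quarantine(f.path)],
        "active_findings": [f.path for f in findings if not in_quarantine(f.path)],
    }


if __name__ == "__main__":
    for key, items in triage(HOOK_LOG, ESET_LOG).items():
        print(key, items)
```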

          SuperDave

          Quote
          I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot? 
          Is your Zone Alarm Security Suite firewall enabled? TeaTimer belongs to Spybot.
          Quote
          Why didn’t ZA or teatimer catch this stuff coming in?  Do you think they prevented anything going out?
          If your Firewall is like mine I would imagine it caught the out-going traffic.
          Quote
          They sent me an “invitation” I had to accept so they could gain remote access.  Is there any chance that’s where the rootkits came from and they’re harmless?  Is there any way to tell where they came from and what they did--or are doing?
          It's almost impossible to determine where the rootkit came from.
          Quote
          I read also that malware can be downloaded to your computer through image files.  Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference.  I have hundreds of pictures.  I backed them all up to CD along with my other files when I did the back-ups this week.  Would they have been scanned when downloaded?  Would something have shown up if there was something in them?  Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?)
          It really depends where you downloaded them from. I really can't say if they had been scanned but I would imagine they were. They should be scanned before replacing them on your computer. Scan them with your AV and also MBAM.
          Quote
          Are there any other types of files malware could now be hiding in--word or excel files, for example..
          Not likely unless you received a file from someone who was infected.
          Quote
          I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks.  I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?)  Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line?  Is it really a fail-safe? 
          That's really the safest way to go and it is fail-safe.
          Quote
          I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords.  Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it?  Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site.  Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago.  I shudder to think that I typed in social security #s and everything.  Is this info vulnerable?)
          That could only be done if a keylogger was put on your computer and there was no evidence of that.
          Quote
          One of the articles mentioned something about changing passwords if you use a router.  We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless.  This computer is the administrator for the router.  Is her computer in danger?  Do I need to change the password? (And if I do, how do I know it’s safe to do it now?)
          Some modems do have passwords on them and some don't. It probably wouldn't hurt to change it.
          Quote
          I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?)  It’s been back on most of the time since then though.  But teatimer resident is still off--I turned it off when your instructions said to.  Should I turn it back on yet?
          I'm not sure how ZoneAlarm works. You should turn on teatimer again.
          Quote
          ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller.  I’m assuming they’re nothing to worry about now.  Is that correct?
          As soon as TDSSKiller is removed, they will be gone.
          Quote
          My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised.  I thought as I was on a secure site there was nothing to worry about.  Is there no way to determine if anything was stolen?
          I highly doubt it especially if you have the ZoneAlarm Firewall enabled.
          Let's do some cleanup


          To uninstall ComboFix

          • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
          • In the field, type in ComboFix /uninstall


          (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

          • Then, press Enter, or click OK.
          • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
          *****************************************************
          Clean out your temporary internet files and temp files.

          Download TFC by OldTimer to your desktop.

          Double-click TFC.exe to run it.

          Note: If you are running on Vista, right-click on the file and choose Run As Administrator

          TFC will close all programs when run, so make sure you have saved all your work before you begin.

          * Click the Start button to begin the cleaning process.
          * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
          * Please let TFC run uninterrupted until it is finished.

          Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
          *****************************************************
          Use the Secunia Software Inspector to check for out of date software.

          • Click Start Now

          • Check the box next to Enable thorough system inspection.

          • Click Start

          • Allow the scan to finish and scroll down to see if any updates are needed.
          • Update anything listed.
          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

          SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
          Safe Surfing!

          diggerjoy


            Hi Superdave,
            I can't thank you enough, both for helping me and for having the patience to answer all my questions (and address my fears!).  I ran the scans you recommended.  I have just a couple more questions:

            I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary?  I was thinking I should add TFC (or is CCleaner enough), ESET, Secunia occasionally...should I?  Should I also be running anything else on a regular basis (like TDSSkiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use?

            Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them?

            Secunia listed 4 instances of Java; I checked Java's website and they said delete older versions, so I'm just updating the latest.

            Are we all done now, and would it be OK to defrag?  With all the stuff I've removed, I'm sure it needs it.

            Again, Thank you for all you've done; I can't imagine how I would have handled this without you.  As I said, this computer is my livelihood and my family's sole income and source of security.  What you've done is extremely important.  Thank you again!
            « Last Edit: April 07, 2012, 12:20:30 PM by diggerjoy »

            SuperDave

            Quote
            I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary?
            It's probably not necessary but if you have the time it wouldn't hurt.
            Quote
            I was thinking I should add TFC (or is CCleaner enough), ESET, Secunia occasionally...should I?
            Wouldn't hurt.
            Quote
            Should I also be running anything else on a regular basis (like TDSSkiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use?
            No, that's not necessary.
            Quote
            Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them?
            Not necessary. You probably won't need them again.
            Quote
            Are we all done now, and would it be OK to defrag?  With all the stuff I've removed, I'm sure it needs it.
            It's a good idea to do that about once a month.

            You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.