Solve : "..." not a valid Win32 application, The application or DLL no

1.	Solve : "..." not a valid Win32 application, The application or DLL not valid windows im?
Answer» Hi SD, Not trying to be difficult, but those instructions were for Windows 7, and I have Windows XP Media Center Edition 2005. I did try looking for how to boot to systems recovery options on my own though, and it seemed they were saying to just go to Safe Mode to get Safe Mode with command prompt. I did that, went through the process of selecting my user name (HP_Administrator), got C:\Documents and Settings\HP_Administrator> Tried entering bootrec /fixmbr (I remembered to include the space). Got the message that bootrec was not recognized as an internal or external command, operable program, or batch file. So I typed exit, and then just got the black screen with safe mode in the 4 corners. Didn't know how to get out of that, so I just turned off the computer with the power button. I do have a disk my daughter made when we got this computer, it is labeled "HP Recovery Tools CD". I looked at the contents with WinExplorer: it has a lot of language file folders, some file folders that begin with R and a number, some files that are labeled bootfont with a different extensions (they seem to correspond to the languages), and some files labeled WIN51, [emailprotected], WIN511C, etc. I also have a set of 3 recovery disks she made when we got the computer, I'm assuming they are for a destructive recovery? I have not looked at them. Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery. I don't know if any of this info helps you decide what to do next. As I said, I'm not trying to be difficult, but want to make sure I'm doing the right THING. Thanks. After writing all this, I found this site on line that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message ? http://support.microsoft.com/kb/266745 I also found this site that says it also applies to XP: http://www.tomshardware.com/forum/87475-45-fixmbr-dont I'm not trying to undermine or second-guess you, just trying to help with research (I don't expect you to know everything. :>). I won't do anything that you haven't checked and said I should do. If you say go ahead then I'll do it. Thanks!Quote Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery Yes, that's the recovery console we're trying to get into. Quote After writing all this, I found this site on line that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message ? I would say just ignore the warning as MS stated in their article. But first, you should save all your important data just in case we have to use the Recovery disks. Wow--that was QUICK! No problems. Here's the log from MBRcheck: MBRCheck, version 1.2.3 (c) 2010, AD Command-line: Windows Version:Windows XP Professional Windows Information:Service Pack 3 (build 2600) Logical Drives Mask:0x00000f1c Kernel Drivers (total 143): 0x804D7000 \WINDOWS\system32\ntkrnlpa.exe 0x806E5000 \WINDOWS\system32\hal.dll 0xF7A3C000 \WINDOWS\system32\KDCOM.DLL 0xF794C000 \WINDOWS\system32\BOOTVID.dll 0xF740D000 ACPI.sys 0xF7A3E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS 0xF73FC000 pci.sys 0xF753C000 isapnp.sys 0xF754C000 ohci1394.sys 0xF755C000 \WINDOWS\system32\DRIVERS\1394BUS.SYS 0xF7950000 compbatt.sys 0xF7954000 \WINDOWS\system32\DRIVERS\BATTC.SYS 0xF7B04000 pciide.sys 0xF77BC000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS 0xF7A40000 viaide.sys 0xF7A42000 intelide.sys 0xF756C000 MountMgr.sys 0xF73DD000 ftdisk.sys 0xF7A44000 dmload.sys 0xF73B7000 dmio.sys 0xF77C4000 PartMgr.sys 0xF757C000 VolSnap.sys 0xF739F000 atapi.sys 0xF758C000 disk.sys 0xF759C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS 0xF737F000 fltmgr.sys 0xF736D000 sr.sys 0xF75AC000 PxHelp20.sys 0xF7356000 KSecDD.sys 0xF72C9000 Ntfs.sys 0xF729C000 NDIS.sys 0xF7282000 Mup.sys 0xF6D60000 kl1.sys 0xF76FC000 \SystemRoot\system32\DRIVERS\intelppm.sys 0xF631D000 \SystemRoot\system32\DRIVERS\ati2mtag.sys 0xF6309000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS 0xF7914000 \SystemRoot\system32\DRIVERS\usbohci.sys 0xF62E5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS 0xF791C000 \SystemRoot\system32\DRIVERS\usbehci.sys 0xF770C000 \SystemRoot\system32\DRIVERS\imapi.sys 0xF771C000 \SystemRoot\system32\DRIVERS\cdrom.sys 0xF772C000 \SystemRoot\system32\DRIVERS\redbook.sys 0xF62C2000 \SystemRoot\system32\DRIVERS\ks.sys 0xF7924000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys 0xF629A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys 0xF792C000 \SystemRoot\system32\DRIVERS\fdc.sys 0xF6286000 \SystemRoot\system32\DRIVERS\parport.sys 0xF773C000 \SystemRoot\system32\DRIVERS\i8042prt.sys 0xF7934000 \SystemRoot\system32\DRIVERS\PS2.sys 0xF793C000 \SystemRoot\system32\DRIVERS\kbdclass.sys 0xF7A78000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys 0xF7944000 \SystemRoot\system32\DRIVERS\point32.sys 0xF77D4000 \SystemRoot\system32\DRIVERS\mouclass.sys 0xF7A7A000 \SystemRoot\system32\DRIVERS\armoucfltr.sys 0xF7814000 \SystemRoot\system32\DRIVERS\aracpi.sys 0xF6241000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys 0xF614A000 \SystemRoot\system32\DRIVERS\HSX_DP.sys 0xF6094000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys 0xF781C000 \SystemRoot\System32\Drivers\Modem.SYS 0xF6080000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys 0xF774C000 \SystemRoot\system32\DRIVERS\nic1394.sys 0xF7A28000 \SystemRoot\system32\DRIVERS\arpolicy.sys 0xF7C8D000 \SystemRoot\system32\DRIVERS\audstub.sys 0xF775C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys 0xF7A2C000 \SystemRoot\system32\DRIVERS\ndistapi.sys 0xF6069000 \SystemRoot\system32\DRIVERS\ndiswan.sys 0xF776C000 \SystemRoot\system32\DRIVERS\raspppoe.sys 0xF777C000 \SystemRoot\system32\DRIVERS\raspptp.sys 0xF7824000 \SystemRoot\system32\DRIVERS\TDI.SYS 0xF6058000 \SystemRoot\system32\DRIVERS\psched.sys 0xF778C000 \SystemRoot\system32\DRIVERS\msgpc.sys 0xF782C000 \SystemRoot\system32\DRIVERS\ptilink.sys 0xF7834000 \SystemRoot\system32\DRIVERS\raspti.sys 0xF6000000 \SystemRoot\system32\DRIVERS\rdpdr.sys 0xF779C000 \SystemRoot\system32\DRIVERS\termdd.sys 0xF7A7C000 \SystemRoot\system32\DRIVERS\swenum.sys 0xF5FA2000 \SystemRoot\system32\DRIVERS\update.sys 0xF6D30000 \SystemRoot\system32\DRIVERS\mssmbios.sys 0xF77AC000 \SystemRoot\System32\Drivers\NDProxy.SYS 0xF763C000 \SystemRoot\system32\DRIVERS\usbhub.sys 0xF7A7E000 \SystemRoot\system32\DRIVERS\USBD.SYS 0xF1A0B000 \SystemRoot\system32\drivers\RtkHDAud.sys 0xF19E7000 \SystemRoot\system32\drivers\portcls.sys 0xF766C000 \SystemRoot\system32\drivers\drmk.sys 0xF1970000 \SystemRoot\system32\DRIVERS\klif.sys 0xF7A8A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS 0xF7C12000 \SystemRoot\System32\Drivers\Null.SYS 0xF7A8C000 \SystemRoot\System32\Drivers\Beep.SYS 0xF7C14000 \SystemRoot\System32\Drivers\ATMhelpr.SYS 0xF784C000 \SystemRoot\System32\drivers\vga.sys 0xF7A8E000 \SystemRoot\System32\Drivers\mnmdd.SYS 0xF7A90000 \SystemRoot\System32\DRIVERS\RDPCDD.sys 0xF7854000 \SystemRoot\System32\Drivers\Msfs.SYS 0xF785C000 \SystemRoot\System32\Drivers\Npfs.SYS 0xF6040000 \SystemRoot\system32\DRIVERS\rasacd.sys 0xF7864000 \SystemRoot\system32\DRIVERS\kl2.sys 0xF6030000 \SystemRoot\system32\DRIVERS\usbscan.sys 0xF1915000 \SystemRoot\system32\DRIVERS\ipsec.sys 0xF18BC000 \SystemRoot\system32\DRIVERS\tcpip.sys 0xF1894000 \SystemRoot\system32\DRIVERS\netbt.sys 0xF1815000 \SystemRoot\System32\vsdatant.sys 0xF17EF000 \SystemRoot\system32\DRIVERS\ipnat.sys 0xF6513000 \SystemRoot\system32\DRIVERS\wanarp.sys 0xF5F9E000 \SystemRoot\system32\DRIVERS\hidusb.sys 0xF6503000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS 0xF786C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS 0xF7874000 \SystemRoot\system32\DRIVERS\arhidfltr.sys 0xF64F3000 \SystemRoot\system32\DRIVERS\arp1394.sys 0xF787C000 \SystemRoot\system32\DRIVERS\usbprint.sys 0xF5F92000 \SystemRoot\System32\drivers\ws2ifsl.sys 0xF17CD000 \SystemRoot\System32\drivers\afd.sys 0xF64E3000 \SystemRoot\system32\DRIVERS\netbios.sys 0xF17AB000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 0xF7884000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 0xF1730000 \SystemRoot\system32\DRIVERS\rdbss.sys 0xF1698000 \SystemRoot\system32\DRIVERS\mrxsmb.sys 0xF64D3000 \SystemRoot\System32\Drivers\Fips.SYS 0xF788C000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS 0xF1674000 \SystemRoot\System32\Drivers\Fastfat.SYS 0xF165C000 \SystemRoot\System32\Drivers\dump_atapi.sys 0xF7AC0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS 0xBF800000 \SystemRoot\System32\win32k.sys 0xF19CB000 \SystemRoot\System32\drivers\Dxapi.sys 0xF78B4000 \SystemRoot\System32\watchdog.sys 0xBF000000 \SystemRoot\System32\drivers\dxg.sys 0xF7C3A000 \SystemRoot\System32\drivers\dxgthk.sys 0xBF012000 \SystemRoot\System32\ati2dvag.dll 0xBF055000 \SystemRoot\System32\ati2cqag.dll 0xBF09A000 \SystemRoot\System32\atikvmag.dll 0xBF0D0000 \SystemRoot\System32\ati3duag.dll 0xBF362000 \SystemRoot\System32\ativvaxx.dll 0xBF4BA000 \SystemRoot\System32\ATMFD.DLL 0xEF490000 \??\C:\WINDOWS\system32\drivers\mbam.sys 0xEF428000 \SystemRoot\system32\DRIVERS\ndisuio.sys 0xF789C000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 0xEEE67000 \SystemRoot\system32\drivers\wdmaud.sys 0xEF3B4000 \SystemRoot\system32\drivers\sysaudio.sys 0xEECFC000 \SystemRoot\system32\DRIVERS\mrxdav.sys 0xEEB53000 \SystemRoot\System32\Drivers\HTTP.sys 0xEEAD3000 \SystemRoot\system32\DRIVERS\srv.sys 0xEEB4F000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys 0xEE713000 \SystemRoot\System32\Drivers\Cdfs.SYS 0x7C900000 \WINDOWS\system32\ntdll.dll Processes (total 56): 0 System Idle Process 4 System 548 C:\WINDOWS\system32\smss.exe 620 csrss.exe 648 C:\WINDOWS\system32\winlogon.exe 692 C:\WINDOWS\system32\services.exe 704 C:\WINDOWS\system32\lsass.exe 860 C:\WINDOWS\system32\ati2evxx.exe 876 C:\WINDOWS\system32\svchost.exe 948 svchost.exe 1016 C:\WINDOWS\system32\svchost.exe 1104 svchost.exe 1160 svchost.exe 1204 C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe 1472 C:\WINDOWS\system32\ati2evxx.exe 1564 C:\WINDOWS\explorer.exe 1868 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe 2004 C:\WINDOWS\system32\spoolsv.exe 164 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe 1044 svchost.exe 1100 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe 1176 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe 1304 C:\WINDOWS\arservice.exe 1340 C:\Program Files\Microsoft\BingBar\SeaPort.EXE 1416 C:\Program Files\Bonjour\mDNSResponder.exe 1348 C:\WINDOWS\ehome\ehrecvr.exe 1732 C:\WINDOWS\ehome\ehSched.exe 1884 C:\Program Files\Java\jre6\bin\jqs.exe 2056 C:\Program Files\Common Files\LightScribe\LSSrvc.exe 2164 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe 2296 svchost.exe 2352 C:\WINDOWS\system32\svchost.exe 2440 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe 2504 mcrdsvc.exe 2584 C:\WINDOWS\system32\wuauclt.exe 3000 C:\WINDOWS\system32\dllhost.exe 3264 alg.exe 3280 wmiprvse.exe 3352 C:\WINDOWS\ehome\ehtray.exe 3368 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe 3428 C:\WINDOWS\arpwrmsg.exe 3596 C:\WINDOWS\ehome\ehmsas.exe 3776 C:\Program Files\iTunes\iTunesHelper.exe 4008 C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe 4072 C:\Program Files\Microsoft IntelliPoint\ipoint.exe 208 C:\Program Files\Common Files\Java\Java Update\jusched.exe 584 C:\Program Files\real\realplayer\Update\realsched.exe 1488 C:\PROGRA~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE 2816 C:\Program Files\iPod\bin\iPodService.exe 2932 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe 2952 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe 3248 C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe 3748 C:\hp\KBD\kbd.exe 3880 C:\WINDOWS\system\hpsysdrv.exe 1528 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe 2236 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS) \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000038`11f9bc00 (FAT32) PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02 Size Device Name MBR Status -------------------------------------------- 232 GB \\.\PhysicalDrive0 Windows XP MBR code detected SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644 A Done!Ok, the MBR has been fixed. That's a major step. SysProt Antirootkit Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors). http://sites.google.com/site/sysprotantirootkit/ Unzip it into a folder on your desktop. Double click Sysprot.exe to start the program. Click on the Log tab. In the Write to log box select the following items. Process << Selected Kernel Modules << Selected SSDT << Selected Kernel Hooks << Selected IRP Hooks << NOT Selected Ports << NOT Selected Hidden Files << Selected At the bottom of the page Hidden Objects Only << Selected Click on the Create Log button on the bottom right. After a few seconds a new window should appear. Select Scan Root Drive. Click on the Start button. When it is complete a new window will appear to indicate that the scan is finished. The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here. I probably should have thought to ask this earlier: has my information been vulnerable during this INFECTION/invasion? In otherwords, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised? Here's the scan (thank you for all this help, BTW): SysProt AntiRootkit v1.0.1.0 by swatkat **************************************************************************************** ************************************************************************************** No Hidden Processes found ************************************************************************************** ************************************************************************************** Kernel Modules: Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys Service Name: --- Module Base: F15A0000 Module End: F15B8000 Hidden: Yes Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS Service Name: --- Module Base: F7AC2000 Module End: F7AC4000 Hidden: Yes ************************************************************************************** ************************************************************************************** SSDT: Function Name: ZwAdjustPrivilegesToken Address: F18D466E Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwClose Address: F18D4F02 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwConnectPort Address: F177A2F4 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwCreateEvent Address: F18D57D0 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateFile Address: F17745CA Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwCreateKey Address: F179358A Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwCreateMutant Address: F18D56A8 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateNamedPipeFile Address: F18D4274 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreatePort Address: F177AA80 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwCreateProcess Address: F178DE4E Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwCreateProcessEx Address: F178E23C Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwCreateSection Address: F17976F6 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwCreateSemaphore Address: F18D5902 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateSymbolicLinkObject Address: F18D758C Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateThread Address: F18D4BA0 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateWaitablePort Address: F177ABB6 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwDebugActiveProcess Address: F18D6F36 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwDeleteFile Address: F17751E0 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwDeleteKey Address: F1794E3C Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwDeleteValueKey Address: F17947B2 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwDeviceIoControlFile Address: F18D5178 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwDuplicateObject Address: F178CD8A Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwEnumerateKey Address: F18D3FAC Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwEnumerateValueKey Address: F18D4056 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwFsControlFile Address: F18D4F84 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwLoadDriver Address: F176FE88 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwLoadKey Address: F1795794 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwLoadKey2 Address: F179599C Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwMapViewOfSection Address: F1797A5E Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwNotifyChangeKey Address: F18D41A2 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenEvent Address: F18D5872 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenFile Address: F1774DF2 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwOpenKey Address: F18D36BE Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenMutant Address: F18D5740 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenProcess Address: F1790160 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwOpenSection Address: F18D75B6 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenSemaphore Address: F18D59A4 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenThread Address: F178FD8A Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwProtectVirtualMemory Address: F17A4090 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwQueryKey Address: F18D4100 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwQueryMultipleValueKey Address: F18D3D28 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwQuerySection Address: F18D7958 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwQueryValueKey Address: F18D3978 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwQueueApcThread Address: F18D72A6 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwRenameKey Address: F179672A Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwReplaceKey Address: F1796060 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwReplyPort Address: F18D5D2E Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwReplyWaitReceivePort Address: F18D5BF4 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwRequestWaitReplyPort Address: F1779EC4 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwRestoreKey Address: F17970FC Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwResumeThread Address: F18D7E30 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSaveKey Address: F18D332A Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSecureConnectPort Address: F177A59C Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwSetContextThread Address: F18D4DBE Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSetInformationFile Address: F17755A4 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwSetInformationObject Address: F17A3F7C Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwSetInformationToken Address: F18D6586 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSetSecurityObject Address: F1796C6A Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwSetSystemInformation Address: F176F648 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwSetValueKey Address: F1793F72 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwSuspendProcess Address: F18D7B7C Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSuspendThread Address: F18D7CA4 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSystemDebugControl Address: F178EEA4 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwTerminateProcess Address: F178EC20 Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwTerminateThread Address: F18D4956 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwUnloadDriver Address: F177029C Driver Base: F1759000 Driver End: F17D8000 Driver Name: \SystemRoot\System32\vsdatant.sys Function Name: ZwUnmapViewOfSection Address: F18D780E Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwWriteVirtualMemory Address: F18D4AE0 Driver Base: F18B4000 Driver End: F1903000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys ************************************************************************************** ************************************************************************************** No Kernel Hooks found ************************************************************************************** ************************************************************************************** Hidden files/folders: Object: C:\Qoobox\BackEnv\AppData.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Cache.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Cookies.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Desktop.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Favorites.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\History.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Music.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\NetHood.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Personal.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Pictures.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\PrintHood.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Profiles.Folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Programs.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\Recent.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\SendTo.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\SetPath.bat Status: Access denied Object: C:\Qoobox\BackEnv\StartMenu.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\StartUp.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\SysPath.dat Status: Access denied Object: C:\Qoobox\BackEnv\Templates.folder.dat Status: Access denied Object: C:\Qoobox\BackEnv\VikPev00 Status: Access denied Quote has my information been vulnerable during this infection/invasion? In otherwords, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised? Well, you did have a rootkit which could have compromised your computer. Here's what you should do just to be safe. Do you have ZoneAlarm Firewall? It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue. Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and SECURITY tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to: What danger is presented by rootkits? Rootkits and how to combat them r00tkit Analysis: What Is A Rootkit If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords** where applicable. Do NOT* change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.* (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? What Should I Do If I've Become A Victim Of Identity Theft? Identity Theft Victims Guide - What to do It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully: When should I re-format? How should I reinstall? Help: I Got Hacked. Now What Do I Do? Help: I Got Hacked. Now What Do I Do? Part II Where to draw the line? When to recommend a format and reinstall? Guides for format and reinstall: how-to-reformat-and-reinstall-your-operating-system-the-easy-way However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat. If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask. *************************************************** I'd like to scan your machine with ESET OnlineScan •Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan •Click the button. •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) Click on to download the ESET Smart Installer. Save it to your desktop. Double click on the icon on your desktop. •Check •Click the button. •Accept any security warnings from your browser. •Check •Push the Start button. •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. •When the scan completes, push •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. •Push the button. •Push A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt Hi Dave, Well, now that I’m thoroughly sick, I have questions, and I hope you can help and don’t mind continuing to help me . I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot? I’ve had it on my computer since you helped me a couple of years ago.) I also have WOT. I periodically update and run CCleaner, SAS, Spybot, Spyware Blaster, MBAM, although unfortunately I’ll admit it’s probably been 6 months. Why didn’t ZA or teatimer catch this stuff coming in? Do you think they prevented anything going out? I tried reading all the links you provided; frankly, I was way in over my head and didn’t understand a good deal of it. I got the idea that rootkits can sometimes be purposely installed for legitimate use. In December I had problems logging into one of the servers at work through the internet, and the tech people said they had to remotely access my computer to fix the problem. They sent me an “invitation” I had to accept so they could gain remote access. Is there any chance that’s where the rootkits came from and they’re harmless? Is there any way to tell where they came from and what they did--or are doing? I read also that malware can be downloaded to your computer through image files. Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference. I have hundreds of pictures. I backed them all up to CD along with my other files when I did the back-ups this week. Would they have been scanned when downloaded? Would something have shown up if there was something in them? Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?) Are there any other types of files malware could now be hiding in--word or excel files, for example.. I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks. I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?) Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line? Is it really a fail-safe? I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords. Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it? Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site. Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago. I shudder to think that I typed in social security #s and everything. Is this info vulnerable?) One of the articles mentioned something about changing passwords if you use a router. We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless. This computer is the administrator for the router. Is her computer in danger? Do I need to change the password? (And if I do, how do I know it’s safe to do it now?) I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?) It’s been back on most of the time since then though. But teatimer resident is still off--I turned it off when your instructions said to. Should I turn it back on yet? ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller. I’m assuming they’re nothing to worry about now. Is that correct? Last thing: In prepping ESET to scan, the instructions said to check “scan archives”. When I checked that box, there was another box above it checked, the one for fix problems. Since the instructions didn’t say to check that box, I unchecked it. Should I have left it checked? Should I run ESET again with it checked? My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised. I thought as I was on a secure site there was nothing to worry about. Is there no way to determine if anything was stolen? I apologize for all the questions; this really just has me sick. Here’s the scan; I appreciate anything you can do to help or any information you can give me. [emailprotected] as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6583 # api_version=3.0.2 # EOSSerial=ee88f3395f713448af264009a4a0aa3e # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2012-04-06 02:22:58 # local_time=2012-04-05 10:22:58 (-0500, Eastern Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 71250665 71250665 0 0 # compatibility_mode=8192 67108863 100 0 70886976 70886976 0 0 # compatibility_mode=9217 16776533 100 13 2026307 11854075 0 0 # scanned=153944 # found=4 # cleaned=0 # scan_time=20021 C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0002.dtaWin64/Olmarik.AD trojan (unable to clean)00000000000000000000000000000000I C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0004.dtaWin64/Olmarik.AG trojan (unable to clean)00000000000000000000000000000000I C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0005.dtaa variant of Win32/Rootkit.Kryptik.KS trojan (unable to clean)00000000000000000000000000000000I C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0006.dtaWin64/Olmarik.AF trojan (unable to clean)00000000000000000000000000000000I Quote I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot? Is your Zone Alarm Security Suite firewall enabled? TeaTimer belongs to Spybot. Quote Why didn’t ZA or teatimer catch this stuff coming in? Do you think they prevented anything going out? If your Firewall is like mine I would imagine it caught the out-going traffic. Quote They sent me an “invitation” I had to accept so they could gain remote access. Is there any chance that’s where the rootkits came from and they’re harmless? Is there any way to tell where they came from and what they did--or are doing? It's almost impossible to determine where the rootkit came from. Quote I read also that malware can be downloaded to your computer through image files. Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference. I have hundreds of pictures. I backed them all up to CD along with my other files when I did the back-ups this week. Would they have been scanned when downloaded? Would something have shown up if there was something in them? Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?) I really depends where you downloaded them from. I really can't say if they had been scanned but I would imagine they were. They should be scanned before replacing them on your computer. Scan them with your AV and also MBAM. Quote Are there any other types of files malware could now be hiding in--word or excel files, for example.. Not likely unless you received a file from someone who was infected. Quote I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks. I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?) Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line? Is it really a fail-safe? That's really the safest way to go and it is fail-safe Quote I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords. Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it? Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site. Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago. I shudder to think that I typed in social security #s and everything. Is this info vulnerable?) That could only be done if a keylogger was put on your computer and there was no evidence of that. Quote One of the articles mentioned something about changing passwords if you use a router. We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless. This computer is the administrator for the router. Is her computer in danger? Do I need to change the password? (And if I do, how do I know it’s safe to do it now?) Some modems do have passwords on them and some don't. I probably wouldn't hurt to change it. Quote I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?) It’s been back on most of the time since then though. But teatimer resident is still off--I turned it off when your instructions said to. Should I turn it back on yet? I'm not sure how ZoneAlarm works. You should turn on teatimer again. Quote ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller. I’m assuming they’re nothing to worry about now. Is that correct? As soon as TDSSKiller is removed, they will be gone. Quote My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised. I thought as I was on a secure site there was nothing to worry about. Is there no way to determine if anything was stolen? I highly doubt it especially if you have the ZoneAlarm Firewall enabled. Let's do some cleanup To uninstall ComboFix Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane. In the field, type in ComboFix /uninstall (Note: Make sure there's a space between the word ComboFix and the forward-slash.) Then, press Enter, or click OK. This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore. ************************************************* Clean out your temporary internet files and temp files. Download TFC by OldTimer to your desktop. Double-click TFC.exe to run it. Note: If you are running on Vista, right-click on the file and choose Run As Administrator TFC** will close all programs when run, so make sure you have saved all your work before you begin. * Click the Start button to begin the cleaning process. * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. * Please let TFC run uninterrupted until it is finished. Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning. *************************************************** Use the Secunia Software Inspector to check for out of date software. •Click Start Now •Check the box next to Enable thorough system inspection. •Click Start** •Allow the scan to finish and scroll down to see if any updates are needed. •Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like FIREFOX. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly. Safe Surfing! Hi Superdave, I can't thank you ENOUGH, both for helping me and for having the patience to answer all my questions (and address my fears!). I ran the scans you recommended. I have just a couple more questions: I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary? I was thinking I should add TFC (or is CCleaner enough), ESET, Securia occasionally...should I? Should I also be running anything else on a regular basis (like TDSSkiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use? Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them? Secunia listed 4 instances of Java; I checked Java's website and they said delete older versions, so I'm just updating the latest. Are we all done now, and would it be OK to defrag? With all the stuff I've removed, I'm sure it needs it. Again, Thank you for all you've done; I can't imagine how I would have handled this without you. As I said, this computer is my livelihood and my family's sole income and source of security. What you've done is extremely important. Thank you again!Quote I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary? It's probably not necessary but if you have the time it wouldn't hurt. Quote I was thinking I should add TFC (or is CCleaner enough), ESET, Securia occasionally...should I? Wouldn't hurt. Quote Should I also be running anything else on a regular basis (like TDSSkiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use? No, that's not necessary. Quote Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them? Not necessary. You probably won't need them again. Quote Are we all done now, and would it be OK to defrag? With all the stuff I've removed, I'm sure it needs it. It's a good idea to do that about once a month. You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.

Solve : "..." not a valid Win32 application, The application or DLL not valid windows im?

Answer»

Hi SD,
Not trying to be difficult, but those instructions were for Windows 7, and I have Windows XP Media Center Edition 2005. I did try looking for how to boot to systems recovery options on my own though, and it seemed they were saying to just go to Safe Mode to get Safe Mode with command prompt. I did that, went through the process of selecting my user name (HP_Administrator), got C:\Documents and Settings\HP_Administrator> Tried entering bootrec /fixmbr (I remembered to include the space). Got the message that bootrec was not recognized as an internal or external command, operable program, or batch file. So I typed exit, and then just got the black screen with safe mode in the 4 corners. Didn't know how to get out of that, so I just turned off the computer with the power button.

I do have a disk my daughter made when we got this computer, it is labeled "HP Recovery Tools CD". I looked at the contents with WinExplorer: it has a lot of language file folders, some file folders that begin with R and a number, some files that are labeled bootfont with a different extensions (they seem to correspond to the languages), and some files labeled WIN51, [emailprotected], WIN511C, etc.

I also have a set of 3 recovery disks she made when we got the computer, I'm assuming they are for a destructive recovery? I have not looked at them.

Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery. I don't know if any of this info helps you decide what to do next. As I said, I'm not trying to be difficult, but want to make sure I'm doing the right THING. Thanks.

After writing all this, I found this site on line that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message ?

http://support.microsoft.com/kb/266745

I also found this site that says it also applies to XP:

http://www.tomshardware.com/forum/87475-45-fixmbr-dont

I'm not trying to undermine or second-guess you, just trying to help with research (I don't expect you to know everything. :>). I won't do anything that you haven't checked and said I should do. If you say go ahead then I'll do it. Thanks!Quote

Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery

Yes, that's the recovery console we're trying to get into.
Quote

After writing all this, I found this site on line that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message ?

I would say just ignore the warning as MS stated in their article. But first, you should save all your important data just in case we have to use the Recovery disks. Wow--that was QUICK! No problems. Here's the log from MBRcheck:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:Windows XP Professional
Windows Information:Service Pack 3 (build 2600)
Logical Drives Mask:0x00000f1c

Kernel Drivers (total 143):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7A3C000 \WINDOWS\system32\KDCOM.DLL
0xF794C000 \WINDOWS\system32\BOOTVID.dll
0xF740D000 ACPI.sys
0xF7A3E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF73FC000 pci.sys
0xF753C000 isapnp.sys
0xF754C000 ohci1394.sys
0xF755C000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7950000 compbatt.sys
0xF7954000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B04000 pciide.sys
0xF77BC000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A40000 viaide.sys
0xF7A42000 intelide.sys
0xF756C000 MountMgr.sys
0xF73DD000 ftdisk.sys
0xF7A44000 dmload.sys
0xF73B7000 dmio.sys
0xF77C4000 PartMgr.sys
0xF757C000 VolSnap.sys
0xF739F000 atapi.sys
0xF758C000 disk.sys
0xF759C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF737F000 fltmgr.sys
0xF736D000 sr.sys
0xF75AC000 PxHelp20.sys
0xF7356000 KSecDD.sys
0xF72C9000 Ntfs.sys
0xF729C000 NDIS.sys
0xF7282000 Mup.sys
0xF6D60000 kl1.sys
0xF76FC000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF631D000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6309000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7914000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF62E5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF791C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF770C000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF771C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF772C000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF62C2000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7924000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF629A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF792C000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF6286000 \SystemRoot\system32\DRIVERS\parport.sys
0xF773C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7934000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF793C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A78000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xF7944000 \SystemRoot\system32\DRIVERS\point32.sys
0xF77D4000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A7A000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xF7814000 \SystemRoot\system32\DRIVERS\aracpi.sys
0xF6241000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0xF614A000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0xF6094000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xF781C000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6080000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF774C000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7A28000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xF7C8D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF775C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A2C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6069000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF776C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF777C000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7824000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6058000 \SystemRoot\system32\DRIVERS\psched.sys
0xF778C000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF782C000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7834000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6000000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF779C000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A7C000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5FA2000 \SystemRoot\system32\DRIVERS\update.sys
0xF6D30000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77AC000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF763C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A7E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF1A0B000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF19E7000 \SystemRoot\system32\drivers\portcls.sys
0xF766C000 \SystemRoot\system32\drivers\drmk.sys
0xF1970000 \SystemRoot\system32\DRIVERS\klif.sys
0xF7A8A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C12000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A8C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7C14000 \SystemRoot\System32\Drivers\ATMhelpr.SYS
0xF784C000 \SystemRoot\System32\drivers\vga.sys
0xF7A8E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A90000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7854000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF785C000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6040000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF7864000 \SystemRoot\system32\DRIVERS\kl2.sys
0xF6030000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF1915000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF18BC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF1894000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF1815000 \SystemRoot\System32\vsdatant.sys
0xF17EF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF6513000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF5F9E000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF6503000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF786C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7874000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
0xF64F3000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF787C000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF5F92000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF17CD000 \SystemRoot\System32\drivers\afd.sys
0xF64E3000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF17AB000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF7884000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF1730000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF1698000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF64D3000 \SystemRoot\System32\Drivers\Fips.SYS
0xF788C000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF1674000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF165C000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AC0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF19CB000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78B4000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C3A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0D0000 \SystemRoot\System32\ati3duag.dll
0xBF362000 \SystemRoot\System32\ativvaxx.dll
0xBF4BA000 \SystemRoot\System32\ATMFD.DLL
0xEF490000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xEF428000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF789C000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
0xEEE67000 \SystemRoot\system32\drivers\wdmaud.sys
0xEF3B4000 \SystemRoot\system32\drivers\sysaudio.sys
0xEECFC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEEB53000 \SystemRoot\System32\Drivers\HTTP.sys
0xEEAD3000 \SystemRoot\system32\DRIVERS\srv.sys
0xEEB4F000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEE713000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 56):
0 System Idle Process
4 System
548 C:\WINDOWS\system32\smss.exe
620 csrss.exe
648 C:\WINDOWS\system32\winlogon.exe
692 C:\WINDOWS\system32\services.exe
704 C:\WINDOWS\system32\lsass.exe
860 C:\WINDOWS\system32\ati2evxx.exe
876 C:\WINDOWS\system32\svchost.exe
948 svchost.exe
1016 C:\WINDOWS\system32\svchost.exe
1104 svchost.exe
1160 svchost.exe
1204 C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
1472 C:\WINDOWS\system32\ati2evxx.exe
1564 C:\WINDOWS\explorer.exe
1868 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
2004 C:\WINDOWS\system32\spoolsv.exe
164 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
1044 svchost.exe
1100 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
1176 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1304 C:\WINDOWS\arservice.exe
1340 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
1416 C:\Program Files\Bonjour\mDNSResponder.exe
1348 C:\WINDOWS\ehome\ehrecvr.exe
1732 C:\WINDOWS\ehome\ehSched.exe
1884 C:\Program Files\Java\jre6\bin\jqs.exe
2056 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2164 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
2296 svchost.exe
2352 C:\WINDOWS\system32\svchost.exe
2440 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
2504 mcrdsvc.exe
2584 C:\WINDOWS\system32\wuauclt.exe
3000 C:\WINDOWS\system32\dllhost.exe
3264 alg.exe
3280 wmiprvse.exe
3352 C:\WINDOWS\ehome\ehtray.exe
3368 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
3428 C:\WINDOWS\arpwrmsg.exe
3596 C:\WINDOWS\ehome\ehmsas.exe
3776 C:\Program Files\iTunes\iTunesHelper.exe
4008 C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
4072 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
208 C:\Program Files\Common Files\Java\Java Update\jusched.exe
584 C:\Program Files\real\realplayer\Update\realsched.exe
1488 C:\PROGRA~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
2816 C:\Program Files\iPod\bin\iPodService.exe
2932 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
2952 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
3248 C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
3748 C:\hp\KBD\kbd.exe
3880 C:\WINDOWS\system\hpsysdrv.exe
1528 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
2236 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000038`11f9bc00 (FAT32)

PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644 A

Done!Ok, the MBR has been fixed. That's a major step.

SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select the following items.

Process << Selected
Kernel Modules << Selected
SSDT << Selected
Kernel Hooks << Selected
IRP Hooks << NOT Selected
Ports << NOT Selected
Hidden Files << Selected

At the bottom of the page

Hidden Objects Only << Selected

Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

I probably should have thought to ask this earlier: has my information been vulnerable during this INFECTION/invasion? In otherwords, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised?

Here's the scan (thank you for all this help, BTW):

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F15A0000
Module End: F15B8000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7AC2000
Module End: F7AC4000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: F18D466E
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwClose
Address: F18D4F02
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwConnectPort
Address: F177A2F4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateEvent
Address: F18D57D0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateFile
Address: F17745CA
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateKey
Address: F179358A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateMutant
Address: F18D56A8
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateNamedPipeFile
Address: F18D4274
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreatePort
Address: F177AA80
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcess
Address: F178DE4E
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcessEx
Address: F178E23C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateSection
Address: F17976F6
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateSemaphore
Address: F18D5902
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSymbolicLinkObject
Address: F18D758C
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateThread
Address: F18D4BA0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateWaitablePort
Address: F177ABB6
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDebugActiveProcess
Address: F18D6F36
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeleteFile
Address: F17751E0
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteKey
Address: F1794E3C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteValueKey
Address: F17947B2
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeviceIoControlFile
Address: F18D5178
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDuplicateObject
Address: F178CD8A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwEnumerateKey
Address: F18D3FAC
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwEnumerateValueKey
Address: F18D4056
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwFsControlFile
Address: F18D4F84
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadDriver
Address: F176FE88
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey
Address: F1795794
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey2
Address: F179599C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwMapViewOfSection
Address: F1797A5E
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwNotifyChangeKey
Address: F18D41A2
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenEvent
Address: F18D5872
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenFile
Address: F1774DF2
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenKey
Address: F18D36BE
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenMutant
Address: F18D5740
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenProcess
Address: F1790160
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenSection
Address: F18D75B6
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenSemaphore
Address: F18D59A4
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenThread
Address: F178FD8A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwProtectVirtualMemory
Address: F17A4090
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwQueryKey
Address: F18D4100
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryMultipleValueKey
Address: F18D3D28
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQuerySection
Address: F18D7958
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryValueKey
Address: F18D3978
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueueApcThread
Address: F18D72A6
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRenameKey
Address: F179672A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwReplaceKey
Address: F1796060
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwReplyPort
Address: F18D5D2E
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplyWaitReceivePort
Address: F18D5BF4
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRequestWaitReplyPort
Address: F1779EC4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRestoreKey
Address: F17970FC
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwResumeThread
Address: F18D7E30
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSaveKey
Address: F18D332A
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSecureConnectPort
Address: F177A59C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetContextThread
Address: F18D4DBE
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetInformationFile
Address: F17755A4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetInformationObject
Address: F17A3F7C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetInformationToken
Address: F18D6586
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetSecurityObject
Address: F1796C6A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetSystemInformation
Address: F176F648
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetValueKey
Address: F1793F72
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSuspendProcess
Address: F18D7B7C
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSuspendThread
Address: F18D7CA4
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSystemDebugControl
Address: F178EEA4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwTerminateProcess
Address: F178EC20
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwTerminateThread
Address: F18D4956
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwUnloadDriver
Address: F177029C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwUnmapViewOfSection
Address: F18D780E
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwWriteVirtualMemory
Address: F18D4AE0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Quote

has my information been vulnerable during this infection/invasion? In otherwords, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised?

Well, you did have a rootkit which could have compromised your computer. Here's what you should do just to be safe.
Do you have ZoneAlarm Firewall?

It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and SECURITY tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot
be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:

how-to-reformat-and-reinstall-your-operating-system-the-easy-way

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Should you have any questions, please feel free to ask.
*****************************************************
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Hi Dave,

Well, now that I’m thoroughly sick, I have questions, and I hope you can help and don’t mind continuing to help me
.
I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot? I’ve had it on my computer since you helped me a couple of years ago.) I also have WOT. I periodically update and run CCleaner, SAS, Spybot, Spyware Blaster, MBAM, although unfortunately I’ll admit it’s probably been 6 months. Why didn’t ZA or teatimer catch this stuff coming in? Do you think they prevented anything going out?

I tried reading all the links you provided; frankly, I was way in over my head and didn’t understand a good deal of it. I got the idea that rootkits can sometimes be purposely installed for legitimate use. In December I had problems logging into one of the servers at work through the internet, and the tech people said they had to remotely access my computer to fix the problem. They sent me an “invitation” I had to accept so they could gain remote access. Is there any chance that’s where the rootkits came from and they’re harmless? Is there any way to tell where they came from and what they did--or are doing?

I read also that malware can be downloaded to your computer through image files. Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference. I have hundreds of pictures. I backed them all up to CD along with my other files when I did the back-ups this week. Would they have been scanned when downloaded? Would something have shown up if there was something in them? Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?)

Are there any other types of files malware could now be hiding in--word or excel files, for example..

I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks. I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?) Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line? Is it really a fail-safe?

I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords. Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it? Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site. Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago. I shudder to think that I typed in social security #s and everything. Is this info vulnerable?)

One of the articles mentioned something about changing passwords if you use a router. We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless. This computer is the administrator for the router. Is her computer in danger? Do I need to change the password? (And if I do, how do I know it’s safe to do it now?)

I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?) It’s been back on most of the time since then though. But teatimer resident is still off--I turned it off when your instructions said to. Should I turn it back on yet?

ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller. I’m assuming they’re nothing to worry about now. Is that correct?

Last thing: In prepping ESET to scan, the instructions said to check “scan archives”. When I checked that box, there was another box above it checked, the one for fix problems. Since the instructions didn’t say to check that box, I unchecked it. Should I have left it checked? Should I run ESET again with it checked?

My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised. I thought as I was on a secure site there was nothing to worry about. Is there no way to determine if anything was stolen?

I apologize for all the questions; this really just has me sick. Here’s the scan; I appreciate anything you can do to help or any information you can give me.

[emailprotected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ee88f3395f713448af264009a4a0aa3e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-06 02:22:58
# local_time=2012-04-05 10:22:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 71250665 71250665 0 0
# compatibility_mode=8192 67108863 100 0 70886976 70886976 0 0
# compatibility_mode=9217 16776533 100 13 2026307 11854075 0 0
# scanned=153944
# found=4
# cleaned=0
# scan_time=20021
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0002.dtaWin64/Olmarik.AD trojan (unable to clean)00000000000000000000000000000000I
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0004.dtaWin64/Olmarik.AG trojan (unable to clean)00000000000000000000000000000000I
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0005.dtaa variant of Win32/Rootkit.Kryptik.KS trojan (unable to clean)00000000000000000000000000000000I
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0006.dtaWin64/Olmarik.AF trojan (unable to clean)00000000000000000000000000000000I
Quote

I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot?

Is your Zone Alarm Security Suite firewall enabled? TeaTimer belongs to Spybot.
Quote

Why didn’t ZA or teatimer catch this stuff coming in? Do you think they prevented anything going out?

If your Firewall is like mine I would imagine it caught the out-going traffic.
Quote

They sent me an “invitation” I had to accept so they could gain remote access. Is there any chance that’s where the rootkits came from and they’re harmless? Is there any way to tell where they came from and what they did--or are doing?

It's almost impossible to determine where the rootkit came from.
Quote

I read also that malware can be downloaded to your computer through image files. Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference. I have hundreds of pictures. I backed them all up to CD along with my other files when I did the back-ups this week. Would they have been scanned when downloaded? Would something have shown up if there was something in them? Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?)

I really depends where you downloaded them from. I really can't say if they had been scanned but I would imagine they were. They should be scanned before replacing them on your computer. Scan them with your AV and also MBAM.
Quote

Are there any other types of files malware could now be hiding in--word or excel files, for example..

Not likely unless you received a file from someone who was infected.
Quote

I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks. I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?) Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line? Is it really a fail-safe?

That's really the safest way to go and it is fail-safe
Quote

I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords. Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it? Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site. Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago. I shudder to think that I typed in social security #s and everything. Is this info vulnerable?)

That could only be done if a keylogger was put on your computer and there was no evidence of that.
Quote

One of the articles mentioned something about changing passwords if you use a router. We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless. This computer is the administrator for the router. Is her computer in danger? Do I need to change the password? (And if I do, how do I know it’s safe to do it now?)

Some modems do have passwords on them and some don't. I probably wouldn't hurt to change it.
Quote

I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?) It’s been back on most of the time since then though. But teatimer resident is still off--I turned it off when your instructions said to. Should I turn it back on yet?

I'm not sure how ZoneAlarm works. You should turn on teatimer again.
Quote

ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller. I’m assuming they’re nothing to worry about now. Is that correct?

As soon as TDSSKiller is removed, they will be gone.
Quote

My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised. I thought as I was on a secure site there was nothing to worry about. Is there no way to determine if anything was stolen?

I highly doubt it especially if you have the ZoneAlarm Firewall enabled.
Let's do some cleanup

To uninstall ComboFix

Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

Then, press Enter, or click OK.
This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

*****************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*****************************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like FIREFOX.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
Hi Superdave,
I can't thank you ENOUGH, both for helping me and for having the patience to answer all my questions (and address my fears!). I ran the scans you recommended. I have just a couple more questions:

I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary? I was thinking I should add TFC (or is CCleaner enough), ESET, Securia occasionally...should I? Should I also be running anything else on a regular basis (like TDSSkiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use?

Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them?

Secunia listed 4 instances of Java; I checked Java's website and they said delete older versions, so I'm just updating the latest.

Are we all done now, and would it be OK to defrag? With all the stuff I've removed, I'm sure it needs it.

Again, Thank you for all you've done; I can't imagine how I would have handled this without you. As I said, this computer is my livelihood and my family's sole income and source of security. What you've done is extremely important. Thank you again!Quote

I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary?

It's probably not necessary but if you have the time it wouldn't hurt.
Quote

I was thinking I should add TFC (or is CCleaner enough), ESET, Securia occasionally...should I?

Wouldn't hurt.
Quote

Should I also be running anything else on a regular basis (like TDSSkiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use?

No, that's not necessary.
Quote

Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them?

Not necessary. You probably won't need them again.
Quote

Are we all done now, and would it be OK to defrag? With all the stuff I've removed, I'm sure it needs it.

It's a good idea to do that about once a month.

You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.

Solve : "..." not a valid Win32 application, The application or DLL not valid windows im?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment