I have a PC that was showing signs of virus/malware infection. Since I was having trouble being able to perform virus scans on it, I pulled it out of its case and have mounted it as an external drive attached to an un-infected PC. This is what NOD32 has to say:
J:\WINDOWS\system32\TDSSciou.dll - Win32/Agent.ODG trojan
J:\WINDOWS\system32\TDSSliqp.dll - Win32/Agent.OIK trojan
J:\WINDOWS\system32\TDSSnrse.dll - Win32/Agent.OIK trojan
J:\WINDOWS\system32\TDSSoeqh.dll - Win32/Agent.ODG trojan
J:\WINDOWS\system32\drivers\TDSSmhct.sys - Win32/Agent.ODG trojan
Number of scanned objects: 146448
Number of threats found: 5
Number of cleaned objects: 0

Also, here is what Kaspersky has to say:
File name / Threat name / Threats count
J:\Documents and Settings\PBX\Desktop\Downloads\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
J:\Program Files\RealVNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
J:\Program Files\RealVNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
J:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.TDSS.bli 1
J:\WINDOWS\system32\drivers\TDSSmhct.sys Infected: Backdoor.Win32.TDSS.bkw 1
J:\WINDOWS\system32\TDSSciou.dll Infected: Rootkit.Win32.Clbd.lc 1
J:\WINDOWS\system32\TDSSliqp.dll Infected: Backdoor.Win32.TDSS.atb 1
J:\WINDOWS\system32\TDSSnrse.dll Infected: Backdoor.Win32.TDSS.asz 1
J:\WINDOWS\system32\TDSSoeqh.dll Infected: Backdoor.Win32.TDSS.blh 1

I know there are probably registry entries that need to be fixed besides removing these files, and probably other things. Can you suggest a way to clean up this drive (while mounted as an external) so that I can re-install it as the system drive and have a decent chance of being rid of the problems?
Thanks,
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Jabuck,
Thanks for the reply and instructions but I want to be sure you caught the fact that I have the infected drive mounted as an external disk with an IDE/USB adapter, running on a clean system. Does this change your instructions at all?
Keep in mind that my system drive is I: and J is the external drive that is infected and I didn't see any mention of it. On this scan I did what you said but I think you have to configure them to look at other drives??
Malware Bytes Logfile:
Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 3
11/25/2008 7:10:02 AM

mbam-log-2008-11-25 (07-10-02).txt

Scan type: Quick Scan
Objects scanned: 47465
Time elapsed: 3 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:59 AM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\WINDOWS\Explorer.exe
I:\WINDOWS\system32\igfxtray.exe
I:\WINDOWS\system32\hkcmd.exe
I:\WINDOWS\SOUNDMAN.exe
I:\WINDOWS\ALCWZRD.exe
I:\WINDOWS\ALCMTR.exe
I:\Program Files\Java\jre6\bin\jusched.exe
I:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
I:\WINDOWS\system32\ctfmon.exe
L:\DL\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - I:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - I:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] I:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] I:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "I:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - I:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - I:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3782 bytes
OK, I ran the MBytes Full scan on I: and F:
I noticed my clock is set wrong on this clean test unit. So I see the (5) infected files which I suspect I should delete--but what happens when the rootkit tries to boot--Blue Screen or terminal reboot or will it likely be OK?
Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 3
11/25/2008 9:18:22 AM

mbam-log-2008-11-25 (09-18-10).txt

Scan type: Full Scan (I:\|J:\|)
Objects scanned: 95139
Time elapsed: 24 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
J:\WINDOWS\system32\TDSSciou.dll (Trojan.TDSS) -> No action taken.
J:\WINDOWS\system32\TDSSliqp.dll (Trojan.TDSS) -> No action taken.
J:\WINDOWS\system32\TDSSnrse.dll (Trojan.TDSS) -> No action taken.
J:\WINDOWS\system32\TDSSoeqh.dll (Trojan.TDSS) -> No action taken.
J:\WINDOWS\system32\drivers\TDSSmhct.sys (Trojan.TDSS) -> No action taken.
They must be deleted then run sdfix.exe. After that post a Hijack This log of the J: drive.
First off, thanks for your help here!
Is there a way to tell these apps that the infected drive is J: so they know to load and scan the registry of that drive vs. the current CLEAN system drive? Or should I be reinstalling the infected drive back into its system and booting into safe mode on the infected machine? I have run sdfix on it before (a week or more ago) and it seemed OK for a bit, but it was reinfected the next time I went to use it.
Are you familiar with nuking these viruses when mounted like mine--as a non-system disk?
Mark
There is a way to copy from the clean drive to the infected drive without infecting your clean drive, but don't copy from the infected drive to the clean drive.
In response #1, SDFix is located at J:\SDFix, so just run that and let me know what files were deleted / could not be deleted.
You should be able to put the drive back into the computer it came out of and run it once you run SDFix, get online and post a Hijack This log.
Since I wasn't sure if the SDFix on J: was current, I redownloaded and installed it from a thumb drive. When I was trying to start it in safe mode--with the infected drive plugged in, it was stuck in a rebooting cycle (at MSUP.sys) until I shut all the way down, unplugged the infected J: until it was past the initial bootup files, and then plugged it back in and made sure it was mounted before I ran the runthis.bat file. After it ran, and it said it needed to reboot, I saw the same reboot problem so I did the same thing. It doesn't look like it identified or did much, if anything, but here is its log file:
[b]SDFix: Version 1.240 [/b]
Run by Administrator on Tue 11/25/2008 at 11:44 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: I:\SDFix

[b]Checking Services [/b]:

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

[b]Checking Files [/b]:
No Trojan Files Found

Removing Temp Files

[b]ADS Check [/b]:

[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 12:04:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:

[b]Files with Hidden Attributes [/b]:
Fri 2 May 2008 3,493,888 A..H. --- I:\DOCUME~1\THEMAN~1\APPLIC~1\U3\TEMP\LAUNCH~1.exe

[b]Finished![/b]
Can you put the drive back into the computer it came out of? I think we can get it running from there.
I can do that but it seems to me that it would be much easier (especially to eliminate rootkit type infections) to make the necessary changes when the system files are not in use--as is the case when the drive is connected via the usb port. This would entail an application that would load the registry in protected/virtual memory space, scan it as if it were a live hive and be able to remove the registry entries and the files that those entries point to. Are there no programs out there designed to work in a similar fashion? Am I just off base here or what?
If you know what their names are and where they are located, manually removing them is no problem with .reg and .bat files. Doing manual searches through the registry and system files can take some time and lengthy posts.
Using tools to do it is much easier and faster. Some tools will cross from drive to drive and some won't, as you can see with SDFix, as it should have found some registry entries. Another tool, Combofix, has to check in through the internet before each run so it may/may not run for you.
It probably takes five minutes to put the drive back in and boot into windows and about an hour to clean the computer.
But it's nighty-night time for me.
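Mark asks above whether a tool can read the registry of the attached drive as if it were a live hive, and Jabuck replies that manual removal is fine once the names and locations are known. The script below is an added example, not from the thread and not part of SDFix, MBAM or HijackThis: it loads the SYSTEM hive from the offline J:\WINDOWS with reg.exe, walks the Services key of the control set that installation last booted, and reports entries named TDSS* or whose driver file is absent, the way the TDSSserv.sys entry later shows up in the SDFix log once the drive is back in its own machine. It assumes an elevated PowerShell 2.0 or later on the clean PC, the mount-point name OfflineSys, and the J:\WINDOWS layout from the scans above.

```powershell
# Added example (not from the thread or any tool it names): inspect the service
# entries of a Windows installation on an attached drive by loading its SYSTEM
# hive offline, where a rootkit on that install cannot hide them.
# Assumptions: run as Administrator in PowerShell 2.0+ on the clean machine,
# the infected install lives at J:\WINDOWS, and the AV names its files TDSS*.
$OfflineDrive = 'J:'
$HiveFile     = Join-Path $OfflineDrive 'WINDOWS\system32\config\system'
$MountName    = 'OfflineSys'   # hypothetical mount-point name under HKLM

& reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }

try {
    # The Select key records which ControlSet that installation last booted with.
    $current  = (Get-ItemProperty "HKLM:\$MountName\Select").Current
    $services = "HKLM:\$MountName\ControlSet{0:D3}\Services" -f $current

    $findings = foreach ($svc in Get-ChildItem $services -ErrorAction SilentlyContinue) {
        # Read ImagePath unexpanded, otherwise %SystemRoot% resolves to the CLEAN drive.
        $raw = [string]$svc.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if (-not $raw) { continue }

        # Map the path forms seen in the thread's logs (\systemroot\..., system32\...)
        # onto the offline drive, then drop any service arguments.
        $exe = $raw.Trim('"') -replace '^\\\?\?\\', ''
        $exe = $exe -replace '^(\\SystemRoot|%SystemRoot%|%windir%|[A-Za-z]:\\WINDOWS)', "$OfflineDrive\WINDOWS"
        if ($exe -notmatch '^[A-Za-z]:') { $exe = Join-Path "$OfflineDrive\WINDOWS" $exe }
        if ($exe -match '^(.*?\.(?:exe|sys|dll))') { $exe = $Matches[1] }

        $suspect = ($svc.PSChildName -like 'TDSS*') -or ($exe -like '*\TDSS*')
        $missing = -not (Test-Path -LiteralPath $exe)
        if ($suspect -or $missing) {
            if ($suspect) { $reason = 'name matches the AV detections' }
            else          { $reason = 'binary not present on offline drive' }
            New-Object PSObject -Property @{
                Service   = $svc.PSChildName
                Start     = $svc.GetValue('Start')   # 0 = boot start, typical for a rootkit driver
                ImagePath = $raw
                Resolved  = $exe
                Reason    = $reason
            }
        }
    }
    $findings | Format-Table Service, Start, ImagePath, Resolved, Reason -AutoSize
}
finally {
    # Release our key handles before unloading, or reg.exe refuses with "access denied".
    $svc = $null; [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

A service listed here is only a lead; confirm the driver file against the AV results before removing the key, and unload the hive before detaching the drive.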
Ok then....When I moved the drive back into its system and rebooted--and ran MalwareBytes, I had a bunch of infections, fixed them, and it looks like I got the right combination of rebooting and running SDFix/GMer a couple times and this is what I've got:
[b]SDFix: Version 1.240 [/b]
Run by Administrator on Wed 11/26/2008 at 10:41 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

[b]Name [/b]:
TDSSserv.sys

[b]Path [/b]:
\systemroot\system32\drivers\TDSSmhct.sys

TDSSserv.sys - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

[b]Checking Files [/b]:
Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSmhct.sys - Deleted

Removing Temp Files

[b]ADS Check [/b]:

[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 11:00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Documents and Settings\\PBX\\Application Data\\U3\\00001862657340C1\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"="C:\\Documents and Settings\\PBX\\Application Data\\U3\\00001862657340C1\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

[b]Remaining Files [/b]:

File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Utilities\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Utilities\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Utilities\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Utilities\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Utilities\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Utilities\Spybot - Search & Destroy\Tools.dll"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\PBX\Application Data\U3\temp\Launchpad Removal.exe"

[b]Finished![/b]
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-26 12:33:10
Windows 5.1.2600 Service Pack 2

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sr@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sr@ImagePath system32\DRIVERS\sr.sys

---- EOF - GMER 1.0.14 ----
Malwarebytes' Anti-Malware 1.30
Database version: 1427
Windows 5.1.2600 Service Pack 2
11/26/2008 1:09:15 PM

mbam-log-2008-11-26 (13-09-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 66611
Time elapsed: 16 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:38 PM, on 11/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Utilities\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Utilities\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\HiJackThis.exe

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [Airlink101 Airlink101 WLAN Monitor] C:\Program Files\Utilities\Airlink101 WLAN Monitor\WLANmon.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Utilities\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Utilities\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Utilities\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Utilities\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {9E065E4A-BD9D-4547-8F90-985DC62A5591} (PlayerPT Control) - http://192.168.1.50/PlayerPT.cab
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B09FAEF2-F9A5-49F6-BFD0-2780168491D8}: NameServer = 68.6.16.30,68.2.16.30
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3531 bytes

Do you see anything here I should worry about or can we call it good?
Thanks for your time and support!
-Mark
I don't see an antivirus running, you should install one before you continue.
I use the free version of AVG antivirus, you can download it at this link:
AVG Free Antivirus
Update it once you get it installed.
Verify that your version of java is 6 update 10 or better. Go to start> control panel> java> about, if not do the following and remove any older versions before installing the new one:
Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 10 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -

Exit Hijack This
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your Antivirus, Spybot and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.
I have tried these suggestions but I cannot get to a website to download directly to my pc, so I downloaded it to a thumb drive from another computer and tried to download it that way. Unfortunately, I cannot open the programs to run them. Any ideas?