win32:Zbot-mou

Mediafire is running a tad slow at the moment - but I have had some more experience with this beastie now and I am getting a feel for its quirks… Back when I have got the log

Mediafire has now gone down ???

Looking at the size, it is small enough to attach in a post - could you do that please?

The attachment is under additional options when you add a reply

Got it - will need to check one file out - but first

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" [HKLM] -> Reg Error: Key error. []
[Files/Folders - Modified Within 30 Days]
NY ->  vde3mjc4.sys -> C:\Windows\System32\drivers\vde3mjc4.sys
NY ->  uze3mjc4.sys -> C:\Windows\System32\drivers\uze3mjc4.sys
NY ->  32 C:\Users\diviesh\AppData\Local\temp\*.tmp files -> C:\Users\diviesh\AppData\Local\temp\*.tmp
NY ->  1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
NY ->  1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Then re-run OTS with the following custom scan

/md5start
wmiadap.exe
/md5stop

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
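As an added illustration (not part of this thread or of OTS), this is a read-only PowerShell audit of the ShellExecuteHooks key that the fix above targets: each value name under the key is a CLSID, and a healthy entry resolves through HKCR\CLSID\{guid}\InProcServer32 to a DLL that exists on disk. Entries whose CLSID key is missing (the "Reg Error: Key error" case in the fix) or whose DLL is absent are reported as suspect; nothing is deleted.

```powershell
# Added example, not from the thread: enumerate ShellExecuteHooks and check
# whether each CLSID resolves to an existing in-process server DLL.
$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)

function Get-ShellExecuteHookAudit {
    foreach ($hookKey in $hookKeys) {
        if (-not (Test-Path $hookKey)) { continue }
        $item = Get-Item $hookKey
        foreach ($clsid in $item.GetValueNames()) {
            if ($clsid -eq '') { continue }   # skip the (Default) value itself
            $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
            $dll = $null
            $status = 'OK'
            if (-not (Test-Path $serverKey)) {
                # Same condition OTS reported as "Reg Error: Key error"
                $status = 'SUSPECT: CLSID key missing'
            } else {
                $raw = (Get-ItemProperty -Path $serverKey).'(default)'
                $dll = [Environment]::ExpandEnvironmentVariables("$raw").Trim('"')
                if (-not $dll) {
                    $status = 'SUSPECT: no server path'
                } elseif (-not (Test-Path -LiteralPath $dll)) {
                    $status = 'SUSPECT: DLL missing on disk'
                }
            }
            [pscustomobject]@{
                HookKey = $hookKey
                CLSID   = $clsid
                Dll     = $dll
                Status  = $status
            }
        }
    }
}

Get-ShellExecuteHookAudit | Format-Table -AutoSize
```

Run from an elevated prompt so both the 64-bit and Wow6432Node hook keys are readable; an entry marked OK still deserves a look at the DLL's publisher and signature before it is trusted.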

Here's the log from the fix

[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Windows\System32\drivers\vde3mjc4.sys moved successfully.
C:\Windows\System32\drivers\uze3mjc4.sys moved successfully.
C:\Users\diviesh\AppData\Local\temp\DMI734B.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\DMIC1A9.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR1238.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR12C5.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR5B87.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR5C33.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR6C68.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR6CB6.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR6CC6.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR6CE6.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR7EB7.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR834A.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR9DC4.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR9DF4.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA073.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA1AC.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA533.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA6E9.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA7B.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARB27.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARBD2.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARBF2.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARD7C.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARDBB.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARE1C6.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARE1D7.tmp deleted successfully.
File delete failed. C:\Users\diviesh\AppData\Local\temp~DF0B35508D1E2D24FD.TMP scheduled to be deleted on reboot.
C:\Users\diviesh\AppData\Local\temp~DF23E17A0E3B5DC8D7.TMP deleted successfully.
File delete failed. C:\Users\diviesh\AppData\Local\temp~DF35F78904EE20F309.TMP scheduled to be deleted on reboot.
C:\Users\diviesh\AppData\Local\temp~DF50169A89D6EDC4F4.TMP deleted successfully.
File delete failed. C:\Users\diviesh\AppData\Local\temp~DF6114117440A94FE6.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\diviesh\AppData\Local\temp~DF887531FA8C4BE74F.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\diviesh\AppData\Local\temp~DF8D4E6CEB5A335B30.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\diviesh\AppData\Local\temp~DFB38FC80F88D6B0C8.TMP scheduled to be deleted on reboot.
C:\ProgramData\00f3c594.tmp deleted successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.19.5 fix logfile created on 01312010_202644

Files\Folders moved on Reboot…
File\Folder C:\Users\diviesh\AppData\Local\temp~DF0B35508D1E2D24FD.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp~DF35F78904EE20F309.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp~DF6114117440A94FE6.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp~DF887531FA8C4BE74F.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp~DF8D4E6CEB5A335B30.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp~DFB38FC80F88D6B0C8.TMP not found!

Registry entries deleted on Reboot…

Mediafire appears to be OK now

Here's the link to the OTS 3rd log

http://www.mediafire.com/?rnnj52m5qy2

That file was legitimate - I just had no MD5 on the last run

Could you run this programme (no need to download it to your desktop)? This programme, when it runs, will get some data from Sysinternals, but it is quite safe.
On completion it will either say nothing found or will produce a log - could you let me know which?
http://noahdfear.net/downloads/maxhandle.exe

Hi Mate,

I have run it and it says “nothing found”.

I am still getting redirected initially for the first 5-6 clicks, and then it seems OK.

Haven’t had a warning yet, so it seems to be improving.

OK, that was to check for a new variant of malware that has just appeared.

I will have a review and a think - back soon

Hi Essexboy, any progress with this? Still no warnings, but the link redirects seem to be getting worse and now I seem to get the odd pop-up as well :cry:

Apologies for the delay, I was sidetracked looking at a new infection

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi Everyone on this forum who has suffered painfully with this problem.

I finally found that the rootkit trojan had embedded itself in c:\windows\system32\drivers\atapi.sys

It was finally discovered using Hitman Pro; you can download it from the link below

http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

I hope this helps all of you who are suffering.

I would also like to offer my sincere thanks to essexboy, your help has been greatly appreciated.