
1 DoubleClick on Fri Oct 08, 2010 10:34 am

dennis.sturgill


New Member
I have removed numerous spyware, malware and viruses over the past 15 years from workstations, but this is a new one on me. The problem is that when the user opens IE it takes over 40 seconds to populate, then while in this process it opens a second window with a reference to ad.doubleclick.net. I have researched this particular problem and the best solution I have found is to modify the host file. Well, I have disabled the restore, run spyware software and antivirus software, and modified the host file to stop the second window to open to a current news site in relation to doubleclick. But the problem returns. I am hoping that someone else has run across this problem and could give me a suggestion. The unit is a Dell 4700 with 1.5 gig of RAM and has over 9 gig hard drive space available. It is running XP Home Edition SP3. This is the first time I have ever attempted to obtain assistance with a forum, so I am not sure if this is the right step for me or not. Any helpful suggestions would be greatly appreciated. In addition, I have edited the registry and performed the basic clean up steps that are required in reference to removing self replicating malware.
Thank you,
Dennis Sturgill

2 Re: DoubleClick on Fri Oct 08, 2010 1:12 pm

Sneakyone


Secondary Administrator
Hi, Welcome to Helpmyos.com!

Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan box paste this in:

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.sys
    %systemroot%\system32\drivers\*.dll
    %systemroot%\system32\drivers\*.ini
    %systemroot%\system32\drivers\*.exe
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.
    %appdata%\*.*
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    disk.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    usbstor.sys
    /md5stop
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.


Note: in the event that OTL fails to run, please use alternate download links to try again:

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr
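
What the `/md5start` ... `/md5stop` part of the Custom Scan text asks for, as an added example that is not part of the original post and not OTL's own code: it assumes the names between the two markers are files to locate and hash, and it flags any name whose copies differ. The scan text is a shortened excerpt, and the folder layout and file contents in `build_sample_tree` are constructed.

```python
import hashlib
import os

# Shortened excerpt of the Custom Scan text from the post above.
CUSTOM_SCAN = r"""%systemroot%\system32\drivers\*.sys /lockedfiles
/md5start
atapi.sys
iaStor.sys
usbstor.sys
/md5stop
CREATERESTOREPOINT
"""

def md5_targets(script):
    """File names listed between /md5start and /md5stop, lower-cased."""
    names, inside = [], False
    for item in (line.strip() for line in script.splitlines()):
        if item.lower() in ("/md5start", "/md5stop"):
            inside = item.lower() == "/md5start"
        elif inside and item:
            names.append(item.lower())
    return names

def hash_copies(root, names):
    """Map each name to {path: md5 hex} for every copy found under root."""
    found = {name: {} for name in names}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in found:  # Windows file names are case-insensitive
                path = os.path.join(folder, fname)
                with open(path, "rb") as fh:
                    found[fname.lower()][path] = hashlib.md5(fh.read()).hexdigest()
    return found

def mismatched(found):
    """Names whose copies do not all hash the same (worth a manual look)."""
    return sorted(n for n, c in found.items() if len(set(c.values())) > 1)

def build_sample_tree(root):
    """Constructed stand-in for a Windows folder; contents are made up."""
    sample = {"drivers/atapi.sys": b"copy A", "dllcache/atapi.sys": b"copy B",
              "drivers/usbstor.sys": b"same", "dllcache/USBSTOR.SYS": b"same"}
    for rel, data in sample.items():
        path = os.path.join(root, "system32", *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
```

A name with differing copies is only a lead: copies can differ legitimately between versions, so compare the hashes against a known-good source before drawing a conclusion.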




3 Doubleclick on Sat Oct 09, 2010 3:48 am

dennis.sturgill


New Member
First and foremost I would like to thank Sneakyone for the response. I did not perform the suggestion mainly because I am not familiar with this procedure. It is nothing personal. I continued my research and found some interesting suggestions which I will list as follows:

I went to Internet Options\Security\Restricted sites and pasted the following entries:

You need to run adaware to remove them out of your registry.
Then you go to Tools on your Tool bar,
then to Internet Options,
Then click on the Security Tab,
Then click on the Restrictive Sites Icon.
Click on the "sites"
Then add these in
*.flycast.com
*.admonitor.net
*.excite.com
*.doubleclick.net
*.doubleclick.com
*.linkexchange.com
*.valueclick.com
*.sexlist.txt
*.counter3.sextracker.txt
*.sextracker.txt
*.sexlist.com
*.counter3.sextracker.com
*.sextracker.com
*.flexactive.com
*.gator.com
*.gator.net
*.cometcursor.com
*.comet.com
*.mycometcursor.com
*.onflow.com
*.onflow.txt

I then attempted to perform updates but I received the following error when attempting to do so:

error code 0x80072EFF.

This would not allow me to go to the update server for Microsoft. So I read about the following program: Hitman Pro 3.5.6 Build 115 which I ran in the safe mode with networking.
It found and deleted a Root Kit located at C:$MBR along with about 23 other infections that PC Tools and Norton Suite failed to catch.
This has allowed the updates to be installed. In addition, the problem with the Doubleclick where windows was opening a second window in reference to the doubleclick has been resolved. One of the symptoms that was going on was that a svchost.exe was using an enormous amount of processor time and continually grabbing more and more memory. The process could be deleted but it would come back. So I have never posted a fix before and I hope that this might help some other person who has been seriously infected with the TDL3 Rootkit. Bad stuff!!!!

SPAM!!!

4 Re: DoubleClick on Mon Oct 11, 2010 11:33 pm

Sneakyone


Secondary Administrator
Hi,

The TDSS rootkit is serious business if you do not know what you are doing, and running stuff like Hitman Pro and Norton can cause problems when removing stuff like TDSS because it infects the MBR and some random drivers.

I will take you through the process, but it requires cooperation. If you are not familiar with the procedures we and every other site that provides free help follow, then that can cause problems.

OTL is necessary because it provides diagnostics showing important things like System information, processes, drivers, services, registry entries, files, and tons more.

If you could please run OTL we can get started.




5 DoubleClick on Tue Oct 12, 2010 6:04 am

dennis.sturgill


New Member
Sneakyone,
Yes, you are exactly correct. TDSS root kit is serious business. Fortunately I knew what I was doing and I was able to resolve the issue. And yes, the MBR was infected. I was able to resolve the issue; I was just posting the results to be considerate to you for attempting to assist me. For this I am truly grateful. The customer is up and running fine.
Thank you again,
Dennis

6 Re: DoubleClick on Thu Oct 14, 2010 10:57 pm

Sneakyone


Secondary Administrator
You're welcome, glad to help.

