Nooby12
Honorary Members. Posts: 22. Reputation: 0 Neutral
  1. Rich: don't worry, no problem. I'll keep an eye out on how things go. MBAM is working fine and though I'm mystified as to what occurred today, it's not something I've time to deal with right now and certainly wouldn't dream of pestering support. I need to re-check everything because as like as not, it'll be my fault somewhere along the line. All best: Nooby.
  2. Hi Rich: thanks again for your input -- and sincere apologies from me for any inconvenience caused. Unfortunately... Something really odd is happening with the Mbam software installed on this computer, as evidenced not only by my inability to find any record of a threat in the log files, but by the existence of two identical logs (which I uploaded), one of which *should* have been the daily protection log... but wasn't. (And yes: I did indeed double-check before I exported the log / protection files and zipped 'em.) Further investigation now shows that although the threat discovered by MBam in this morning's 9.23am scan was recorded in the Quarantine Log (all times are UK time) the Daily Protection Log -- which is now functioning again, after what appears to have been the inexplicable duplication of data from one log to the other -- does not record the existence of any such scan. At all. I am uploading two screenshots plus a re-run of the original alert:
      * the original Threat Alert of 9.23am today, January 11th;
      * the Quarantine Log, which shows that MBAM quarantined the threat at 9.23am today, January 11th;
      * the newly functioning "Daily Protection Log", which unlike earlier this afternoon, no longer duplicates the scan log, but now reports MBAM activity as it happened... EXCEPT no mention is made of the 9.23am scan, or the resulting Threat Alert. Instead: the Daily Protection Log reports that no scan was made until 10.05am today. That simply isn't true.
      In summary, therefore, I am now concerned about:
      1) The mysterious duplication of the scan log such that it appeared as the daily protection log;
      2) The omission from the scan log of any reference to a 9.23am scan and the identification of the Carberp.ED Trojan threat;
      3) The resulting diagnostics obstruction -- because neither you nor I were able to view an accurate record of what happened;
      4) The "restoration" of the daily protection log to the form it should have been in -- but without any mention in that log of either the 9.23am scan or the 9.23am threat identification.
      Is something, somewhere, somehow exerting a malign influence over MBAM's performance?? Were it not for the evidence of the Quarantine log, I'd almost believe that this threat alert never occurred... And yet it did. Sorry to be a nuisance!
  3. Thanks, shadowwar, for your help, and apologies for being a nuisance. Just a quick question: is there an explanation as to why an MBAM alert is flashed up in regard to a file threat but that alert isn't recorded in the scan log??? Or am I misunderstanding this?? (Wouldn't surprise me.)
  4. Thanks, shadowwar. My MBAM History shows two logs for this morning's activity, a scan log and a protection log. They're identical. The scan log is as quoted in my original post, but here are both as zip files -- hope it helps (as noted, I'm a bit bemused at experiencing a warning over a file threat when the log itself doesn't record such a threat. However, also as noted, I am distinctly inexpert in such matters.)
      Mbam log file.zip
      MBAM Protection log.zip
  5. Not sure if this is a False Positive or not -- but the very mention of this particular Trojan has me jolting upright in my seat. This particular version of Abbyy FineReader was installed on this computer on November 11th 2014; since that time, a number of scheduled MBAM scans have been carried out and the all-clear given every time. This morning, however, the routine scan reported "Malicious items detected: 1": Trojan.Carberp.ED in Program Files x86 ABBYY FineReader 5.0 Pro\ExtDictSaver.exe. Apologies for not being a rocket scientist where FPs are concerned, but I'm a bit lost as to why this alert message appeared when the actual scan log doesn't mention it at all:
      Malwarebytes Anti-Malware
      www.malwarebytes.org
      Scan Date: 11/01/2015
      Scan Time: 10:14:32
      Logfile:
      Administrator: Yes
      Version: 2.00.4.1028
      Malware Database: v2015.01.11.05
      Rootkit Database: v2015.01.07.01
      License: Premium
      Malware Protection: Enabled
      Malicious Website Protection: Enabled
      Self-protection: Enabled
      OS: Windows 7 Service Pack 1
      CPU: x64
      File System: NTFS
      User: xxxxxxxxxxxxxxxxx
      Scan Type: Threat Scan
      Result: Completed
      Objects Scanned: 138
      Time Elapsed: 0 min, 21 sec
      Memory: Disabled
      Startup: Disabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Disabled
      Heuristics: Enabled
      PUP: Enabled
      PUM: Enabled
      Processes: 0 (No malicious items detected)
      Modules: 0 (No malicious items detected)
      Registry Keys: 0 (No malicious items detected)
      Registry Values: 0 (No malicious items detected)
      Registry Data: 0 (No malicious items detected)
      Folders: 0 (No malicious items detected)
      Files: 0 (No malicious items detected)
      Physical Sectors: 0 (No malicious items detected)
      Screenshot attached.
  6. Hi Mr C. Unfortunately, it seems we're getting nowhere fast. Or slowly. I ran CHKDSK/F and attempted to keep track of it on-screen as it worked through its verification processes. It certainly verified 200,896 file records (ye gods, that many???) and also verified all indexes. No errors anywhere. It then went into stage 3, security descriptors, and I've no idea what happened then because the screen scrolled at a rapid rate and then, well, that was it. The computer went into Windows mode, and the usual seemingly healthy boot-up followed by the usual period of program inaccessibility. To discover what CHKDSK/F actually found, or actually did, I've been to the Windows Event Viewer. But it wasn't running: "Event Log service is unavailable. Verify that the service is running." And it wouldn't allow me to re-start. ("Windows could not start the Windows Event Log service on Local Computer. Error 5: Access is denied.") I have now spent what seems like hours, working through what also seems to be like several dozen different solutions to a problem whose roots must surely reside in the way this bloody awful Operating System was 'developed' (if such be the word) by Microsoft: Vista is crap, always was, always will be. No amount of fiddling with folder properties or changing permissions or adding new objects and users has made the slightest difference. Instinct, which may be wrong, but anyway, tells me that this has nothing to do with any malware or virus problem, rather that it's a not untypical Vista screw-up that may indeed be resulting in all kinds of side effects. I appreciate that won't extend as far as the Master Boot Record but then again, as I simply cannot harvest any meaningful system information from this computer because of the persistent "Error 5: Access is denied", then who knows? Certainly the different scanners appear to have given widely varying results. There's not much in the way of consensus here.
      On which basis, I feel I've taken up far far too much of your valuable time already. There will be other users out there with computers more amenable to recovery than this one is and your help is needed by them as much as it has been by me. Accordingly, I'm now considering whether the best thing here is to take this computer into a local repair shop and ask them to wipe the drive and start over with a fresh install. It's not something I can do myself, but at least I have everything backed up to not one but two different external drives, as well as flash memory. Maybe that'll sort out the mess -- and end my frustration, too, because I'm not going to waste any more time trying to follow Microsoft 'fixes' that actually don't fix anything. Life's a lot more important than a tin box with a screen wired into the electricity supply. Sincere thanks, then, for your time and your patience. I've popped in a little donation; really, it's inadequate to the help you've given me, but I hope it represents in some small way an acknowledgment of the enormous service you and your similarly expert colleagues provide so readily and so freely. Sincere thanks again, Mr C., and the very best to you and yours.
  7. UPDATE: Unfortunately it is proving impossible to proceed further, viz:
      1. Restart computer with flash drive at Drive F:
      2. Repeatedly press F8 to bring up Advanced Boot Options menu.
      3. Highlight 'Repair your computer' option.
      4. Screen blacks out and nothing happens for around 30 seconds.
      5. Screen returns with this message: "A problem has been detected and Windows has been shut down to prevent damage to your computer." There's a load of guff after that about checking flash drives and running virus scans, neither of which seem relevant here, and then the conclusion: "Run CHKDSK/F to check for hard drive corruption and then restart." Technical info: STOP: 0x 0000007B (0X80599BB0 0XC00000034 0X000000000 0X000000000
      This alert screen appears in 4:3 only on this 16:9 widescreen monitor and seems to be shifted to the left in such a way that the start of lefthand text is off-screen and not readable. I have not run the check disk process, rather preferred to refer to you first. The last time I ran this on any computer, it took hours to complete though was effective. I've no problem with running CHKDSK tomorrow morning and leaving it to its own devices whilst I'm out. Meanwhile: CD emulation drivers are still disabled. There is no Windows installation and / or repair disk for this computer's OS but there is a Dell "recovery partition" which I haven't gone anywhere near in view of its potential to be the kind of ballistic solution I'd much prefer to avoid. Thanks again. Sorry to be a nuisance.
  8. Thanks for all this help and step by step guiding, Mr C. I'm now into the process as per above:
      1. Uninstall completed of SUPER AntiSpyware; EaseUS Todo Backup Home; and Panda Active Scan.
      2. Successive re-boots to ensure uninstallation (via Revo) has been completed.
      3. Installation and run of DeFogger. This has successfully disabled CD emulation drivers -- no error messages.
      4. Sequential restore points (snapshots) created by MagiCure (Rollback RX) after uninstalls.
      5. Computer is stable and working fine at moment.
      6. Full backup of data files to external hard drive completed before any changes made, using Easeus before uninstall. Backup is in Easeus proprietary format but no problem as subsequent re-installation will allow now currently denied access.
      Have printed everything out so as to work step by step with ticks / comments against each stage. Delay in posting here has been due to the seemingly inordinate amount of time involved in every separate re-start (for reasons given earlier.) Am now going to run Farbar from flash drive (x32 version) and restart into System Recovery Options. No need for you to reply to this; I merely wanted you to know that your advice is being followed. Thanks again.
  9. Just to confirm: that is the final line of the log (above). The c&p missed the lefthand end tag of As mentioned earlier, this computer is performing without any noticeable difficulties, once the immediate post-boot phase is concluded. That phase seems to last several minutes, during which time the desktop is there and all the icons, but context sensitive information doesn't come up when moused over, and then, even when it does, the opening of any program -- usually Firefox, or Windows Explorer, or Windows Mail -- is so delayed as to make me wonder if I've actually opened anything at all. However: once that post boot-up phase is concluded, and the first programs are *finally* opened, then the computer runs as it should do. In particular, there is no re-direction of browser or any "strange" material on-screen. Finally... as far as the browser is concerned, this runs with the plug-ins (i) Ghostery; (ii) AdBlock Plus; and (iii) NoScript. I've been quite comfortable with that arrangement for some time, but nothing else.
  10. Sincere thanks again for your continuing help. It's greatly appreciated. Here are the latest scan results:
      --------------------------------------------------------------------------------
      MBRScan v1.1.1
      OS : Windows Vista Service Pack 2 (32 bit)
      PROCESSOR : x86 Family 6 Model 23 Stepping 6, GenuineIntel
      BOOT : Normal Boot
      DATE : 2013/04/16 (ISO 8601) at 18:38:26
      ________________________________________________________________________________
      DISK : Device\Harddisk0\DR0 __SAMSUNG HD322HJ (1AC01113)
      BUS_TYPE : (0x03) P-ATA
      USE_PIO : NO
      MAX_TRANSFER : 128 Kb
      ALIGNMENT_MASK : word aligned
      ________________________________________________________________________________
      Device\Harddisk0\DR0 298.1 Go [Fixed] ==> Unknown MBR Code
      MBR_MD5 : 6A72A78EAF8F6CFBADF4541EB76E3FCD
      MBR_SHA1 : C61D31143123496FDA65716A6853B734FFF42B0C
      Device\Harddisk0\Partition1 86.26 Mo 0xDE Dell Utility
      Device\Harddisk0\Partition2 15.00 Go 0x07 NTFS / HPFS
      Device\Harddisk0\Partition3 283.0 Go 0x07 NTFS / HPFS __ BOOTABLE __
      ________________________________________________________________________________
      ############################### Additional scan ################################
      DRIVER : C:\Users\Pussycat\AppData\Local\Temp\aswMBR.sys => Invisible on the disk
      ADDRESS : 0xA18D6000
      SIZE : 48.0 Ko
      BCD EmsSettings {0CE4991B-E6B3-4B16-B23C-5E0D9250E5D9} => BcdLibraryBoolean_EmsEnabled (16000020)
      SystemStartOptions : /NOEXECUTE=OPTIN /BOOTLOG
      ________________________________________________________________________________
      _____FAKED \Device\Harddisk0\DR0
      0x00000000 FA E9 EB 00 00 A8 D6 01 4E 4A 44 4C 00 00 00 00 úéë..¨Ö.NJDL....
      0x00000010 00 00 55 8B EC 66 8B 46 04 66 2B D2 66 0F B7 1E ..U.ìf.F.f+Òf.·.
      0x00000020 0A 00 66 F7 F3 8B C8 8B C2 8A 1E 08 00 F6 F3 8A ..f÷ó.È.Â....öó.
      0x00000030 F0 FE C4 8A D4 0F B6 06 08 00 2A C2 FE C0 5D C3 ðþÄ.Ô.¶...*ÂþÀ]Ã
      0x00000040 55 8B EC BE 96 01 C7 04 10 00 8B 46 08 89 44 02 U.ì¾..Ç....F..D.
      0x00000050 66 8B 46 0A 66 89 44 04 66 8B 46 04 66 89 44 08 f.F.f.D.f.F.f.D.
      0x00000060 66 2B C0 66 89 44 0C B4 42 B2 80 CD 13 5D C3 55 f+Àf.D.´B².Í.]ÃU
      0x00000070 8B EC 83 C4 FE EB 6E C6 46 FE 00 66 FF 76 04 E8 .ì.ÄþënÆFþ.f.v.è
      0x00000080 90 FF 83 C4 04 3B 46 08 76 03 8A 46 08 88 46 FF ...Ä.;F.v..F..F.
      0x00000090 81 F9 FF 03 77 18 C4 5E 0A 86 CD C0 E1 06 80 E2 .ù..w.Ä^..ÍÀá..â
      0x000000A0 3F 0A CA B2 80 8A 46 FF B4 02 CD 13 EB 14 66 FF ?.ʲ..F.´.Í.ë.f.
      0x000000B0 76 0A 8A 46 FF 32 E4 50 66 FF 76 04 E8 81 FF 83 v..F.2äPf.v.è...
      0x000000C0 C4 0A 73 0F 2B C0 B2 80 CD 13 FE 46 FE 80 7E FE Ä.s.+À².Í.þFþ.~þ
      0x000000D0 03 72 A8 66 0F B6 46 FF 29 46 08 66 01 46 04 C1 .r¨f.¶F.)F.f.F.Á
      0x000000E0 E0 09 01 46 0A 83 7E 08 00 75 8C 8B E5 5D C3 FA à..F..~..u..å]Ãú
      0x000000F0 2B C0 8E D0 BC 00 7C FB B9 80 00 BE 00 7C BF 00 +À.м.|û¹..¾.|¿.
      0x00000100 06 8E C0 8E D8 FC F3 66 A5 EA 0E 01 60 00 8C C8 ..À.Øüóf¥ê..`..È
      0x00000110 8E D8 B2 80 B4 08 CD 13 80 E1 3F 88 0E 08 00 FE .ز.´.Í..á?....þ
      0x00000120 C6 88 36 09 00 33 C0 8A C6 F6 E1 A3 0A 00 B4 41 Æ.6..3À.Æöá£..´A
      0x00000130 BB AA 55 B2 80 CD 13 72 05 C6 06 0C 00 01 66 68 »ªU².Í.r.Æ....fh
      0x00000140 00 00 00 10 68 80 00 66 FF 36 04 00 E8 20 FF 83 ....h..f.6..è ..
      0x00000150 C4 0A 68 00 10 07 26 81 3E 00 00 55 AA 74 30 B9 Ä.h...&.>..Uªt0¹
      0x00000160 04 00 BE BE 01 2E 80 3C 80 75 19 66 2E 8B 44 08 ..¾¾...<.u.f..D.
      0x00000170 56 66 68 00 7C 00 00 6A 01 66 50 E8 F1 FE 83 C4 Vfh.|..j.fPèñþ.Ä
      0x00000180 0A 5E EB 05 83 C6 10 E2 DC 6A 00 68 00 7C CB 68 .^ë..Æ.âÜj.h.|Ëh
      0x00000190 00 10 6A 03 CB 90 10 00 00 00 00 00 00 00 00 00 ..j.Ë...........
      0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      0x000001B0 6D 00 00 00 00 62 7A 99 00 00 00 60 00 00 00 01 m....bz....`....
      0x000001C0 01 00 DE FE 3F 0A 3F 00 00 00 0C B2 02 00 00 17 ..Þþ?.?....².....
      0x000001D0 0D 0B 07 FE FF FF 00 B8 02 00 00 00 E0 01 80 FE ...þ...¸....à..þ
      0x000001E0 FF FF 07 FE FF FF 00 B8 E2 01 00 28 60 23 00 00 ...þ...¸â..(`#..
      0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª
      __ORIGINAL \Device\Harddisk0\DR0
      0x00000000 33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 3À.м.|.À.ؾ.|¿.
      0x00000010 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00 .¹..üó¤Ph..Ëû¹..
      0x00000020 BD BE 07 80 7E 00 00 7C 0B 0F 85 10 01 83 C5 10 ½¾..~..|......Å.
      0x00000030 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00 âñÍ..V.UÆF..ÆF..
      0x00000040 B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 ´A»ªUÍ.]r..ûUªu.
      0x00000050 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74 ÷Á..t.þF.f`.~..t
      0x00000060 26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 &fh....f.v.h..h.
      0x00000070 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13 |h..h..´B.V..ôÍ.
      0x00000080 9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 ..Ä..ë.¸..».|.V.
      0x00000090 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1E FE .v..N..n.Í.fas.þ
      0x000000A0 4E 11 0F 85 0C 00 80 7E 00 80 0F 84 8A 00 B2 80 N......~......².
      0x000000B0 EB 82 55 32 E4 8A 56 00 CD 13 5D EB 9C 81 3E FE ë.U2ä.V.Í.]ë..>þ
      0x000000C0 7D 55 AA 75 6E FF 76 00 E8 8A 00 0F 85 15 00 B0 }Uªun.v.è......°
      0x000000D0 D1 E6 64 E8 7F 00 B0 DF E6 60 E8 78 00 B0 FF E6 Ñædè..°ßæ`èx.°.æ
      0x000000E0 64 E8 71 00 B8 00 BB CD 1A 66 23 C0 75 3B 66 81 dèq.¸.»Í.f#Àu;f.
      0x000000F0 FB 54 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 ûTCPAu2.ù..r,fh.
      0x00000100 BB 00 00 66 68 00 02 00 00 66 68 08 00 00 00 66 »..fh....fh....f
      0x00000110 53 66 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 SfSfUfh....fh.|.
      0x00000120 00 66 61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 .fah...Í.Z2öê.|.
      0x00000130 00 CD 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 .Í..·.ë..¶.ë..µ.
      0x00000140 32 E4 05 00 07 8B F0 AC 3C 00 74 FC BB 07 00 B4 2ä....ð¬<.tü»..´
      0x00000150 0E CD 10 EB F2 2B C9 E4 64 EB 00 24 02 E0 F8 24 .Í.ëò+Éädë.$.àø$
      0x00000160 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 74 .ÃInvalid partit
      0x00000170 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 20 ion table.Error 
      0x00000180 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 6E loading operatin
      0x00000190 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E 67 g system.Missing
      0x000001A0 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65  operating syste
      0x000001B0 6D 00 00 00 00 62 7A 99 00 00 00 60 00 00 00 01 m....bz....`....
      0x000001C0 01 00 DE FE 3F 0A 3F 00 00 00 0C B2 02 00 00 17 ..Þþ?.?....²....
      0x000001D0 0D 0B 07 FE FF FF 00 B8 02 00 00 00 E0 01 80 FE ...þ...¸....à..þ
      0x000001E0 FF FF 07 FE FF FF 00 B8 E2 01 00 28 60 23 00 00 ...þ...¸â..(`#..
      0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª
      --------------------------------------------------------------------------------
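The MBRScan output above prints the current ("FAKED") and original sectors side by side, and both carry the same partition table while the boot code differs. The Python below is an added example, not part of this thread nor of MBRScan or aswMBR: it parses a 512-byte MBR (signature check, disk signature, the four partition entries) and compares two images the way the tool's pairing invites. The partition-table bytes (offsets 0x1B8..0x1FF) are copied from the dump; the boot-code areas are constructed from only the first 16 bytes of each dump, zero-padded, so the script runs offline.

```python
"""Parse a 512-byte MBR and compare two sector images (added example)."""
import hashlib
import struct

SECTOR = 512
DISK_SIG_OFFSET = 0x1B8   # 4-byte Windows disk signature, then 2 reserved bytes
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries
SIG_OFFSET = 0x1FE        # 0x55AA boot signature

# Bytes 0x1B8..0x1FF copied from the MBRScan dump above (same in both images).
TABLE_TAIL = bytes.fromhex(
    "00000060" "0000"                       # disk signature + reserved
    "00010100DEFE3F0A3F0000000CB20200"      # entry 1: type 0xDE, Dell Utility
    "00170D0B07FEFFFF00B80200" "0000E001"   # entry 2: type 0x07, RECOVERY
    "80FEFFFF07FEFFFF00B8E201" "00286023"   # entry 3: type 0x07, OS, bootable
    "00000000000000000000000000000000"      # entry 4: unused
    "55AA"
)
# Row 0x00 of each dump; the rest of the code area is constructed (zeros).
FAKED_CODE_HEAD = bytes.fromhex("FAE9EB0000A8D6014E4A444C00000000")
ORIGINAL_CODE_HEAD = bytes.fromhex("33C08ED0BC007C8EC08ED8BE007CBF00")


def build_mbr(boot_code: bytes) -> bytes:
    """Assemble a sector: boot-code area padded to 0x1B8, then the table tail."""
    if len(boot_code) > DISK_SIG_OFFSET:
        raise ValueError("boot code area is at most 0x1B8 bytes")
    return boot_code.ljust(DISK_SIG_OFFSET, b"\x00") + TABLE_TAIL


FAKED_MBR = build_mbr(FAKED_CODE_HEAD)
ORIGINAL_MBR = build_mbr(ORIGINAL_CODE_HEAD)


def parse_partition_table(sector: bytes) -> dict:
    """Validate the boot signature and decode the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    entries = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                       # empty slot
        entries.append({"index": i + 1, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count,
                        "size_mb": count * SECTOR // (1024 * 1024)})
    return {"disk_signature": disk_sig, "partitions": entries}


def compare_mbr(original: bytes, current: bytes) -> dict:
    """Report whether boot code and/or partition table differ between two images.
    Unchanged table + changed code is the pattern the scanner flags above."""
    return {
        "boot_code_changed": original[:DISK_SIG_OFFSET] != current[:DISK_SIG_OFFSET],
        "table_changed": original[DISK_SIG_OFFSET:] != current[DISK_SIG_OFFSET:],
        "original_md5": hashlib.md5(original).hexdigest().upper(),
        "current_md5": hashlib.md5(current).hexdigest().upper(),
        "partitions": parse_partition_table(current)["partitions"],
    }


if __name__ == "__main__":
    report = compare_mbr(ORIGINAL_MBR, FAKED_MBR)
    for part in report["partitions"]:
        print(part)
    print("boot code changed:", report["boot_code_changed"],
          "| table changed:", report["table_changed"])
```

The decoded sizes and offsets (86 MB at LBA 63, 15360 MB at 178176, 289797 MB at 31635456) match the aswMBR partition lines quoted in the next post, which is the cross-check a reviewer makes before concluding that only the boot code was replaced.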
  11. Log 1, aswMBR:
      aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
      Run date: 2013-04-16 13:45:24
      -----------------------------
      13:45:24.065 OS Version: Windows 6.0.6002 Service Pack 2
      13:45:24.065 Number of processors: 2 586 0x1706
      13:45:24.065 ComputerName: PUSSYCAT-PC UserName: Pussycat
      13:45:26.108 Initialize success
      13:46:29.631 AVAST engine defs: 13041600
      13:46:56.754 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
      13:46:56.754 Disk 0 Vendor: SAMSUNG_HD322HJ 1AC01113 Size: 305245MB BusType: 3
      13:46:56.785 Disk 0 MBR read successfully
      13:46:56.785 Disk 0 MBR scan
      13:46:56.785 Disk 0 Windows VISTA default MBR code found via API
      13:46:56.785 Disk 0 unknown MBR code
      13:46:56.785 Disk 0 MBR hidden
      13:46:56.785 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 86 MB offset 63
      13:46:56.863 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 178176
      13:46:56.878 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 289797 MB offset 31635456
      13:46:56.894 Disk 0 scanning sectors +625139712
      13:46:56.910 Disk 0 MBR [possible unknown bootkit@MBR] **ROOTKIT**
      13:46:56.925 Scan finished successfully
      13:47:37.086 Disk 0 MBR has been saved successfully to "C:\Users\Pussycat\Desktop\MBR.dat"
      13:47:37.086 The log file has been saved successfully to "C:\Users\Pussycat\Desktop\aswMBR.txt"
      --------------------------------------------------------------------------------
      Log 2, Listparts:
      ListParts by Farbar Version: 15-04-2013
      Ran by Pussycat (administrator) on 16-04-2013 at 13:48:20
      Windows Vista (X86)
      Running From: C:\Users\Pussycat\Desktop
      Language: 0409
      ************************************************************
      ========================= Memory info ======================
      Percentage of memory in use: 34%
      Total physical RAM: 3070.45 MB
      Available physical RAM: 2009.75 MB
      Total Pagefile: 7187.48 MB
      Available Pagefile: 6091.93 MB
      Total Virtual: 2047.88 MB
      Available Virtual: 1956.97 MB
      ======================= Partitions =========================
      1 Drive c: (OS) (Fixed) (Total:283 GB) (Free:104.73 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
      2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:5.57 GB) NTFS

      Disk ###  Status      Size     Free     Dyn  Gpt
      --------  ----------  -------  -------  ---  ---
      Disk 0    Online      298 GB   0 B

      Partitions of Disk 0:
      ===============
      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    OEM               86 MB    32 KB
      Partition 2    Primary           15 GB    87 MB
      Partition 3    Primary           283 GB   15 GB
      ======================================================================================================
      Disk: 0 Partition 1 Type : DE Hidden: Yes Active: No
      There is no volume associated with this partition.
      ======================================================================================================
      Disk: 0 Partition 2 Type : 07 Hidden: No Active: No

      Volume ###  Ltr  Label        Fs     Type        Size     Status    Info
      ----------  ---  -----------  -----  ----------  -------  --------  --------
      * Volume 1  D    RECOVERY     NTFS   Partition   15 GB    Healthy
      ======================================================================================================
      Disk: 0 Partition 3 Type : 07 Hidden: No Active: Yes
  12. First of all: apologies for absence but I have various family commitments to attend to at the moment -- inconvenient, but unavoidable. Here's a summary of the situation as it now stands at 20:50 UK time:
      1) Before leaving home this morning, I re-ran the Malwarebytes Anti Rootkit scanner. It yet again identified the same four threats as it did yesterday. I again asked it to institute the clean up process and it again seemed to hang for at least 10 minutes before reporting, again, that the cleanup had failed.
      2) As I wasn't happy with the performance of the Kaspersky TDSS scanner, I went back to basics and ran the DDS scan again. Its report concluded the same way as it did originally: that an MBR rootkit infection had been detected. (See attached screenshot 1).
      3) As will be seen, the DDS report recommends using "mbr.exe -f to fix". I am not about to "fix" anything but was curious to see what a search would bring up in regard to that specific executable. The search led me -- not surprisingly -- to Gmer.
      4) After reading through the Gmer documentation, I DL'd the Gmer scanner and ran it in default mode. It very soon reported the following: "WARNING !!!! GMER has found system modification, which might have been caused by ROOTKIT activity. Do you want to fully scan your system?" I agreed. As it seemed to me that the scan would very probably take several hours, I left it to run and went out.
      5) I have been able to pop back several times during the day. The Gmer scan was still methodically working its way through this computer.
      6) I am not sure at what time the scan actually completed but at its conclusion a rootkit confirmation alert was flashed up (See attached screenshot 2).
      7) I have not "fixed", changed, or deleted anything but have instead saved the GMER log file. This has turned out to be a fairly massive document running to innumerable pages. The key conclusions, it would seem (but my assumption could easily be incorrect) appear at the end of the report. However... Such is GMER's text lay-out that its analysis of lengthy registry keys means that the log finishes up with a vast acreage of white space between probable cause and actual diagnosis, as a result of which it's anything but easy to reconcile the one with the other.
      8) I have, therefore, spent some time tonight, carefully deleting the white space separation in the concluding log text so as to be able to get all the information into accessible guise (See attached screenshot 3).
      This is as far as I have gone, and am going no further until your own counsel is provided. Hopefully the screenshots will enable you to see at-a-glance the state of play; the different scanners do seem to be coming up with the same suspect entries -- though quite why Malwarebytes itself repeatedly turns up here is one of the more bewildering aspects. But then, I'm easily bewildered. If you wish, I can post again with both the DDS and GMER log files attached. Again, apologies for the absence today, and, again, thank you for your assistance here.
  13. Back again. Do let me know if this is causing any inconvenience at your end, we could always resume this. . . diagnostic processing at a later time / date? Your help so far is greatly appreciated but c'mon, it's Sunday after all and (hopefully) a glorious New Jersey afternoon for you.
  14. MrC: no panic here, all's well (just in case you might think I'm prone to paranoia.) Unfortunately, Mrs Nooby is insisting I go down for dinner so I'll be away for a little while sampling the latest from her range of chemical warfare offerings. (Good thing she isn't reading this thread.) Back soon.
  15. MBAM Rootkit scan finished. The results screen displays: "Detected Malware Items". They're the four System32 files that have repeatedly come up in other scans:
      C:\Windows\system32\drivers\eubakup.sys (Unknown Rootkit Driver Infection)
      C:\Windows\system32\drivers\EUBKMON.sys (Unknown Rootkit Driver Infection)
      C:\Windows\system32\drivers\eudskacs.sys (Unknown Rootkit Driver Infection)
      C:\Windows\system32\drivers\mbam.sys (Unknown Rootkit Driver Infection)
      I have run a snap shot of the computer and this has been saved successfully. I then clicked 'cleanup' and waited while MBAM scanner was reporting 'Scheduling cleanup...' Unfortunately, that's all the scanner has done. After 10 minutes of 'scheduling' it is now reporting: 'Cleanup Failed.'