Dave__

  1. Much appreciated (donation on its way)

  2. A little clean up to do.... - all sorted ! Many thanks for the assistance & persistence. Dave.
  3. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box... A Notepad document should open automatically called checkup.txt. Please Post the contents of that document.
     - below

     Results of screen317's Security Check version 0.99.87
     Windows 7 Service Pack 1 x64 (UAC is disabled!)
     Internet Explorer 11
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Security Center service is not running! This report may not be accurate!
     Windows Firewall Enabled!
     ThreatTrack Security VIPRE Antivirus out of date! (On Access scanning disabled!)
     `````````Anti-malware/Other Utilities Check:`````````
     Adobe Flash Player 14.0.0.179
     Mozilla Firefox (31.0)
     ````````Process Check: objlist.exe by Laurent````````
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbam.exe
     Computer Software AntiVirus SecurityCheck.exe
     Malwarebytes Anti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 2%
     ````````````````````End of Log``````````````````````

     Dave.

     PS FYI Post-infection @12:38 27 Aug 2014, several suspicious Firefox profiles and caches etc. appeared in C:\Users\ Local & Roaming 'G001' folders and remain (but nothing comparable since 15:12 same day):

     iqnr7q7m.default d------ [11:38 27/08/2014]
     vdkbpzs5.default d------ [11:54 27/08/2014]
     hqyoko1x.default d------ [12:10 27/08/2014]
     cngxe5fj.default d------ [12:16 27/08/2014]
     w7kk057u.default d------ [14:06 27/08/2014]

     Presumably the 'G001' folders should be deleted ?
  4. AdwCleaner.exe found a few things (inconsequential ?), but nothing with Junkware Removal Tool or MAM

     Double click on AdwCleaner.exe to run the tool... After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
     - Uploaded

     Please download Junkware Removal Tool to your desktop... Post the contents of JRT.txt into your next message.
     - Uploaded

     Please run a Threat Scan ...
     - Done: MAM reports no items detected/quarantined

     Dave.

     AdwCleanerS0.txt JRT.txt
  5. Many thanks, I'll progress the suggestions tomorrow. Dave.
  6. Run OTL by double clicking on the icon ... Then click the Run Fix button at the top - Log uploaded Success ?! (all 3 versions of csrss.exe are now the same, 14/07/2009 02:39 7,680 bytes) Dave. OTL - 08292014_193438.log
  7. See if you can end up with:
     C:\Windows\System32\csrss.exe
     C:\Windows\SysWOW64\csrss.exe.old
     - sorry, no, Win7 won't allow that ... now have
     - C:\Windows\System32\csrss.exe
     - C:\Windows\SysWOW64\csrss.exe

     Dave.
  8. C:\Windows\SysWOW64\csrss.exe - is now C:\Windows\SysWOW64\csrss.exe.old (Windows automatically renamed its counterpart to C:\Windows\System32\csrss.exe.old)

     Also tried: C:\Windows\System32>sfc /scannow
     - But "Windows Resource Protection did not find any integrity violations."

     Dave.
  9. Can you actually see this file: C:\Windows\SysWOW64\csrss.exe - Yes (now that I've changed the folder view settings) Dave.
  10. Download the attached fixlist.txt ... Run FRST.exe/FRST64.exe and click Fix only ... - Fixlog2.txt uploaded Reboot and run another scan with SystemLook for csrss.exe as before. - Rebooted, SystemLook3.txt uploaded Dave. Fixlog2.txt SystemLook3.txt
  11. C:\Windows\System32\csrss.exe a variant of Win32/Injector.BKUC trojan
      - https://www.virustotal.com/en/file/c5f6626c7dd9f15b64e6634a5e1779fd392e9444b1288d1fd0a29c1e83632b5c/analysis/1409251028/
      - Detection ratio: 28 / 55
      - Analysis date: 2014-08-28 18:37:08 UTC

      C:\Windows\SysWOW64\csrss.exe a variant of Win32/Injector.BKUC trojan
      - https://www.virustotal.com/en/file/c5f6626c7dd9f15b64e6634a5e1779fd392e9444b1288d1fd0a29c1e83632b5c/analysis/1409251028/
      - Detection ratio: 28 / 55
      - Analysis date: 2014-08-28 18:37:08 UTC ( 2 minutes ago )

      Dave.
  12. Can you rename this file to csrss.exe.old C:\Windows\SysWOW64\csrss.exe
      - Apparently not ? Can't locate SysWOW64\csrss.exe, e.g., in Win Explorer - also, Cmd DIR finds only 2 versions of csrss.exe on system:

      C:\>dir csrss.exe /s
      Directory of C:\Windows\System32
      14/07/2009 02:39 7,680 csrss.exe
      1 File(s) 7,680 bytes
      Directory of C:\Windows\winsxs\amd64_microsoft-window.1.7600.16385_none_b4d8d57efdc6b4f3
      14/07/2009 02:39 7,680 csrss.exe
      1 File(s) 7,680 bytes
      Total Files Listed: 2 File(s) 15,360 bytes

      But Karen's Directory Printer says:

      108,158 csrss.exe C:27/08/2014 12:25 C:\Windows\SysWOW64\ RHSA---X EC354A3477E1543905B0C2B769CDDB66 [MD5#]
      108,158 csrss.exe C:27/08/2014 12:25 C:\Windows\System32\ RHSA---X EC354A3477E1543905B0C2B769CDDB66 [MD5#]

      Please run a free online scan with the ESET Online Scanner (it may take a while to run)... If threats were found:... Click on "export to text file" and save it as ESET SCAN and save to the desktop Put a checkmark in "Uninstall application on close" Click on finish
      - File uploaded - No finish option offered: only free trial or purchase = still installed ?

      Dave.

      ESET scan.txt
  13. Please run the system file checker: (use OPTION TWO) - C:\Windows\System32>sfc /scannow - "Windows Resource Protection did not find any integrity violations." Dave
  14. Please download SystemLook from the link below and save it to your Desktop... Note: The log can also be found on your Desktop entitled SystemLook.txt - uploaded Regards, Dave. SystemLook.txt
  15. I decided to run ComboFix ... Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed. Please include the C:\ComboFix.txt in your next reply for further review. - uploaded Regards, Dave. ComboFix.txt