
Multiple Viruses Running



I have a problem as my work policy means that anything connected needs to be BitLocker encrypted for me to copy data to it. It also means that if I do copy anything to a BitLocker encrypted drive, it can't be accessed via the CMD during system recovery.

Do you know if there is an alternative approach?


If your IT decided to lock the machines that restrictively, then we shouldn't get any deeper.

I wanted to replace those system files because they looked a bit weird - now it seems they were changed by Microsoft.

Let's check:

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found); we need to see a report first.

Download TDSSKiller.exe and save it to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.


Since I have run the activities you have suggested, I don't think I've had any recurrence of the problems I had initially and my browser seems faster!!

Contents of TDS posted below, but I have run this program a few times lately and it has never picked up a problem:

17:32:46.0759 3648 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
17:32:47.0071 3648 ============================================================
17:32:47.0071 3648 Current date / time: 2013/06/17 17:32:47.0071
17:32:47.0071 3648 SystemInfo:
17:32:47.0071 3648
17:32:47.0071 3648 OS Version: 6.1.7601 ServicePack: 1.0
17:32:47.0071 3648 Product type: Workstation
17:32:47.0071 3648 ComputerName: MW7HJCMY132WQS
17:32:47.0071 3648 UserName: elliot.james
17:32:47.0071 3648 Windows directory: C:\Windows
17:32:47.0071 3648 System windows directory: C:\Windows
17:32:47.0071 3648 Running under WOW64
17:32:47.0071 3648 Processor architecture: Intel x64
17:32:47.0071 3648 Number of processors: 4
17:32:47.0071 3648 Page size: 0x1000
17:32:47.0071 3648 Boot type: Normal boot
17:32:47.0071 3648 ============================================================
17:32:48.0896 3648 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
17:32:48.0911 3648 ============================================================
17:32:48.0911 3648 \Device\Harddisk0\DR0:
17:32:48.0911 3648 MBR partitions:
17:32:48.0911 3648 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x25392000
17:32:48.0911 3648 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x25392800, BlocksNum 0x96000
17:32:48.0911 3648 ============================================================
17:32:48.0927 3648 C: <-> \Device\Harddisk0\DR0\Partition1
17:32:48.0927 3648 ============================================================
17:32:48.0927 3648 Initialize success
17:32:48.0927 3648 ============================================================
17:33:05.0571 5984 ============================================================
17:33:05.0571 5984 Scan started
17:33:05.0571 5984 Mode: Manual; SigCheck; TDLFS;
17:33:05.0571 5984 ============================================================
17:33:05.0821 5984 ================ Scan system memory ========================
17:33:05.0821 5984 System memory - ok
17:33:05.0821 5984 ================ Scan services =============================


17:33:11.0421 5984 ================ Scan global ===============================
17:33:11.0421 5984 [Global] - ok
17:33:11.0421 5984 ================ Scan MBR ==================================
17:33:11.0436 5984 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
17:33:12.0107 5984 \Device\Harddisk0\DR0 - ok
17:33:12.0107 5984 ================ Scan VBR ==================================
17:33:12.0154 5984 [ C1A43909BECF5FB5476710985DAB1014 ] \Device\Harddisk0\DR0\Partition1
17:33:12.0154 5984 \Device\Harddisk0\DR0\Partition1 - ok
17:33:12.0154 5984 [ 93AA497A2E073175DF5ABB58004BE1A0 ] \Device\Harddisk0\DR0\Partition2
17:33:12.0169 5984 \Device\Harddisk0\DR0\Partition2 - ok
17:33:12.0169 5984 ============================================================
17:33:12.0169 5984 Scan finished
17:33:12.0169 5984 ============================================================
17:33:12.0185 2492 Detected object count: 0
17:33:12.0185 2492 Actual detected object count: 0

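As an added example (my own script, not from the thread and not from Kaspersky's TDSSKiller), here is a small triage helper for a log in the format posted above: it pulls out the header facts, the MBR/VBR checksums and the final object counts, and flags every scanned object whose line does not end in "- ok", which is what a helper scans the log for by eye. The single non-ok line in the embedded sample is constructed; the exact wording TDSSKiller prints for a real finding is not shown on this page.

```python
"""Triage helper for a TDSSKiller log as posted in this thread (added example)."""
import re
import sys

# One log line: timestamp, thread id, free-text message (format taken from the posted log).
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s*(?P<msg>.*)$")
# Section banners such as "================ Scan services ====...".
SECTION_RE = re.compile(r"^=+\s*Scan (?P<name>.+?)\s*=+$")
# Final summary lines.
COUNT_RE = re.compile(r"^(?P<kind>Actual detected object count|Detected object count): (?P<n>\d+)$")
# MBR/VBR checksum lines: "[ <MD5> ] \Device\...".
HASH_RE = re.compile(r"^\[ (?P<md5>[0-9A-F]{32}) \] (?P<obj>\S+)$")

# Constructed sample: a trimmed copy of the posted log plus one hypothetical
# non-ok service entry ("badsvc") so the flagging path is exercised.
SAMPLE_LOG = r"""
17:32:46.0759 3648 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
17:32:47.0071 3648 OS Version: 6.1.7601 ServicePack: 1.0
17:32:47.0071 3648 Boot type: Normal boot
17:33:05.0571 5984 Scan started
17:33:05.0571 5984 Mode: Manual; SigCheck; TDLFS;
17:33:05.0821 5984 ================ Scan system memory ========================
17:33:05.0821 5984 System memory - ok
17:33:05.0821 5984 ================ Scan services =============================
17:33:05.0899 5984 1394ohci - ok
17:33:05.0914 5984 badsvc - suspicious
17:33:11.0421 5984 ================ Scan MBR ==================================
17:33:11.0436 5984 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
17:33:12.0107 5984 \Device\Harddisk0\DR0 - ok
17:33:12.0169 5984 ============================================================
17:33:12.0169 5984 Scan finished
17:33:12.0185 2492 Detected object count: 1
17:33:12.0185 2492 Actual detected object count: 1
"""


def triage(log_text):
    """Parse a TDSSKiller log and return header facts, flagged objects, hashes and counts."""
    report = {"header": {}, "flagged": [], "hashes": {}, "counts": {}}
    section = None  # name of the current "Scan ..." section, None while in the header
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        sec = SECTION_RE.match(msg)
        if sec:
            section = sec.group("name")
            continue
        cnt = COUNT_RE.match(msg)
        if cnt:
            report["counts"][cnt.group("kind")] = int(cnt.group("n"))
            continue
        h = HASH_RE.match(msg)
        if h:
            report["hashes"][h.group("obj")] = h.group("md5")
            continue
        if section is None:
            # Header block: keep "Key: value" facts (OS version, boot type, scan mode, ...).
            if ": " in msg:
                key, value = msg.split(": ", 1)
                report["header"][key] = value
            continue
        if msg.startswith("=") or msg == "Scan finished":
            continue  # separators and the end marker carry no object status
        if not msg.endswith(" - ok"):
            # Anything in a scan section that is not plainly "ok" deserves a look.
            report["flagged"].append((section, msg))
    return report


def is_clean(report):
    """True only when nothing was flagged and both summary counts are present and zero."""
    counts = report["counts"]
    return (not report["flagged"]
            and counts.get("Detected object count") == 0
            and counts.get("Actual detected object count") == 0)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    r = triage(text)
    for key in ("OS Version", "Boot type", "Mode"):
        print(f"{key}: {r['header'].get(key, '?')}")
    for obj, md5 in r["hashes"].items():
        print(f"checksum {obj}: {md5}")
    for section, msg in r["flagged"]:
        print(f"FLAGGED in {section}: {msg}")
    print("verdict:", "clean" if is_clean(r) else "needs review", r["counts"])
```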

Looks good. Let's ensure the malware is gone, then we can clean up:

Please go here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


It seems to have picked up 4 issues:

C:\$Recycle.Bin\S-1-5-21-329068152-1454471165-1417001333-347895\$RAPPQZP.exe Win32/Toolbar.SearchSuite application

C:\Users\elliot.james\AppData\Roaming\btapro.dll a variant of Win32/Medfos.QK trojan

C:\Users\elliot.james\AppData\Roaming\hidfg.dll a variant of Win32/Medfos.QK trojan

C:\Users\elliot.james\Documents\ApnStub.exe a variant of Win32/Bundled.Toolbar.Ask application


Two of them aren't malware, but contain security risks so we'd take them out as well:

Fix with FRST

  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.)
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    C:\$Recycle.Bin\S-1-5-21-329068152-1454471165-1417001333-347895\$RAPPQZP.exe
    C:\Users\elliot.james\AppData\Roaming\btapro.dll
    C:\Users\elliot.james\AppData\Roaming\hidfg.dll
    C:\Users\elliot.james\Documents\ApnStub.exe

  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you will find where you saved FRST. Please post it in your reply.


Then we can do the cleanup - if you are facing any issues, report that immediately.

Scan with AdwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe.
  • Hit Delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[s1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-06-2013 01
Ran by elliot.james at 2013-06-18 08:25:38 Run:2
Running from C:\Users\elliot.james\Desktop
Boot Mode: Normal
==============================================

C:\$Recycle.Bin\S-1-5-21-329068152-1454471165-1417001333-347895\$RAPPQZP.exeC:\Users\elliot.james\AppData\Roaming\btapro.dllC:\Users\elliot.james\AppData\Roaming\hidfg.dllC:\Users\elliot.james\Documents\ApnStub.exe => File/Directory not found.

==== End of Fixlog ====


# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Users\ELLIOT~1.JAM\AppData\Local\Temp\AskSearch

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\PIP
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16490

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1222 octets] - [18/06/2013 08:28:25]
AdwCleaner[s1].txt - [1171 octets] - [18/06/2013 08:29:00]

########## EOF - C:\AdwCleaner[s1].txt - [1231 octets] ##########


There is something not right with the forum's software...

Please try again with this code:

C:\$Recycle.Bin\S-1-5-21-329068152-1454471165-1417001333-347895\$RAPPQZP.exe
C:\Users\elliot.james\AppData\Roaming\btapro.dll
C:\Users\elliot.james\AppData\Roaming\hidfg.dll
C:\Users\elliot.james\Documents\ApnStub.exe

Ensure there are four separate lines.
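One way to catch the glued-line problem this thread ran into before FRST is ever run, as an added example (my own script, not part of the thread and not FRST's code; it assumes a drive-letter root such as "C:\" only appears where a path begins): it finds lines that carry more than one absolute Windows path, splits them one path per line, and reports what it changed so the user can check the fixlist before pressing Fix.

```python
"""Sanity check for an FRST fixlist.txt pasted from a forum post (added example).

In the thread the forum software glued four file paths onto one line, so
FRST looked for a single nonexistent path and answered
"File/Directory not found". This helper splits such lines apart.
"""
import re
import sys

# Assumption: inside a fixlist a "<letter>:\" sequence only occurs at the
# root of an absolute path, so every occurrence marks where a path begins.
PATH_START = re.compile(r"[A-Za-z]:\\")

# Constructed sample: the glued line exactly as it was posted in the thread.
GLUED_LINE = (
    r"C:\$Recycle.Bin\S-1-5-21-329068152-1454471165-1417001333-347895\$RAPPQZP.exe"
    r"C:\Users\elliot.james\AppData\Roaming\btapro.dll"
    r"C:\Users\elliot.james\AppData\Roaming\hidfg.dll"
    r"C:\Users\elliot.james\Documents\ApnStub.exe"
)


def split_glued_paths(line):
    """Return the absolute paths packed into one line.

    A line holding zero or one path comes back unchanged as a one-element list,
    so non-path fixlist entries pass through untouched.
    """
    starts = [m.start() for m in PATH_START.finditer(line)]
    if len(starts) <= 1:
        return [line]
    bounds = starts + [len(line)]
    return [line[a:b] for a, b in zip(bounds, bounds[1:])]


def normalize_fixlist(text):
    """Split every glued line of a fixlist.

    Returns (lines, notes): the corrected entries, one per line, and a
    human-readable note for each input line that had to be split.
    """
    lines, notes = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        parts = split_glued_paths(entry)
        if len(parts) > 1:
            notes.append(f"line {number}: {len(parts)} paths were glued together and have been split")
        lines.extend(parts)
    return lines, notes


def main(argv):
    """Read a fixlist from the given file (or use the constructed sample) and print the fixed one."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else GLUED_LINE
    lines, notes = normalize_fixlist(text)
    for note in notes:
        print("NOTE:", note, file=sys.stderr)
    print("\n".join(lines))


if __name__ == "__main__":
    main(sys.argv)
```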

Results of screen317's Security Check version 0.99.64 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
Symantec Endpoint Protection   
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 6 Update 33 
 Java version out of Date!
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Microsoft Forefront Identity Manager 2010 Password Reset Client Service PwdMgmtProxy.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-06-2013 01
Ran by elliot.james at 2013-06-18 08:52:21 Run:3
Running from C:\Users\elliot.james\Desktop
Boot Mode: Normal
==============================================

C:\$Recycle.Bin\S-1-5-21-329068152-1454471165-1417001333-347895\$RAPPQZP.exe => Moved successfully.
C:\Users\elliot.james\AppData\Roaming\btapro.dll => Moved successfully.
C:\Users\elliot.james\AppData\Roaming\hidfg.dll => Moved successfully.
C:\Users\elliot.james\Documents\ApnStub.exe => Moved successfully.

==== End of Fixlog ====


Now that looks good! :)

Your system is all clean now!

Java update

Your Java runtime environment is outdated. We will fix this.

  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer (Java 7 Update 4) and install the software
  • When finished, go to
    Start --> Control Panel --> Add/Remove Programs and remove all older Java versions (if existing).
  • When finished, reboot your computer.


After the reboot

  • Open Control Panel again and click the Java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears.
  • Click OK in the Delete Temporary Files window.
  • Click OK again.
Uninstall our tools.
Please follow these steps in order:

  1. In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  2. In case we used Combofix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  3. In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
    • If there is still something left, please delete it manually.
Reading Material
How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every piece of software you use often. These links may help you to check:
  • Backups
    There are chances for an emergency every day, so be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not to just click anywhere it is colored or flashing while you are surfing the web. Do not click an OK button on any pop-up window without reading what it says. While installing software, always choose the custom mode, read what those windows say and uncheck adware that would be installed along with the software you want.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
