Persistent malware calls itself bitdefender

JToma

My first few scans with MBAM returned roughly 30+ Trojan:SCS files mainly located in my Windows/SysWOW64 folder and my User/Appdata/Roaming folders. Attempts to remove them were unsuccessful including Safe Mode AV scanning. Now MBAM doesn't even recognize the files as threats. RKill still stops the processes, but not entirely.

In my Task Manager window, there are multiple processes running calling themselves Bitdefender Antivirus scanner, and they quickly ramp up to taking 200,00K+ of my memory. As of right now I just keep playing Whack-a-mole closing these processes once they get that large but it would be nice to get rid of the cause of the issue. I also tried the MalwareBytes Rootkit program in hopes that it would help. Unfortunately it didn't.

I've been Googling and searching Forums and have been unable to find anything that helps. Unfortunately, most searches for Bitdefender labelled viruses are for scareware, whereas this one is different. Any help you can provide would be very much appreciated. Thanks in advance.

dds.txt

attach.txt

Hello and welcome.

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

There are two security systems with AV components, which is counterproductive; you must uninstall one of them, your choice: MSE or Trend Micro...

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Post both logs...

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Next,

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick scan

Make sure that everything is checked, and click Remove Selected on any found items.

Post the produced logs

Kevin

fixlist.txt

Here is the Fixlog file (attached below) and here are the recent scan results:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.29.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Toma :: TOMA-MSI [administrator]

29/12/2013 5:49:42 PM
mbam-log-2013-12-29 (17-49-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 247187
Time elapsed: 1 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---

That being said, I still see the offending processes in the task manager. Should I restart my computer at this point?

Fixlog.txt

Make sure to delete the previous fixlist.txt that you downloaded and saved...

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Also update and run another Quick scan with Malwarebytes, post both logs

fixlist.txt

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-12-2013 01
Ran by Toma at 2013-12-29 18:25:47 Run:2
Running from C:\Users\Toma\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
HKLM\...\Run: [Zyakuny] - "C:\Users\Toma\AppData\Roaming\Biivud\idewicf.exe"
C:\Users\Toma\AppData\Roaming\Biivud
HKLM\...\Run: [Eltiodad] - C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [221872 2013-12-29] (BitBefender S.R.L.)
C:\Users\Toma\AppData\Roaming\Viulxa
HKLM-x32\...\Run: [Eltiodad] - C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [221872 2013-12-29] (BitBefender S.R.L.)
C:\Users\Toma\AppData\Roaming\Viulxa
HKCU\...\Run: [Eltiodad] - C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [221872 2013-12-29] (BitBefender S.R.L.)
C:\Users\Toma\AppData\Roaming\Viulxa
C:\windows\FC161371B8B24BA797F782319C76333E.TMP
C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
End



*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Zyakuny => Value deleted successfully.
"C:\Users\Toma\AppData\Roaming\Biivud" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Eltiodad => Value deleted successfully.
C:\Users\Toma\AppData\Roaming\Viulxa => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Eltiodad => Value deleted successfully.
"C:\Users\Toma\AppData\Roaming\Viulxa" => File/Directory not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Eltiodad => Value deleted successfully.
"C:\Users\Toma\AppData\Roaming\Viulxa" => File/Directory not found.
C:\windows\FC161371B8B24BA797F782319C76333E.TMP => Moved successfully.
C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job => Moved successfully.

==== End of Fixlog ====


Here is the MBAM scan log

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.29.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Toma :: TOMA-MSI [administrator]

29/12/2013 6:26:49 PM
mbam-log-2013-12-29 (18-26-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 246947
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Processes still popping up.

So the problem files are still regenerating, ok we obviously need to dig deeper:

1. Download Malwarebytes Anti-Rootkit from this link:

   http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe (screenshot: Image1.png)

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image: (screenshot: mbarwm.png)

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next. (screenshot: Image2.png)

7. The following image opens, select Update. (screenshot: Image3.png)

8. When the update completes select Next. (screenshot: Image4.png)

9. In the following window ensure "Targets" are ticked. Then select "Scan". (screenshot: Image5.png)

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed. (screenshot: MBAntiRKcleanA.png)

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit: (screenshot: Image6.png)

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log

Mbar - log (Date and time of scan will also be shown)

Thanks,

Kevin...

Still having the same problems. Here is my System Log:
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16476

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.294000 GHz
Memory total: 8481886208, free: 5248794624

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16476

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.294000 GHz
Memory total: 8481886208, free: 5229625344

Downloaded database version: v2013.12.29.06
Downloaded database version: v2013.12.18.01
=======================================
Initializing...
------------ Kernel report ------------
     12/29/2013 18:52:25
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\iusb3hcs.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\nvpciflt.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\dtsoftbus01.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\system32\drivers\iusb3xhc.sys
\SystemRoot\system32\drivers\USBD.SYS
\SystemRoot\system32\drivers\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\RtsPStor.sys
\SystemRoot\system32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\Netwsw00.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\drivers\ETD.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\CmBatt.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\drivers\intelppm.sys
\SystemRoot\system32\DRIVERS\AMPPAL.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\clwvd.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\iusb3hub.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\MBfilt64.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\drivers\hidusb.sys
\SystemRoot\system32\drivers\HIDCLASS.SYS
\SystemRoot\system32\drivers\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\Sftvollh.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\TurboB.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\system32\DRIVERS\Sftfslh.sys
\SystemRoot\system32\DRIVERS\Sftplaylh.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\Sftredirlh.sys
\??\C:\Program Files (x86)\MSI\Super-Charger\NTIOLib_X64.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\System32\Drivers\usbaapl64.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\comdlg32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\nsi.dll
\Windows\System32\ole32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\sechost.dll
\Windows\System32\msctf.dll
\Windows\System32\shlwapi.dll
\Windows\System32\urlmon.dll
\Windows\System32\normaliz.dll
\Windows\System32\psapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\setupapi.dll
\Windows\System32\gdi32.dll
\Windows\System32\difxapi.dll
\Windows\System32\usp10.dll
\Windows\System32\shell32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\imm32.dll
\Windows\System32\kernel32.dll
\Windows\System32\lpk.dll
\Windows\System32\ws2_32.dll
\Windows\System32\user32.dll
\Windows\System32\iertutil.dll
\Windows\System32\wininet.dll
\Windows\System32\Wldap32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\advapi32.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\wintrust.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR3
Upper Device Object: 0xfffffa800d6e5470
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a9\
Lower Device Object: 0xfffffa800ea7b7b0
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8007a90790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8007858050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8007a90790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8007a902c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8007a90790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8007859e40, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8007858050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 58609EEB

Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 22722560

    Partition 1 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 22724608  Numsec = 204800
    Partition is not bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 22929408  Numsec = 1158356992

    Partition 3 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1181286400  Numsec = 772237312

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...
Done!
Physical Sector Size: 4096
Drive: 1, DevicePointer: 0xfffffa800d6e5470, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800d9de970, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800d6e5470, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800ea7b7b0, DeviceName: \Device\000000a9\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 20202020

Partition information:

    Partition 0 type is Other (0xb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 946561

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 3877376000 bytes
Sector size: 4096 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_22724608_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16476

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.294000 GHz
Memory total: 8481886208, free: 5844287488

----

And here is the Mbar - log:

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2013.12.29.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Toma :: TOMA-MSI [administrator]

29/12/2013 6:52:28 PM
mbar-log-2013-12-29 (18-52-28).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 262211
Time elapsed: 20 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Unfortunately I am still having multiple processes running in the background even after rebooting. I just want to thank you for your continued help Kevin. I appreciate it.


Obviously we have a rootkit or rogue service that we are not finding.

Please download the latest version of TDSSKiller from here:

http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (screenshot: image000q.png)
  • Put a checkmark beside loaded modules. (screenshot: 2012081514h0118.png)
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK. (screenshot: 2012081517h0349.png)
  • Click the Start Scan button. (screenshot: 19695967.jpg)
  • The scan will be quick.
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (screenshot: 67776163.jpg)
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. (screenshot: 62117367.jpg)
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Next,

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

  • Make sure to get the correct version for your system.
  • Quit all running programs.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe.
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept. (screenshot: RKLicence.png)
  • Ensure MBR scan, Check faked and AntiRootkit are checked.
  • Select Scan. (screenshot: RK1A.png)
  • When the scan completes select Report, copy and paste that to your reply. (screenshot: RK2A.png)
  • The log should be found in RKreport[?].txt on your Desktop.
  • Exit/Close RogueKiller.

Next,

Please download SystemLook from the following link below and save it to your Desktop. Use the correct version, 32bit or 64bit.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe  <<- 64 bit

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe  <<- 32 bit

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :regfind
    BitBefender S.R.L
    *BitBefender*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Do you have access to a spare PC where you could create an offline tool to run on the sick PC? You would also need a blank CD or USB memory stick.

Kevin....

Here is the RogueKiller report. It found a number of red-flagged files and processes. Since it doesn't say otherwise, I'll close the RK without deleting/fixing the registry items.

RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Toma [Admin rights]
Mode : Scan -- Date : 12/30/2013 11:00:34
| ARK || FAK || MBR |

¤¤¤ Bad processes : 3 ¤¤¤
[sUSP PATH] keyphui.exe -- C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-] -> KILLED [Tree]
[sUSP PATH] keyphui.exe -- C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-] -> ERROR [6]
[sUSP PATH] keyphui.exe -- C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-] -> ERROR [6]

¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : Eltiodad ("C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe" [-]) -> FOUND
[RUN][sUSP PATH] HKLM\[...]\Run : Eltiodad ("C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe" [-]) -> FOUND
[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : Eltiodad (C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10JPVT-22A1YT0 +++++
--- User ---
[MBR] b60245cde062b77a6241008d0304d2eb
[BSP] d84f80f3538486b81349b11c437ab4fe : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 11095 Mo
1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 22724608 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 22929408 | Size: 565604 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1181286400 | Size: 377069 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12302013_110034.txt >>




 

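As an added example (not from this thread, and not RogueKiller's own code): a small Python triage of a RogueKiller scan report like the one above, pulling out the Run-key autoruns and the policy values RK tags [HJ POL], so a helper can see at a glance where the persistence lives and whether UAC was switched off. The sample lines are copied from the report above; the "user-writable path" heuristic and all function names are my own assumptions.

```python
import re

# Constructed sample: lines copied from the RogueKiller scan report in this thread.
SAMPLE_LOG = r"""
¤¤¤ Bad processes : 3 ¤¤¤
[SUSP PATH] keyphui.exe -- C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-] -> KILLED [Tree]

¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Eltiodad ("C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe" [-]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : Eltiodad ("C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe" [-]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : Eltiodad (C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
"""

# Run-key autoruns; the image path may or may not be quoted. Case-insensitive so the
# forum-mangled "[sUSP PATH]" spelling in pasted logs still matches.
RUN_RE = re.compile(r'^\[RUN\]\[SUSP PATH\] (?P<hive>HK\w+)\\(?P<key>\S+) : (?P<name>\S+) '
                    r'\("?(?P<path>.+?)"? \[-\]\) -> (?P<status>\w+)', re.I)
# Policy values under ...\Policies\System that RK reports as [HJ POL].
POL_RE = re.compile(r'^\[HJ POL\]\[PUM\] (?P<hive>HK\w+)\\\S+ : (?P<value>\w+) \((?P<data>\d+)\)', re.I)

# Assumed heuristic: an autorun whose image lives in a user-writable location deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_autoruns(log):
    """Return (hive, key, value name, image path, status) for each Run-key entry RK flagged."""
    return [(m["hive"].upper(), m["key"], m["name"], m["path"], m["status"].upper())
            for m in map(RUN_RE.match, log.splitlines()) if m]


def parse_policies(log):
    """Return {policy value name: int data} for the [HJ POL] entries."""
    return {m["value"]: int(m["data"]) for m in map(POL_RE.match, log.splitlines()) if m}


def triage(log):
    """Summarise what matters for cleanup: where the autorun points and whether UAC was switched off."""
    autoruns = parse_autoruns(log)
    pol = parse_policies(log)
    return {
        "user_writable_autoruns": sorted({p for _, _, _, p, _ in autoruns
                                          if any(t in p.lower() for t in USER_WRITABLE)}),
        # The same image registered in HKLM, the HKLM Wow6432Node view and HKCU, as in this thread.
        "autorun_keys": sorted({f"{h}\\{k}" for h, k, _, _, _ in autoruns}),
        # EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without prompting.
        "uac_disabled": pol.get("EnableLUA") == 0 or pol.get("ConsentPromptBehaviorAdmin") == 0,
        # DisableRegistryTools=0 means regedit is still allowed: RK lists it as PUM, not tampering.
        "regedit_blocked": pol.get("DisableRegistryTools", 0) != 0,
        "persistence_remaining": any(s == "FOUND" for _, _, _, _, s in autoruns),
    }
```

Run it on a "Remove" mode report as well: the status column then shows DELETED instead of FOUND, so persistence_remaining flips to False even though the process may still come back, which is exactly the gap the rest of this thread chases.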

And here is the SystemLook report

SystemLook 30.07.11 by jpshortstuff
Log created at 11:05 on 30/12/2013 by Toma
Administrator - Elevation successful

========== regfind ==========

Searching for "BitBefender S.R.L"
No data found.

Searching for "*BitBefender*"
No data found.

-= EOF =-


Looks like RK has identified an extra entry we never saw when using FRST....

 

Quit all programs that you may have started.

 

  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller

 

Next,

 

Run FRST again and post fresh log...

 

Kevin..


Here is the RKReport

RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Toma [Admin rights]
Mode : Remove -- Date : 12/30/2013 14:46:05
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] keyphui.exe -- C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-] -> KILLED [TermProc]
[SUSP PATH] keyphui.exe -- C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Eltiodad (C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : Eltiodad ("C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe" [-]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : Eltiodad (C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-]) -> DELETED

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10JPVT-22A1YT0 +++++
--- User ---
[MBR] b60245cde062b77a6241008d0304d2eb
[BSP] d84f80f3538486b81349b11c437ab4fe : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 11095 Mo
1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 22724608 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 22929408 | Size: 565604 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1181286400 | Size: 377069 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_12302013_144605.txt >>
RKreport[0]_D_12302013_144335.txt;RKreport[0]_S_12302013_110034.txt;RKreport[0]_S_12302013_144602.txt




And here is the FRST log

 

FRST.txt


Delete previous fixlist.txt, then continue...

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run scan with RK and post fresh log...

 

 

fixlist.txt


Here is the FRST log:

Running from C:\Users\Toma\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
HKLM\...\Run: [Eltiodad] - C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [221872 2013-12-29] (BitBefender S.R.L.)
C:\Users\Toma\AppData\Roaming\Viulxa
HKLM-x32\...\Run: [Eltiodad] - C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [221872 2013-12-29] (BitBefender S.R.L.)
HKCU\...\Run: [Eltiodad] - C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [221872 2013-12-29] (BitBefender S.R.L.)
C:\Users\Toma\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Toma\AppData\Local\Temp\{6CC1A357-5982-4BF6-A6F8-02AE858512CE}.exe
End



*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Eltiodad => Value deleted successfully.
C:\Users\Toma\AppData\Roaming\Viulxa => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Eltiodad => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Eltiodad => Value deleted successfully.
C:\Users\Toma\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.
C:\Users\Toma\AppData\Local\Temp\{6CC1A357-5982-4BF6-A6F8-02AE858512CE}.exe => Moved successfully.

==== End of Fixlog ====

And here is the fresh RK log

RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Toma [Admin rights]
Mode : Remove -- Date : 12/30/2013 15:10:40
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] keyphui.exe -- C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-] -> KILLED [Tree]
[SUSP PATH] keyphui.exe -- C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-] -> ERROR [6]

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Eltiodad (C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : Eltiodad ("C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe" [-]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : Eltiodad (C:\Users\Toma\AppData\Roaming\Viulxa\keyphui.exe [-]) -> DELETED
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10JPVT-22A1YT0 +++++
--- User ---
[MBR] b60245cde062b77a6241008d0304d2eb
[BSP] d84f80f3538486b81349b11c437ab4fe : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 11095 Mo
1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 22724608 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 22929408 | Size: 565604 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1181286400 | Size: 377069 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_12302013_151040.txt >>
RKreport[0]_D_12302013_144335.txt;RKreport[0]_D_12302013_144605.txt;RKreport[0]_S_12302013_110034.txt
RKreport[0]_S_12302013_144602.txt;RKreport[0]_S_12302013_151031.txt



Still getting the same processes popping up.
Also, I am definitely going to donate to your paypal as this doesn't seem to be a quick and easy fix. :s

 


Yes, I see the same issue returning; obviously we are not finding either a protective rootkit or a rogue service...

 

Can you use another PC to create the Windows Defender Offline tool? I give the instructions to load it onto a USB flash drive.

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit.
Run the tool; Windows 7 or Vista users right-click and select "Run as Administrator".
Read the instructions in the new window and select "Next".

In the new window accept the agreement.

In the new window select your USB flash drive, then select "Next".

In the new window ensure your flash drive is selected; if not, click on "Refresh", then select "Next".

In the new window accept the formatting alert by selecting "Next".

Files will be downloaded.

Files will be processed and created.

The flash drive will be formatted and prepared.

Files will be added to the flash drive and the tool will be created.

The procedure is finished and the tool created; click on "Finish" to complete.

Plug the USB into the sick PC and boot up. If it does not boot from the flash drive, change the boot options as required: use F12 as it boots and change the options...
As it boots you`ll see files being loaded and the Windows splash screen; eventually the tool will run a "Quick Scan". Follow the prompts and deal with what it finds.
When complete, do a full scan and deal with what it finds.
When finished, remove the USB stick, then press the Esc key to boot into regular Windows.
Navigate to the following file:
"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"
Open it with Notepad and copy and paste it into a reply.
 


This is frustrating for sure; we still are not finding the root cause of the infection returning. What I want now is to start your PC in a clean boot state, which means booting up with all non-MS services disabled.

 

In that mode we run FRST and produce a log, and I give you the fixlist to run. After the fix is done you re-boot, still in a "Clean Boot" state, and we see if the infection returns.

 

Go to the following link: http://support.microsoft.com/kb/929135, expand the section relevant to your OS (Windows 7) and follow the instructions to set up a "Clean Boot" state.

 

Re-boot to that state, run FRST and post that log. Leave it in the clean boot state and we'll see what happens after the next fix is done.....

 

Kevin...


Remove the previous fixlist.txt....

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Reboot and see if the issue still returns in Clean boot mode...

 

fixlist.txt

