To get Malwarebytes to run properly, open the folder where Malwarebytes resides, rename the .exe to explorer.exe or firefox.exe.
Now Right click, run as admin, your renamed .exe. Malwarebytes should run as normal. Some infections block specific processes by name.
Malwarebytes is a specialized scanner that doesn't look for common infections so you will need another scanner to look for other issues.
WinMHR, after your Malwarebytes scan would be a good choice. They supply all of the AV companies with samples, so there database is much more complete, but it doesn't clean, only detects known non rootkit malware.
After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their Hash search. This will tell you which AV companies are detecting it and so which ones can clean it.
Cheers
Noted. Malwarebytes is running fine.
If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.
Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
curious here too. malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run Combofix and Gmer. I noticed you said you tried tdsskiller. Have you tried running rootkit revealer? Do them all in safe mode first.
If you still are not getting anything, you can try running process explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders.
If all else fails, post us a copy of your Hijack This log.
cheers
Rootkit revealer doesn't work on Windows 7.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:04:54, on 2012-07-22
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\~\AppData\Local\Temp\Temp1_ProcessExplorer.zip\procexp.exe
C:\Users\~\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TortoiseHgOverlayIconServer] C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://www.w3.org
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (PowerCreator VGAPlayer Control) - http://mms.hwjyw.com/courseware///courseware/2008-2-28/pengjunjiangzuo31204167051316/VGAPlayer.cab
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D1278801-B2C0-4332-BD3E-2F64D2204EDF} (Windows Live Mesh Upload Tool) - https://www.mesh.com/0.9.4014.21/TSWeb.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
--
End of file - 6224 bytes
(edited to remove my name, which means the byte count is incorrect).
I'm wondering, is it usually good practice to move the coins to a new wallet in this situation? The wallet is encrypted with a decent passphrase.
.
