CLB Rootkit infection, aka WinNT-Alureon

Unremovable files with the following prefixes denote its presence on an infected computer:

TDSS, Seneka, GAOPDX, UAC, ovfst, kungsf, Skynet, MSIVX, hjgrui, wzszx, ESQUL, geyekr, vsfoce

Some of the symptoms of the infection that may be seen:

1) MBAM will not install, or will not run if already installed.
2) Other security tools also will not install, or will not run if already installed.
3) Some installed security software that is still able to run is no longer able to update.
4) Some well-known security/vendor sites are inaccessible because they are being blocked.
5) MBAM or other tools keep detecting file(s) or registry keys but fail to permanently remove them.
6) Hijacked search results.

In order to get MBAM to operate to its full potential, the rootkit driver at the heart of the infection has to be located and nuked. No small feat when it is intentionally hidden by design and not viewable by traditional methods/tools, but it can be done.

Here is my quick-fix guide to locating, identifying and killing the CLB driver (.sys) file that underpins the infection and blocks the cleanup tools from running.

Download the following tool and only use it as directed!

Download here

Install RootRepeal, select *Files*, then scan only. When the scan has completed there will be a list of files generated. Some will be OK (legitimate files), but some will be related to the rootkit and its hidden payload of files. You will need to identify which one is the CLB driver, and here's how.

This is not as difficult as it appears, because it will be one of the files listed with a .sys extension. It will also carry one of the following prefixes in its filename: prefix + random letters + .sys extension.

TDSS, Seneka, GAOPDX, UAC, ovfst, kungsf, SKYNET, MSIVX, hjgrui, wzszx, ESQUL, geyekr, vsfoce

* Letters can appear in either upper case or lower case.
** The number of random letters varies, so it could be only a couple or up to 32, which is the most seen so far.
*** In my screenshot it is the file UACewsflctd.sys that is the rootkit driver: UAC prefix + random characters (in this case ewsflctd) + .sys extension.

Since there is a level of randomization in the file naming scheme, there are many permutations of how the file can be named, and a complete list would be exhaustive. But here are some examples so hopefully you can see the pattern forming:

TDSSspax.sys
TDSSServ.sys
GAOPDXserv.sys
gaopdxohocrlokojvgccmieiquramguxlachqk.sys
UACmxegjtve.sys
UACd.sys
Senekarstpqyy.sys
ovfsthxkwpjtxfk.sys
kungsfxwrtceey.sys
SKYNEToyfjtpeo.sys
MSIVXwfjwbpbivasavbfjmtkibegxvnftiqxt.sys
hjgruisaroylnf.sys
wzszxthydgteuirn.sys
ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
geyekrhfgdvswdstsak.sys
vsfocebhwohxcl.sys

Once you have identified the CLB driver, use your mouse to highlight it in the RootRepeal window after the *Files* scan. Next, right-click on it and select the *wipe file* option only, then immediately reboot the computer!!!!

You will only need to attack the CLB driver, as the rest, once no longer protected, are easy pickings for MBAM.

Next, install and update MBAM and run a quick scan! Allow it to delete what it detects and reboot immediately.
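As an added helper for the identification step above (my own example, not part of the original guide and not a RootRepeal feature), this Python script applies the naming rule, prefix + 1 to 32 random letters + .sys in any letter case, to a list of file names copied from a scan. The sample listing and its paths are constructed for illustration; only the prefixes and example names come from the guide.

```python
import ntpath
import re

# Prefixes the guide lists for the TDSS/Alureon driver family (page's own list).
ROOTKIT_PREFIXES = [
    "TDSS", "Seneka", "GAOPDX", "UAC", "ovfst", "kungsf", "Skynet",
    "MSIVX", "hjgrui", "wzszx", "ESQUL", "geyekr", "vsfoce",
]

# prefix + 1..32 random letters + .sys, in any letter case (the guide's rule)
_PATTERN = re.compile(
    r"^(?P<prefix>" + "|".join(re.escape(p) for p in ROOTKIT_PREFIXES) + r")"
    r"(?P<random>[A-Za-z]{1,32})\.sys$",
    re.IGNORECASE,
)


def classify_driver(path):
    """Return (prefix, random_part) if the file name fits the rootkit
    naming pattern, else None. Accepts bare names or Windows paths."""
    m = _PATTERN.match(ntpath.basename(path))
    if m is None:
        return None
    return m.group("prefix"), m.group("random")


def find_candidate_drivers(scan_results):
    """Reduce a list of names/paths (e.g. copied from a RootRepeal *Files*
    scan) to the entries that look like the hidden driver."""
    hits = []
    for path in scan_results:
        result = classify_driver(path)
        if result is not None:
            hits.append((ntpath.basename(path), result[0], result[1]))
    return hits


# Constructed sample listing: legitimate drivers mixed with names modelled
# on the guide's examples (paths are illustrative, not from the page).
SAMPLE_SCAN = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\UACewsflctd.sys",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\drivers\gaopdxohocrlokojvgccmieiquramguxlachqk.sys",
    r"C:\WINDOWS\system32\UACewsflctd.dll",  # hidden payload, not the driver
    r"C:\WINDOWS\system32\drivers\uac.sys",   # no random part: not flagged
]

if __name__ == "__main__":
    for name, prefix, rnd in find_candidate_drivers(SAMPLE_SCAN):
        print(f"{name}: prefix={prefix} random={rnd}")
```

A match only says the name fits the pattern; confirm it against the scan's hidden-file flag before wiping anything.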