Lsas.Blaster.Keylogger

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If you have not received help after three days, please post a link to your topic HERE.

Page 1 of 1

You cannot start a new topic
You cannot reply to this topic

Lsas.Blaster.Keylogger VIRUSSS!!!

#1 deanoman1969

New Member

Group: Members
Posts: 4
Joined: 04-November 09
Gender:Male
Location:Rampaging on the internetz

Posted 04 November 2009 - 03:32 PM

First I would like to say Hi to you all. Next: I have a problem.
This morning I was playing Barbarian Invasion offline when I got an audio cue from the computer that something was wrong. Lo and behold a program called "Security Tool" had installed itself and made itself at home. The virus itself is called Lsas.Blaster.Keylogger I have tried to download fixes, but the virus tells me falsely that the programs I download are all infected. I know this is a load of B.S.
The virus took away my desktop and all of the shortcuts. I have a black screen to look at.
It won't allow me to run any programs such as AVG or Malware Bytes (it tells me that these too are infected)
I cannot access the task manager. (infected) :thumbsup:

, ya right.
I cannot boot in Safe Mode.
I cannot access my register editor. ("infected")
Is there any way I can eradicate this annoyance manually without destroying my computer?

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image. --Stephen Hawking

#2 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 48,761
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 04 November 2009 - 05:15 PM

Hello, let's try getting this way. You may need to put this in the Task manager folder..

Please download Rkill by Grinler and save it to your desktop.

Link 2

Link 3

Link 4

Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.

If you reboot the PC you will have to rerun this if still needed.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 deanoman1969

New Member

Group: Members
Posts: 4
Joined: 04-November 09
Gender:Male
Location:Rampaging on the internetz

Posted 04 November 2009 - 05:22 PM

I did all of that, but it wouldn't let me run anything. I ended up holding down alt, ctrl, and delete with one hand while cutting any process with a ten digit number. I learned from several hours researching on google that a ten digit number in processes is something of a calling card for the virus.
After cutting all of those processes with those numbers, I was able to run malware bytes and my AVG software. So far, no problems.

#4 MeadowMuffin

New Member

Group: Members
Posts: 5
Joined: 16-April 09
Gender:Male

Posted 04 November 2009 - 05:38 PM

This is CP & I'm glad you found a way into Task Manager.

This post has been edited by MeadowMuffin: 04 November 2009 - 05:41 PM

The pain is back, but this time lower. It feels like someone stuck an ice pick in my belly button. BUT, I did have one good thought on this procedure. If I ate that much toilet paper, and eventually it will come out when I doo-doo, will I need to wipe?
I mean shouldn't eating the toilet paper cut out the middle man. I think I'm on to something here. Wipeless doo-doo by eating toilet paper. Dig up Edison ,we got something to tell him.
5:25 pm: It's going to be a long night.
Sunday, I passed the screw. It caused less damage than I thought it would, and after carefully sifting through my own stool, I have found zero evidence of the toilet paper ever existing.

#5 deanoman1969

New Member

Group: Members
Posts: 4
Joined: 04-November 09
Gender:Male
Location:Rampaging on the internetz

Posted 04 November 2009 - 05:46 PM

Thanks for your help CP. I'm just glad that my solution worked. Hopefully it'll work for others dealing with this kind of crap on the WWW. :thumbsup:

#6 MeadowMuffin

New Member

Group: Members
Posts: 5
Joined: 16-April 09
Gender:Male

Posted 04 November 2009 - 05:51 PM

You're not done. Keep boopme updated & follow his instructions.

boopme, I'm just a friend who was trying to help him on the side is all & recommend him coming here. I appreciate the advice & am just following this is all. You're the pro, not me. There will be no clashes on my part.

#7 deanoman1969

New Member

Group: Members
Posts: 4
Joined: 04-November 09
Gender:Male
Location:Rampaging on the internetz

Posted 04 November 2009 - 05:59 PM

My Malware Bytes log after I was finally able to run the program.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/4/2009 4:07:50 PM
mbam-log-2009-11-04 (16-07-50).txt

Scan type: Quick Scan
Objects scanned: 155633
Time elapsed: 24 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 14
Files Infected: 93

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9e724cdd-fc88-a1a9-5f9b-1ff680dd5d1b (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ylxdtnfcdtiqvtmm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Refog Software (Refog.Keylogger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\44900017 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Refog.Keylogger) -> Data: c:\windows\system32\mpk\mpk.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Refog.Keylogger) -> Data: system32\mpk\mpk.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Refog.Keylogger) -> Bad: (c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\MPK.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\44900017 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\1 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\2 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\3 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\CPDA (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\CPDM (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\REFOG Free Keylogger (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Images (Refog.Keylogger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\44900017\44900017.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9e724cdd-fc88-a1a9-5f9b-1ff680dd5d1b.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ylxdtnfcdtiqvtmm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\qobe.tmp (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\jrqdn1023.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\M0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\1\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\1\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\2\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\2\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\3\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\3\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\CPDM\cpfm.bin (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\REFOG Free Keylogger\Get discount!.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\REFOG Free Keylogger\Order now!.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\REFOG Free Keylogger\REFOG Free Keylogger on the Web.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\REFOG Free Keylogger\REFOG Free Keylogger.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\MPK\REFOG Free Keylogger\Uninstall REFOG Free Keylogger.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\French.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\German.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\icon.ico (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\icon_1.ico (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Mpk.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\MPK.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Mpk64.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\MPK64.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\MPKView.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Romanian.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Spanish.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\sqlite3.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\unins000.dat (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\unins000.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\file.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\imhelp.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\need_update_net.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\update.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\file.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\imhelp.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\need_update_net.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\German\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Images\english.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Images\german.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Images\russian.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Images\vista_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Images\xp_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\kdiue732.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

My second scan follows.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/4/2009 4:38:28 PM
mbam-log-2009-11-04 (16-38-28).txt

Scan type: Quick Scan
Objects scanned: 155580
Time elapsed: 22 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
:thumbsup:

I also ran Cclean and cleaned up the registry.

This post has been edited by deanoman1969: 04 November 2009 - 06:01 PM

#8 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 48,761
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 04 November 2009 - 09:18 PM

Hello,no problem CP.
OK is this an office Comp? as thr Keylogger found was an installed type. If so you IT dept will be at your desk soon and maybe the boss.

Quote

REFOG Personal Monitor takes complete surveillance yet another step higher. Adding instant security alerts delivered right to your PC, REFOG Personal Monitor will alert you if anything happens at home or at work

That said .. either way the logger has grabbed your passwords by now and they should be changed.

We should definately run a couple more things.

Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Rerun MBAM (MalwareBytes) like this:.. You need to update

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post 2 logs and Let us know how the PC is running now.