
Malwarebytes won't open, other programs won't install, possibly related to csrss


  • This topic is locked
15 replies to this topic

#1 Causley

Causley

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 26 January 2016 - 03:03 PM

Thanks for looking at this.

 

Running XP on a computer that is used as a checkout in my shop. It seemed slower than it should the other day and, with my limited knowledge, I found a csrss.exe file, actually 2 of them, in the "Application Data" folder of "All Users" in "Documents and Settings". One of the files was 0 bytes, the other I cannot remember.

 

I deleted both after a little research, and went to run Malwarebytes, which won't open. I've uninstalled it and tried again. I only receive the following message:

 

mbam.exe - Application Error

The application failed to initialize properly (0xc000001d). Click on OK to terminate the application.

 

And it won't run.

 

I then downloaded SUPERAntiSpyware Free Edition. But double clicking the installer does nothing. I see nothing load or attempt to load. No error message.

 

I have managed to get Spybot S&D to run. But it doesn't seem to find anything worth cleaning.

 

As per your guide I have run FRST and I'll attach the logs.

 

Any help would be appreciated. Many thanks

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-01-2016
Ran by POS (administrator) on 1POS03 (27-01-2016 06:18:37)
Running from C:\Documents and Settings\POS\Desktop
Loaded Profiles: POS (Available Profiles: POS & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files\Unlocker\UnlockerAssistant.exe
(S3 Graphics, Inc.) C:\WINDOWS\system32\S3hotkey.exe
(S3 Graphics, Inc.) C:\WINDOWS\system32\VTTimer.exe
(Symantec Corporation) C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
(Fujitsu Component Ltd.) C:\FIDTSERV\Fidtserv.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Fujitsu Component Ltd.) C:\FIDTSERV\RButton.exe
(National POS System) C:\Program Files\NatPOS\OnlineManagerAgent\NatPOS.Term.OnlineManagerClient.exe
(Symantec Corporation) C:\Program Files\Symantec\pcAnywhere\awhost32.exe
(PC-EFTPOS Pty Ltd) C:\PC_EFT\EftClnt.exe
(PC-EFTPOS) C:\PC_EFT\emsclt.exe
(Firebird Project) C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
(Symantec Corporation) C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
(PC-EFTPOS Pty Ltd) C:\PC_EFT\Eftsrv.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(RealVNC Ltd) C:\Program Files\RealVNC\VNC4\vncserver.exe
(Firebird Project) C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(RealVNC Ltd) C:\Program Files\RealVNC\VNC4\vncagent.exe
(RealVNC Ltd) C:\Program Files\RealVNC\VNC4\vncserverui.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [UnlockerAssistant] => C:\Program Files\Unlocker\UnlockerAssistant.exe [15872 2006-09-07] ()
HKLM\...\Run: [S3hotkey] => C:\WINDOWS\system32\S3hotkey.exe [159792 2003-05-27] (S3 Graphics, Inc.)
HKLM\...\Run: [VTTimer] => C:\WINDOWS\system32\VTTimer.exe [53248 2004-09-01] (S3 Graphics, Inc.)
HKLM\...\Run: [GhostStartTrayApp] => C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe [94208 2003-12-17] (Symantec Corporation)
HKLM\...\Run: [Fidtserv] => C:\\FIDTSERV\Fidtserv.exe [90285 2005-05-24] (Fujitsu Component Ltd.)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\PCANotify: C:\WINDOWS\system32\PCANotify.dll [2003-10-31] (Symantec Corporation)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
Startup: C:\Documents and Settings\POS\Start Menu\Programs\Startup\NatPOS Online Manager Agent.lnk [2016-01-26]
ShortcutTarget: NatPOS Online Manager Agent.lnk -> C:\Documents and Settings\POS\Application Data\Microsoft\Installer\{C34E066B-6EA5-4370-B9C0-69C3147C1FC4}\_FAF1EB8BF1872502DEF39A.exe ()
Startup: C:\Documents and Settings\POS\Start Menu\Programs\Startup\NatPOS Terminal.lnk [2016-01-26]
ShortcutTarget: NatPOS Terminal.lnk -> C:\Documents and Settings\POS\Application Data\Microsoft\Installer\{CA8BD22F-4DE1-4B69-870E-6AB5D53D67CF}\_7C05CFB1014946E1C775F2.exe ()
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-1715567821-790525478-1801674531-1003] => Proxy is enabled.
ProxyServer: [S-1-5-21-1715567821-790525478-1801674531-1003] => localhost:21320
AutoConfigURL: [S-1-5-21-1715567821-790525478-1801674531-1003] => localhost:21320
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{80BD685C-AA4B-4023-BA92-C634D82F2C0A}: [NameServer] 192.168.1.99

Internet Explorer:
==================
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1715567821-790525478-1801674531-1003 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing

FireFox:
========
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-07-07] [not signed]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [106496 2003-10-31] (Symantec Corporation) [File not signed]
R2 CSDEftposClient; C:\PC_EFT\EftClnt.exe [884736 2010-12-01] (PC-EFTPOS Pty Ltd) [File not signed]
R2 EMSClientService; C:\PC_EFT\EMSCLT.exe [1940480 2009-12-11] (PC-EFTPOS) [File not signed]
R2 FirebirdGuardianDefaultInstance; C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe [81920 2009-07-22] (Firebird Project) [File not signed]
R3 FirebirdServerDefaultInstance; C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe [2736128 2009-07-22] (Firebird Project) [File not signed]
R2 GhostStartService; C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe [200704 2003-12-17] (Symantec Corporation) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 RemedyEFTPOSServer; C:\PC_EFT\Eftsrv.exe [1331290 2010-11-23] (PC-EFTPOS Pty Ltd) [File not signed]
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 vncserver; C:\Program Files\RealVNC\VNC4\vncserver.exe [3487976 2015-12-07] (RealVNC Ltd)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [17801 2007-06-01] (Meetinghouse Data Communications) [File not signed]
R2 Aspi32; C:\WINDOWS\system32\Drivers\Aspi32.sys [17005 2003-12-17] (Adaptec)
R1 awlegacy; C:\WINDOWS\System32\Drivers\awlegacy.sys [10901 2003-04-21] (Symantec Corporation) [File not signed]
R1 AW_HOST; C:\WINDOWS\System32\drivers\aw_host5.sys [16984 2003-10-23] (Symantec Corporation) [File not signed]
S3 DNINDIS5; C:\WINDOWS\system32\DNINDIS5.SYS [17149 2003-07-24] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R3 DRVDRW; C:\WINDOWS\System32\DRIVERS\DRVDRW.SYS [6144 2003-07-10] () [File not signed]
R3 Esdpdx01; C:\WINDOWS\system32\Drivers\ESDPDX01.SYS [58058 2002-07-02] (MK Systems CO., LTD.) [File not signed]
R3 FETNDISB; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [42496 2004-07-22] (VIA Technologies, Inc.              )
R0 Gernuwa; C:\WINDOWS\system32\Drivers\Gernuwa.sys [13898 2003-04-21] (Symantec Corporation) [File not signed]
R1 GhPciScan; C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [5632 2003-12-17] (Symantec Corporation) [File not signed]
S1 i8042prt; C:\WINDOWS\System32\DRIVERS\ti8042prt.sys [57344 2004-05-28] (TOSHIBA TEC Corporation) [File not signed]
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 NTSIM; C:\WINDOWS\system32\ntsim.sys [7040 2003-07-17] (VIA Networking Technologies, Inc.       ) [File not signed]
R1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42496 2006-11-22] (Microsoft Corporation)
R2 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [163644 2006-11-22] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [File not signed]
S3 SymEvent; C:\Program Files\Symantec\SYMEVENT.SYS [73496 2007-05-29] (Symantec Corporation)
R3 TECUSBD; C:\WINDOWS\System32\Drivers\Tecusbd.sys [18176 2004-11-25] (TOSHIBA TEC) [File not signed]
R0 viaagp1; C:\WINDOWS\System32\DRIVERS\viaagp1.sys [27904 2003-07-02] (VIA Technologies, Inc.)
R3 viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [173312 2004-09-23] (Copyright © VIA/S3 Graphics Co, Ltd.)
R3 vncmirror; C:\WINDOWS\System32\DRIVERS\vncmirror.sys [4608 2015-12-07] (RealVNC Ltd.)
S3 AR5523; system32\DRIVERS\WG11TND5.sys [X]
S3 ATHFMWDL; System32\Drivers\ATHFMWDL.sys [X]
S3 DMusic; system32\drivers\DMusic.sys [X]
S4 IntelIde; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-27 06:18 - 2016-01-27 06:19 - 00011337 _____ C:\Documents and Settings\POS\Desktop\FRST.txt
2016-01-27 06:18 - 2016-01-27 06:18 - 00000000 ____D C:\FRST
2016-01-27 06:17 - 2016-01-27 06:17 - 01721856 _____ (Farbar) C:\Documents and Settings\POS\Desktop\FRST.exe
2016-01-26 15:20 - 2016-01-26 15:20 - 00000000 ____D C:\WINDOWS\pss
2016-01-26 15:19 - 2016-01-26 15:19 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-01-26 15:19 - 2016-01-26 15:19 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-01-26 15:19 - 2015-06-18 08:41 - 00121560 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-01-26 15:19 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2016-01-26 15:06 - 2016-01-26 15:09 - 00000000 ____D C:\Program Files\HiJackThis
2016-01-26 14:47 - 2016-01-26 14:48 - 00000000 ___SD C:\ComboFix
2016-01-26 14:34 - 2016-01-26 14:34 - 24502184 _____ (SUPERAntiSpyware) C:\ReNamedSUPERAntiSpy.exe
2016-01-26 14:19 - 2016-01-26 14:19 - 00000000 ____D C:\Documents and Settings\POS\My Documents\ProcAlyzer Dumps
2016-01-26 14:15 - 2016-01-24 12:48 - 00450713 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160126-141542.backup
2016-01-26 12:19 - 2016-01-26 12:24 - 00000000 ____D C:\CCE_Quarantine
2016-01-26 12:19 - 2016-01-24 12:48 - 00450713 ____R C:\WINDOWS\system32\Drivers\etc\hosts.ccebak
2016-01-26 05:18 - 2016-01-26 05:18 - 00000000 ____D C:\cce_2.5.242177.201_x32
2016-01-24 17:29 - 2016-01-24 17:29 - 00000000 ____D C:\Documents and Settings\POS\Desktop\mbam-chameleon-3.1.28.0
2016-01-24 17:28 - 2016-01-24 17:28 - 06392130 _____ C:\mbam-chameleon-3.1.28.0.zip
2016-01-24 17:28 - 2016-01-24 17:28 - 06392130 _____ C:\Documents and Settings\POS\Desktop\mbam-chameleon-3.1.28.0.zip
2016-01-24 17:23 - 2016-01-24 17:23 - 45698520 _____ C:\Firefox Setup 43.0.4.exe
2016-01-24 17:19 - 2016-01-22 08:21 - 22908888 _____ (Malwarebytes ) C:\Documents and Settings\POS\Desktop\mbam-setup-2.2.0.1024.exe
2016-01-24 14:59 - 2016-01-24 14:59 - 00000000 ____D C:\Program Files\Common Files\AV
2016-01-24 14:59 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Documents and Settings\All Users\Desktop\Post Win10 Spybot-install.exe
2016-01-24 14:54 - 2016-01-27 00:30 - 00000616 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2016-01-24 14:54 - 2016-01-26 15:12 - 00000644 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
2016-01-24 14:54 - 2016-01-24 14:54 - 00001876 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-01-24 14:54 - 2016-01-24 14:54 - 00001870 _____ C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
2016-01-24 14:54 - 2016-01-24 14:54 - 00000446 _____ C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job
2016-01-24 14:54 - 2016-01-24 14:54 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy 2
2016-01-24 14:54 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean.exe
2016-01-24 14:39 - 2016-01-24 14:39 - 00000079 _____ C:\WINDOWS\wininit.ini
2016-01-24 13:02 - 2016-01-24 13:02 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\RealVNC-Service
2016-01-24 13:02 - 2015-12-07 09:35 - 00033096 _____ (RealVNC Ltd) C:\WINDOWS\system32\VNCpm.dll
2016-01-24 13:02 - 2015-12-07 09:35 - 00020992 _____ (RealVNC Ltd.) C:\WINDOWS\system32\vncmirror.dll
2016-01-24 13:02 - 2015-12-07 09:35 - 00004608 _____ (RealVNC Ltd.) C:\WINDOWS\system32\Drivers\vncmirror.sys
2016-01-24 13:01 - 2016-01-24 13:16 - 00000000 ____D C:\Documents and Settings\POS\Local Settings\Application Data\RealVNC
2016-01-24 12:48 - 2016-01-24 12:45 - 00450713 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160124-124837.backup
2016-01-24 12:45 - 2007-05-29 12:10 - 00000854 _____ C:\WINDOWS\system32\Drivers\etc\hosts.20160124-124557.backup
2016-01-22 09:20 - 2016-01-26 12:47 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2016-01-22 09:20 - 2016-01-23 05:00 - 00065536 _____ C:\WINDOWS\system32\config\SpybotSD.evt
2016-01-22 09:19 - 2016-01-26 12:46 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2016-01-22 08:24 - 2016-01-22 08:24 - 00000000 _RSHD C:\cmdcons
2016-01-22 08:24 - 2006-11-27 12:55 - 00000211 _____ C:\Boot.bak
2016-01-22 08:24 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2016-01-22 08:23 - 2016-01-22 08:23 - 00000000 ___RD C:\Documents and Settings\POS\My  Documents\My Videos
2016-01-22 08:23 - 2016-01-22 08:23 - 00000000 ____D C:\WINDOWS\erdnt
2016-01-22 08:23 - 2016-01-22 08:23 - 00000000 ____D C:\Qoobox
2016-01-22 08:23 - 2011-06-26 17:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2016-01-22 08:23 - 2010-11-08 04:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2016-01-22 08:23 - 2009-04-20 15:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2016-01-22 08:23 - 2000-08-31 11:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2016-01-22 08:23 - 2000-08-31 11:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2016-01-22 08:23 - 2000-08-31 11:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2016-01-22 08:23 - 2000-08-31 11:00 - 00098816 _____ C:\WINDOWS\sed.exe
2016-01-22 08:23 - 2000-08-31 11:00 - 00080412 _____ C:\WINDOWS\grep.exe
2016-01-22 08:23 - 2000-08-31 11:00 - 00068096 _____ C:\WINDOWS\zip.exe
2016-01-22 08:21 - 2016-01-22 08:21 - 22908888 _____ (Malwarebytes ) C:\MalwInstall.exe
2016-01-22 08:19 - 2016-01-24 18:15 - 05652316 ____R (Swearware) C:\Documents and Settings\POS\Desktop\ComboFix.exe
2016-01-22 08:19 - 2016-01-19 07:39 - 46525608 _____ (Safer-Networking Ltd. ) C:\spybot-2.4.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-27 06:19 - 2007-05-28 15:45 - 00000000 ____D C:\Documents and Settings\POS\Local Settings\Temp
2016-01-27 06:18 - 2007-05-28 15:45 - 00000000 ____D C:\Documents and Settings\POS
2016-01-27 06:18 - 2006-11-27 23:23 - 00000000 ____D C:\WINDOWS
2016-01-26 15:22 - 2006-11-27 23:28 - 00000360 __RSH C:\boot.ini
2016-01-26 15:12 - 2006-11-27 13:31 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-01-26 15:10 - 2007-05-28 15:45 - 00000178 ___SH C:\Documents and Settings\POS\ntuser.ini
2016-01-26 14:19 - 2007-05-28 15:45 - 00000000 ___RD C:\Documents and Settings\POS\My Documents
2016-01-26 13:44 - 2006-11-27 13:31 - 00032536 _____ C:\WINDOWS\SchedLgU.Txt
2016-01-26 05:02 - 2001-08-24 00:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2016-01-25 08:04 - 2007-05-28 16:05 - 00000000 ____D C:\PC_EFT
2016-01-25 06:48 - 2010-08-10 16:46 - 00002445 _____ C:\Documents and Settings\POS\Desktop\NatPOS Terminal.lnk
2016-01-24 14:59 - 2006-11-27 13:30 - 00000000 __SHD C:\Documents and Settings\LocalService
2016-01-24 13:02 - 2008-09-19 14:06 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\RealVNC
2016-01-24 13:02 - 2006-11-27 23:23 - 00000000 ___HD C:\WINDOWS\inf

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================


#2 olgun52

olgun52

  • Malware Response Team
  • 3,777 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:19 PM

Posted 26 January 2016 - 04:56 PM

Hello Causley and welcome to BleepingComputer.
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log on to the computer as administrator. How do I log on to the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks
   
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Sincerely


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

olgun52

  • Malware Response Team
  • 3,777 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:19 PM

Posted 26 January 2016 - 06:25 PM

Hi Causley,

 

Please do the following.

Your Malwarebytes Anti-Malware is out of date. Malwarebytes Anti-Malware version 2.1.8.1057

Uninstall outdated Malwarebytes' Anti-Malware

Please download MBAM-clean and save it to your desktop. (Or: here)

  • Right-click on the mbam-clean.exe icon and select Run as Administrator to start the tool.
  • It will ask you to reboot the machine - please do so.

And restart the PC now.

After that, follow my next instructions to download and install the newest MBAM version.

 

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.
===========================================================
How is it now, any issues? Please let me know.

 

DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002

ProxyEnable: [S-1-5-21-1715567821-790525478-1801674531-1003] => Proxy is enabled.
ProxyServer: [S-1-5-21-1715567821-790525478-1801674531-1003] => localhost:21320
AutoConfigURL: [S-1-5-21-1715567821-790525478-1801674531-1003] => localhost:21320

Do you use the Profile and the proxy?


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
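The entries singled out above (the per-user proxy pointing at localhost:21320 and the lines FRST itself marks with ATTENTION) are the kind of thing a small triage script can pull out of FRST.txt before a human reads the rest. The following Python script is an added example, not code from this thread or from FRST; it parses lines excerpted from the log posted above (embedded as constructed sample input) and groups the items worth a second look: proxy settings, ATTENTION lines, entries whose file is missing, unsigned services and drivers, and startup items launching an unbranded executable from a user profile.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example for this thread, not part of FRST or of the posts above.
It walks FRST.txt section by section and collects what a malware-response
helper checks first: per-user proxy settings, lines FRST marks
'<======= ATTENTION', entries whose file is missing ('[X]'), unsigned
services and drivers, and autoruns launching an unbranded executable
from inside a user profile.
"""
import re
from collections import defaultdict

# Lines excerpted from the FRST.txt posted in this thread, embedded as
# constructed sample input; a real run passes the whole file to triage().
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===========================
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
ShortcutTarget: NatPOS Terminal.lnk -> C:\Documents and Settings\POS\Application Data\Microsoft\Installer\{CA8BD22F-4DE1-4B69-870E-6AB5D53D67CF}\_7C05CFB1014946E1C775F2.exe ()
==================== Internet (Whitelisted) ====================
ProxyEnable: [S-1-5-21-1715567821-790525478-1801674531-1003] => Proxy is enabled.
ProxyServer: [S-1-5-21-1715567821-790525478-1801674531-1003] => localhost:21320
AutoConfigURL: [S-1-5-21-1715567821-790525478-1801674531-1003] => localhost:21320
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
==================== Services (Whitelisted) ========================
R2 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [106496 2003-10-31] (Symantec Corporation) [File not signed]
R2 vncserver; C:\Program Files\RealVNC\VNC4\vncserver.exe [3487976 2015-12-07] (RealVNC Ltd)
===================== Drivers (Whitelisted) ==========================
R1 awlegacy; C:\WINDOWS\System32\Drivers\awlegacy.sys [10901 2003-04-21] (Symantec Corporation) [File not signed]
S3 AR5523; system32\DRIVERS\WG11TND5.sys [X]
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")            # '==== Name ===='
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+); (.*)$")  # 'R2 name; path ...'
PROXY_KEYS = ("ProxyEnable", "ProxyServer", "AutoConfigURL")


def parse_sections(text):
    """Yield (section_name, line) for each non-blank line, tracking the
    '==== Name ====' banners FRST writes between sections."""
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1).strip()
            continue
        yield section, line


def triage(text):
    """Return {category: [entries]} for the items worth a second look."""
    findings = defaultdict(list)
    for section, line in parse_sections(text):
        if "<======= ATTENTION" in line:
            findings["attention"].append(line)
        if line.endswith("[X]"):
            # FRST prints [X] when the referenced file no longer exists.
            findings["missing_file"].append(line)
        key, sep, value = line.partition(" => ")
        if sep and key.split(":", 1)[0] in PROXY_KEYS:
            findings["proxy"].append((key.split(":", 1)[0], value))
        svc = SERVICE_RE.match(line)
        if svc and "[File not signed]" in line:
            findings["unsigned"].append((section.split()[0].lower(), svc.group(2)))
        if line.endswith(" ()") and "\\Application Data\\" in line:
            # Startup target inside a user profile with no publisher name: not
            # proof of anything, but the same kind of place the poster found csrss.exe.
            findings["profile_autorun"].append(line)
    return dict(findings)


def proxy_summary(findings):
    """Collapse the proxy entries to (enabled, server) so the reviewer can
    ask, as the helper does in this thread, whether the user set it up."""
    values = dict(findings.get("proxy", []))
    enabled = values.get("ProxyEnable", "").startswith("Proxy is enabled")
    return enabled, values.get("ProxyServer")


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, items in sorted(result.items()):
        print(f"[{category}] {len(items)} item(s)")
        for item in items:
            print("    ", item)
    print("proxy:", proxy_summary(result))
```

A loopback proxy such as localhost:21320 is only suspicious until it is matched to an installed program, which is exactly the question the helper asks next; the script surfaces it, the human confirms it.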

 


 


#4 Causley

Causley
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 27 January 2016 - 01:06 PM

Hi olgun52

 

Thanks for looking at this for me.

 

I have tried the steps above.

 

I can successfully uninstall Malwarebytes.

 

But when I install it again I get the same error when the program attempts to launch.

 

"mbam.exe - Application Error

The application failed to initialize properly (0xc000001d). Click on OK to terminate the application."

 

I've tried several times as the Administrator and user.

 

As far as using a profile and proxy, I'm not sure, I'll try and find out.

 

Do you have any other steps I could take?

 

Regards / Causley



#5 Causley

Causley
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 27 January 2016 - 02:00 PM

I had a bit of a look and it looks like the proxy has to do with Spybot S&D. I remember that I had to use Spybot's proxy to be able to get it to update.

 

Hope that explains that.

 

I'm not sure what the "profile" is, I'll keep looking into it.

 

Thanks again.



#6 olgun52

olgun52

  • Malware Response Team
  • 3,777 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:19 PM

Posted 27 January 2016 - 02:20 PM

Well.
Your system is a very old operating system and you should consider upgrading it, as otherwise you are even more at risk.
But this is not infection related. What it is, is an issue on older machines with CPUs that are currently incompatible with the latest version of MBAM and one of its components, QT.

Malwarebytes developers have a workaround in place that will allow you to run MBAM 2.1.8.1057
You'll first need to download and install it from here:
https://www.bleepingcomputer.com/download/malwarebytes-anti-malware//

At the final installation screen, do not click Finish. Leave that screen open, and continue below.

Next...download the file - Malwarebytes_2.1.8_SSE2_Hotfix.exe - from this link and save it to your desktop, or other easy to access location.

https://malwarebytes.box.com/s/7yxf8...qlvtevziq3ziut (Note: The file is safe)
 
Next...double click on the file to open it and follow the prompts.

A command window will open.
You should see several messages indicating files had been copied.
Click OK on the message box and press any key to close the command window which opened.

Now, click Finish on the installation screen, and MBAM should open without issue.

Let me know if that works.


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#7 Causley

Causley
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 27 January 2016 - 04:37 PM

olgun52

 

Yes, that worked.

 

It is an old system. I need to keep it going until Dec this year.

 

I'll run a Malwarebytes scan and get back to you.

 

Hey, where are you from? Your English is very good.

 

Thanks



#8 olgun52

olgun52

  • Malware Response Team
  • 3,777 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:19 PM

Posted 27 January 2016 - 05:05 PM

Yes, that worked.

Hey, where are you from? Your English is very good.

Perfect. I am Turkish. Thank you. But in fact my language is very bad.

========================================================

Step 1:
FRST Script:
Please download the attached Fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:
Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 5:

ComboFix run:

Please be sure to run our tools with administrator rights.

* IMPORTANT 1: Place ComboFix.exe on your Desktop

* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 

Have a nice day.


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#9 Causley
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 27 January 2016 - 05:31 PM

olgun52

 

Here is the log. No malicious items detected!!

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 28/01/2016
Scan Time: 8:40:57 AM
Logfile: Malwarebytes Log.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.27.07
Rootkit Database: v2016.01.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: POS

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 322458
Time Elapsed: 18 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#10 Causley
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 28 January 2016 - 02:28 PM

olgun52

 

Results from the Steps listed above

 

FRST Script - log

 

Fix result of Farbar Recovery Scan Tool (x86) Version:25-01-2016
Ran by POS (2016-01-29 04:06:09) Run:1
Running from C:\Documents and Settings\POS\Desktop
Loaded Profiles: POS (Available Profiles: POS & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
C:\WINDOWS\wininit.ini
2016-01-24 12:45 - 2007-05-29 12:10 - 00000854 _____ C:\WINDOWS\system32\Drivers\etc\hosts.20160124-124557.backup
2016-01-24 12:48 - 2016-01-24 12:45 - 00450713 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160124-124837.backup
2016-01-26 12:19 - 2016-01-24 12:48 - 00450713 ____R C:\WINDOWS\system32\Drivers\etc\hosts.ccebak
2016-01-26 14:15 - 2016-01-24 12:48 - 00450713 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160126-141542.backup
S4 IntelIde; no ImagePath
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
AlternateDataStreams: C:\Firefox Setup 43.0.4.exe:$CmdTcID
AlternateDataStreams: C:\Firefox Setup 43.0.4.exe:$CmdZnID
AlternateDataStreams: C:\mbam-chameleon-3.1.28.0.zip:$CmdTcID
AlternateDataStreams: C:\mbam-chameleon-3.1.28.0.zip:$CmdZnID
AlternateDataStreams: C:\ReNamedSUPERAntiSpy.exe:$CmdTcID
AlternateDataStreams: C:\ReNamedSUPERAntiSpy.exe:$CmdZnID
AlternateDataStreams: C:\Documents and Settings\POS\Desktop\FRST.exe:$CmdTcID
AlternateDataStreams: C:\Documents and Settings\POS\Desktop\FRST.exe:$CmdZnID
AlternateDataStreams: C:\Documents and Settings\POS\Desktop\mbam-chameleon-3.1.28.0.zip:$CmdTcID
AlternateDataStreams: C:\Documents and Settings\POS\Desktop\mbam-chameleon-3.1.28.0.zip:$CmdZnID
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
ProxyEnable: [S-1-5-21-1715567821-790525478-1801674531-1003] => Proxy is enabled.
ProxyServer: [S-1-5-21-1715567821-790525478-1801674531-1003] => localhost:21320
AutoConfigURL: [S-1-5-21-1715567821-790525478-1801674531-1003] => localhost:21320
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
RemoveProxy:
Hosts:
EmptyTemp:
*****************

Restore point was successfully created.
Processes closed successfully.
C:\WINDOWS\wininit.ini => moved successfully
C:\WINDOWS\system32\Drivers\etc\hosts.20160124-124557.backup => moved successfully
C:\WINDOWS\system32\Drivers\etc\hosts.20160124-124837.backup => moved successfully
C:\WINDOWS\system32\Drivers\etc\hosts.ccebak => moved successfully
C:\WINDOWS\system32\Drivers\etc\hosts.20160126-141542.backup => moved successfully
IntelIde => service removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\Tabs => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-1715567821-790525478-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart" => key removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart" => key removed successfully.
C:\Firefox Setup 43.0.4.exe => ":$CmdTcID" ADS removed successfully..
C:\Firefox Setup 43.0.4.exe => ":$CmdZnID" ADS removed successfully..
"C:\mbam-chameleon-3.1.28.0.zip" => ":$CmdTcID" ADS not found.
"C:\mbam-chameleon-3.1.28.0.zip" => ":$CmdZnID" ADS not found.
"C:\ReNamedSUPERAntiSpy.exe" => ":$CmdTcID" ADS not found.
"C:\ReNamedSUPERAntiSpy.exe" => ":$CmdZnID" ADS not found.
C:\Documents and Settings\POS\Desktop\FRST.exe => ":$CmdTcID" ADS removed successfully..
C:\Documents and Settings\POS\Desktop\FRST.exe => ":$CmdZnID" ADS removed successfully..
"C:\Documents and Settings\POS\Desktop\mbam-chameleon-3.1.28.0.zip" => ":$CmdTcID" ADS not found.
"C:\Documents and Settings\POS\Desktop\mbam-chameleon-3.1.28.0.zip" => ":$CmdZnID" ADS not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP => value removed successfully.
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully.
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully.
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value not found.

=========  ipconfig /flushdns =========



Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========


=========  netsh winsock reset all =========


Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.


========= End of CMD: =========


=========  netsh int ipv4 reset =========

The following command was not found: int ipv4 reset.

========= End of CMD: =========


=========  netsh int ipv6 reset =========

IPv6 is not installed.


========= End of CMD: =========


========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-1715567821-790525478-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.


========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 31.5 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 04:06:46 ====

 

Step 2 - AdwCleaner

 

I could not get this to install. The error message was

 

AppName: adwcleaner_5.031.exe     AppVer: 5.0.3.1     ModName: adwcleaner_5.031.exe ModVer: 5.0.3.1     Offset: 000211de

 

With a log saved as following. Not sure if you need all that but better too much info than not enough.

 

 

 

 

 

Step 3 JRT log

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Microsoft Windows XP x86
Ran by POS (Administrator) on Fri 29/01/2016 at  4:22:15.85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 1

Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 29/01/2016 at  4:23:51.59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

Step 4 Malwarebytes log

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 29/01/2016
Scan Time: 4:29:42 AM
Logfile: Malwarebytes Log 29th Jan.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.28.04
Rootkit Database: v2016.01.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: POS

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 322175
Time Elapsed: 12 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

Step 5 ComboFix

 

I ran ComboFix and left it on the screen that says "Scanning for infected files...This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double" for nearly 2 hours with no result.

 

I closed the program. Should I have left it?

 

Thanks olgun52



#11 olgun52
  • Malware Response Team
  • 3,777 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:19 PM

Posted 28 January 2016 - 03:17 PM

olgun52

 

Step 5 ComboFix

 

I ran ComboFix and left it on the screen that says "Scanning for infected files...This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double" for nearly 2 hours with no result.

 

I closed the program. Should I have left it?

 

Thanks olgun52

Please try to run it again.

  • Disable all antivirus and antispyware programs. Get help here
  • Close all open windows

If needed, try running it in Safe Mode.


Best regards
 

 


 


#12 Causley
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 31 January 2016 - 12:54 AM

olgun52

 

I have tried to run ComboFix a number of times the past few days. I've not been able to get it to run to completion. I'm not sure what to do.

 

I've gone into task manager and closed as many processes as possible to ensure nothing would conflict with ComboFix. No luck.

 

I then tried to run it in safe mode. I closed ComboFix after about 2 hours of no activity.

 

I'm happy to report that some other error messages I was getting I no longer have. And the computer seems to be running as well as it was before I had issues.

 

Any suggestions?

 

Regards Causley



#13 olgun52
  • Malware Response Team
  • 3,777 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:19 PM

Posted 31 January 2016 - 05:21 PM

Open a command prompt. (Run the command prompt as Administrator in Windows Vista/7/8.)
Copy each command line below and paste it into the prompt.

sc stop "PEVSystemStart"
sc config "PEVSystemStart" start= disabled

To delete this service:
sc delete "PEVSystemStart"


Best regards
 
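A checked version of the three commands above, added here as an example and not part of olgun52's post: it verifies that the service exists before touching it, keeps the space after start= that sc.exe requires, confirms the deletion afterwards, and looks for the SafeBoot entries for the same service that the FRST fix log earlier in the thread listed. It assumes an administrator cmd.exe session; the service name is the one from the post.

```batch
@echo off
REM Added example, not from the original thread. Run from an elevated cmd.exe.
REM Removes the leftover PEVSystemStart service step by step, checking as it goes.
set SVC=PEVSystemStart

echo === Before: does the service exist, and what does it point at? ===
sc query "%SVC%" >nul 2>&1
if errorlevel 1 (
    REM sc.exe returns 1060 when the service does not exist: nothing to stop or delete.
    echo Service %SVC% is not installed.
    goto safeboot
)
REM qc shows START_TYPE and BINARY_PATH_NAME, so you can see whether the
REM binary is still on disk before deciding to remove the service entry.
sc qc "%SVC%"
sc query "%SVC%" | find "STATE"

echo === Stop, disable, delete ===
REM 1062 (service not started) from sc stop is harmless here.
sc stop "%SVC%"
REM The space after "start=" is mandatory; "start=disabled" is rejected by sc.exe.
sc config "%SVC%" start= disabled
REM If a handle to the service is still open, sc reports "marked for deletion"
REM and the entry disappears only after a reboot.
sc delete "%SVC%"

echo === After: this query should now fail with error 1060 ===
sc query "%SVC%"

:safeboot
echo === SafeBoot entries that would start the service again in Safe Mode ===
REM These are the two keys the FRST fix log in this thread removed; "not found" is the expected result.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\%SVC%" 2>nul || echo Minimal\%SVC%: not found
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\%SVC%" 2>nul || echo Network\%SVC%: not found
```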

 


 


#14 Causley
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 02 February 2016 - 03:49 PM

olgun52

 

Sorry, I don't really understand the instructions.

 

Do you want me to copy and paste each of the lines (sc stop "PEVSystemStart", sc config "PEVSystemStart" start= disabled and sc delete "PEVSystemStart") into the command prompt and run them??

 

Anyhow, that's what I have done. Hope that was right.

 

If so what is the next step?

 

Kind Regards / Causley



#15 olgun52
  • Malware Response Team
  • 3,777 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:19 PM

Posted 03 February 2016 - 12:35 PM

Hi,

 

If it runs, try ComboFix again.

If it does not run:

 

Step 1:

Zoek scan:

  • Temporarily disable your Antivirus protection - if you don't know how to do that, please consult the article below.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Please download ZOEK and save it to your desktop (preferred version is the *.exe one - upper left corner).

http://hijackthis.nl/smeenk/

  • Attached to this message you will find a file called zoekscript

zoekscript.txt (188 bytes, attached)

  • Download it too and save it to your desktop - it needs to be in the same location as the ZOEK tool
  • Drag the zoekscript file and drop it onto the ZOEK icon - this should launch the program.
  • The scan may take a while and may need a reboot.
  • Upon completion a file named zoek-results should appear.
  • Attach it for my review.

Step 2:

RogueKiller by Tigzy

  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Scan
  • If, during the scan, you receive a request to upload a file to Virustotal please click Yes
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply

Best regards
 

 


 




