DR_Smith


  1. Hi Ron, I really want to thank you, I work in computer/network security, but not as a malware expert. PCs and laptops get compromised and they are just re-imaged. It's the quick way to an end, but you never find root cause or how these little devils operate. I try to run an image of my machines once a week and keep scanning. Linux is my main laptop's OS, but I need MS for a few things. I'll install uBlock as you recommended. Thank you!!!!!!!!!!!!!!!!!!!
  2. Kaspersky did not find anything. I think we are clean. Let me know if we need to check further. Thanks!!!!!!!!
  3. Hi Ron, I did a manual check of the registry and I didn't find what we were looking for. I ran Kaspersky and it did find anything. I think we are clean. Let me know if we need to check further. Thanks!!!!!!!!
  4. Hi Ron, Maybe I do need some help with the registry search. I did a find in HK Local Machine and I can't find SDFILES.exe. Let me know and I'll get you the info. Thanks!!!
  5. Hi Ron, I have scanned the laptop again after removing it and rebooted a couple of times in between each scan. I think there are 2 factors that contribute to this: 1. I have installed the advanced version (auto detect version of Malwarebytes). 2. I think it's related to me running Spybot. I can prove this out because I have a couple of clean scans and reboots and all looks well. I believe if I run Spybot, I'll get a detection and if I scan with Malwarebytes it will pick up another set of reg. keys. I can get you a snapshot of those reg. keys so you can see. I'll also run Spybot to see if there is a problem after or during the run. Now that I have the paid version of Malwarebytes, I might de-install the other anti-virus/malware software. I do like that Spybot blackholes bad sites and IPs by including them in the hosts file and directing them to 127.0.0.1. Thanks!!!!
  6. Hi Ron, Ran Farbar and I have attached the FRST.txt and Addition.txt. Let me know if you see anything. I took a quick look, nothing obvious, but I'll look again. Looks like there may be a problem because first the problem was with SuperAntiSpyware and now with Spybot. It would be nice if this were a false positive, but I think not. Let me know what you need. Thank you!!!! Addition.txt FRST.txt
  7. Hi Ron, Maybe I spoke too soon. Looks like Spybot got tagged as bad. I saw a post from last year as a false positive, but this may be different. I can run Farbar again and attach the results. Thanks!!!!
  8. Hi Ron, Uninstalled SuperAntiSpyware, rebooted and reinstalled. Scanned using SuperAntiSpyware, reported clean. So far so good. Ran Malwarebytes again, showed clean. Anything else you would like me to try? Thanks!!!!!
  9. Hi Ron, I ran the scan and I get "congratulations no malware found". I tried to run the update for SuperAntiSpyware and the update still doesn't work. There are 2 types of updates just like Malwarebytes, the usual one that happens every time I run a scan and then the periodic update that happens occasionally. It is the latter that fails to update. So I get the usual signatures, but when the periodic update tries to update the version, that fails. Is it possible the Malwarebytes cleanup of the initial problem could have damaged something with SuperAntiSpyware code? I was going to uninstall SuperAntiSpyware and try to reinstall and see what happens, but I'm waiting for the ok that things look good as far as eradicating the initial infection. Thank you for your help in resolving this problem!!!!
  10. Hi All, Attached are the output files from Farbar. Let me know if you see anything. I'm reading through the Farbar instructions/explanation. Thanks again!! Addition.txt FRST.txt
  11. Just checked a Windows 7 machine on a separate segment isolated by a firewall, running both Malwarebytes and SuperAntiSpyware. No troubles. So it looks like it's not related to the 2 applications clashing. I did notice that an update to SuperAntiSpyware failed (maybe unrelated). Ran Malwarebytes and removed the problem. Rebooted and ran Malwarebytes again. No trouble found. Now running Farbar tool. Again thanks for the troubleshooting info. At work we just re-image, but you never learn too much by doing that.
  12. Thank you exile360. I have never had a problem with Malwarebytes detecting SuperAntiSpyware. Both are running passive. I will follow through with your advice and keep the forum in the loop. Thanks!!!
  13. Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Scan Date: 3/4/19
      Scan Time: 12:31 PM
      Log File: 63edaf15-3ea3-11e9-beb2-a01d4868da35.json

      -Software Information-
      Version: 3.6.1.2711
      Components Version: 1.0.482
      Update Package Version: 1.0.9536
      License: Free

      -System Information-
      OS: Windows 7 Service Pack 1
      CPU: x64
      File System: NTFS
      User: Andy-HP\Andy

      -Scan Summary-
      Scan Type: Threat Scan
      Scan Initiated By: Manual
      Result: Completed
      Objects Scanned: 384266
      Threats Detected: 12
      Threats Quarantined: 0
      Time Elapsed: 20 min, 25 sec

      -Scan Options-
      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Enabled
      Heuristics: Enabled
      PUP: Warn
      PUM: Detect

      -Scan Details-
      Process: 0
      (No malicious items detected)

      Module: 0
      (No malicious items detected)

      Registry Key: 6
      RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE, No Action By User, [6433], [249733],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE, No Action By User, [6433], [249733],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFILES.EXE, No Action By User, [6433], [249769],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFILES.EXE, No Action By User, [6433], [249769],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, No Action By User, [6433], [249843],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, No Action By User, [6433], [249843],1.0.9536

      Registry Value: 6
      RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE|DEBUGGER, No Action By User, [6433], [249733],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE|DEBUGGER, No Action By User, [6433], [249733],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFILES.EXE|DEBUGGER, No Action By User, [6433], [249769],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFILES.EXE|DEBUGGER, No Action By User, [6433], [249769],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE|DEBUGGER, No Action By User, [6433], [249843],1.0.9536
      RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE|DEBUGGER, No Action By User, [6433], [249843],1.0.9536

      Registry Data: 0
      (No malicious items detected)

      Data Stream: 0
      (No malicious items detected)

      Folder: 0
      (No malicious items detected)

      File: 0
      (No malicious items detected)

      Physical Sector: 0
      (No malicious items detected)

      WMI: 0
      (No malicious items detected)

      (end)