
Real-Time Protection Always Being Turned Off


pvs


Hi!  I have been using Malwarebytes Home Premium for quite some time, and OCCASIONALLY, the following would occur.  But as of my upgrade to Version 2.2.1.1043, it seems to be happening almost daily.

As you will probably be able to discern from the attached FRST.txt and Addition.txt files, I am running an aged copy of Windows XP Professional (32-bit) SP-3 on this partition.  I don't know if it matters or not, but I am also running a copy of Windows 7 Professional (64-bit) on a separate partition, in a dual-boot setup on this machine.  Licensed copies of Malwarebytes Anti-Malware Home (Premium) 2.2.1.1043 are installed on both partitions.

Anyway, my "symptom" is that, typically upon startup, my Real-Time Protection is turned off.  To correct it, I need to:
1) Open the GUI
2) Click the Settings Tab
3) Click the Advanced Settings Tab on the left
4) Disable self-protection mode
5) Click the Detection and Protection Tab on the left
6) Re-enable both Malware Protection and Malicious Website Protection
7) Click the Advanced Settings Tab on the left again
8) Re-enable Self-Protection and Early Start

I have run Threat-scans and Hyper-Scans, but nothing turns up.  I have also (several times) run the Malwarebytes Chameleon application.  Again, nothing is found.

FWIW, I used to have Bitdefender installed on both partitions of this machine, but, having issues with the newest upgrade I had purchased, I have uninstalled it from this partition, and now use a free version of AVAST (12.1.2272 (build 12.1.3076.6)).  At any rate, I have also run scans using these AV products, and the system always turns up clean.

So, I am not really sure I DO have an infection.  I am hoping you will be able to help with the issue of the real-time protection becoming disabled, and put my mind at ease.  And if we DO find something?  I would be very grateful.

Thanks in advance,
-pvs


FRST.txt

Addition.txt


  • Root Admin

Well certainly not supported doing dual boot as the meta data from control files might interfere, but for now, we'll assume that's not an issue.

The computer still has entries for Bitdefender on it on this XP partition. Though according to Bitdefender the latest update of their software has corrected the conflict they were having with MBAM.

Let's go ahead though and do some further scans and cleanup to ensure it's working as best it can.


Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed, please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large, then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable, it is unlikely, but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous; please be patient. Often we are also in a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to clean up all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 01
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections.
When RKill runs, it will kill malware processes and then remove incorrect executable associations and fix policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process and does not delete any files, after running it you should not reboot your computer, as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill, you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1 | Link 2

  • On Windows XP Double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear, this is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; you will need to run the application again.

STEP 02
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double-clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 03
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program, please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


Hi Ron, and thanks for trying to help me with this issue.  I DO appreciate it!  I have wondered if the dual-boot scenario was complicating my installation.  I agree that I'd like to go on with some testing and try to correct my issue, regardless.

Interesting about the leftover BitDefender "crumbs".  Just knowing that makes me feel it might be worthwhile seeing if BD offers a cleaning utility similar to the one Malwarebytes offers (mbam-clean-2.2.2.7).  Thanks for that info.  Also, with regard to mbam-clean-2.2.2.7, I am sorry that I had forgotten to mention in my initial post that I also tried running THAT utility on June 18, 2016, unfortunately with no effect on my issue.

Anyway, here is my log file from this Threat Scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/8/2016
Scan Time: 12:24:32 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.08.07
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: pvs

Scan Type: Threat Scan
Result: Cancelled
Objects Scanned: 0
(No malicious items detected)
Time Elapsed: 2 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


I see that a bunch (69) of PUPs were found, which I typically do not get when I run the scan without RKill being run first. I have saved the results, and have NOT chosen to "Remove Selected" as you have not said to do so.  If you need to see that list, please let me know.

FWIW, last night, I also had a window pop up: "Malwarebytes was unable to load the Anti-Rootkit DDA Driver...".   I had forgotten to include in my initial post that this used to be an issue a couple of years ago, but I was always able to fix it by doing a clean install of Malwarebytes.  With regard to this particular Anti-Rootkit DDA failure, my reboot this morning did not show any issues, and the rootkit scan for the attached log seemed to work okay, but I just wanted to let you know this happened.  For whatever reason, I could not successfully attach my JPG screen shot of the error window.

Anyway, please let me know if you see anything.

Thanks again!

-pvs

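As an added example (not code from Malwarebytes or from this thread), here is a small Python parser for the MBAM 2.x scan-log format pasted above. It checks whether a "No malicious items detected" verdict is actually backed by a completed scan (the posted log says Result: Cancelled with 0 objects scanned) and whether the three real-time protection lines read Enabled, which is the symptom this thread is about. The sample log is constructed, with Malware Protection set to Disabled to exercise the check.

```python
import re

# Constructed sample modelled on the MBAM 2.x log posted in this thread.
# "Malware Protection" is deliberately set to Disabled so the protection
# check has something to report; the real posted log showed all three Enabled.
SAMPLE_LOG = """\
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/8/2016
Scan Time: 12:24:32 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.08.07
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: pvs

Scan Type: Threat Scan
Result: Cancelled
Objects Scanned: 0
(No malicious items detected)
Time Elapsed: 2 min, 2 sec

Processes: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

(end)
"""

# Detection categories that appear as "<Category>: <count>" blocks in the log.
DETECTION_CATEGORIES = (
    "Processes", "Modules", "Registry Keys", "Registry Values",
    "Registry Data", "Folders", "Files", "Physical Sectors",
)
# Real-time protection lines; the thread's complaint is these flipping to Disabled.
PROTECTION_KEYS = ("Malware Protection", "Malicious Website Protection", "Self-protection")

# "Key: Value"; the non-greedy key stops at the first colon so "Scan Time: 12:24:32 PM"
# keeps its full value, and parenthesised lines like "(No malicious items detected)" skip.
KV_RE = re.compile(r"^([^:()]+?):\s*(.*)$")


def parse_mbam_log(text):
    """Split the log into header fields and per-category detection counts.
    The first occurrence of a key wins, so a stray repeat cannot overwrite it."""
    fields, categories = {}, {}
    for raw in text.splitlines():
        m = KV_RE.match(raw.strip())
        if not m:
            continue  # banner, blank line, "(No malicious items detected)", "(end)"
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in DETECTION_CATEGORIES:
            categories.setdefault(key, int(value.replace(",", "") or 0))
        else:
            fields.setdefault(key, value)
    return {"fields": fields, "categories": categories}


def assess_mbam_log(text):
    """Report whether the scan verdict is trustworthy and which protections are off."""
    parsed = parse_mbam_log(text)
    f = parsed["fields"]
    scan_problems = []
    # A cancelled or interrupted scan still prints "(No malicious items detected)",
    # so the verdict is only meaningful when the scan completed and inspected objects.
    if f.get("Result") != "Completed":
        scan_problems.append("Result is %s, not Completed" % (f.get("Result") or "missing"))
    try:
        scanned = int(f.get("Objects Scanned", "0").replace(",", ""))
    except ValueError:
        scanned = 0
    if scanned == 0:
        scan_problems.append("Objects Scanned is 0")
    gaps = [k for k in PROTECTION_KEYS if f.get(k) != "Enabled"]
    return {
        "fields": f,
        "detections": sum(parsed["categories"].values()),
        "scan_conclusive": not scan_problems,
        "scan_problems": scan_problems,
        "protection_gaps": gaps,
    }


if __name__ == "__main__":
    report = assess_mbam_log(SAMPLE_LOG)
    print("conclusive:", report["scan_conclusive"], report["scan_problems"])
    print("protection gaps:", report["protection_gaps"])
    print("detections:", report["detections"])
```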

  • Root Admin

Where is the log for these PUPs? Generally speaking (my own personal thoughts, I don't like or want any PUPs on my computer, period).

Let's have you go through the following scans. Let it remove what it finds unless you know for sure it's a False Positive.


Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 05
Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista / Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done, you'll see: Pending: Please uncheck elements you don't want to be removed.
  • Now click on the Report button and a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look at the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up, click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want to be restored > now click on Restore.

STEP 06
Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.


Thanks


I agree, Ron, I do not want any PUPs either.  But please forgive me.  I thought when I clicked "Save Results" at the bottom right of the Scan Tab, that it would make a list of the found items.  I just looked at it, though, and it seems it's just the same LOG file I already sent.  I cannot figure out a way to save the result set outside of doing a few Screen Shots to create JPG images.  I have attached those screen shots here. (Note: #3 has several at the top that are also found on #2).

I will now proceed with the rest of your instructions, beginning with a reboot, and post the results you are requesting from those procedures.


FoundPUPs_2016-08-08_1.jpg

FoundPUPs_2016-08-08_2.jpg

FoundPUPs_2016-08-08_3.jpg


Hi again, Ron.  Okay, I'm currently performing Step 6 (Sophos).  As it appears Sophos is checking ALL of the drives in this machine, this is probably going to take a very long time (the PC has five 2TB drives in addition to a 500GB System HDD).  So, let me attach the logs from Steps 4 (JRT) and 5 (Adw) now, and I'll get back to you once Sophos finishes up.

STEP 04 First, JRT (there wasn't very much):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Microsoft Windows XP x64
Ran by pvs (Administrator) on Mon 08/08/2016 at 14:39:48.11
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



File System: 20

Successfully deleted: C:\Documents and Settings\pvs\Application Data\download manager (Folder)
Successfully deleted: C:\Documents and Settings\pvs\Application Data\getrighttogo (Folder)
Successfully deleted: C:\Program Files\mozilla firefox\defaults\pref\itms.js (File)
Successfully deleted: C:\WINDOWS\wininit.ini (File)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\03I8NQZ4 (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8IV9VIG3 (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9KGDUN65 (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G0GT7Q4J (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTWQ08SF (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NRRZABT8 (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WGLBL7PF (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z8ZSJPDQ (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\03I8NQZ4 (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8IV9VIG3 (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\9KGDUN65 (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G0GT7Q4J (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\JTWQ08SF (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NRRZABT8 (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WGLBL7PF (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z8ZSJPDQ (Temporary Internet Files Folder)


Registry: 6

Successfully deleted: HKLM\Software\MozillaPlugins\@viewpoint.com/vmp (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} (Registry Value)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{708CA9C9-C5F7-44D8-ADEA-649528C99A4F} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Toolbar\\{10921475-03CE-4E04-90CE-E2E7EF20C814} (Registry Value)



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 08/08/2016 at 14:48:22.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


STEP 05 And next, Adware Cleaner after reboot (several Reg Entries and three folders):

# AdwCleaner v5.201 - Logfile created 08/08/2016 at 15:01:42
# Updated 30/06/2016 by ToolsLib
# Database : 2016-08-08.2 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (X86)
# Username : pvs - GRAPHIXXT
# Running from : C:\Documents and Settings\pvs\Desktop\MBAM Real-Time Protection\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Documents and Settings\All Users\Application Data\Ask
[-] Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
[-] Folder Deleted : C:\DOCUME~1\pvs\LOCALS~1\Temp\Video Converter

***** [ Files ] *****


***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCompress3.DLL
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
[-] Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
[-] Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{F54A0D21-6A53-460C-8301-C694EC9E1033}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F14321-8FED-4CBC-B01A-4B57FC199062}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4C58EB04-7B72-4D3D-A36E-66167A99BC31}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{090ACFA1-1580-11D1-8AC0-00C0F00910F9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{84B9B044-17C0-48FB-A300-C9747D5DF29C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B4E90801-B83C-11D0-8B40-00C0F00AE35A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{81CA8FCD-1420-4A07-B47D-B30F3DDA79E1}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key Deleted : HKCU\Software\Burn4Free
[-] Key Deleted : HKCU\Software\Yahoo\Companion
[-] Key Deleted : HKCU\Software\Yahoo\YFriendsBar
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKLM\SOFTWARE\Description
[-] Key Deleted : HKLM\SOFTWARE\MetaStream
[-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion
[-] Key Deleted : HKU\.DEFAULT\Software\Yahoo\Companion

***** [ Web browsers ] *****


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [4533 bytes] - [08/08/2016 15:01:42]
C:\AdwCleaner\AdwCleaner[S1].txt - [4731 bytes] - [08/08/2016 14:55:20]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4679 bytes] ##########


Please note that I have not disabled my AVAST AntiVirus for the Sophos Scan.  Please let me know if I was supposed to do that.

Thanks once again for your help with this.  I really appreciate it a lot!

-pvs



Hi Ron.  Hmm, okay, I guess I'll run it again after disabling AVAST, but I wanted to report back here and give you the log file that was created, especially since it found two little buggers: Mal/BredoZp-B and Mal/Mdrop-CE.

These bugs were both in a set of "kitchens" I used to use to build my own ROMs for an old cellphone.  I knew about them at the time, and it was reported that they were false positives.  But I am going to allow them to be cleaned, as I no longer use these kitchens, nor have I toyed with building ROMs in about a decade.  If I in fact NEED these files back, I have copies on other HDDs that have since been retired (and are in a desk drawer nearby).

Here is the log:

2016-08-08 19:19:15.875    Sophos Virus Removal Tool version 2.5.5
2016-08-08 19:19:15.875    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-08-08 19:19:15.875    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-08-08 19:19:15.875    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
2016-08-08 19:19:15.875    Checking for updates...
2016-08-08 19:19:16.453    Update progress: proxy server not available
2016-08-08 19:19:38.968    Option all = no
2016-08-08 19:19:38.968    Option recurse = yes
2016-08-08 19:19:38.968    Option archive = no
2016-08-08 19:19:38.968    Option service = yes
2016-08-08 19:19:38.968    Option confirm = yes
2016-08-08 19:19:38.968    Option sxl = yes
2016-08-08 19:19:38.968    Option max-data-age = 35
2016-08-08 19:19:38.968    Option EnableSafeClean = yes
2016-08-08 19:19:40.468    Option vdl-logging = yes
2016-08-08 19:19:40.484    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-08 19:19:40.484    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-08 19:19:40.531    Component SVRTcli.exe version 2.5.5
2016-08-08 19:19:40.531    Component control.dll version 2.5.5
2016-08-08 19:19:40.531    Component SVRTservice.exe version 2.5.5
2016-08-08 19:19:40.531    Component engine\osdp.dll version 1.44.1.2250
2016-08-08 19:19:40.531    Component engine\veex.dll version 3.65.0.2250
2016-08-08 19:19:40.531    Component engine\savi.dll version 9.0.1.2250
2016-08-08 19:19:40.546    Component rkdisk.dll version 1.5.30.0
2016-08-08 19:19:40.546    Version info:    Product version    2.5.5
2016-08-08 19:19:40.546    Version info:    Detection engine    3.65.0
2016-08-08 19:19:40.546    Version info:    Detection data    5.26
2016-08-08 19:19:40.546    Version info:    Build date    4/5/2016
2016-08-08 19:19:40.546    Version info:    Data files added    756
2016-08-08 19:19:40.546    Version info:    Last successful update    (not yet updated)
2016-08-08 19:20:09.796    Downloading updates...
2016-08-08 19:20:09.812    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement SAVIW32 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE527 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE528 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE529 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE530 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE531 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE532 LATEST
2016-08-08 19:20:09.812    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-08-08 19:20:09.812    Update progress: [I19463] Syncing product SAVIW32 70
2016-08-08 19:20:21.984    Update progress: [I19463] Syncing product IDE527 142
2016-08-08 19:20:32.875    Installing updates...
2016-08-08 19:20:36.281    Error level 1
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE528 127
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE529 135
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE530 214
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE531 145
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE532 1
2016-08-08 19:21:04.156    Update successful
2016-08-08 19:21:30.562    Option all = no
2016-08-08 19:21:30.562    Option recurse = yes
2016-08-08 19:21:30.562    Option archive = no
2016-08-08 19:21:30.562    Option service = yes
2016-08-08 19:21:30.562    Option confirm = yes
2016-08-08 19:21:30.562    Option sxl = yes
2016-08-08 19:21:30.562    Option max-data-age = 35
2016-08-08 19:21:30.562    Option EnableSafeClean = yes
2016-08-08 19:21:30.671    Option vdl-logging = yes
2016-08-08 19:21:30.671    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-08 19:21:30.671    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-08 19:21:30.687    Component SVRTcli.exe version 2.5.5
2016-08-08 19:21:30.687    Component control.dll version 2.5.5
2016-08-08 19:21:30.687    Component SVRTservice.exe version 2.5.5
2016-08-08 19:21:30.687    Component engine\osdp.dll version 1.44.1.2250
2016-08-08 19:21:30.687    Component engine\veex.dll version 3.65.0.2250
2016-08-08 19:21:30.687    Component engine\savi.dll version 9.0.1.2250
2016-08-08 19:21:30.703    Component rkdisk.dll version 1.5.30.0
2016-08-08 19:21:30.703    Version info:    Product version    2.5.5
2016-08-08 19:21:30.703    Version info:    Detection engine    3.65.0
2016-08-08 19:21:30.703    Version info:    Detection data    5.26
2016-08-08 19:21:30.703    Version info:    Build date    4/5/2016
2016-08-08 19:21:30.703    Version info:    Data files added    756
2016-08-08 19:21:30.703    Version info:    Last successful update    8/8/2016 3:21:04 PM

2016-08-08 22:06:56.096    SafeClean bin directory is empty.
2016-08-08 22:06:56.143    Error level 0

2016-08-08 22:07:01.690    Scan cancelled by user.
2016-08-08 22:07:01.690    

------------------------------------------------------------

2016-08-08 22:07:11.893    Sophos Virus Removal Tool version 2.5.5
2016-08-08 22:07:11.893    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-08-08 22:07:11.893    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-08-08 22:07:11.893    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
2016-08-08 22:07:11.893    Checking for updates...
2016-08-08 22:07:13.112    Update progress: proxy server not available
2016-08-08 22:08:34.786    Downloading updates...
2016-08-08 22:08:34.786    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement SAVIW32 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE527 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE528 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE529 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE530 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE531 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE532 LATEST
2016-08-08 22:08:34.786    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-08-08 22:08:34.786    Update progress: [I19463] Syncing product SAVIW32 70
2016-08-08 22:08:34.786    Update progress: [I19463] Syncing product IDE527 142
2016-08-08 22:08:35.661    Option all = no
2016-08-08 22:08:35.661    Option recurse = yes
2016-08-08 22:08:35.661    Option archive = no
2016-08-08 22:08:35.661    Option service = yes
2016-08-08 22:08:35.661    Option confirm = yes
2016-08-08 22:08:35.661    Option sxl = yes
2016-08-08 22:08:35.661    Option max-data-age = 35
2016-08-08 22:08:35.661    Option EnableSafeClean = yes
2016-08-08 22:08:35.786    Option vdl-logging = yes
2016-08-08 22:08:35.818    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-08 22:08:35.818    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-08 22:08:35.943    Component SVRTcli.exe version 2.5.5
2016-08-08 22:08:35.943    Component control.dll version 2.5.5
2016-08-08 22:08:35.943    Component SVRTservice.exe version 2.5.5
2016-08-08 22:08:35.943    Component engine\osdp.dll version 1.44.1.2250
2016-08-08 22:08:35.943    Component engine\veex.dll version 3.65.0.2250
2016-08-08 22:08:35.943    Component engine\savi.dll version 9.0.1.2250
2016-08-08 22:08:36.255    Component rkdisk.dll version 1.5.30.0
2016-08-08 22:08:36.255    Version info:    Product version    2.5.5
2016-08-08 22:08:36.255    Version info:    Detection engine    3.65.0
2016-08-08 22:08:36.255    Version info:    Detection data    5.26
2016-08-08 22:08:36.255    Version info:    Build date    4/5/2016
2016-08-08 22:08:36.255    Version info:    Data files added    756
2016-08-08 22:08:36.255    Version info:    Last successful update    8/8/2016 3:21:04 PM
2016-08-08 22:08:46.021    Update progress: [I19463] Syncing product IDE528 127
2016-08-08 22:08:46.021    Update progress: [I19463] Syncing product IDE529 135
2016-08-08 22:08:46.052    Update progress: [I19463] Syncing product IDE530 214
2016-08-08 22:08:46.052    Update progress: [I19463] Syncing product IDE531 146
2016-08-08 22:08:46.787    Installing updates...
2016-08-08 22:08:48.584    Error level 1
2016-08-08 22:08:50.068    Update progress: [I19463] Syncing product IDE532 1
2016-08-08 22:08:50.412    Update successful
2016-08-08 22:09:09.584    Option all = no
2016-08-08 22:09:09.584    Option recurse = yes
2016-08-08 22:09:09.584    Option archive = no
2016-08-08 22:09:09.584    Option service = yes
2016-08-08 22:09:09.584    Option confirm = yes
2016-08-08 22:09:09.584    Option sxl = yes
2016-08-08 22:09:09.584    Option max-data-age = 35
2016-08-08 22:09:09.584    Option EnableSafeClean = yes
2016-08-08 22:09:09.647    Option vdl-logging = yes
2016-08-08 22:09:09.662    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-08 22:09:09.662    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-08 22:09:09.662    Component SVRTcli.exe version 2.5.5
2016-08-08 22:09:09.662    Component control.dll version 2.5.5
2016-08-08 22:09:09.662    Component SVRTservice.exe version 2.5.5
2016-08-08 22:09:09.662    Component engine\osdp.dll version 1.44.1.2250
2016-08-08 22:09:09.662    Component engine\veex.dll version 3.65.0.2250
2016-08-08 22:09:09.662    Component engine\savi.dll version 9.0.1.2250
2016-08-08 22:09:09.678    Component rkdisk.dll version 1.5.30.0
2016-08-08 22:09:09.678    Version info:    Product version    2.5.5
2016-08-08 22:09:09.678    Version info:    Detection engine    3.65.0
2016-08-08 22:09:09.678    Version info:    Detection data    5.26
2016-08-08 22:09:09.678    Version info:    Build date    4/5/2016
2016-08-08 22:09:09.678    Version info:    Data files added    757
2016-08-08 22:09:09.678    Version info:    Last successful update    8/8/2016 6:08:50 PM

2016-08-09 04:36:13.899    Could not open C:\Boot\BCD
2016-08-09 05:00:04.641    Could not open C:\hiberfil.sys
2016-08-09 10:17:13.259    >>> Virus 'Mal/BredoZp-B' found in file E:\ROM Kitchen\Raph\«Unlocking and Cooking»\Kitchen\buildos+package_tools-4.2b3.zip
2016-08-09 10:17:13.275    >>> Virus 'Mal/BredoZp-B' found in file HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
2016-08-09 10:17:13.275    >>> Virus 'Mal/BredoZp-B' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
2016-08-09 10:17:13.275    >>> Virus 'Mal/BredoZp-B' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file E:\ROM Kitchen\Raph\«Unlocking and Cooking»\« Unlocking »\RaphaelUnlocker.exe
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209
2016-08-09 10:43:53.574    Could not open LOGICAL:000E:00000000
2016-08-09 10:43:53.574    Could not open O:\
2016-08-09 10:44:59.600    Could not open LOGICAL:0012:00000000
2016-08-09 10:44:59.600    Could not open S:\
2016-08-09 10:44:59.600    Could not open LOGICAL:0015:00000000
2016-08-09 10:44:59.616    Could not open V:\
2016-08-09 14:05:17.164    Could not open PHYSICAL:0086:0000:0000:0001
2016-08-09 14:05:17.211    Could not open PHYSICAL:0087:0000:0000:0001
2016-08-09 14:05:17.211    Could not open PHYSICAL:0088:0000:0000:0001
2016-08-09 14:05:17.336    The following items will be cleaned up:
2016-08-09 14:05:17.336    Mal/BredoZp-B
2016-08-09 14:05:17.336    Mal/Mdrop-CE

 

I see that another Malwarebytes Threat Scan also occurred overnight, and identified the same 69 threats it had found yesterday (I had not Cleaned them).  Here is the log from THAT Scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/9/2016
Scan Time: 10:09:34 AM
Logfile:
Administrator: Yes

Version: 0.0.0.0000
Malware Database: v2016.08.09.07
Rootkit Database: v2016.08.09.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: pvs

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 442637
Time Elapsed: 43 min, 17 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

So, Ron, I am going to run the Sophos Scan again, after first Cleaning the two bugs, and then rebooting and disabling AVAST.  Should I also exit Malwarebytes prior to running the new Sophos Scan?

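As an added example (my own script, not code from this thread or from Sophos), here is a small Python triage helper for the Sophos Virus Removal Tool log format posted above. It parses the `>>> Virus ... found in file ...` detections, the `has been cleaned up` confirmations and the SafeClean bin records, then cross-references them: registry values the tool lists under more than one threat name, one SHA-256 that shows up under two paths, and detections with no matching clean-up. The embedded sample is constructed from lines quoted in the logs in this thread, trimmed to what the parser needs; the regexes and the `registry`/`file` split on hive prefixes are my assumptions about the format, not documented by Sophos.

```python
"""Triage helper for Sophos Virus Removal Tool (SVRT) logs.

Added example for this thread, not code from the forum post or from Sophos.
Extracts detections, clean-up confirmations and SafeClean bin records and
cross-references them for the questions a responder asks first.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the SVRT logs posted in this thread,
# trimmed to the ones the parser cares about (SafeClean records shortened).
SAMPLE_LOG = r"""
2016-08-09 10:17:13.259    >>> Virus 'Mal/BredoZp-B' found in file E:\ROM Kitchen\Raph\«Unlocking and Cooking»\Kitchen\buildos+package_tools-4.2b3.zip
2016-08-09 10:17:13.275    >>> Virus 'Mal/BredoZp-B' found in file HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
2016-08-09 10:17:13.275    >>> Virus 'Mal/BredoZp-B' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file E:\ROM Kitchen\Raph\«Unlocking and Cooking»\« Unlocking »\RaphaelUnlocker.exe
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
2016-08-09 15:10:33.293    File "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\Kitchen\buildos+package_tools-4.2b3.zip" has been cleaned up.
2016-08-09 15:10:33.293    Registry value "HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify" has been cleaned up.
2016-08-09 15:10:33.293    Registry value "HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet" has been cleaned up.
2016-08-09 15:10:42.441    File "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\« Unlocking »\RaphaelUnlocker.exe" has been cleaned up.
2016-08-09 21:44:21.794    >>> Virus 'Mal/Mdrop-CE' found in file E:\System Volume Information\_restore{F12267EB-4139-410B-A5CA-39ACA65FED85}\RP2012\A0678310.exe
2016-08-10 02:55:19.714    File "E:\System Volume Information\_restore{F12267EB-4139-410B-A5CA-39ACA65FED85}\RP2012\A0678310.exe" has been cleaned up.
2016-08-10 02:55:19.776    {
2016-08-10 02:55:19.776        RecordID   : "0000000000000002",
2016-08-10 02:55:19.776        Location   : "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\« Unlocking »\",
2016-08-10 02:55:19.776        FileName   : "RaphaelUnlocker.exe",
2016-08-10 02:55:19.776        ThreatName : "Mal/Mdrop-CE",
2016-08-10 02:55:19.776        Checksum   : "c80ee04e23d7b853899f72bca4fba0d655d76d87e37133a19245a25b5616b5ab",
2016-08-10 02:55:19.776    }
2016-08-10 02:55:19.776    {
2016-08-10 02:55:19.776        RecordID   : "0000000000000003",
2016-08-10 02:55:19.776        Location   : "E:\System Volume Information\_restore{F12267EB-4139-410B-A5CA-39ACA65FED85}\RP2012\",
2016-08-10 02:55:19.776        FileName   : "A0678310.exe",
2016-08-10 02:55:19.776        ThreatName : "Mal/Mdrop-CE",
2016-08-10 02:55:19.776        Checksum   : "c80ee04e23d7b853899f72bca4fba0d655d76d87e37133a19245a25b5616b5ab",
2016-08-10 02:55:19.776    }
"""

# Line shapes assumed from the log in this thread (not a documented format).
TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
DETECT_RE = re.compile(TS + r">>> Virus '(?P<threat>[^']+)' found in file (?P<target>.+?)\s*$")
CLEAN_RE = re.compile(TS + r'(?P<kind>File|Registry value) "(?P<target>.+)" has been cleaned up\.\s*$')
BRACE_RE = re.compile(TS + r"(?P<brace>[{}])\s*$")
FIELD_RE = re.compile(TS + r'(?P<key>\w+)\s*:\s*"(?P<val>[^"]*)",?\s*$')
HIVES = ("HKLM\\", "HKU\\", "HKCU\\", "HKCR\\", "HKCC\\")


def target_kind(target):
    """SVRT says 'found in file' for registry values too; tell them apart."""
    return "registry" if target.upper().startswith(HIVES) else "file"


def parse_svrt_log(text):
    """Return detections, clean-up confirmations and SafeClean bin records."""
    detections, cleaned, records, current = [], [], [], None
    for line in text.splitlines():
        if m := DETECT_RE.match(line):
            detections.append({"ts": m["ts"], "threat": m["threat"],
                               "target": m["target"], "kind": target_kind(m["target"])})
        elif m := CLEAN_RE.match(line):
            cleaned.append({"ts": m["ts"], "kind": m["kind"], "target": m["target"]})
        elif m := BRACE_RE.match(line):
            if m["brace"] == "{":
                current = {}               # start of a SafeClean record
            elif current is not None:
                records.append(current)    # end of the record
                current = None
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m["key"]] = m["val"]   # 'Key : "value",' inside a record
    return {"detections": detections, "cleaned": cleaned, "records": records}


def summarize(parsed):
    """Cross-reference the three lists."""
    by_checksum = defaultdict(list)
    for rec in parsed["records"]:
        if "Checksum" in rec:
            by_checksum[rec["Checksum"]].append(rec.get("Location", "") + rec.get("FileName", ""))
    threats_per_target = defaultdict(set)
    for d in parsed["detections"]:
        threats_per_target[d["target"]].add(d["threat"])
    cleaned_targets = {c["target"] for c in parsed["cleaned"]}
    return {
        # same SHA-256 under two paths: one sample with two copies, not two infections
        "duplicate_samples": {h: p for h, p in by_checksum.items() if len(p) > 1},
        # a registry value listed under every threat found is a setting the tool
        # resets for any detection, not an indicator unique to either sample
        "shared_registry_targets": sorted(t for t, s in threats_per_target.items()
                                          if len(s) > 1 and target_kind(t) == "registry"),
        "uncleaned": sorted(t for t in threats_per_target if t not in cleaned_targets),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_svrt_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run as-is it prints the report for the sample; to triage a real run, read the tool's log file into `parse_svrt_log` instead of `SAMPLE_LOG`. On the sample, grouping by checksum shows that the RaphaelUnlocker.exe detection and the A0678310.exe copy under `_restore{...}\RP2012` have the same SHA-256, i.e. the second Sophos run found the System Restore copy of the same file, and that the two `Security Center` / `Internet Settings` values were reported under both threat names.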

  • Root Admin

This log from MBAM shows no threats.

This is a bit odd in the log too.

Version: 0.0.0.0000

 

We may want to try doing a clean removal and reinstall of MBAM. Make sure you deactivate before removal though.


Please uninstall your current version of MBAM and reinstall the latest version using the following guide. MBAM Clean Removal Process 2x

Then get me a new scan and log from MBAM.

Thanks

 


Okay, Ron.  I think I've caught up with you.  Boy, the Sophos Scans take a Looong time on this machine. 

Anyway, I ran the Sophos again, this time with my AV deactivated.  It wound up, indeed, finding another copy of Mal/Mdrop-CE, this time, in a restore_ volume.  I cleaned it up, as you will see in the log, here:

========================================================================

2016-08-08 19:19:15.875    Sophos Virus Removal Tool version 2.5.5
2016-08-08 19:19:15.875    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-08-08 19:19:15.875    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-08-08 19:19:15.875    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
2016-08-08 19:19:15.875    Checking for updates...
2016-08-08 19:19:16.453    Update progress: proxy server not available
2016-08-08 19:19:38.968    Option all = no
2016-08-08 19:19:38.968    Option recurse = yes
2016-08-08 19:19:38.968    Option archive = no
2016-08-08 19:19:38.968    Option service = yes
2016-08-08 19:19:38.968    Option confirm = yes
2016-08-08 19:19:38.968    Option sxl = yes
2016-08-08 19:19:38.968    Option max-data-age = 35
2016-08-08 19:19:38.968    Option EnableSafeClean = yes
2016-08-08 19:19:40.468    Option vdl-logging = yes
2016-08-08 19:19:40.484    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-08 19:19:40.484    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-08 19:19:40.531    Component SVRTcli.exe version 2.5.5
2016-08-08 19:19:40.531    Component control.dll version 2.5.5
2016-08-08 19:19:40.531    Component SVRTservice.exe version 2.5.5
2016-08-08 19:19:40.531    Component engine\osdp.dll version 1.44.1.2250
2016-08-08 19:19:40.531    Component engine\veex.dll version 3.65.0.2250
2016-08-08 19:19:40.531    Component engine\savi.dll version 9.0.1.2250
2016-08-08 19:19:40.546    Component rkdisk.dll version 1.5.30.0
2016-08-08 19:19:40.546    Version info:    Product version    2.5.5
2016-08-08 19:19:40.546    Version info:    Detection engine    3.65.0
2016-08-08 19:19:40.546    Version info:    Detection data    5.26
2016-08-08 19:19:40.546    Version info:    Build date    4/5/2016
2016-08-08 19:19:40.546    Version info:    Data files added    756
2016-08-08 19:19:40.546    Version info:    Last successful update    (not yet updated)
2016-08-08 19:20:09.796    Downloading updates...
2016-08-08 19:20:09.812    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement SAVIW32 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE527 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE528 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE529 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE530 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE531 LATEST
2016-08-08 19:20:09.812    Update progress: [I49502] Found supplement IDE532 LATEST
2016-08-08 19:20:09.812    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-08-08 19:20:09.812    Update progress: [I19463] Syncing product SAVIW32 70
2016-08-08 19:20:21.984    Update progress: [I19463] Syncing product IDE527 142
2016-08-08 19:20:32.875    Installing updates...
2016-08-08 19:20:36.281    Error level 1
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE528 127
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE529 135
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE530 214
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE531 145
2016-08-08 19:20:36.328    Update progress: [I19463] Syncing product IDE532 1
2016-08-08 19:21:04.156    Update successful
2016-08-08 19:21:30.562    Option all = no
2016-08-08 19:21:30.562    Option recurse = yes
2016-08-08 19:21:30.562    Option archive = no
2016-08-08 19:21:30.562    Option service = yes
2016-08-08 19:21:30.562    Option confirm = yes
2016-08-08 19:21:30.562    Option sxl = yes
2016-08-08 19:21:30.562    Option max-data-age = 35
2016-08-08 19:21:30.562    Option EnableSafeClean = yes
2016-08-08 19:21:30.671    Option vdl-logging = yes
2016-08-08 19:21:30.671    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-08 19:21:30.671    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-08 19:21:30.687    Component SVRTcli.exe version 2.5.5
2016-08-08 19:21:30.687    Component control.dll version 2.5.5
2016-08-08 19:21:30.687    Component SVRTservice.exe version 2.5.5
2016-08-08 19:21:30.687    Component engine\osdp.dll version 1.44.1.2250
2016-08-08 19:21:30.687    Component engine\veex.dll version 3.65.0.2250
2016-08-08 19:21:30.687    Component engine\savi.dll version 9.0.1.2250
2016-08-08 19:21:30.703    Component rkdisk.dll version 1.5.30.0
2016-08-08 19:21:30.703    Version info:    Product version    2.5.5
2016-08-08 19:21:30.703    Version info:    Detection engine    3.65.0
2016-08-08 19:21:30.703    Version info:    Detection data    5.26
2016-08-08 19:21:30.703    Version info:    Build date    4/5/2016
2016-08-08 19:21:30.703    Version info:    Data files added    756
2016-08-08 19:21:30.703    Version info:    Last successful update    8/8/2016 3:21:04 PM

2016-08-08 22:06:56.096    SafeClean bin directory is empty.
2016-08-08 22:06:56.143    Error level 0

2016-08-08 22:07:01.690    Scan cancelled by user.
2016-08-08 22:07:01.690    

------------------------------------------------------------

2016-08-08 22:07:11.893    Sophos Virus Removal Tool version 2.5.5
2016-08-08 22:07:11.893    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-08-08 22:07:11.893    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-08-08 22:07:11.893    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
2016-08-08 22:07:11.893    Checking for updates...
2016-08-08 22:07:13.112    Update progress: proxy server not available
2016-08-08 22:08:34.786    Downloading updates...
2016-08-08 22:08:34.786    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement SAVIW32 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE527 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE528 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE529 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE530 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE531 LATEST
2016-08-08 22:08:34.786    Update progress: [I49502] Found supplement IDE532 LATEST
2016-08-08 22:08:34.786    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-08-08 22:08:34.786    Update progress: [I19463] Syncing product SAVIW32 70
2016-08-08 22:08:34.786    Update progress: [I19463] Syncing product IDE527 142
2016-08-08 22:08:35.661    Option all = no
2016-08-08 22:08:35.661    Option recurse = yes
2016-08-08 22:08:35.661    Option archive = no
2016-08-08 22:08:35.661    Option service = yes
2016-08-08 22:08:35.661    Option confirm = yes
2016-08-08 22:08:35.661    Option sxl = yes
2016-08-08 22:08:35.661    Option max-data-age = 35
2016-08-08 22:08:35.661    Option EnableSafeClean = yes
2016-08-08 22:08:35.786    Option vdl-logging = yes
2016-08-08 22:08:35.818    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-08 22:08:35.818    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-08 22:08:35.943    Component SVRTcli.exe version 2.5.5
2016-08-08 22:08:35.943    Component control.dll version 2.5.5
2016-08-08 22:08:35.943    Component SVRTservice.exe version 2.5.5
2016-08-08 22:08:35.943    Component engine\osdp.dll version 1.44.1.2250
2016-08-08 22:08:35.943    Component engine\veex.dll version 3.65.0.2250
2016-08-08 22:08:35.943    Component engine\savi.dll version 9.0.1.2250
2016-08-08 22:08:36.255    Component rkdisk.dll version 1.5.30.0
2016-08-08 22:08:36.255    Version info:    Product version    2.5.5
2016-08-08 22:08:36.255    Version info:    Detection engine    3.65.0
2016-08-08 22:08:36.255    Version info:    Detection data    5.26
2016-08-08 22:08:36.255    Version info:    Build date    4/5/2016
2016-08-08 22:08:36.255    Version info:    Data files added    756
2016-08-08 22:08:36.255    Version info:    Last successful update    8/8/2016 3:21:04 PM
2016-08-08 22:08:46.021    Update progress: [I19463] Syncing product IDE528 127
2016-08-08 22:08:46.021    Update progress: [I19463] Syncing product IDE529 135
2016-08-08 22:08:46.052    Update progress: [I19463] Syncing product IDE530 214
2016-08-08 22:08:46.052    Update progress: [I19463] Syncing product IDE531 146
2016-08-08 22:08:46.787    Installing updates...
2016-08-08 22:08:48.584    Error level 1
2016-08-08 22:08:50.068    Update progress: [I19463] Syncing product IDE532 1
2016-08-08 22:08:50.412    Update successful
2016-08-08 22:09:09.584    Option all = no
2016-08-08 22:09:09.584    Option recurse = yes
2016-08-08 22:09:09.584    Option archive = no
2016-08-08 22:09:09.584    Option service = yes
2016-08-08 22:09:09.584    Option confirm = yes
2016-08-08 22:09:09.584    Option sxl = yes
2016-08-08 22:09:09.584    Option max-data-age = 35
2016-08-08 22:09:09.584    Option EnableSafeClean = yes
2016-08-08 22:09:09.647    Option vdl-logging = yes
2016-08-08 22:09:09.662    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-08 22:09:09.662    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-08 22:09:09.662    Component SVRTcli.exe version 2.5.5
2016-08-08 22:09:09.662    Component control.dll version 2.5.5
2016-08-08 22:09:09.662    Component SVRTservice.exe version 2.5.5
2016-08-08 22:09:09.662    Component engine\osdp.dll version 1.44.1.2250
2016-08-08 22:09:09.662    Component engine\veex.dll version 3.65.0.2250
2016-08-08 22:09:09.662    Component engine\savi.dll version 9.0.1.2250
2016-08-08 22:09:09.678    Component rkdisk.dll version 1.5.30.0
2016-08-08 22:09:09.678    Version info:    Product version    2.5.5
2016-08-08 22:09:09.678    Version info:    Detection engine    3.65.0
2016-08-08 22:09:09.678    Version info:    Detection data    5.26
2016-08-08 22:09:09.678    Version info:    Build date    4/5/2016
2016-08-08 22:09:09.678    Version info:    Data files added    757
2016-08-08 22:09:09.678    Version info:    Last successful update    8/8/2016 6:08:50 PM

2016-08-09 04:36:13.899    Could not open C:\Boot\BCD
2016-08-09 05:00:04.641    Could not open C:\hiberfil.sys
2016-08-09 10:17:13.259    >>> Virus 'Mal/BredoZp-B' found in file E:\ROM Kitchen\Raph\«Unlocking and Cooking»\Kitchen\buildos+package_tools-4.2b3.zip
2016-08-09 10:17:13.275    >>> Virus 'Mal/BredoZp-B' found in file HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
2016-08-09 10:17:13.275    >>> Virus 'Mal/BredoZp-B' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
2016-08-09 10:17:13.275    >>> Virus 'Mal/BredoZp-B' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file E:\ROM Kitchen\Raph\«Unlocking and Cooking»\« Unlocking »\RaphaelUnlocker.exe
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
2016-08-09 10:17:44.650    >>> Virus 'Mal/Mdrop-CE' found in file HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209
2016-08-09 10:43:53.574    Could not open LOGICAL:000E:00000000
2016-08-09 10:43:53.574    Could not open O:\
2016-08-09 10:44:59.600    Could not open LOGICAL:0012:00000000
2016-08-09 10:44:59.600    Could not open S:\
2016-08-09 10:44:59.600    Could not open LOGICAL:0015:00000000
2016-08-09 10:44:59.616    Could not open V:\
2016-08-09 14:05:17.164    Could not open PHYSICAL:0086:0000:0000:0001
2016-08-09 14:05:17.211    Could not open PHYSICAL:0087:0000:0000:0001
2016-08-09 14:05:17.211    Could not open PHYSICAL:0088:0000:0000:0001
2016-08-09 14:05:17.336    The following items will be cleaned up:
2016-08-09 14:05:17.336    Mal/BredoZp-B
2016-08-09 14:05:17.336    Mal/Mdrop-CE
2016-08-09 15:10:33.293    Threat 'Mal/BredoZp-B' has been cleaned up.
2016-08-09 15:10:33.293    File "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\Kitchen\buildos+package_tools-4.2b3.zip" belongs to malware 'Mal/BredoZp-B'.
2016-08-09 15:10:33.293    File "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\Kitchen\buildos+package_tools-4.2b3.zip" has been cleaned up.
2016-08-09 15:10:33.293    Registry value "HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify" belongs to malware 'Mal/BredoZp-B'.
2016-08-09 15:10:33.293    Registry value "HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify" has been cleaned up.
2016-08-09 15:10:33.293    Registry value "HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet" belongs to malware 'Mal/BredoZp-B'.
2016-08-09 15:10:33.293    Registry value "HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet" has been cleaned up.
2016-08-09 15:10:33.293    Registry value "HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209" belongs to malware 'Mal/BredoZp-B'.
2016-08-09 15:10:33.293    Registry value "HKU\S-1-5-21-1844237615-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209" has been cleaned up.
2016-08-09 15:10:33.293    Removal successful
2016-08-09 15:10:42.441    Threat 'Mal/Mdrop-CE' has been cleaned up.
2016-08-09 15:10:42.441    File "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\« Unlocking »\RaphaelUnlocker.exe" belongs to malware 'Mal/Mdrop-CE'.
2016-08-09 15:10:42.441    File "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\« Unlocking »\RaphaelUnlocker.exe" has been cleaned up.
2016-08-09 15:10:42.441    Removal successful
2016-08-09 15:10:42.472    Contents of SafeClean bin directory:
2016-08-09 15:10:42.660    {
2016-08-09 15:10:42.660        RecordID   : "0000000000000001",
2016-08-09 15:10:42.660        ItemType   : "1",
2016-08-09 15:10:42.660        Location   : "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\Kitchen\",
2016-08-09 15:10:42.660        FileName   : "buildos+package_tools-4.2b3.zip",
2016-08-09 15:10:42.660        ThreatName : "Mal/BredoZp-B",
2016-08-09 15:10:42.660        Checksum   : "fffe68ae79d0986d358789b256def43af80cadacbb654637903383a4b1bf1867",
2016-08-09 15:10:42.660        TimeStamp  : "Tue Aug 09 11:10:19 2016"
2016-08-09 15:10:42.660    }
2016-08-09 15:10:42.660    {
2016-08-09 15:10:42.660        RecordID   : "0000000000000002",
2016-08-09 15:10:42.660        ItemType   : "1",
2016-08-09 15:10:42.660        Location   : "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\« Unlocking »\",
2016-08-09 15:10:42.660        FileName   : "RaphaelUnlocker.exe",
2016-08-09 15:10:42.660        ThreatName : "Mal/Mdrop-CE",
2016-08-09 15:10:42.660        Checksum   : "c80ee04e23d7b853899f72bca4fba0d655d76d87e37133a19245a25b5616b5ab",
2016-08-09 15:10:42.660        TimeStamp  : "Tue Aug 09 11:10:33 2016"
2016-08-09 15:10:42.660    }
2016-08-09 15:10:46.184    Error level 0

2016-08-09 15:11:49.781    Scan completed.
2016-08-09 15:11:49.781    

------------------------------------------------------------

2016-08-09 15:20:54.953    Sophos Virus Removal Tool version 2.5.5
2016-08-09 15:20:54.953    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-08-09 15:20:54.953    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-08-09 15:20:54.953    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
2016-08-09 15:20:54.953    Checking for updates...
2016-08-09 15:20:55.093    Update progress: proxy server not available
2016-08-09 15:21:21.375    Downloading updates...
2016-08-09 15:21:21.375    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2016-08-09 15:21:21.375    Update progress: [I49502] Found supplement SAVIW32 LATEST
2016-08-09 15:21:21.375    Update progress: [I49502] Found supplement IDE527 LATEST
2016-08-09 15:21:21.375    Update progress: [I49502] Found supplement IDE528 LATEST
2016-08-09 15:21:21.375    Update progress: [I49502] Found supplement IDE529 LATEST
2016-08-09 15:21:21.375    Update progress: [I49502] Found supplement IDE530 LATEST
2016-08-09 15:21:21.375    Update progress: [I49502] Found supplement IDE531 LATEST
2016-08-09 15:21:21.375    Update progress: [I49502] Found supplement IDE532 LATEST
2016-08-09 15:21:21.375    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-08-09 15:21:21.375    Update progress: [I19463] Syncing product SAVIW32 70
2016-08-09 15:21:21.375    Update progress: [I19463] Syncing product IDE527 142
2016-08-09 15:21:22.265    Update progress: [I19463] Syncing product IDE528 127
2016-08-09 15:21:22.265    Update progress: [I19463] Syncing product IDE529 135
2016-08-09 15:21:22.265    Update progress: [I19463] Syncing product IDE530 214
2016-08-09 15:21:22.265    Update progress: [I19463] Syncing product IDE531 149
2016-08-09 15:21:22.812    Installing updates...
2016-08-09 15:21:54.109    Update progress: [I19463] Syncing product IDE532 1
2016-08-09 15:21:54.453    Update successful
2016-08-09 15:21:57.453    Option all = no
2016-08-09 15:21:57.453    Option recurse = yes
2016-08-09 15:21:57.453    Option archive = no
2016-08-09 15:21:57.453    Option service = yes
2016-08-09 15:21:57.453    Option confirm = yes
2016-08-09 15:21:57.453    Option sxl = yes
2016-08-09 15:21:57.453    Option max-data-age = 35
2016-08-09 15:21:57.453    Option EnableSafeClean = yes
2016-08-09 15:21:57.656    Option vdl-logging = yes
2016-08-09 15:21:57.718    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-09 15:21:57.718    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-09 15:21:57.750    Component SVRTcli.exe version 2.5.5
2016-08-09 15:21:57.750    Component control.dll version 2.5.5
2016-08-09 15:21:57.750    Component SVRTservice.exe version 2.5.5
2016-08-09 15:21:57.750    Component engine\osdp.dll version 1.44.1.2250
2016-08-09 15:21:57.750    Component engine\veex.dll version 3.65.0.2250
2016-08-09 15:21:57.750    Component engine\savi.dll version 9.0.1.2250
2016-08-09 15:21:57.781    Component rkdisk.dll version 1.5.30.0
2016-08-09 15:21:57.781    Version info:    Product version    2.5.5
2016-08-09 15:21:57.781    Version info:    Detection engine    3.65.0
2016-08-09 15:21:57.781    Version info:    Detection data    5.26
2016-08-09 15:21:57.781    Version info:    Build date    4/5/2016
2016-08-09 15:21:57.781    Version info:    Data files added    757
2016-08-09 15:21:57.781    Version info:    Last successful update    8/9/2016 11:21:54 AM
2016-08-09 15:21:58.453    Error: an instance of this application is already running.
2016-08-09 15:21:59.453    Error level 1

2016-08-09 15:23:50.062    Scan failed due to fatal error.
2016-08-09 15:23:50.062    

------------------------------------------------------------

2016-08-09 15:24:06.656    Sophos Virus Removal Tool version 2.5.5
2016-08-09 15:24:06.656    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-08-09 15:24:06.656    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-08-09 15:24:06.656    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
2016-08-09 15:24:06.656    Checking for updates...
2016-08-09 15:24:06.796    Update progress: proxy server not available
2016-08-09 15:24:11.984    Update not required
2016-08-09 15:24:26.500    Option all = no
2016-08-09 15:24:26.500    Option recurse = yes
2016-08-09 15:24:26.500    Option archive = no
2016-08-09 15:24:26.500    Option service = yes
2016-08-09 15:24:26.500    Option confirm = yes
2016-08-09 15:24:26.500    Option sxl = yes
2016-08-09 15:24:26.500    Option max-data-age = 35
2016-08-09 15:24:26.500    Option EnableSafeClean = yes
2016-08-09 15:24:26.546    Option vdl-logging = yes
2016-08-09 15:24:26.562    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-08-09 15:24:26.562    Machine ID:    f5b7a50d709447afb131bb00bff316f6
2016-08-09 15:24:26.562    Component SVRTcli.exe version 2.5.5
2016-08-09 15:24:26.562    Component control.dll version 2.5.5
2016-08-09 15:24:26.562    Component SVRTservice.exe version 2.5.5
2016-08-09 15:24:26.562    Component engine\osdp.dll version 1.44.1.2250
2016-08-09 15:24:26.562    Component engine\veex.dll version 3.65.0.2250
2016-08-09 15:24:26.562    Component engine\savi.dll version 9.0.1.2250
2016-08-09 15:24:26.562    Component rkdisk.dll version 1.5.30.0
2016-08-09 15:24:26.562    Version info:    Product version    2.5.5
2016-08-09 15:24:26.578    Version info:    Detection engine    3.65.0
2016-08-09 15:24:26.578    Version info:    Detection data    5.26
2016-08-09 15:24:26.578    Version info:    Build date    4/5/2016
2016-08-09 15:24:26.578    Version info:    Data files added    760
2016-08-09 15:24:26.578    Version info:    Last successful update    8/9/2016 11:21:54 AM

2016-08-09 16:56:45.634    Could not open C:\Boot\BCD
2016-08-09 17:18:11.415    Could not open C:\hiberfil.sys
2016-08-09 21:44:21.794    >>> Virus 'Mal/Mdrop-CE' found in file E:\System Volume Information\_restore{F12267EB-4139-410B-A5CA-39ACA65FED85}\RP2012\A0678310.exe
2016-08-09 22:27:37.919    Could not open LOGICAL:000E:00000000
2016-08-09 22:27:37.919    Could not open O:\
2016-08-09 22:28:19.888    Could not open LOGICAL:0012:00000000
2016-08-09 22:28:19.904    Could not open S:\
2016-08-09 22:28:19.904    Could not open LOGICAL:0015:00000000
2016-08-09 22:28:19.904    Could not open V:\
2016-08-10 01:14:45.531    Could not open PHYSICAL:0086:0000:0000:0001
2016-08-10 01:14:45.578    Could not open PHYSICAL:0087:0000:0000:0001
2016-08-10 01:14:45.578    Could not open PHYSICAL:0088:0000:0000:0001
2016-08-10 01:14:45.625    The following items will be cleaned up:
2016-08-10 01:14:45.625    Mal/Mdrop-CE
2016-08-10 02:55:19.714    Threat 'Mal/Mdrop-CE' has been cleaned up.
2016-08-10 02:55:19.714    File "E:\System Volume Information\_restore{F12267EB-4139-410B-A5CA-39ACA65FED85}\RP2012\A0678310.exe" belongs to malware 'Mal/Mdrop-CE'.
2016-08-10 02:55:19.714    File "E:\System Volume Information\_restore{F12267EB-4139-410B-A5CA-39ACA65FED85}\RP2012\A0678310.exe" has been cleaned up.
2016-08-10 02:55:19.714    Removal successful
2016-08-10 02:55:19.745    Contents of SafeClean bin directory:
2016-08-10 02:55:19.776    {
2016-08-10 02:55:19.776        RecordID   : "0000000000000001",
2016-08-10 02:55:19.776        ItemType   : "1",
2016-08-10 02:55:19.776        Location   : "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\Kitchen\",
2016-08-10 02:55:19.776        FileName   : "buildos+package_tools-4.2b3.zip",
2016-08-10 02:55:19.776        ThreatName : "Mal/BredoZp-B",
2016-08-10 02:55:19.776        Checksum   : "fffe68ae79d0986d358789b256def43af80cadacbb654637903383a4b1bf1867",
2016-08-10 02:55:19.776        TimeStamp  : "Tue Aug 09 11:10:19 2016"
2016-08-10 02:55:19.776    }
2016-08-10 02:55:19.776    {
2016-08-10 02:55:19.776        RecordID   : "0000000000000002",
2016-08-10 02:55:19.776        ItemType   : "1",
2016-08-10 02:55:19.776        Location   : "E:\ROM Kitchen\Raph\«Unlocking and Cooking»\« Unlocking »\",
2016-08-10 02:55:19.776        FileName   : "RaphaelUnlocker.exe",
2016-08-10 02:55:19.776        ThreatName : "Mal/Mdrop-CE",
2016-08-10 02:55:19.776        Checksum   : "c80ee04e23d7b853899f72bca4fba0d655d76d87e37133a19245a25b5616b5ab",
2016-08-10 02:55:19.776        TimeStamp  : "Tue Aug 09 11:10:33 2016"
2016-08-10 02:55:19.776    }
2016-08-10 02:55:19.776    {
2016-08-10 02:55:19.776        RecordID   : "0000000000000003",
2016-08-10 02:55:19.776        ItemType   : "1",
2016-08-10 02:55:19.776        Location   : "E:\System Volume Information\_restore{F12267EB-4139-410B-A5CA-39ACA65FED85}\RP2012\",
2016-08-10 02:55:19.776        FileName   : "A0678310.exe",
2016-08-10 02:55:19.776        ThreatName : "Mal/Mdrop-CE",
2016-08-10 02:55:19.776        Checksum   : "c80ee04e23d7b853899f72bca4fba0d655d76d87e37133a19245a25b5616b5ab",
2016-08-10 02:55:19.776        TimeStamp  : "Tue Aug 09 22:55:10 2016"
2016-08-10 02:55:19.776    }
2016-08-10 02:55:21.151    Error level 0

========================================================================

After the Sophos scan, I followed your instructions to run mbam-clean-2.3.0.1001.exe (which was a bit newer than the one I ran in June, mbam-clean-2.2.2.7.exe), and I downloaded and reinstalled the newest version (which appears to be the same as what I had).  I've reactivated it and run a new Threat Scan, which appears to have replaced the Version number, at least for now.  The log from that Threat Scan is here:

========================================================================

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/9/2016
Scan Time: 11:36:16 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.10.01
Rootkit Database: v2016.08.09.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: pvs

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 440552
Time Elapsed: 46 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

========================================================================

Once that scan was complete, and still with my AV disabled, I re-ran the FarBar Recovery Tool, per your Step 07, above.  I have attached both the resulting logfiles (FRST_06-08-2016_23-30-04.txt and Addition_06-08-2016_23-30-04.txt) to this post.

Please let me know your thoughts at your earliest convenience.

Once again, thank you for all your attention to this issue.

-pvs

FRST_06-08-2016_23-30-04.txt

Addition_06-08-2016_23-30-04.txt


Just a couple of questions for you, Ron:

  1. I am unsure about what the RKill program did in the first step.  If I understand correctly, it killed certain processes that could harbor Malware.  But I am not sure if I was supposed to run it to kill those processes before every scan we did above, or if it should have only been run that one time.  FWIW, I only ran it that one time.  Is that okay?
  2. I see that Bitdefender DOES have tools available to do an uninstall (http://www.bitdefender.com/site/view/uninstall_consumer_paid.html).  I was wondering if you thought I might add that "Step" into what we're doing. I might need to run one for both 2015 and 2016, I guess, unless you can easily identify which of them is the culprit.

Anyway, have a great night.  I'm gonna turn in.

-pvs


  • Root Admin

Hi @pvs

1. No, RKILL checks some processes, kills some processes; for the most part it's almost not needed anymore as the type of changes that used to be common for malware threats are not quite like they used to be, but I still have users use it just in case.

2. Yes, please run the Bitdefender removal tool. I'm not sure which version but I'd try the 2016 first, it should be able to find and remove what's left over I'd think.

http://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2016_UninstallTool.exe

http://www.bitdefender.com/files/KnowledgeBase/file/The_New_Bitdefender_UninstallTool.exe

I notice you have UltraEdit on your computer. Love that program and use it every day. I purchased a lifetime license for it and UltraCompare back in about 2003 and have been upgrading it for free now for well over a decade. Best long term software purchase I've ever made, probably, since I continue to use it and even have your logs open in it now.

There are quite a few errors in the logs. Not sure if they've been there for a while or if they're there due to the work we've been doing. Will need to look at that again soon and fix up.

Is this computer part of a work Domain? It has errors in Group Policy. If it's not on a domain then we may need to look at removing the entries that make it think it's on a domain.

I see you're also running this tool. Is this a server motherboard and you've installed XP and Windows 7 on it?

Supero Doctor III Client

 

You're also running an ancient Adobe License Manager product. I seriously doubt it's working if it's that old, but who knows for sure.

S3 Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2009-07-27] (Adobe Systems) [File not signed]

The logs show you still have an old version of Microsoft Security Essentials installed. Please uninstall it.

You have remnants of an old McAfee antivirus installed as well. Please run the following tool to remove those left over elements.

McAfee Removal Tool

Your copy of Windows Explorer appears to not be OEM and was probably modified. Not sure if done on purpose or not but using the System File Checker to restore OEM files would seem to be needed.

 

C:\WINDOWS\explorer.exe
[2013-11-05 20:32] - [2008-04-13 20:12] - 1031680 ____A (Microsoft Corporation) E4D6FF02A47497FF5B4338A260E3C91D

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/system_file_checker.mspx?mfr=true

http://www.bleepingcomputer.com/forums/t/43051/how-to-use-sfcexe-to-repair-system-files/

 

Your JAVA is VERY old and should be removed unless you're specifically coding something in that ancient version.

Java 7 Update 71

 

Please look at addressing the above items. When done run the following below. Note that the fix script will remove some Java entries. If you want to keep Java on purpose then you need to remove the Java entries from the file before running it.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

 

fixlist.txt

 

Thanks

 

 


Hey Ron,

Thanks for all this info.  I am not finished with it yet (not close, actually), but I thought I'd reply now, and let you know what I HAVE done, let you know a few things that happened, and to ask a few questions.

And yes, I, too, have a lifetime license for UEdit!  I used to program for a living, and used to have a DOS editor named QEdit.  That was fantastic!  As I came into Windows, I hated Notepad, though I manually wrote several websites in HTML using it.  But I needed more, mainly quick macros for coding and code-formatting, and my search ultimately ended with UltraEdit 7.20 in November of 2000.  I finally went with the lifetime license in February 2009. Ian has a great product, and a wonderful staff!  In early 2015, I bought a new Surface Pro, and I asked them how much it would cost to add another machine to my Lifetime license with them, fully expecting them to ask for at least $50.00.  They very kindly wrote back and told me that they adjusted my license, giving me 4 installs instead of the default 3, and to just install it on the Surface Pro ..... no charge!
===================================================================
Anyway, so far, I have run the Bitdefender uninstall.  The one for 2016 could not run on my platform. This seems correct, as I now recall that I ran into that issue when I upgraded this past year.  I own three BD installations, 2 on this machine (XP and W7), and 1 on another W7 laptop (which, incidentally, is also protected by MalwareBytes under my current license).  When I upgraded from BD AV 2015, they told me that the new version (2016) would not work on the XP operating system, and they upgraded me to one of their Security Essentials products.  I had severe issues with that substituted product, which was why I ditched it and went to the free version of AVAST, which, so far, has been pretty good (I think).

Regardless, the program at the second (The New) BD Uninstaller link worked very well, I believe, as it went through at least four iterations for many of the BD Product Line.  I saw the Antivirus Plus product uninstall, as well as the Security Essentials.  It also did a few others, but sorry, I did not keep a log of them.
===================================================================
Regarding MS Security Essentials, I ran the uninstaller in Programs & Features sometime around when MS stopped supporting XP (April 2014?), and as such, it is not in my list of installed Programs & Features.  If there are still remnants lingering, do you recommend that I run this uninstaller?

http://www.bleepingcomputer.com/download/microsoft-security-essentials-removal-tool/

Or would you suggest I do something else?
===================================================================
As for the Group Policy / Work Domain issues, please note that this machine is a central part of my small home network.  Yes, this PC DOES have a Server Motherboard, but it's running XP and W7 as workstations.  It has 5 internal 2TB drives and a 500GB drive that is used for the OS. The data drives are duplicated on a Synology NAS, which also houses a library of Acronis Image backups of the system drive for this machine, as well as backups from 2 other laptops and a Time Machine backup for a Mac.  Though most (not all) of these workstations can see each others' shared files and folders, this machine is not really used as a server.

I might've made some mistakes in the network settings I've used, which might indicate that this is a Work Domain.  I used what I had learned while on the job prior to my retirement to build this network.  So some of my settings might be modeled after my corporate environment.

As for Group Policy errors, well, I was never at a high enough level (at my job) to have had access to Group Policy (I was on a Client Department's IS Team, and only our IT Department could access GP). So I might've made some errors in setting them up. (Or maybe they're due to malware?)

So, with regard to this GP and Domain stuff, I would very much appreciate recommendations from you to correct the issues. But please understand, I feel my network setup is currently giving me EVERYTHING I need at the moment, and am hesitant about changing it (the old, "if it ain't broke..." adage).  But again, I am all ears for any suggestions you might have.  Please advise!
===================================================================
With regard to Adobe, Hmmm.  I have every version of Adobe Photoshop going back to Version 6.0, and they're all installed. This was due to the way Adobe upgraded the product line. The upgrade needed to see a prior licensed product installed before it installed the new one. In many instances, Adobe had removed features from the newer upgrade, so the newer product made a completely new install in a new directory.  This way, the customer still had access to the old features.

I still use the oldest Photoshop occasionally, as its start-up time is quick, and it gives me quite a few great features.  I also use the latest installed one.  I could probably remove most of the subsequent ones, though, as Adobe has changed the way it releases software now, and I will NEVER make use of their new (rental) model.  Besides, anything newer will never run on this old XP Installation.

So with regard to the old license ... I'd like to save that for later.  Once we get the rest of this machine cleaned up, I will make a new Image Backup of the System Drive, and then we can experiment with removing that License Manager.  This way, if removal of the manager kills my working PS6.0, I can revert back to a nice clean system.
===================================================================
Moving on, I DL'd and ran the newer MCPR.exe that you linked to.  It ran fine and completed with a required reboot.  That reboot did not go well, though, with only 4 tray icons appearing.  So I tried to shut down and reboot.  That attempted shutdown also failed, repeatedly. I then tried shutting down explorer.exe through Task Manager, but Task Manager would not come up. I then noticed that I could not even click on the Windows Icon (lower left) to try another shutdown.  So I needed to de-power the machine and start over.  Luckily, the next boot went well (seemingly), and here we are.
===================================================================
Yikes!  I do NOT like the sound of what you're saying about my copy of Windows Explorer!  I am going to review those two links you provided, and try to correct this issue as soon as I finish posting this to our thread.
===================================================================
Yes, my Java is the last one I can get for XP.  I don't know that I really need it.  I do not code in Java (at the moment, anyway).  The only thing that I have that MIGHT need it is my Web-based GUI for the NAS, and THAT product continually complains about the version.  Similar to the Adobe License Manager, above, I think I'd rather wait with this until we have other things cleaned up .... unless you think it's part of any infection I might have.  Please advise, here.
===================================================================
So that's about it for now.  I need to await your instructions about the MS Essentials uninstaller before I can go on with the fixlist.txt stuff.  Please let me know what you think about that, as well as the other issues I've detailed above.

Thanks again, Ron.  I'll be listening up.
-pvs

 


Hi again!  Okay, I've been looking at the links regarding SFC, and I understand what it does.  I have the original Installation CD, but it's an SP2 version.

If I use SFC, can I still use Windows Update to get back to the most recent SP3 versions?  Since MS killed XP, I have shut off Windows Updates, as well as the Security Center Alert Setting, so I don't even know what will happen if I try (probably get about 3,500 Updates to Windows 10 (HaHa)).  Please let me know if you know the answer.

Thanks again!

-pvs


Hey again!  Looking through the fixlist.txt file, I am thinking of just allowing the Java stuff to be removed.  Especially if this stuff is only for programming, which I really doubt I will ever do.

But I am also looking at those language .DLLs (en_res.dll, fr_res.dll, etc., as well as grm_res.dll) in my C:\Documents and Settings\pvs\ Folder.  Those seem to be parts of the Powerchute software that monitors my UPS (I looked at them with UE, and see the traces of the component name in them, and they're signed by American Power Conversion, which would be correct).  I fear if I delete them, my monitoring software will no longer work.  Are you sure they should be removed?

Sorry for all of these questions, but I just want to make sure before I do anything.

-pvs


Also, while I'm still thinking about it, there are entries in the Fix File for Bitdefender. Will they pose an issue if they have already been removed by the uninstaller I ran this morning?  Should I remove those before doing this step?

Agggh!  Questions!  I am SO sorry!

-pvs


  • Root Admin

No problem pvs

Good questions.

Yes, using the MSE removal tool from Bleeping Computer should be okay. If files I have in the "fix" file are from something you know to be valid, please remove that entire line and let me know which lines you removed so I don't put them back in.

Difficult to say about the Java. Older Java is certainly compromised and can help lead to an infection, but is not necessarily the issue. I too have to run some older Java for some older server software.

The group policy stuff we can look at a bit later, not too important. Once you get the stuff removed that we're going to remove and have edited and run the fix file for FRST you need to reboot and then run FRST again and place a check mark in the Additions.txt check box and attach back both new logs and we'll go from there.

Thanks


Well, I tried to download the MS Security Essentials Removal Tool (both Version 1.0.1963 and Version 2), and I am redirected to a page from MS advising that the product has been retired.

Do you have any other ideas for how to fully uninstall Security Essentials?

Also, regarding the SFC to get back to a proper version of Internet Explorer, I've been looking at the links regarding SFC, and I understand what it does.  I have the original Installation CD, but it's an SP2 version.  So, if I use SFC, can I still use Windows Update to get back to the most recent SP3 versions?  Considering that the SE Removal Tool is no longer available, I imagine XP Updates are also gone.

Any ideas?

Thanks again,

-pvs


I MIGHT have an idea about Security Essentials.  I have found that I still have the old install/setup for it:

(mssefullinstall-x86fre-en-us-xp.exe  11,585KB 05/25/2010)

I am not 100% sure that it will allow me to install it, as sometimes these setups require resources on the Internet, and I am sure that any such resources are probably "retired", just like the uninstall tools.  But what do you think?  Maybe I could try to re-install it, and then try to uninstall it immediately after.

Please let me know if you think this might work, or if you have any other ideas.

-pvs


Okay, Ron, please disregard that last post.  I found THIS webpage (https://support.microsoft.com/en-us/kb/2483120) and am following the instructions to "fix it myself".  I hope this process manages to fully remove MS Security Essentials from this machine.  I guess you will be able to confirm whether it worked or not, once I submit newer scans to you.


Okay Ron, so far, so good, I think.  I have completed my MANUAL removal of MS Security Essentials, and the PC restarted normally.  NOTE: I have NOT yet done anything about the non-OEM Internet Explorer, as I am still awaiting some info from you on whether or not I will be able to perform Updates to get back to SP3.

I edited the fixlist.txt file to remove the Java stuff (thought I'd keep it for now, considering your last comments).

I left the other stuff (those DLLs and stuff from Docs&Settings\pvs) in the fixlist file, but I first copied them to the NAS, in case I wind up needing them again in the future.

I am attaching the new fixlist.txt for your use.

FWIW, I had some issues with FRST.exe.  I found that if the fixlist.txt file was in the path, when it first tried to update, it would delete the .EXE and not put a new one in place, so it just died there. So I first allowed it to update, and THEN put the fixlist.txt file into the path, and clicked FIX.  The first time I did this, it crashed with the error message and details I have attached below.

Then I went into the fixlist.txt file and further removed the three entries for Bitdefender (since those SHOULD've been removed via the uninstaller).  Once that was done, it completed successfully, and the Fixlog.txt file is attached (though FRST threw another error regarding a failure to update, also attached).

Anyway, I have attached the resulting FRST.txt and Addition.txt to this post for your review.

Please let me know what I need to do next.

-pvs

fixlist.txt

FRST_err.JPG

FRST_errDetails.JPG

Fixlog.txt

FRST_err2.JPG

FRST.txt

Addition.txt


  • Root Admin

Let's give the tool below a try and see if it removes the entry for MSE

Remove Microsoft Security Essentials WMI Registration

  1. Click on the Start menu.
  2. Select Run...
  3. Type wbemtest and click OK
  4. Click Connect
  5. Type (or copy/paste) root/SecurityCenter in the NameSpace box
  6. Click Connect
  7. Click on Query
  8. Type in or copy / paste SELECT * FROM AntiVirusProduct and click on Apply


If there is more than one result, it means there is more than one Antivirus program installed.
Double click on each result to view the properties for that Antivirus product.
Identify the product(s) installed and DELETE any records for Microsoft Security Essentials


 

Next, let's do a clean removal and reinstall of MBAM as the log says it's missing a file it can't find.

Please uninstall your current version of MBAM and reinstall the latest version using the following guide. MBAM Clean Removal Process 2x


Then let me know how the computer is running now.
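The wbemtest steps above can also be scripted. The following PowerShell is an added example written for this thread, not Malwarebytes' or the forum's own tool; it runs the same SELECT * FROM AntiVirusProduct query against root\SecurityCenter (and root\SecurityCenter2 where it exists), lists every registered product so leftovers can be identified, and only deletes a matching record when -Remove is given. The product-name pattern is an assumed default.

```powershell
# Added example: inspect and optionally remove stale AntiVirusProduct
# registrations in the WMI Security Center namespace, the scripted form
# of the wbemtest steps in this thread. Not Malwarebytes' or the forum's code.
# Assumptions: XP/2003 register products in root\SecurityCenter only;
# the default name pattern is a constructed example. Run from an
# Administrator PowerShell prompt (PowerShell 2.0 is enough).
param(
    [string]$NamePattern = 'Microsoft Security Essentials',  # assumed product name
    [switch]$Remove                                          # dry run unless set
)

# Vista and later also use root\SecurityCenter2; query whichever exist here.
$namespaces = @('root\SecurityCenter', 'root\SecurityCenter2')

foreach ($ns in $namespaces) {
    $products = $null
    try {
        # Same query wbemtest was given: SELECT * FROM AntiVirusProduct
        $products = Get-WmiObject -Namespace $ns `
            -Query 'SELECT * FROM AntiVirusProduct' -ErrorAction Stop
    } catch {
        Write-Host "Namespace $ns not available on this system, skipping."
        continue
    }

    if (-not $products) {
        Write-Host "No AntiVirusProduct records in $ns."
        continue
    }

    # More than one record means Security Center believes more than one
    # product is installed; list each so the user can spot what is gone.
    foreach ($p in @($products)) {
        Write-Host ("[{0}] {1}" -f $ns, $p.displayName)
        if ($ns -eq 'root\SecurityCenter') {
            # XP-era class fields
            Write-Host ("    onAccess={0} upToDate={1} instanceGuid={2}" -f `
                $p.onAccessScanningEnabled, $p.productUptoDate, $p.instanceGuid)
        } else {
            # Vista+ class reports a packed productState instead
            Write-Host ("    productState={0} instanceGuid={1}" -f `
                $p.productState, $p.instanceGuid)
        }

        if ($p.displayName -like "*$NamePattern*") {
            if ($Remove) {
                # Equivalent of deleting the record in wbemtest
                Remove-WmiObject -InputObject $p
                Write-Host "    -> removed stale registration"
            } else {
                Write-Host "    -> matches '$NamePattern'; rerun with -Remove to delete"
            }
        }
    }
}
```

Run it once without -Remove to see what Security Center has registered, and delete only records for products that are no longer installed.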

 


Okay Ron, I ran wbemtest and deleted the entry (that WAS STILL THERE) for Security Essentials.  I did another clean removal and install, and ran a new Threat Scan, which seemed to complete much faster than previously.  Maybe that was because I had not yet enabled Rootkit Scanning, I don't know.

Looking at the log, it seems there is still something wrong, as I see Bad md5 or size reports for akadomains and akaips, and a few others.

Also, my Firefox browser will no longer open the download folder, but that's not a real biggy for me.

Overall, the system seems a bit snappier, and seems quicker on startup and shutdown.  I will let you know how Malwarebytes does after a few restarts.

Please let me know what you think about the foregoing.

Thanks again!

-pvs

Threat Scan Results 2016-08-12.txt


  • Root Admin

Hi @pvs

That is the protection log, not the threat scan log.

Let's try the following. Open a command prompt using an account with Admin rights.

Then type in the following.

CHKDSK  C:  /R

Press the Y key to tell it to run after a restart. Then restart the computer. Depending on the speed of the computer it can take a few hours to run.

Once that's done then run the following.

 

Please visit this web page and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Hmmm.  Yes, I see that I did not attach the Threat Scan Log.  And this morning when I looked, I see that there IS NO Scan Log in History.  So I tried running another Threat Scan, but, again, no log was created. Weird. MalwareBytes DOES tell me about my expected PUM, the fact that I've turned off Auto Updates.  I was looking for the way to add that as an Exception, but can't find it right now.

Anyway, FWIW, I ran an Acronis Image Backup last night, so I can preserve the amount of work we've already done.  I am going to run that CHKDSK C: /R now, and will follow with the ComboFix thing.

I'll be back later,

-pvs

Link to post
Share on other sites
