
Real-Time Protection Always Being Turned Off


pvs


Hi again, Ron,

Okay, I ran the CHKDSK C: /R.  I didn't sit and watch it past a few minutes.  It seemed to be doing its thing as usual.  When I returned to the PC, it was awaiting login, so I am assuming everything worked correctly.

I read through the ComboFix Guide, and ran it.  The Recovery Console was not installed, and failed to install. I allowed the scan to continue, as recommended.

Nearing completion, ComboFix threw a bunch of errors or warnings about not having sufficient rights to restore various registry sections and BCD.  But the machine booted okay, and here we are.

I have attached the ComboFix.txt log.

Please advise further, sir,

-pvs

ComboFix.txt



Hey Ron,

I've been looking at the instructions for manual installation of the Recovery Console.  I tried using my original (SP2) Installation CD, and the first window that popped up told me I could not run Setup, because my current version (SP3) is newer than the one on the CD, so I clicked OK.  But then, another window came up telling me I CAN install the Windows Recovery Console. Considering the first message, I clicked NO, and proceeded to try the method to DL it from Microsoft, fully expecting that page to be a "Support has ended" page.

But to my surprise, the page is still there, and the instructions tell me to use the SP2 version. So I GUESS I can install it from the CD?

All the same, I am hesitant to do so, since I do not want to mess up my dual-boot process.

Do you recommend that I try to install it anyway? I guess I could always go back to the Image Backup I made yesterday if anything goes wrong, as long as I can still boot from the network, via the F12 key.

Anyway, what do you think?

Thank you!

-pvs


  • Root Admin

It's nice to have but not necessary. If you can see this partition from your Windows 7 installation that can allow you to add and remove files.

Combofix found and removed quite a bit of junk. Please run a new scan with MBAM now.

 

Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following:

  • Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
  • Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
  • Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
  • Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

Thanks

 


Hey Ron!  I have to admit, this machine starts up and shuts down like it was new!  That is great!  I hope these procedures might've also fixed the real-time protection being turned off.  We'll see.

Anyway, I want to also advise you that I can also PXE-Boot this PC from my NAS (into a BartPE OS), so I also have THAT flexibility in working with the PC's drives if need be.

Anyway, I ran a Threat Scan this morning, but it, again, did not create a log file.  So I repeated the clean removal and reinstall process, and tried again.

S U C C E S S ! ! !

Attached is the Threat Scan Log, and I also attached the Daily Protection log, as I still see some MD5 Errors in there.  I don't know if you are expecting those, but I wanted to ensure you knew about them before we go on.

Anyway, please have a look at these logs and let me know what you think.

Threat Scan Results 2016-08-14.txt

DailyProtectionLog_2016-08-14.txt


  • Root Admin

Okay, that's good news. Let's try the following, please.

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.


Okay Ron.  I DL'd and ran the MiniToolBox as you requested, and have attached the resulting MTB.txt file.

Though this PC (as I stated in my previous message) seems to be running better than it did, I AM still having the same issue, with Malwarebytes' Real-Time Protection being shut off (and sometimes with Malwarebytes not starting upon login), so, we're not out of the woods, yet.

Also, the issue that started since we've been working on this PC, where I cannot use the "Open Containing Folder" feature in Firefox, to open the Downloads folder, is still here.

One more thing, and I'm really sorry that I broke the rule - AVAST was nagging me to update yesterday, so I did, and I also ran its Smart Scan.  It found no viruses, FWIW.  I hope my updating and running of that scan did not jeopardize the things we've been working on, and will not do anything like that again in the future without first checking with you.

Anyway, please let me know what to do next.

As always, thanks a lot,
-pvs

MTB.txt


  • Root Admin

Not sure if these are current issues or due to the update from Avast.

Application errors:
==================
Error: (08/14/2016 05:53:11 PM) (Source: Bonjour Service) (User: )
Description: Client application bug: DNSServiceResolve(pvsDS._device-info._tcp.local.) active for over two minutes. This places considerable burden on the network.

Error: (08/14/2016 05:53:11 PM) (Source: Bonjour Service) (User: )
Description: Client application bug: DNSServiceResolve(pvsDS._device-info._tcp.local.) active for over two minutes. This places considerable burden on the network.

Error: (08/14/2016 05:29:32 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.  


DETAIL - Insufficient system resources exist to complete the requested service.

Error: (08/14/2016 03:26:51 PM) (Source: Application Error) (User: )
Description: Faulting application mbam.exe, version 2.3.173.0, faulting module ti_managers_proxy_stub.dll, version 17.0.0.3040, fault address 0x00005466.
Processing media-specific event for [mbam.exe!ws!]

Error: (08/14/2016 02:17:52 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module shell32.dll, version 6.0.2900.6242, fault address 0x0002b2b4.
Processing media-specific event for [explorer.exe!ws!]

 

Please restart the computer 2 times. Then run a new FRST scan and make sure you place a check mark in the Addition.txt check box and attach back both new logs.

Thanks


Okay, I understand.  Here is a list of the steps I just took:

  1. Set iReboot to go directly into XP
  2. Did a FULL shutdown
  3. Waited about 10 minutes
  4. Started up (directly in XP) - MBAM Started upon Login and was fully enabled
  5. Set iReboot to go directly into XP
  6. Did a FULL shutdown
  7. Waited about 1 minute
  8. Started up (directly in XP) - MBAM did NOT start upon Login
  9. Disabled AVAST shields
  10. Ran FRST
  11. There was an error updating FRST (see attached .JPG)
  12. Ran FRST again
  13. Still the same error updating (FRST shows "Ready")
  14. Enabled Addition.txt
  15. Performed the Scan
  16. Logs are attached
  17. I then re-enabled MBAM's real-time protection and came here.

Again, if NECESSARY, I can restore this PC back to a couple of days before I updated AVAST, and we can try going from there. Please let me know what you think.

-pvs

FRSTUpdateError.jpg

FRST.txt

Addition.txt


  • Root Admin

Let's go ahead and leave Avast alone for the moment. Hopefully that is not the issue.

Go to the Control Panel and click on Add or Remove Programs.
Select Bonjour from the list.
Click Change/Remove.
Choose Remove, then follow the onscreen instructions.
Then restart the computer and proceed with the other information below.


Don't delete these tasks, but disable them for now
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\SafeZone scheduled Autoupdate 1465418195.job => C:\Program Files\AVAST Software\SZBrowser\launcher.exe

One of the entries from the Event Logs

Application errors:
==================
Error: (08/17/2016 02:22:15 PM) (Source: Userenv) (EventID: 1512) (User: NT AUTHORITY)
Description: Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.  


This link describes the User Profile Hive Cleanup service, but unfortunately it looks like Microsoft took down the download link
You experience log off problems on a Windows XP-based, Windows Server 2003-based, Windows 2000-based, or Windows NT 4.0-based computer
https://support.microsoft.com/en-us/kb/837115

Symbolic Name:    EVENT_FAILED_HIVE_UNLOAD
https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=1512&EvtSrc=Userenv&LCID=1033

Please go ahead and download the UPHCS tool from Major Geeks as they still have a copy of it.
http://www.majorgeeks.com/files/details/microsoft_user_profile_hive_cleanup_service.html
Microsoft User Profile Hive Cleanup Service 1.6g

Visit this old link and download the Process Explorer v11.33 which I believe still works for XP. We can use this tool to possibly help us track down some issues.

https://web.archive.org/web/20100211204158/http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

https://web.archive.org/web/20100211204158/http://download.sysinternals.com/Files/ProcessExplorer.zip

 

You also have this error, but not finding a 100% accurate method of repair. Too many "guesses" as to what might be causing it.
Error: (08/14/2016 10:29:17 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x0000fe60.
Processing media-specific event for [explorer.exe!ws!]


Notice these errors. MBAM got this error:  %%2 = The system cannot find the file specified.

Initially I was thinking that the SuperMicro was having a service login issue, but maybe there is something else going on here.
Why would our MBAM service file be missing on your reboot?

"Event ID: 7000" or "Event ID: 7013" Error Message When You Attempt to Start a Service
https://support.microsoft.com/en-us/kb/314357


System errors:
=============
Error: (08/17/2016 02:25:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SuperMicro Health Assistant service failed to start due to the following error:
%%1053 = The service did not respond to the start or control request in a timely fashion.

Error: (08/17/2016 02:25:35 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the SuperMicro Health Assistant service to connect.

Error: (08/17/2016 02:25:35 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%2 = The system cannot find the file specified.

Error: (08/17/2016 02:25:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MFP Server Enhanced Controller service failed to start due to the following error:
%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (08/17/2016 02:25:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%2 = The system cannot find the file specified.


DO NOT DOWNLOAD from this site. Just linking to it to show this other error as it goes in line with the errors above too.

Error: (08/17/2016 02:20:48 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MFP Server Enhanced Controller service failed to start due to the following error:
%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

 

LINK:

http://www.liutilities.com/device-driver/mfp-server-enhanced-controller/


DO NOT DOWNLOAD ANYTHING from this link above.


Wow, just noticed your version of Acronis. Not a problem as long as it works 100% (2008-06-24)
HKLM\...\Run: [AcronisTimounterMonitor] => C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe [904768 2008-06-24] (Acronis)


Your version of iReboot, might be part of the issue. If I'm reading the version you have and the one online and what it says it fixes. But may not be related or part of the issue, just something to look at further.

ShortcutTarget: iReboot 1.1.1.lnk -> C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe (NeoSmart Technologies)
2009-09-15 06:51 - 2009-09-15 06:51 - 00017408 _____ () C:\Program Files\NeoSmart Technologies\iReboot\iRebootd.exe

http://neosmart.net/Software/Changelog/11
iReboot 2.0.1.42 (May 25, 2015)

    [IRBT-31] - New: Always save/remember user changes to settings in menu
    [IRBT-32] - Fixed: Remoting channel times out between client and service

 

STEPS TO DO:

For now please uninstall the Bonjour
Disable the Tasks listed above
Download and install the UPHC (User Profile Hive Cleanup Service) and restart the computer.
Review all of your services and make sure none of them are set to logon as you or any other user.
Review your iReboot app and see if you think it might be related or not and let me know.

Very odd that our protection driver would not be found on reboot.
Please check the startup service settings for all the Avast services and write them down. Don't rely on your memory.
Then set all of them to DISABLED and reboot.

Use the MBAM CLEAN tool and uninstall MBAM once again, then reinstall MBAM, update it, and activate it. Then restart the computer 3 times so we can see the Event Logs to see what good any of the above procedures have done for us.

Then run FRST again, and place a check mark in the Addition.txt check box and ATTACH back both new logs on your next reply.

Then, go ahead and reset Avast services back to what they were originally (do not do this until you run FRST again above)

Thanks


1) Okay, I have uninstalled Bonjour using the normal uninstaller, and it worked without issue (or error messages, anyway).  FWIW, I never liked having that in my system.  I am not SURE that I need it at all.  Maybe it helps with syncing my old iPhone 4s.  Maybe, if you agree, I can see if having removed it causes me any issues.  If not, I think it might be a good idea to get rid of it altogether, and not look back.

FWIW, after uninstalling Bonjour, AVAST threw up a panel saying that Bonjour has not been completely removed, and offered to delete 3 additional files associated with it.  I did NOT click on the button to let it do so.

2) I disabled the two AVAST tasks in Task Scheduler by unchecking the enabled box in each of their Properties panels.

3) I've DL'd both the UPHClean utilities and the Process Explorer, as you recommended.  On this issue, I just want to let you know that I very seldom have shutdown issues.  Once in a while, I need to take some kind of action, but shutdowns usually go fine. I am not disagreeing with you here, just giving you some additional info on my symptoms.

4) Weird about the Explorer issue.  I have no ideas, either.  I guess maybe we'll see as we progress.

5) The MFP error MIGHT be because the printer that's attached to that device was shut off.  I will make sure it is turned on for all future reboots while we investigate.  I THINK that might make that issue go away.  We'll see. FWIW, I turned that printer ON today before I logged in, and MBAM successfully loaded and was enabled - for that one boot, anyway.  I wonder if that one simple thing might fix this issue. (Never mind - see item 8, below)

6) As for Acronis, yes, it's old, but working very well for me, on all three installations (I have it on this PC's XP and W7 partitions, as well as one of my laptops). I Back-Up pretty regularly (and restore when needed).  I do not upgrade because "it ain't broke" and many times, newer software breaks things. (LOL)

7) I installed the UPHClean utility, per your instructions.

8) I did a full reboot (SHUTDOWN, wait, RESTART).  MBAM did restart, but very late, and Real-Time Protection was disabled, so the MFP Printer being ON did NOT help.  Oh well. FWIW, I restarted MBAM's Real-Time Protection before proceeding.

9) All of the Services in my Services Panel show that they either Log On As "Local System" or "Network Service".

10) I would consider updating my iReboot app.  FWIW, I DO still have a copy of the Version 1.1.1 Installer if I need to roll back without doing a full Restore-From-Backup.  Please let me know if you want to try that.

11) Checking my Services list for AVAST-related items, I DO see that Bonjour Service is still listed (and STARTED).  Should I disable it?  Try to allow AVAST to delete those three other files?  Please advise.

12) The only entry I find for AVAST in my Services List is Avast Antivirus, set to Automatic.  If I try to Disable it, I get an "Access Is Denied" error. Any ideas?  FWIW, it is set to Log On As "Local System".

13) Looking in MS Config on the Services Tab, I see that Avast Antivirus is listed there, but similarly, due to Access Levels, I cannot disable it.  FWIW, I AM an Administrator, and am logged in as such.

NOTE: I ALSO see the Bonjour Service in this MS Config list, and it IS running.  Should I disable it?  Do more to fully uninstall it?  Please advise.

===============================================================================
So that's where I am standing right now.  As I could not complete all of the instructions, I have not yet done another MBAM Clean Install, nor rerun FRST.  Please reply back with further instructions regarding:

1) Bonjour Service complete removal
2) Any way to disable AVAST (getting around the access rights)
3) Should I try upgrading iReboot?

Thanks so much, Ron.  Boy, this stuff gets complicated, eh?  I am SO HAPPY to have you assisting me with it (and I THINK I'm actually learning from the experience!  Not bad for a 60 year old, eh?)

Hope to hear from you soon,

-pvs


Hey Ron,

I've been thinking, and I recall a few months ago, I was toying around in the system32 folder.  I had an issue with User Permissions, and I think I might've screwed some of them up.  I was searching the Internet a few moments ago from one of my other machines, and I ran across this post, which refers to the SubInACL utility. This utility sounds like it might be promising, and could be able to clean up any mess I might've made (or maybe it'll make some other ones).

I downloaded the .MSI Installer (on this PC, not the one we're working on) from https://www.microsoft.com/en-us/download/confirmation.aspx?id=23510. I couldn't believe they still have it up there - and it SAYS it's for WinXP!!!

What do you think?  Could THIS be the cause of my current MBAM issues and other system errors?  Is it worth a shot?

Please advise.

-pvs


  • Root Admin

This Post

Okay, this is a long shot, so, please make a full backup of your current Windows XP box as what we're going to do "cannot be undone". If it works, great, if not, we cannot change it back without doing a full restore. Do not take this WARNING lightly. We will modify all file, folder, and registry permissions back to an assumed default level, this is not supported by Microsoft.

 

STEP 1
Close all applications before running tool below.

STEP 2

Review This Post on how to exclude MBAM and Avast mutually and set that up.

STEP 3

Note: Only attempt this if you are running an English installation of Windows XP as this tool has NOT been tested on non-English installations of Windows:

Reset Default Permissions:

  • Please download ResetDefaultPerms by AdvancedSetup from here and save it to your desktop
  • Close any open programs and save anything you were working on
  • Double click on restoredefaultperms.exe to run it
  • Once it completes it will restart your computer

After the reboot make sure that antivirus and MBAM are running properly. Then reboot a couple more times, make no other changes to the system yet, run a NEW FRST set of logs and let me know if MBAM failed to load on any of these reboots.


Okay Ron.  Thanks again.

I have downloaded the restoredefaultperms.exe file and saved it in two secure locations (and marked them RO).

I then went into MBAM and excluded the "C:\Program Files\AVAST Software" folder, as described in the first "This Post" link you provided.  Note, I did NOT follow the other instructions in that post, regarding cleanup of temporary files, downloading of OTC, deleting MBAM history, nor the one to DL version 2.2 of MBAM.  I ONLY used that post for instructions on excluding the AVAST Software folder in MBAM. I hope that is what you wanted me to do.

I also went into Avast! and set up the six exclusions shown on the second "This Post" link, as well as the web exclusion. Note that my newer version of AVAST is quite a bit different from that write-up.  If you want, when we're done here, I can give you a better description of the process for this newer AVAST Antivirus.

I am now going to run a full sector-by-sector backup of the entire boot drive (both partitions).  This will save the above settings, as well as the disabling of the two AVAST Tasks we did a few posts above.  I will make note of that in the Backup Comment, so that I don't forget about it if I ever need to restore from that backup copy again.  This backup will take about 7 hours to complete.  Once it's done, I will check back here for any further instructions, and then run RestoreDefaultPerms and FRST.

Two questions on the repeated reboots (before FRST):

  1. If they don't start automatically, should I restart MBAM and/or enable Real-Time Protection between those reboots?
  2. Should I deactivate AVAST and MBAM Protection prior to running FRST?

Okay, that should do it for now.  I'll be back sometime tonight or tomorrow.

-pvs


Okay Ron,

I did the full backup, and it went SURPRISINGLY fast - Under 3 hours, where it has always taken at least 6 hours before.  Weird.  Anyway, due to this speed, I wasn't feeling secure that the backup was valid (though Acronis said it was). So I decided to swap out my hard drive for another one I had handy, and create a clone, just to be sure I had a working copy.  I am happy to report that it worked like a charm, so I now have two identical drives, outside of the fact that this one has had restoredefaultperms.exe run on it.

The first reboot after RestoreDefaultPerms threw an error message about the MFP device (see attached .JPG), but I restarted that device before the next boot (not sure I actually HAD to), and that error did not reoccur on subsequent reboots. MBAM did not load on this boot - or maybe I didn't wait long enough (about 5 minutes).

The second boot threw no errors, but again, MBAM did not load within about 5 minutes.

On the third boot, MBAM DID finally start (maybe because I had the machine running for a longer time?), but the Real-Time Protection was disabled.

Anyway, attached are the new log files from FRST.  Please note that I did not disable AVAST's shields, but I DID manually re-enable MBAM's Real-Time Protection.  I hope that's okay (I really need to get some sleep, and I messed up).

Just thinking, maybe with the permissions fixed, I should do another clean install?  I'm just guessing here, I will await instructions from you.

Thanks, yet again,
-pvs

MFPBeingUsedError.jpg

FRST.txt

Addition.txt


  • Root Admin

Same issue. We've cleaned up a couple other errors that no longer show now, but ERROR 2 means File Not Found. Which is what you got on both reboots.

System errors:
=============
Error: (08/19/2016 03:55:14 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%2 = The system cannot find the file specified.

Error: (08/19/2016 03:55:14 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%2 = The system cannot find the file specified.

Now that we have a full backup that we know works, let's go ahead and fully uninstall the Avira antivirus. Then reboot, wait 5 minutes, reboot, wait 5 minutes, do that for a total of 3 reboots. Each time leaving it on for 5 minutes before the next reboot.

If MBAM does not load all 3 times, then do the MBAM CLEAN removal, reinstall process and try the 3 reboots again with Avira still uninstalled.

Thanks

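The Service Control Manager entries quoted in the two Root Admin posts above (EventID 7000 for MBAMProtector and 7001 for MBAMService, both carrying "%%2 = The system cannot find the file specified") are the kind of thing worth pulling out of an FRST or MiniToolBox log mechanically rather than by eye. The Python script below is an added example, not code from this thread, from Malwarebytes, or from the FRST/MiniToolBox authors. It parses that "Error: (...) (Source: ...) (EventID: ...)" excerpt format, separates a service that failed in its own right (7000) from one that only failed because a dependency did (7001), and flags any root failure whose Win32 code is 2, i.e. the service image or driver file was not where the SCM expected it. The sample log embedded in the script is constructed from the entries quoted in the thread; the function and variable names are the example's own.

```python
"""Triage the 'Application errors' / 'System errors' excerpts that FRST and
MiniToolBox write.  Added example for this thread, not code from the forum,
from Malwarebytes, or from the FRST/MiniToolBox authors.  SAMPLE_LOG is
constructed from the Service Control Manager entries quoted in the thread."""
import re

SAMPLE_LOG = """\
System errors:
=============
Error: (08/17/2016 02:25:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SuperMicro Health Assistant service failed to start due to the following error:
%%1053 = The service did not respond to the start or control request in a timely fashion.

Error: (08/17/2016 02:25:35 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the SuperMicro Health Assistant service to connect.

Error: (08/17/2016 02:25:35 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%2 = The system cannot find the file specified.

Error: (08/17/2016 02:25:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%2 = The system cannot find the file specified.
"""

# One "Error:" header line per event.  MiniToolBox output omits "(EventID: n)",
# so that group is optional.
HEADER = re.compile(r"^Error: \((?P<when>[^)]+)\) \(Source: (?P<source>[^)]+)\)"
                    r"(?: \(EventID: (?P<id>\d+)\))?")
SECTION = re.compile(r"^(?:Application errors:|System errors:|=+)\s*$")
WINERR = re.compile(r"^%%(?P<code>\d+) = (?P<text>.+)$")   # "%%2 = The system cannot find ..."
FAILED = re.compile(r"^The (?P<svc>.+?) service failed to start")
DEPEND = re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed")

ERROR_FILE_NOT_FOUND = 2   # the Win32 code behind "%%2" in the quoted log


def parse_events(text):
    """Return a list of dicts: when, source, event_id, description, win32_error."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION.match(line):
            continue
        m = HEADER.match(line)
        if m:
            cur = {"when": m["when"], "source": m["source"],
                   "event_id": int(m["id"]) if m["id"] else None,
                   "description": "", "win32_error": None}
            events.append(cur)
            continue
        if cur is None:
            continue  # stray text before the first header
        w = WINERR.match(line)
        if w:
            cur["win32_error"] = (int(w["code"]), w["text"])
        else:
            # "Description:" line plus any continuation lines (e.g. "DETAIL - ...")
            line = re.sub(r"^Description:\s*", "", line)
            cur["description"] = (cur["description"] + " " + line).strip()
    return events


def service_failures(events):
    """Pick out SCM 7000 (service failed) and 7001 (dependency failed) records."""
    out = []
    for ev in events:
        if ev["source"] != "Service Control Manager":
            continue
        m = DEPEND.match(ev["description"])
        if m:
            out.append({"service": m["svc"], "depends_on": m["dep"]})
        else:
            m = FAILED.match(ev["description"])
            if not m:
                continue  # e.g. a 7009 timeout record carries no failure text we key on
            out.append({"service": m["svc"], "depends_on": None})
        code, text = ev["win32_error"] or (None, "")
        out[-1].update(event_id=ev["event_id"], code=code, text=text)
    return out


def triage(text):
    """Separate root failures from cascaded ones and flag missing binaries.

    A 7001 record says service X could not start because dependency Y failed;
    the matching 7000 record for Y is the one to chase.  Code 2 on Y means the
    service's image or driver file could not be opened."""
    fails = service_failures(parse_events(text))
    root = sorted({f["service"] for f in fails if f["depends_on"] is None})
    cascaded = {f["service"]: f["depends_on"] for f in fails if f["depends_on"]}
    missing = sorted(f["service"] for f in fails
                     if f["depends_on"] is None and f["code"] == ERROR_FILE_NOT_FOUND)
    return {"root": root, "cascaded": cascaded, "missing_file": missing}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the "System errors:" section of an FRST Addition.txt or a MiniToolBox Result.txt. A service listed under missing_file is the one whose binary or driver the SCM could not open, and everything under cascaded merely inherited that failure, so the product that owns the root service is where a clean uninstall and reinstall belongs; chasing the dependent services first only hides the cause.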

Hey Ron,

Sorry for the delay.  Two nights ago, I realized that I could no longer Remote Desktop into this machine while it was running WinXP. It still works from the Win7 side, so I know this issue is not a network problem.

Anyway, I proceeded to do the full uninstall of AVAST, and I double-checked using the wbemtest tool you showed me.  As hoped for, I had NO antivirus Products installed. I rebooted twice after that, and MBAM did not start on any of them.

At that point, I rechecked to see if Remote Desktop worked.  Nada.  So I then did a clean uninstall of MBAM.  Leaving that uninstalled, I again rechecked Remote Desktop.  Still nothing.

So I decided to get a couple more extra HDDs out of my desk drawer, and do a few restorations of much older versions of this machine.  My May 28, 2016 version's restore, which was just before I dropped Bitdefender for AVAST, had a few issues due to a (at that time) recent change of my video card, which had died.  Before trying to fix those issues, I then restored from a June 18th backup, which was immediately after I installed AVAST.  Here, Remote Desktop WAS working, though this issue with MBAM was already evident.

So, SOMETHING has killed Remote Desktop.  I am not sure if it is due to some of the cleaning processes we did, or something else.  I have tried disabling the firewall, and turning Remote Desktop off and back on on this PC, but it is refusing to connect.

So, FWIW, I have gone back to the disk we were last working with, and I reinstalled MBAM.  Surprisingly, even though I had done the full clean uninstall, when I reinstalled, I did not need to re-activate the product.  The license info somehow carried across auto-magically.  I am attaching the log from the "first" Threat Scan, below.

I did the three boots as soon as this scan completed. I am happy to report that MBAM started up each time, fully enabled!  So it is LOOKING like there is an incompatibility between MBAM and AVAST, eh?  I am open to suggestions on another AV Product. As I have already paid for BD (and it was brutal on this PC), I would PREFER a "free" option, if possible, but I know we often get what we pay for, and vice-versa.

I also went ahead and re-ran FRST, and attached the two logs. I see that that REGISTRY Error is still there!!!  Please let me know if you see anything else of interest.

Please note that I am still getting the Update Error (5) when FRST starts up.  Should I try to manually download a newer version?

In the meantime (and as a side note, right now), I have a few complete backups of this system that I made while we were going through this process (2016-08-06, 2016-08-12, 2016-08-14, and the one from 2016-08-18, which we are currently working from).  I plan to restore each one in succession to try to determine at which point Remote Desktop stopped working.  But I will keep this HDD and the prior one intact in case we need to go back to them at some point. I will proceed with these restores and let you know what I find.

Hoping you might have some ideas about what I am experiencing, thanks again for all of your time and effort in assisting me.
-pvs

 

Threat Scan Results 2016-08-21.txt

FRST.txt

Addition.txt

FRSTUpdateError.jpg


Hi again, Ron,

Okay, yesterday, I went full-tilt with my backups, and created separate drives for each of my most recent backups, since we began working on my issue with MBAM Real-Time Protection always turning off.  I now have individual drives for each backup - August 6, August 12, Aug 14 and Aug 18, as well as the one with a few changes since Aug 18 (ResetDefaultPerms being run, in particular, as well as AVAST being uninstalled).

Despite what I had stated earlier, it seems that Remote Desktop was indeed working okay right through Aug 18th, before we ran ResetDefaultPerms. (It seems I didn't wait long enough before trying to log in remotely in my previous tests. Oy!)

Anyway, now that I have all 5 of these HDDs, maybe we can go back and see at which point FRST first gave us the issues with the Registry Hive memory not being able to be released.  I am thinking it MIGHT've been with the scan I inappropriately did using AVAST's newest version, but I am not sure.

I am not going to run anything on any of the drives before I have your say-so.  So I will bump this thread again tonight, and let you think about my options.  Hopefully, having this "library" of HDDs to select from, we will be able to get a better picture of what might be going on. 

As a side note, I am SO HAPPY I set up this backup/restore procedure a few years back.  (It also helps a lot to have all these extra HDDs laying around!)  It has been a great feature, and has gotten me out of jams a few times in the past.  I hope we can similarly find a resolution in this go-round!

Anyway, I just wanted to set the record straight regarding Remote Desktop's functionality throughout this process.

Looking forward to hearing what you think.

-pvs


  • Root Admin

Well, if you know for certain that Remote Desktop was working before the ResetDefaultPerms and that did not fix the issue then I think we should go back to a disk before you ran it. Then make sure Remote Desktop is working. Then for whatever reason, it's certainly looking like something is up using Avast and MBAM on the system as it is.

Get back to that older disk, remove Avira, install/reinstall MBAM and then possibly try Avast or AVG free and see if the issue resolves itself with one of those AV products.


Hi again, Ron,

I just wanted to write back and acknowledge your last post here.

I have gone through my assorted restored HDDs, and found that Remote Desktop worked right through Aug 14th's version.  However, that was also where FRST started to show the issue with Registry hive memory not being able to be freed-up.  I found that my Aug 12th backup did not have that error.

FWIW, I went back and manually downloaded the newest FRST from the website you linked earlier, and have been using that version since.

I also shrunk the two partitions so that I can again use two other Velociraptor 300GB HDDs I've had in storage, and I restored the August 12th version onto both of them, so that I can "play".

I used one of those disks today, and tried ResetDefaultPerms one more time.  Unfortunately, it DID replicate my issue of no longer being able to connect via Remote Desktop.  So it looks like I cannot use that utility - too bad.

Anyway, I am going to continue poking around on this PC to see if I can clear up some of the errors noted using FRST.  I have briefly looked at some stuff on the web regarding removal of Bonjour, but it seems I really might need that utility, as I DO sync my phone with Outlook using iTunes, and from what I'm seeing, I need to have that thing installed.

I am probably going to try a different AV product at some point, but for now, I want to try to get rid of some stuff I don't use, creating backups every step of the way, and rolling back whenever necessary.

If you want, I will update this thread with anything new I find, in hopes that doing so might help some other folks out there who are still using XP. Could you please keep the thread open so that I might do so?

Thanks so much for your time and patience, AND for the excellent utilities you've introduced me to.  I think that with the help of those tools, I might get a better handle on what's going on with this old XP installation.

And again, the steps we've taken thus far have already improved the responsiveness of this PC a LOT!  And it's great to know that my issues do not seem to be related to viruses or malware. (I think?)

Hope to hear from you again,
-pvs


Hey Ron,

Just another note from today...

Following along with the steps you gave me after Aug 12th, I used another freshly-restored HDD from that date, and ran ComboFix.  ComboFix upgraded me to Version 16.8.21.2. 

At the end of the AutoScan, ComboFix threw a few RegReplaceKey: 5 - Access Denied errors:

  • C:\WINDOWS\system32\config\SECURITY
  • C:\WINDOWS\system32\config\software
  • C:\WINDOWS\system32\config\system
  • C:\WINDOWS\system32\config\default
  • C:\WINDOWS\system32\config\SAM
  • C:\Boot\BCD

I answered "Yes" to every prompt that came up.

I have attached the resulting Log if you'd like to review it.

When it completed I ran a MBAM Threat Scan, and have included those logs as well.

Finally, I ran another FRST/Addition scan.  I do not see the issue we had earlier regarding the failure to release Registry memory, but a lot of errors still remain in the log, including the Bonjour stuff (and again, I think I need to keep Bonjour, unfortunately).

FWIW, the PC is still permitting me to use Remote Desktop.  As a matter of fact, I ran ALL of these scans via remote control from my Surface Pro.

So, with that, I am about to run another full backup, and will proceed to do only one step at a time between backups from here on out. 

As I have not yet killed AVAST, I am not sure if you want to keep following me on this, Ron.  But if you do, and check these log files, I want to let you know that I would appreciate any and all tips you might have for me on getting rid of the continuing System and Application Errors that were showing up.

Finally, once I have this current backup completed and cloned to an HDD, I plan to run MiniToolBox again, as that was the step we had done previously once ComboFix was run.  I will post those results when I have done that.

Thanks again,

-pvs

ComboFix_2016-08-24.txt

Threat Scan Results 2016-08-24.txt

FRST_2016-08-24_AfterComboFIX.txt

Addition_2016-08-24_AfterComboFIX.txt


  • Root Admin

Yes, Combofix removed a lot of junk. But with changing of images it's difficult to keep up, or keep track of where you're at.

I'm not saying you cannot have or use Bonjour only that you should uninstall it as well as iTunes and then once you get other items cleaned up and the Event Logs look better, then you can reinstall iTunes and it should install Bonjour again for you.

Possibly with the use of Process Monitor you may be able to track down the issue between Avira and MBAM but it could be difficult trying to verify that as the tool is complex to use for most users.

 

 


Hi again, Ron, and once more, I apologize for the delay - but I ran into some issues with the last go 'round.  I understand your inability to keep up with me as I go back and forth with my different HDD revisions.  I know I am not making it easy for you.  But I am trying to be as careful as possible in cleaning my issue, and trying hard not to lose functionality in this PC, which was working fine outside of my issue with the Real-Time Protection always getting shut off.  Toward this end, I BELIEVE we have isolated the issue as being some sort of incompatibility between MBAM and my AVAST antivirus.

Anyway, briefly, what I had found when we last left off, was that I was having issues with Remote Desktop, which I got around by going back to my 8/12/2016 HDD backup.  But in further testing, while I could now connect via Remote Desktop, I also found the following issues:
1) I could no longer open my downloads folder from within Firefox
2) My right-click context menu and My Computer "Search" functionality no longer worked
3) I no longer had File-Edit-View... menus in Internet Explorer
4) I could no longer open a Windows Explorer panel to view my local computers (no permission?)
5) I was having an "Unspecified Security Risk" warning when right-clicking on an item from my networked devices

I tried fixing some of these issues using things I found on the Internet, but I was coming up short with a few of them, and things were just getting complicated.  Further, I wasn't sure if other things were also going wrong.  So I decided to restore my system to just before we started working on this problem.  Luckily, I had a backup from 8/6/2016, which was just before we started.  Using that backup, I went in and cleaned ALL of my Antivirus products and MBAM using the uninstallers we previously used, as follows:
 1) Uninstalled AVAST using AvastClear  (previously downloaded)
 2) Did a clean uninstall of MBAM (MBAM-clean v2.3.0.1001)
 3) Manually uninstalled MS Security Essentials as I had done before
 4) Again used MCPR (previously downloaded) to remove McAfee remnants
 5) Used the Bitdefender Cleanup utility you linked (previously downloaded)
 6) Then I did a standard "Windows Cleanup" of Drive C (Right-Click->Properties->Disk Cleanup)
 7) I removed several unused Windows Features using Add & Remove Programs & Features
 8) I also updated VLC Player with a DL from their site.

I proceeded to make a backup of this HDD state.

Then I used a clone of the HDD and did the following:
 1) I updated iReboot to the current version (1.1.1.15)
 2) I reinstalled MBAM 2.2.1.1043, which gave me the following issues
    a) Crash on initial startup/update (1709_appcompat.txt, attached)
    b) Restarted MBAM - no AntiRootKit Driver loaded, rebooted
    c) Still no AntiRootKit driver on startup scan
    d) Retried the Scan, and now it was OK. It found the same 69 VideoAd PUPs we had found before, which I killed
    e) Rebooted - MBAM OK and Protection was enabled, but my extra Windows Taskbars were killed. I reset them as I had them.
    f) Rebooted again - MBAM and all else appear OK
    g) Ran Chameleon #1 (v3.1.29.0) - 0 threats found
    h) Rebooted again, and all looked great.  I tested all of the issues I had previously found, and everything is still working.
    
From here, I am now creating another HDD backup and clone, before I try using some of the cleaners you introduced me to, and before I install another (or the same - I don't know yet) Antivirus package.

FWIW, I hesitate to uninstall iTunes/Bonjour, due to the fact that I do not update my old iPhone nor iTunes to the latest versions, simply because Apple keeps on making my old phone slower, reduces battery life, and they obviously want me to spend money to upgrade my two phones that still work fine. I fear that reinstalling iTunes is more than likely going to present me with upgrade issues.  I will revisit this topic in the future if need be, but for now, I am opting to leave that alone.

I am attaching the crash log (1709_appcompat.txt) from the first run of MBAM, noted above, in case you see anything in there.  I am also attaching the Daily Protection Log, and the two Threat Scan Logs, for your review.

Again, I understand that I am not making things easy for you, and my case of being able to revert back to earlier HDD versions is probably not "the norm", but I am happy that whatever I do on this old rig can be easily undone, as it affords me a great amount of flexibility.  Please understand that I am not fully expecting you to review my logs at this point.  I offer them to you in case you might wish to take a look and offer pointers and suggestions. Unless you request otherwise, I will continue to post my progress, logs, and observations as I proceed.  I hope you understand.

Anyway, on to a few hours of making another Backup/Clone of this HDD.  I'll be back within a day or so with a new update.

Thanks again for everything, and for the wonderful MBAM product and your support and help.
-pvs

1709_appcompat.txt

Threat Scan Results 2016-08-26.txt

Chameleon Threat Scan Results 2016-08-26.txt

DailyProtectionLog_2016-08-26.txt


  • Root Admin

Well amongst all these changes, maybe you should take one of your hard drives and FDISK, FORMAT, and reinstall Windows XP. Then install all the drivers needed to get it operational, then install all the Windows Updates. Then clone it at that point. 

Then start slowly installing things like your antivirus and MBAM, often looking for errors or issues in the Event Logs. Make sure your remote desktop works for you, etc. At points where you know there are no errors or issues in the Event Logs, and all continues to work well, image it again. Then finish up installing all your other software.

Then you should have a very well working computer and imaged backup. Yes, a lot of work, but seems you like doing this tweaking and working on computers.

Just an idea.

Ron

 

 

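
A small script to go with Ron's "look at the Event Logs after every install step" advice. This is an added example for readers of the thread, not something pvs or Ron posted and not a Malwarebytes tool. It summarizes the Error and Warning entries from the classic Application and System logs for the last N hours, counts repeats so a recurring error shows up once with a count, and writes the result to a text file you can keep next to each disk image as a "known clean" baseline. It uses Get-EventLog because that cmdlet exists in Windows PowerShell 2.0, the last version installable on Windows XP SP3 (Get-WinEvent needs Vista or later). The 'MBAM*' service-name pattern at the end is an assumption about how the Malwarebytes 2.x services are named; adjust it if it matches nothing on your install.

```powershell
# Added example (not from the thread): summarize recent Error/Warning events
# from the classic Application and System logs, then write a report file.
# Tested pattern for Windows PowerShell 2.0 cmdlets; XP cannot run newer ones.
param(
    [int]$Hours = 24,
    [string]$ReportPath = "$env:USERPROFILE\Desktop\eventlog-check.txt"
)

$since = (Get-Date).AddHours(-$Hours)
$logs  = 'Application', 'System'

# Collect Error and Warning entries newer than $since from both classic logs.
$events = foreach ($log in $logs) {
    Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Log'; e = { $log } }, TimeGenerated, EntryType, Source, EventID, Message
}

# Tally by log/source/event ID so a repeating error appears once with a count,
# plus the time of its latest occurrence and the first line of its message.
$summary = $events |
    Group-Object Log, Source, EventID |
    Sort-Object Count -Descending |
    ForEach-Object {
        $byTime = $_.Group | Sort-Object TimeGenerated
        $first  = $byTime | Select-Object -First 1
        $last   = $byTime | Select-Object -Last 1
        New-Object PSObject -Property @{
            Count   = $_.Count
            Log     = $first.Log
            Type    = $first.EntryType
            Source  = $first.Source
            EventID = $first.EventID
            Latest  = $last.TimeGenerated
            Message = ($first.Message -split "`r?`n")[0]
        }
    }

"Error/Warning events since $since ($($events.Count) total)" | Out-File $ReportPath
$summary |
    Format-Table Count, Log, Type, Source, EventID, Latest, Message -AutoSize |
    Out-String -Width 200 |
    Out-File $ReportPath -Append

# Assumption: Malwarebytes 2.x service names start with 'MBAM'. Recording
# their state alongside the log summary shows whether real-time protection
# was actually running when the errors above were logged.
$mbam = Get-Service -Name 'MBAM*' -ErrorAction SilentlyContinue
if ($mbam) {
    "`nMalwarebytes services:" | Out-File $ReportPath -Append
    $mbam | Format-Table Name, Status, DisplayName -AutoSize | Out-String | Out-File $ReportPath -Append
}

Get-Content $ReportPath
```

Run it as an administrator from a PowerShell prompt (for example `.\eventlog-check.ps1 -Hours 48`) right after each install step and again after the reboot that follows it. Comparing the report against the one saved with the previous image makes it easy to spot which step introduced a new Source/EventID pair, which is the same question Ron is asking but with a written record instead of scrolling through Event Viewer.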
