Solved MalwareBytes Can't Delete Problems it Finds

August 5, 2012 at 15:01:45
Specs: Windows XP & Win7
On my wife's XP computer Google results are being redirected to spurious webpages. I've run MalwareBytes and it finds these two issues:

HKLM\System\CurrentControlSet\Services\BITS|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.

HKLM\System\CurrentControlSet\Services\wuauserv|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.

When told to delete them the program indicates it's done so successfully, but on reboot they're still there.

I don't know if this is causing the Google problem, but I'd like to clear it out just in case.

How do I remove these things?

By the way, I also ran Avira but it didn't detect these two issues.

Edited to add:

I've run MalwareBytes in Safe Mode






#1
August 5, 2012 at 16:22:43
Use this very good guide as a starting point, with a bit of luck, it will be enough.

http://www.selectrealsecurity.com/m...



#2
August 5, 2012 at 19:52:34
I ran the series. There's good news and bad news.

The good news is it looks like it fixed the Google sending to random locations.

The bad news, it didn't remove the two bad registry items.



#3
August 5, 2012 at 20:07:39
"By the way, I also ran Avira but it didn't detect these two issues"
The baddies are always ahead of the goodies.
Malware Prevention
http://www.malwarevault.com/index.html
"There is no magic involved. The majority of malware is installed by the user themselves"

"The bad news, it didn't remove the two bad registry items."
That's not unusual. Now work your way through the guide I gave you; with a bit of luck, that's all you will need.
http://www.selectrealsecurity.com/m...




#4
August 5, 2012 at 23:31:11
" now work your way, through the the guide I gave you, with a bit of luck, that's all you will need."

I did. That's what I meant by 'I ran the series'. It didn't help with the two items.



#5
August 5, 2012 at 23:40:28
"I did. That's what I meant by 'I ran the series' It didn't help with the two items"

Ok, can I see all the logs please.



#6
August 7, 2012 at 00:07:21
Run these 3 progs in EXACTLY the order listed and don't reboot till after the last scan:
1- rkill.exe
http://www.technibble.com/rkill-rep...
2- tdss killer
http://support.kaspersky.com/faq/?q...
3- Malwarebytes
http://www.filehippo.com/download_m...

If that doesn't fix it, run them all again, ONLY this time in safe mode.
Then run Ccleaner Slim
http://www.piriform.com/ccleaner/bu...
Clean out all your junk files and then click on the registry icon and delete ALL the obsolete entries found till it runs clean

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#7
August 7, 2012 at 17:42:29
OK. Here are all the logs that were produced. Some apps didn't create a log.

====================================================

MiniToolBox by Farbar Version: 23-07-2012
Ran by huck (administrator) on 07-08-2012 at 12:44:49
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================
Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
"Reset IE Proxy Settings": IE Proxy Settings were reset.

"Reset FF Proxy Settings": Firefox Proxy settings were reset.


**** End of log ****

====================================================
====================================================

Ran TDSSKiller and it found nothing.

====================================================
====================================================

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.03.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
huck :: RED [administrator]

8/7/2012 4:00:08 PM
mbam-log-2012-08-07 (16-00-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221107
Time elapsed: 13 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKLM\System\CurrentControlSet\Services\BITS|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.
HKLM\System\CurrentControlSet\Services\wuauserv|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

====================================================
====================================================

[code]
HitmanPro 3.6.1.163
www.hitmanpro.com

Computer name . . . . : RED
Windows . . . . . . . : 5.1.3.2600.X86/1
User name . . . . . . : RED\huck
License . . . . . . . : Free

Scan date . . . . . . : 2012-08-07 12:49:06
Scan mode . . . . . . : Normal
Scan duration . . . . : 3m 34s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 1
Traces . . . . . . . : 209

Objects scanned . . . : 534,050
Files scanned . . . . : 36,848
Remnants scanned . . : 149,617 files / 347,585 keys

Malware _____________________________________________________________________

C:\Documents and Settings\huck\Desktop\mfc40foobaruudll.temp
Size . . . . . . . : 68,096 bytes
Age . . . . . . . : 263.8 days (2011-11-17 17:12:42)
Entropy . . . . . : 7.0
SHA-256 . . . . . : CFF40897A5C731FFC9824FB6C3FB56AD343F7C19A927D2C9E6E9350C7B17A62C
Product . . . . . : Microsoft® Windows® Operating System
Publisher . . . . : Microsoft Corporation
Description . . . : Syriac Standard Keyboard Layout
Version . . . . . : 5.1.2600.0
Copyright . . . . : © Microsoft Corporation. All rights reserved.
> G Data . . . . . . : Gen:Variant.Graftor.4111 (Engine A)
> DrWeb . . . . . . : Trojan.Juan.699
> Ikarus . . . . . . : Win32.SuspectCrc!IK
Fuzzy . . . . . . : 111.0


Cookies _____________________________________________________________________



[/code]
====================================================

At this point I again ran MalwareBytes to see if the problem had been removed and it hadn't.

I then ran the sequence suggested by XpUser4Real. I ran the sequence first in regular mode and again in Safe Mode. The only new log is Rkill which follows.

====================================================
====================================================


Rkill 2.0.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 08/07/2012 03:18:30 PM in x86 mode.
Windows Version: Windows XP

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* C:\WINDOWS\system32\sstray.exe (PID: 180) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings.

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

* No issues found.

Restarting Explorer.exe in order to apply changes.

Program finished at: 08/07/2012 03:19:00 PM
Execution time: 0 hours(s), 0 minute(s), and 30 seconds(s)

====================================================
====================================================

I then reran CCleaner which I had run earlier and got no different result.


NONE OF THIS GOT RID OF the original problem:

HKLM\System\CurrentControlSet\Services\BITS|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.
HKLM\System\CurrentControlSet\Services\wuauserv|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.

from MalwareBytes



#8
August 8, 2012 at 03:46:37
✔ Best Answer
"Registry Data Items Detected: 2
HKLM\System\CurrentControlSet\Services\BITS|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.
HKLM\System\CurrentControlSet\Services\BITS|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot"

Note the incorrect spelling in each path > fystem. It is telling you that is Bad, & what it should be > System, is Good.

Go into the registry (Regedit) & change permissions for each key to > Allow changes.
Use the Modify option to change the 'f' within '%fystemRoot%' to an 'S' so it becomes '%SystemRoot%' on both.

Upload screen shots on to a site of your choice & post the links here, if you need help.

If your skills are OK to proceed with regedit: after you close regedit, reboot & run MBAM again.



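A checker for the two MBAM detections discussed in this thread, added here as an example (it is not code from the thread, from Malwarebytes or from the poster): it parses "Registry Data Items Detected" lines in the format quoted above and flags service ImagePath values that use a lookalike variable such as %fystemRoot% instead of %SystemRoot%. It runs offline on constructed sample lines; reading the live registry on a Windows host (for example with winreg) is assumed, not shown.

```python
"""Added example, not code from the thread or from Malwarebytes: parse MBAM
"Registry Data Items Detected" lines and check service ImagePath values for
the lookalike variable (%fystemRoot% vs %SystemRoot%). Runs offline on
constructed sample input; reading the live registry (winreg) is assumed."""
import re

# Canonical ImagePath for BITS and wuauserv on XP, as the MBAM log states.
EXPECTED_IMAGEPATH = {
    "BITS": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "wuauserv": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}

# One MBAM registry-data line: KEY|VALUE (Name) -> Bad: (x) Good: (y) -> action
MBAM_LINE = re.compile(
    r"^(?P<key>[^|]+)\|(?P<value>\S+) \((?P<name>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$"
)
ENV_VAR = re.compile(r"%([^%]+)%")


def normalize(path: str) -> str:
    """Registry paths and variable names are case-insensitive; compare
    lowercased with whitespace collapsed so only real differences remain."""
    return " ".join(path.lower().split())


def parse_mbam_line(line: str):
    """Return the fields of one MBAM registry-data line, or None."""
    m = MBAM_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["service"] = fields["key"].rsplit("\\", 1)[-1]
    return fields


def check_imagepath(service: str, value: str):
    """Classify an ImagePath value: 'ok', 'hijacked' or 'unknown'."""
    expected = EXPECTED_IMAGEPATH.get(service)
    if expected is None:
        return "unknown", "no baseline for this service"
    if normalize(value) == normalize(expected):
        return "ok", ""
    # A variable other than %SystemRoot% is not defined on a stock system,
    # so the value never expands to the real System32\svchost.exe.
    odd = [v for v in ENV_VAR.findall(value) if v.lower() != "systemroot"]
    if odd:
        return "hijacked", f"lookalike variable %{odd[0]}%; expected {expected}"
    return "hijacked", f"unexpected value {value!r}; expected {expected}"


def triage(log_lines):
    """Map each flagged service to its verdict and the exact value to set."""
    report = {}
    for line in log_lines:
        f = parse_mbam_line(line)
        if f is None or f["value"].lower() != "imagepath":
            continue
        verdict, why = check_imagepath(f["service"], f["bad"])
        report[f["service"]] = {"verdict": verdict, "why": why,
                                "set_to": f["good"]}
    return report


# Constructed sample: the two lines from the thread plus an unrelated line.
SAMPLE_LOG = [
    r"HKLM\System\CurrentControlSet\Services\BITS|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.",
    r"HKLM\System\CurrentControlSet\Services\wuauserv|ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.",
    "Files Detected: 0",
]

if __name__ == "__main__":
    for svc, r in triage(SAMPLE_LOG).items():
        print(f"{svc}: {r['verdict']} ({r['why']}) -> set ImagePath to {r['set_to']}")
```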

#9
August 8, 2012 at 10:03:20
Thanks

Plus three words



#10
August 8, 2012 at 12:33:28
You ran the progs I listed in the wrong order.




#11
August 8, 2012 at 12:37:00
You have no way to know what order I ran them in other than what I told you. I told you I ran them as you said and don't appreciate your implication I was untruthful.

In case you missed it, I said:

"I then ran the sequence suggested by XpUser4Real. I ran the sequence first in regular mode and again in Safe Mode. The only new log is Rkill which follows."

Definition of sequence:

"order of succession"
"continuity of progression"
"a sequence is an ordered list"



#12
August 8, 2012 at 13:32:55
"Thanks"
YW, nice work.


#13
August 8, 2012 at 17:21:46
Thanks for the explanation, Jim ;-)

I was going by the list you posted...




