
Thread: Trojan?

  1. #11
    Junior Member (Join Date: May 2007; Posts: 25)

    Slight problem, I haven't got the Spybot icon showing in my Taskbar. I've gone into the Control panel and made sure it is ticked as "Always Show", applied and O.K.d but it doesn't appear. I'm sure it has been there in the past, but I normally have most items hidden.

  2. #12
    Malware Team-Emeritus (Join Date: Jul 2007; Location: Little Red Dot; Posts: 507)

    Hello,

    You can ignore the first 2 steps for disabling Spybot Teatimer.
    Tashi Delek. There is sunshine in a smile. Those who do not give up all have hope.

    Please do not message me for help. Create a new topic in the Malware Removal room instead.

  3. #13
    Junior Member (Join Date: May 2007; Posts: 25)

    Posting this from another machine. Just run ComboFix - it initially flagged up that Recovery Console was already installed, so after waiting for a couple of minutes I restarted it and it completed as per the instructions. When the log file had been produced the Spybot Teatimer popped up, first with a warning about Epson printer drivers which I denied, then "KernelFaultCheck". At this point I will wait for your advice.

  4. #14
    Malware Team-Emeritus (Join Date: Jul 2007; Location: Little Red Dot; Posts: 507)

    Can you try it in Safe Mode?

    There are a lot of changes that need to be made, and Teatimer will interfere. Hopefully, Safe Mode won't.

  5. #15
    Junior Member (Join Date: May 2007; Posts: 25)

    May be a while - I got into Safe Mode but found that there are no icons for Avast! or Spybot in the Taskbar, so I will have to reboot back into normal mode, disable them, and then go back to Safe Mode.

  6. #16
    Malware Team-Emeritus (Join Date: Jul 2007; Location: Little Red Dot; Posts: 507)

    They aren't active in Safe Mode.

  7. #17
    Junior Member (Join Date: May 2007; Posts: 25)

    Oh well... Just started again in Safe Mode, I will try and copy the logs via a USB stick so I can post them via this P.C. and leave the NEC running in Safe Mode.

  8. #18
    Junior Member (Join Date: May 2007; Posts: 25)

    It's just finished scanning, produced a logfile and now the TeaTimer's popped up again...

  9. #19
    Junior Member (Join Date: May 2007; Posts: 25)

    New HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:47:19, on 09/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
    C:\Program Files\Apoint2K\HidFind.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Desktop Calendar\Desktop Calendar.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
    O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [InnovativeMemoryOptimizer] C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe
    O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S136.tmp" /EF "HKLM"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus...an_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1159614706021
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6278 bytes


    And Combofix log:

    ComboFix 08-08-08.08 - Owner 2008-08-09 17:28:38.2 - NTFSx86 MINIMAL
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
    .

    2008-08-09 11:39 . 2008-08-09 11:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-08-09 11:39 . 2008-08-09 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-08-03 10:42 . 2008-08-03 10:42 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-23 17:01 . 2008-07-23 17:12 <DIR> d-------- C:\Program Files\Desktop Calendar
    2008-07-19 22:01 . 2008-07-19 22:01 <DIR> d-------- C:\Program Files\Google
    2008-07-18 13:27 . 2008-07-18 13:27 <DIR> d-------- C:\Program Files\IZArc
    2008-07-10 13:54 . 2008-08-09 16:57 7,575,584 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-07-10 13:54 . 2008-08-09 16:57 78,092 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-07-10 13:51 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-07-10 13:51 . 2008-07-10 13:53 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-09 10:13 --------- d-----w C:\Program Files\Mozilla Thunderbird
    2008-08-05 12:26 24,360 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-07-29 21:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
    2008-07-26 16:51 --------- d-----w C:\Program Files\Java
    2008-07-25 19:23 --------- d-----w C:\Program Files\Microsoft Works
    2008-07-18 15:54 --------- d-----w C:\Program Files\NCH Swift Sound
    2008-07-10 12:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-09 08:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2008-07-06 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-07-06 20:59 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-07-06 20:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-06-26 15:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
    2008-06-26 15:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CopyToDvd
    2008-06-26 12:13 --------- d-----w C:\Program Files\ConvertHelper
    2008-06-21 22:34 --------- d-----w C:\Program Files\QuickTime
    2008-06-21 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-06-21 22:31 --------- d-----w C:\Program Files\Apple Software Update
    2008-06-21 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-12 17:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2006-09-21 19:31 81,920 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
    2006-09-21 19:31 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
    "Desktop Calendar"="C:\Program Files\Desktop Calendar\Desktop Calendar.exe" [2003-10-31 12:38 442368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-04-09 17:10 135168]
    "SECEDIT"="C:\Drivers\SECEDIT.EXE" [2005-05-26 23:07 24576]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 10:47 131072]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 13:16 185896]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 15:38 78008]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "InnovativeMemoryOptimizer"="C:\Program Files\Innovative Solutions\Innovative System Optimizer - version 1.9\MemoryOptimizer.exe" [2004-05-27 18:02 581120]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk
    backup=C:\WINDOWS\pss\Secunia PSI (RC1).lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
    -ra------ 2006-12-15 08:54 61440 C:\WINDOWS\emMON.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2007-01-13 10:47 163840 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    --a------ 2006-10-11 12:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    --a------ 2007-01-13 10:46 135168 C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "CLSched"=2 (0x2)
    "CLCapSvc"=2 (0x2)
    "CyberLink Media Library Service"=2 (0x2)
    "gusvc"=3 (0x3)
    "Fax"=2 (0x2)
    "AOL ACS"=2 (0x2)
    "WebrootSpySweeperService"=2 (0x2)
    "CiSvc"=3 (0x3)
    "seclogon"=2 (0x2)
    "RasMan"=3 (0x3)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "ERSvc"=2 (0x2)
    "WebClient"=2 (0x2)
    "SSDPSRV"=3 (0x3)
    "PolicyAgent"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "C:\\Program Files\\AOL 9.0\\waol.exe"=
    "C:\\APPS\\Powercinema\\PowerCinema.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\system32\\fxsclnt.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 15:35]
    S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 15:37]
    S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 03:12]
    S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys [2005-08-22 00:45]
    S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-02-19 09:24]
    S3 USB28xxBGA;USB 2860 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 13:20]
    S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 13:19]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fb37896-f7a3-11da-b1cf-00038a000015}]
    \Shell\AutoRun\command - E:\autorun.bat
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h7sbz40n.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.tiscali.co.uk/index_first.html


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-09 17:32:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-09 17:35:48
    ComboFix-quarantined-files.txt 2008-08-09 16:35:37
    ComboFix2.txt 2008-08-09 15:28:31

    Pre-Run: 15,667,888,128 bytes free
    Post-Run: 15,646,527,488 bytes free

    154 --- E O F --- 2008-07-09 14:57:34

  10. #20
    Malware Team-Emeritus (Join Date: Jul 2007; Location: Little Red Dot; Posts: 507)

    Hello,

    1. Please download Malwarebytes' Anti-Malware and save it to a convenient location.
    2. Double click on mbam-setup.exe to install it.
    3. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    4. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
    5. Select the Scanner tab. Click on Perform full scan, then click on Scan.
    6. Leave the default options as they are and click on Start Scan.
    7. When done, you will be prompted. Click OK, then click on Show Results.
    8. Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
    9. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.


    In your next reply, please post:

    1. A new HijackThis log
    2. Malwarebytes' Anti-Malware scan report
