Need help with infected laptop

Discussion in 'Malware Help (A Specialist Will Reply)' started by Klepton, Feb 11, 2014.

  1. Klepton

    Klepton Private E-2

    To give some background, this is a friend's old laptop running Windows XP Pro SP3 (32-bit). When he brought it to me, I booted it up and after the boot-up sequence completed, all I could see was the desktop's wallpaper. I could not see any icons nor the Start menu. I was able to start Task Manager via Ctrl+Alt+Del and I tried File->Run "explorer.exe" to see if I could get the desktop icons back, but the process would start and immediately disappear from TM. I tried booting up in all 3 variations of Safe Mode, but it didn't help. I then proceeded to use Hiren's Boot CD and was able to run Malwarebytes' Anti-Malware from it based on some instructions elsewhere. Unfortunately, I didn't save the log from it as it was run from the Boot CD's mini-XP OS. I also tried to run an Anti-Virus from it, but wasn't able to do so successfully. After several tries to run an Anti-Virus scan, I decided to try booting up the laptop again and this time it booted up normally. The computer had an outdated version of Java so I removed it. When using the browsers, there were many popups, redirects and page loadups. Therefore, I proceeded to download the following programs and run them:

    Malwarebytes' Anti-Malware 1.75.0.1300
    Spybot - Search & Destroy 2.3
    SUPERAntiSpyware 5.7.0.1018
    SpywareBlaster 5.0
    CCleaner 4.10.4570
    AVG 2014 Free

    I removed everything MBAM found. I immunized the system and removed everything Spybot found. I removed everything SAS found. I removed everything AVG found.

    When trying to install the latest Java version, I get a "Java Setup" window with the following error:

    Java Setup

    Installation Failed

    The wizard was interrupted before Java 7 Update 51 could be completely installed. To complete installation at another time, please run the setup again.

    Click "OK" to exit the wizard.


    I tried uninstalling and reinstalling the latest version of Java many times using different methods and I am not able to successfully install it. I keep getting the same error no matter what I try. I tried deleting the "incomplete/partial install" using Comodo Programs Manager as well as trying to get rid of all traces of JRE using JavaRa 2.5. When trying to install it I tried both the online method and the offline method to no avail.

    I then noticed that the laptop started responding slower and would eventually just hang. Therefore, I deleted some suspicious programs using Add/Remove Programs from the Control Panel, others using Revo Uninstaller (once I downloaded it), and others using Comodo Programs Manager (once I downloaded it and uninstalled Revo Uninstaller). I also deleted several startup items using CCleaner, however I did not run its Cleaner or Registry scan. I read about AVG using up too many resources, especially on an old laptop with only 2GB of RAM. I proceeded to uninstall AVG and ran into some complications. After several attempts using different methods, I was finally able to completely remove AVG from the system. I read that Avast! is light on resource usage, so I downloaded the free latest version of it. I ran a Quick Scan first then a Full Scan later. Both times, Avast! found something and I quarantined/removed the results.

    I know, I know, I should've just come here immediately after being able to boot up the laptop successfully to follow the Malware Removal Procedure. So after all I did prior to coming here, I am still not able to install Java and am not sure that I got rid of all Malware. Therefore, I have gone through the Malware Removal Procedure exactly as instructed. I only had a problem running RogueKiller. I tried it twice and both times got a BSOD with some long message of which I captured only the following:

    Technical information:

    *** STOP: 0x0000008E (0xC0000005, 0xB9E9A630, 0xA7267C78, 0x00000000)

    *** cumon.sys - Address B9E9A630 base at B9E85000, DateStamp 4e64a35f


    Attached are the logs from the Malware Removal Procedure scans.
    *Note - there is no RKreport[1].txt log, since I wasn't able to run RogueKiller
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have far too much security software installed. This is going to cause much conflict. Uninstall 2 of the 3 below before we continue any further!

    • ZoneAlarm Security
    • Microsoft Security Essentials
    • avast! Free Antivirus



    • Exit any programs that you may have started. Shutdown protection software too.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • Rerun RogueKiller ( if running Vista,Win7, or Win8 user right-click and select Run as Administrator to run ) for WinXP and Win 2K just double click to run
    • Wait until Prescan has finished
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and attach the content of the Notepad into your next reply.
    • The log should be found in a new RKreport[x].txt on your Desktop
    • Exit/Close RogueKiller and reboot your PC.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Re run Hitman Pro and have it remove these:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  3. Klepton

    Klepton Private E-2

    Ok, I removed Microsoft Security Essentials. For ZoneAlarm Security, I only have the firewall installed so I didn't remove it. I did, however, disable both ZoneAlarm firewall and Avast! Antivirus before proceeding.

    As for RogueKiller, I again got a BSOD when I tried to "Run" it with the following error:

    A problem has been detected and Windows has been shut down to prevent damage to your computer.

    If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

    Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

    Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

    Technical information:

    *** STOP: 0x0000008E (0xC0000005, 0xB9ECA630, 0xA7880C78, 0x00000000)

    *** cumon.sys - Address B9ECA630 base at B9EB5000, DateStamp 4e64a35f


    It's basically the same error as before with only a couple of the addresses being slightly different under the Technical Information. Oh, a debug log file was created, but it is empty. I'm attaching it anyway.

    JRT ran fine and I'm attaching its log.

    When running HitmanPro, I forgot to click on "Save Log". I re-ran it and this time it only found 2 results. One that was a Suspicion, which I Ignored since you didn't have it listed for removal and another that I had already tried to delete the first time (HKLM\SYSTEM\ControlSet001\Services\ca82e1a5\ (FLV Player)). I tried deleting it again and saved the log I am attaching. For some reason it is not deleting this entry. I confirmed this by running it a 3rd time and this entry still shows as a result (in addition to the Suspicion I chose to Ignore).

    GetLogs.bat ran fine and I'm attaching its logs.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman, see if it finds this entry, let it remove it.


    Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the lspmiy.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move pcprotect.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    If it is already in the Remove section, just click Finish.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O23 - Service: Util Whilokii - Unknown owner - C:\Program Files\Whilokii\bin\utilWhilokii.exe (file missing)
    After clicking Fix exit HJT.


    Delete these if you see them:
    • C:\Program Files\Whilokii
    • C:\Documents and Settings\All Users\Application Data\5d2fa9b631cdbb79
    • C:\Documents and Settings\All Users\Application Data\mgfohdffndkbemebjfkogkljhilgknhp


    Give Ccleaner a run. Not the registry scanner, just the cleaner itself to be rid of a chunk of temp files.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. Klepton

    Klepton Private E-2

    Ok, I ran Hitman. It did detect the item in question. I selected for it to get Deleted and continued. However, I suspected it didn't really get deleted...just like the previous times I ran it.

    I then ran LSP-Fix. I didn't see a "lspmiy.dll" file in the Keep section, but then figured it must've been a typo on your part as in the next step you stated to Select the >> button to move "pcprotect.dll". So I moved the "pcprotect.dll" file from the Keep section to the Remove section and clicked on Finish.

    I disabled Anti-virus and Firewall, and then ran analyse.exe. I exited all browsers and deleted the Util Whilokii service. After clicking on Fix, it asked me to reboot.

    After rebooting, I disabled AV and ZA. I didn't find the Whilokii folder under C:\Program Files since I had deleted that a while back. I did find the numerically-named folders under Application Data and deleted them. By the way, I re-ran Hitman to see if my suspicion was correct and sure enough, it still detects the HKLM\SYSTEM\ControlSet001\Services\ca82e1a5\ (FLV Player) PUP. Like previously, it is not able to Delete it. I am attaching the Hitman log.

    I ran CCleaner and cleaned the results.

    I ran GetLogs.bat and am attaching the MGlogs.zip file.

    The system seems to be running ok. Should I try re-installing Java now, since that was one of the problems I was having previously? Also, I forgot to mention that I had previously been having trouble updating Google Chrome, so I had removed it. However, when I had previously tried to re-install it, the installation would fail. Should I try reinstalling Google Chrome now as well?
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's try manually.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Re run Hitman again and attach log.


    It was, I apologise.

    Yes, try now to reinstall Java and Google Chrome. Let me know how you get on.
     
  7. Klepton

    Klepton Private E-2

    Ok, I did get a Success message when executing the fixME.reg file.

    I re-ran Hitman and this time it only detected the HKLM\SYSTEM\ControlSet001\Services\ca82e1a5\ (FLV Player) PUP and not the Suspicious file: C:\Monitor.exe. This file does exist; is it needed? Anyhow, I selected Delete for the PUP and hit Next. This time I did see a message about it attempting to remove it. Once completed I saved the log and exited. For sanity check, I re-ran Hitman and again it detected the PUP in question. Again, I selected Delete and it supposedly removed it again. I still don't think it's been deleted, though. I have attached both logs.

    I tried installing Java using the online method (i.e. jxpiinstall.exe) and got an error about some uncompressed file as well as a warning from Avast!. I added an exception for it in Avast!. The next time I tried to install it, I used the offline method (i.e. jre-7u51-windows-i586-iftw.exe) and I received the same error I had gotten all the other times I had tried to install Java as shown below:

    Java Setup

    Installation Failed

    The wizard was interrupted before Java 7 Update 51 could be completely installed. To complete installation at another time, please run the setup again.

    Click "OK" to exit the wizard.


    I then used Comodo Programs Manager to remove the partial/incomplete installation and all traces of Java it found. It removed hundreds of Java files and registry entries. It asked me to reboot so I did. After reboot, I tried to further remove any traces of JRE using JavaRa 2.5 (i.e. JavaRa.exe). It removed 455 additional entries. I then proceeded to try to reinstall Java and again I received the Installation Failed error posted above. The strange part is that even though I got the installation error and Comodo Programs Manager currently lists it as a "Partially Uninstalled Application", when I go to the Verify Java Version website it says "Congratulations! You have the recommended Java installed (Version 7 Update 51).". However, I don't see a Java entry in the Control Panel or under Add/Remove Programs.

    As for Google Chrome, I was able to successfully install it.
     


    Last edited: Feb 13, 2014
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go into the registry manually and delete that key if you are comfortable doing so. Then of course, rescan with Hitman and let me know how you get on. The Java thing you are going to have to post about in the software forum I think.
     
  9. Klepton

    Klepton Private E-2

    Ok, I manually deleted the key from the registry.

    I then ran Hitman and this time nothing was detected. I'm attaching the log.

    As for the file I asked you about previously, what is "monitor.exe" and is it needed? Why is it in C:\? I also see a "monitorsvc.exe" file in C:\. Is that also needed?

    By the way, this laptop was set to turn off the display, turn off the hard disk and go into Standby mode after some time. Therefore, I would have to wait a while for it to re-obtain an internet connection after waking it up. However, the last time I woke it up it presented me with a pop-up window with the following error:

    Data Execution Prevention - Microsoft Windows

    To help protect your computer, Windows has closed this program.

    Name: Windows Explorer
    Publisher: Microsoft Corporation

    Data Execution Prevention helps protect against damage from viruses and other security threats.


    Do you know what that's about? I wasn't doing anything other than waking up the computer after it had been inactive for a while and went into Standby mode.
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Zip them up and attach them for me to look at.

    Could you please get this: monitor.exe into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip

    Do the same for monitorsvc.exe
     
  11. Klepton

    Klepton Private E-2

    Ok, I've zipped the files and am attaching them. Remember, the C:\monitor.exe file is the one that Hitman used to detect as a "Suspicion". I always left it as "Ignore" (never deleted it), therefore I don't know why it didn't show up in the latest Hitman scans.
     


  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  13. Klepton

    Klepton Private E-2

    No, I have never installed that. If these are not windows/system files, then I'd like to get rid of them if it's safe to do so.

    As for the "Data Execution Prevention - Microsoft Windows" pop-up error I received as I described in my second to the last reply, do you know what it refers to?
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can delete the two files yourself manually, or you can have Hitman fix them for you. Your choice. Let me know how you get on.
    Topic for the software forum. Not malware related. :)
     
  15. Klepton

    Klepton Private E-2

    Well, as the last Hitman log I attached shows, a Hitman scan no longer detects anything. I deleted monitorsvc.exe manually. I wasn't able to delete monitor.exe initially because I got a message about it being used. I searched for it in Task Manager and there was a process by the same name. I ended the process and then deleted the file. I will reboot and see if that service really wasn't needed.

    I will pursue the Java issue in the Software forum. However, how can the other issue not be a Malware problem when part of its error message specifically mentions viruses as follows?:

    Data Execution Prevention helps protect against damage from viruses and other security threats.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just one example where no malware is involved.
     
  17. Klepton

    Klepton Private E-2

    Ok, thanks for the heads up. What's the next step?
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ready for final steps now? All running well? (Apart from what we discussed)
     
  19. Klepton

    Klepton Private E-2

    Yes, things seem to be running smoothly for now.
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work thru the below link:
     
  21. Klepton

    Klepton Private E-2

    Thank you very much for all your help!
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome, Klepton, safe surfing! :)
     
