DaveyWavey

Members
  • Posts: 8
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. Last post... Unhide did its job. Everything back. "System Fix" quicklaunch (and shortcut that appeared after unhide completed) pointed to the exe in AppData that I had deleted previously. Recycle bin they go... Unhide also fixed the Malwarebytes update issue -- I tried running the update on the freeware version prior to installing the PRO and the update worked with no error messages. My guess is that the System Fix attribute changes included a read only attribute for whatever folder Malwarebytes uses for the update. This issue can be closed... Now if I can just get rid of that Google redirect...
  2. Malwarebytes finds 0 infected items. Unhide crunching away with directories and files showing up in a semi-random fashion. Looks like it is working. "System Fix" icon showing in Quicklaunch -- hopefully pointing to an empty directory or file that is no longer there... Purchased MalwarebytesPRO and will install after unhide is done. Hopefully this will fix the update issue I was having and provide future protection... Hoping next post with final result is last one...
  3. Rebooted with JOY! Gray screen (missing wallpaper), programs still hidden, and quick launch buttons missing. But no pop-ups and taskman fires up with a 3 finger salute. Still getting error on Malwarebytes Update... Any ideas on that problem? Also, will unhide return attributes for the file structure? Thanks.
  4. Update: Downloaded rkill and ran. Processes terminated by Rkill or while it was running: C:\WINDOWS\system32\cidaemon.exe C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\5W401YN0\uSeRiNiT[1].exe Then went in and deleted the rogue exes. Then ran mbam. Currently scanning. I expect it to find the bad reg entries and then remove them... Crossing fingers....
  5. Finally got DDS to work... Looks like 2 rogue exes in AppData created about the same time as I got infected... . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20 Run by Dave at 11:21:39 on 2011-12-03 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.262 [GMT -7:00] . . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\svchost.exe -k hpdevmgmt C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\ZuneBusEnum.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Logitech\ioSoftware\LPTrySvr.exe C:\Program Files\Common Files\Anoto\DockingEngine.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe C:\Program Files\Zune\ZuneLauncher.exe C:\Documents and Settings\All Users\Application Data\NaAlgcphpofdVU.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Documents and 
Settings\Dave\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe C:\Documents and Settings\All Users\Application Data\MYBFzRZ0YNBqrM.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\WINDOWS\system32\attrib.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\WINDOWS\system32\cidaemon.exe . ============== Pseudo HJT Report =============== . uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = localhost;*.local uSearchURL,(Default) = hxxp://www.google.com/keyword/%s BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program 
files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [spark] c:\program files\spark\Spark.exe uRun: [EPSON PictureMate (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2P1.EXE /P26 "EPSON PictureMate (Copy 1)" /M "PictureMate" /EF "HKCU" uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe uRun: [Google Update] "c:\documents and settings\dave\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack mRun: [Logitech Pen TrayIcon Server] c:\program files\logitech\iosoftware\LPTrySvr.exe mRun: [Logitech Pen Docking Engine Server] c:\program files\common files\anoto\DockingEngine.exe mRun: [soundMan] SOUNDMAN.EXE mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE mRun: [Adobe Acrobat Speed 
Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe" mRun: [<NO NAME>] mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe" mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [EPSON PictureMate (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2P1.EXE /P26 "EPSON PictureMate (Copy 1)" /O5 "LPT1:" /M "PictureMate" mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe" mRun: [NaAlgcphpofdVU.exe] c:\documents and settings\all users\application data\NaAlgcphpofdVU.exe uPolicies-explorer: NoDesktop = 1 (0x1) mPolicies-explorer: RevertWebViewSecurity = 1 (0x1) IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL Trusted Zone: intuit.com\ttlc Trusted Zone: turbotax.com DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - 
hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135113565000 DPF: {89242969-422B-46BF-B0D5-6A7B7DC4D0E0} - file:///C:/Documents%20and%20Settings/Dave/Local%20Settings/Temp/SimpleShare_NASFinder/NASFinder-050809/html/nafcom.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - 
hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 TCP: Interfaces\{3B3A41A1-08D1-4EA0-926C-7795EBA2C6C4} : DhcpNameServer = 75.75.75.75 75.75.76.76 TCP: Interfaces\{507EDAF8-AA82-448E-BED1-7F39FB114EC5} : DhcpNameServer = 192.168.11.1 SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll Hosts: 10.140.9.12 bcref Hosts: 10.140.9.17 bctl1 Hosts: 10.140.9.22 bctl2 Hosts: 10.140.9.27 bctl3 Hosts: 10.140.9.32 bctl4 . Note: multiple HOSTS entries found. Please refer to Attach.txt . ================= FIREFOX =================== . 
FF - ProfilePath - c:\documents and settings\dave\application data\mozilla\firefox\profiles\pr11a8rx.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z192&install_date=20110815 FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20110815&q= FF - plugin: c:\documents and settings\dave\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll . ---- FIREFOX POLICIES ---- FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.04.06);user_pref(general.useragent.extra.zencast, ============= SERVICES / DRIVERS =============== . 
R0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys [2005-12-20 164256] R2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter-a.exe [2011-8-19 423536] R2 vmware-converter-server;VMware vCenter Converter Standalone Server;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2011-8-19 423536] R2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2011-8-19 423536] R2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [2011-7-12 22768] R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-12-3 41272] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664] S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2011-3-15 54384] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664] S3 LapUsb;Logitech io Pen USB driver;c:\windows\system32\drivers\LapUsb.sys [2004-10-16 68571] S3 SUSCOM;Susteen Serial port driver;c:\windows\system32\drivers\SUSCOM.SYS [2002-10-22 40448] S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624] S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?] S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528] . =============== Created Last 30 ================ . 
2011-12-03 17:58:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-12-02 18:11:51 352392 ---ha-w- c:\documents and settings\all users\application data\MYBFzRZ0YNBqrM.exe 2011-12-02 05:35:43 444552 ---ha-w- c:\documents and settings\all users\application data\NaAlgcphpofdVU.exe 2011-11-30 03:25:09 -------- d--h--w- C:\HP Universal Print Driver 2011-11-28 05:20:34 -------- d-----w- c:\documents and settings\dave\local settings\application data\VMware 2011-11-28 05:20:33 -------- d--h--w- c:\program files\VMware . ==================== Find3M ==================== . 2011-11-27 18:20:42 60416 ---h--w- c:\windows\ALCFDRTM.VER 2011-11-26 17:46:40 414368 ---h--w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll 2011-09-28 07:06:50 599040 ---ha-w- c:\windows\system32\crypt32.dll 2011-09-26 17:41:20 611328 ---h--w- c:\windows\system32\uiautomationcore.dll 2011-09-26 17:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll 2011-09-26 17:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll 2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys . ============= FINISH: 11:34:20.04 ===============
  6. Got a nasty last night on an XP system. Symptoms:
     • Wallpaper no longer present.
     • Boots initially to a gray screen that then turns black
     • Program Files folder shows empty
     • "Windows detected a hard disk problem" followed by repeated "Windows - Delayed Write Failed" errors
     • taskman unavailable
     • All taskbar shortcuts are gone
     • Several popups on taskbar:
       1. "Hard drive clusters are partly damaged. Segment load failure"
       2. "Critical Error - Windows OS can't detect a free hard drive space. hard drive error"
       3. etcetera...
       (Clicking on the balloons pulls up "System Fix" which cannot be closed and places a shortcut for System Fix on the taskbar)

     cmd available, so I navigate to mbam directory and execute. mbam DB 7904 (10/8/2011) is out of date, so check for updates. Update appears to download (7.12 MB), but then error: "An error has occurred. Please report this error code to our support team. PROGRAM_ERROR_UPDATING (5, 0, CreateFile) Access is denied." Clicking on OK, mbam will continue to load with the old DB.

     Full scan in safe mode finds 9 registry items infected. Remove and reboot. Same symptoms including inability to update mbam. Quick scan finds 7 registry items infected. Remove and reboot. Same symptoms appear again. Repeat scan, remove, reboot -- same behavior, no joy. I am willing to continue to repeat scans in the hope that iteration will eventually get rid of all of them, but am concerned that something is not being detected due to the 2 month old DB. Is there a way to manually update the DB? Or am I chasing the wrong rabbit down the hole and should be doing something else?

     Next step, download DDS, copy to desktop and run. Results are a series of hash marks for much longer than 3 minutes, followed by several lines of "Access Denied", whereupon DDS (I believe) restarts the scan, and repeats until I kill the cmd shell. Thanks.
  7. Update: Another quickscan pulls the 7 registry items up again. Reboot to same behavior...
  8. Got a nasty last night on an XP system. Symptoms:
     • Wallpaper no longer present.
     • Boots initially to a gray screen that then turns black
     • Program Files folder shows empty
     • "Windows detected a hard disk problem" followed by repeated "Windows - Delayed Write Failed" errors
     • taskman unavailable

     cmd available, so I navigate to mbam directory and execute. mbam DB 7904 (10/8/2011) is out of date, so check for updates. Update appears to download (7.12 MB), but then error: "An error has occurred. Please report this error code to our support team. PROGRAM_ERROR_UPDATING (5, 0, CreateFile) Access is denied." Clicking on OK, mbam will continue to load with the old DB.

     Full scan in safe mode finds 9 registry items infected. Remove and reboot. Same symptoms including inability to update mbam. Quick scan finds 7 registry items infected. Remove and reboot. Same symptoms appear again. I am willing to continue to repeat scans in the hope that iteration will eventually get rid of all of them, but am concerned that something is not being detected due to the 2 month old DB. Is there a way to manually update the DB? Or am I chasing the wrong rabbit down the hole and should be doing something else? Logs for both scans mentioned above are attached. Thanks.

     Logs.zip.zip
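The DDS output quoted in post 5 above is a good illustration of how the two rogue executables stood out before any signature caught them: hidden attribute, sitting in All Users\Application Data, created the night of the infection, and present in the running-process list. The Python below is an added example written for this page, not part of the thread or of the DDS tool; it parses the "Created Last 30" / "Find3M" line format into records and scores each executable on those four signals so that a responder reading such a log can rank what to look at first. The sample lines and running-process paths are constructed from the posted log, and the infection window dates are an assumption based on the poster's "last night".

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# One "Created Last 30" / "Find3M" line: timestamp, size (dashes for a
# directory), eight attribute flags, then the path (which may contain spaces).
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl")
# Locations any XP user process can write to; a hidden executable there weighs
# more than one in c:\windows\system32, where most Find3M hits are patches.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\",
                 "\\temporary internet files\\")
WEIGHTS = {"hidden": 2, "user_dir": 2, "running": 1, "window": 1}

# Constructed sample: lines copied from the DDS log quoted in the thread.
SAMPLE_ENTRIES = r"""
2011-12-03 17:58:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-02 18:11:51 352392 ---ha-w- c:\documents and settings\all users\application data\MYBFzRZ0YNBqrM.exe
2011-12-02 05:35:43 444552 ---ha-w- c:\documents and settings\all users\application data\NaAlgcphpofdVU.exe
2011-11-30 03:25:09 -------- d--h--w- C:\HP Universal Print Driver
2011-11-28 05:20:34 -------- d-----w- c:\documents and settings\dave\local settings\application data\VMware
2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll
"""
# Constructed sample: a few paths from the log's "Running Processes" section.
SAMPLE_RUNNING = {
    r"C:\WINDOWS\system32\wuauclt.exe",
    r"C:\Documents and Settings\All Users\Application Data\NaAlgcphpofdVU.exe",
    r"C:\Documents and Settings\All Users\Application Data\MYBFzRZ0YNBqrM.exe",
}
# Assumed infection window: the poster says "last night" before the 2011-12-03 log.
INFECTION_WINDOW = (datetime(2011, 12, 1), datetime(2011, 12, 3))


@dataclass
class Entry:
    created: datetime
    size: Optional[int]
    attrs: str        # e.g. "---ha-w-": index 0 = directory, 3 = hidden, 4 = archive
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def executable(self) -> bool:
        return not self.is_dir and self.path.lower().endswith(EXEC_EXT)


@dataclass
class Finding:
    path: str
    score: int
    reasons: List[str]


def parse_dds_entries(text: str) -> List[Entry]:
    """Turn the DDS file-listing sections into Entry records; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                             size, m["attrs"], m["path"]))
    return entries


def score_entry(e: Entry, running: Set[str],
                window: Tuple[datetime, datetime]) -> Tuple[int, List[str]]:
    """Weigh the four signals visible in the log; non-executables score 0."""
    if not e.executable:
        return 0, []
    p = e.path.lower()
    running_lc = {r.lower() for r in running}
    reasons = []
    if e.hidden:
        reasons.append("hidden")
    if any(d in p for d in USER_WRITABLE):
        reasons.append("user_dir")
    if p in running_lc:
        reasons.append("running")
    if window[0] <= e.created <= window[1]:
        reasons.append("window")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(text: str, running: Set[str], window: Tuple[datetime, datetime],
           threshold: int = 4) -> List[Finding]:
    """Return entries at or above the threshold, highest score first."""
    findings = []
    for e in parse_dds_entries(text):
        score, reasons = score_entry(e, running, window)
        if score >= threshold:
            findings.append(Finding(e.path, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES, SAMPLE_RUNNING, INFECTION_WINDOW):
        print(f"{f.score} {f.path}  [{', '.join(f.reasons)}]")
```

On the sample above only the two Application Data executables clear the threshold; the hidden inetcomm.dll in system32 scores 2 (hidden alone is common for patched system files) and the Malwarebytes driver scores 0. The weights and the threshold are a starting point for reading a log, not a verdict; anything flagged still needs a hash lookup or a look at the file before it is deleted.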