DownHillSkier

Everything posted by DownHillSkier

  1. I have all files you requested (WinK32Diag.txt, OLT.txt, Extras.txt and MalwareBytes Logs). However, when I copied them here, the Forum said my post was too long. I will zip OLT.txt and Extras.txt and include as an attachment.

     Running from: F:\Forum\Win32kDiag.exe
     Log file at : C:\Documents and Settings\Rob K\Desktop\Win32kDiag.txt
     WARNING: Could not get backup privileges!
     Searching 'C:\WINNT'...
     Finished!

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4052
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 7.0.5730.13
     5/11/2010 11:48:27 PM
     mbam-log-2010-05-11 (23-48-27).txt
     Scan type: Quick scan
     Objects scanned: 124759
     Time elapsed: 9 minute(s), 59 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 5
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 1
     Files Infected: 2
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     HKEY_CLASSES_ROOT\valueableshoppingtips.valueableshoppingtips (Adware.PlayMP3z) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\valueableshoppingtips.valueableshoppingtips.1 (Adware.PlayMP3z) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\AppID\ValueableShoppingTips.dll (Adware.PlayMP3z) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Adware Professional (Rogue.AdwarePro) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\ValueableShoppingTips (Adware.PlayMP3z) -> Quarantined and deleted successfully.
     Registry Values Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
     Registry Data Items Infected:
     (No malicious items detected)
     Folders Infected:
     C:\Documents and Settings\All Users\Start Menu\Programs\Adware Professional (Rogue.AdwarePro) -> Quarantined and deleted successfully.
     Files Infected:
     C:\WINNT\system32\drivers\rppbdmcqpfviuksm.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
     C:\Documents and Settings\All Users\Start Menu\Programs\Adware Professional\Uninstall Adware Professional .lnk (Rogue.AdwarePro) -> Quarantined and deleted successfully.

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4052
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 7.0.5730.13
     5/12/2010 6:50:25 AM
     mbam-log-2010-05-12 (06-50-25).txt
     Scan type: Full scan (C:\|)
     Objects scanned: 176074
     Time elapsed: 1 hour(s), 6 minute(s), 20 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 4
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     (No malicious items detected)
     Registry Values Infected:
     (No malicious items detected)
     Registry Data Items Infected:
     (No malicious items detected)
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     C:\Qoobox\Quarantine\C\Program Files\Adware Professional\nutilities.dll.vir (Rogue.Agent) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINNT\system32\scecli.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{194E8605-F2D6-4C99-9F5C-59984A886ED8}\RP5\A0000534.dll (Rogue.Agent) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{194E8605-F2D6-4C99-9F5C-59984A886ED8}\RP5\A0000539.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4052
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 7.0.5730.13
     5/12/2010 6:42:40 PM
     mbam-log-2010-05-12 (18-42-40).txt
     Scan type: Full scan (C:\|E:\|)
     Objects scanned: 230382
     Time elapsed: 1 hour(s), 31 minute(s), 42 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     (No malicious items detected)
     Registry Values Infected:
     (No malicious items detected)
     Registry Data Items Infected:
     (No malicious items detected)
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     E:\WINDOWS\TEMP\GLB8313.TMP (Adware.BonziBuddy) -> Quarantined and deleted successfully.
     E:\WINDOWS\TEMP\GLBB005.TMP (Adware.BonziBuddy) -> Quarantined and deleted successfully.

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4052
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 7.0.5730.13
     5/12/2010 12:00:39 AM
     mbam-log-2010-05-12 (00-00-39).txt
     Scan type: Quick scan
     Objects scanned: 124729
     Time elapsed: 9 minute(s), 57 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     (No malicious items detected)
     Registry Values Infected:
     (No malicious items detected)
     Registry Data Items Infected:
     (No malicious items detected)
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     (No malicious items detected)

     OTL_Extras.zip
  2. Okay, here we go.....

     1) Ran Win32KDiag.exe. Ran much faster than first time and file much smaller. Unfortunately, I am in the office and the .txt file is home, so I can't post it. Will do if needed tomorrow.

     2) Downloaded Inherit.exe and copied into c:program Files\Malwarebytes' Anti-Malware. Then dragged MBAM.exe into it. Received this error: "Windows Script Host Can't find script engine "VBScript" for Script "C:\Documents and Settings\Rob K\Local Settings\Temp\info.vbs".

     3) Then downloaded OTL to desktop, made the edits as indicated, pasted script into Custom scan and ran it. However, Notepad is gone from my computer, therefore never received the files OTL.txt or Extras.txt. As an attempted remedy, I changed the program to open .txt files in Word in folder options. Still produced no .txt files.

     At this point I was very frustrated, so I ran ComboFix. It deleted files and folders of some strange antivirus software (Something like "Ad ware professional"). Not the Adaware from Lavasoft we are familiar with. Then, I re-installed MalwareBytes, and IT RAN!!!!!!!!!! It found a rootkit (TDDSS, I think) and 8 other files associated with the files Combofix deleted. Then ran a full scan, and found another rootkit and some other stuff.

     I am not sure this has fixed it. I am still getting errors when I try to run or delete some programs on my desktop that you asked me to download. For example, received this error when I tried to delete OTL.exe from desktop: "Error Cannot delete OTL.exe: Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use". Also, HiJack this will not run.

     Sorry, I did not post the actual files. I forgot to bring USB stick with me today. Still, this is the first time since I got MalwareBytes to run! Any suggestion on how to proceed? Thanks for your help
  3. Below is the Win32KDiag.txt file:

     Running from: C:\Rob\Win32kDiag.exe
     Log file at : C:\Documents and Settings\Robert K\Desktop\Win32kDiag.txt
     Removing all found mount points.
     Attempting to reset file permissions.
     WARNING: Could not get backup privileges!
     Searching 'C:\WINNT'...
     Found mount point : C:\WINNT\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINNT\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
     Cannot access: C:\WINNT\system32\dumprep.exe
     Attempting to restore permissions of : C:\WINNT\system32\dumprep.exe
     Cannot access: C:\WINNT\system32\MRT.exe
     Attempting to restore permissions of : C:\WINNT\system32\MRT.exe
     Cannot access: C:\WINNT\system32\scecli.dll
     Attempting to restore permissions of : C:\WINNT\system32\scecli.dll
     [1] 2004-08-04 01:56:44 180224 C:\WINNT\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)
     [1] 2003-06-20 06:00:00 114448 C:\WINNT\$NtUpdateRollupPackUninstall$\scecli.dll (Microsoft Corporation)
     [1] 2008-04-13 18:12:05 181248 C:\WINNT\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)
     [1] 2008-04-13 18:12:05 60928 C:\WINNT\system32\scecli.dll ()
     [2] 2008-04-13 18:12:05 181248 C:\WINNT\system32\sceclt.dll (Microsoft Corporation)
     Cannot access: C:\WINNT\system32\wbem\wmiprvse.exe
     Attempting to restore permissions of : C:\WINNT\system32\wbem\wmiprvse.exe
     Finished!
  4. The OS is Windows XP 32 professional with sp3. I ran the program you suggested Win32KDiag.exe. Attached is the file. I was watching it for about 15 minutes and it appeared to keep repeating. Hope this helps, and THANK you for helping me with this issue. Win32kDiag.txt
  5. I followed your directions and here are the results:

     1) Downloaded Defogger. It ran (Disable) and I selected finish (no errors). However, it never asked for a reboot, so I did it manually.

     2) Downloaded and ran DDS. A DOS screen popped up and closed within 3 seconds. The log files (DDS.txt and Attach.txt) were never generated. Perhaps I missed one of the script blockers. Please advise where these are found.

     3) Downloaded and ran GMER Rootkit Scanner. It ran for about 15 minutes and then shut down. I tried to run it again and got this error message: "Windows cannot access the specified device, path, or file. You may not have the appropiate permissions to access the item" This is the same message I get when I try and run Malwarebytes a second time from the desktop icon. Also, tried to delete the GMER icon from desktop and received this error: "Cannot delete whlk6go9: Access denied Make sure the disk is not full or write protected and that the file is not currently in use"

     Again, this is the same message I receive with other antivirus software, but I can remove them in Control Panel and then reinstall. However, nothing works! What else can I do? Thank you
  6. Hi, My computer's OS is XP 32 sp3 Professional and MalwareBytes will not run. It will install, but when I select it to run, it says "preparing to start", then after about 3 - 5 seconds, the program stops and will not open again. I have tried renaming the .exe, tried running in safe mode, tried Rkill, exehelper. Nothing seems to work. Lavasoft Adaware will not run, as well as Windows defender, Webroot and others. I have since removed all antivirus software and disconnected the computer from the internet. Any suggestions will be greatly appreciated. Also, HJT will try and run, but once it completes, it shuts down. Thanks