
MBAM will not run


jkim


the contents of Win32kDiag.txt:

Running from: C:\Documents and Settings\Soup\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Soup\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2009-02-06 04:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2004-08-04 04:00:00 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 04:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 04:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()

[1] 2004-08-04 04:00:00 218112 C:\i386\wmiprvse.exe (Microsoft Corporation)

Finished!


Click on Start -> Run... and copy-paste the following command (the command below) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Give it enough time to run.


Unless I did something wrong, it finished pretty quickly . . . contents of Win32kDiag.txt:

Running from: C:\Documents and Settings\Soup\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Soup\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Finished!


Please follow these steps:

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here. mbam-setup.exe

Launch the program. Then go to the UPDATE tab if not done during installation and check for updates.

Restart the computer again and verify that you can run a quick scan.

  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please do an online scan with Kaspersky WebScanner

Kaspersky Online Scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :

  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 18.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u18-windows-i586.exe and select "Run as an Administrator.")


The following was the log report from running MBAM as directed . . . I will also run the Kaspersky Online Scan next and post the log, but it may take a while to scan (it took ~5-6 hours last time).

Malwarebytes' Anti-Malware 1.44

Database version: 3748

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/16/2010 7:27:32 PM

mbam-log-2010-02-16 (19-27-32).txt

Scan type: Quick Scan

Objects scanned: 129231

Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 3

Registry Data Items Infected: 1

Folders Infected: 2

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mev (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


The following is the report from the Kaspersky scan:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, February 17, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Wednesday, February 17, 2010 01:40:47

Records in database: 3542910

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 223823

Threats found: 2

Infected objects found: 3

Suspicious objects found: 0

Scan duration: 05:42:11

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir Infected: Trojan.Win32.Koblu.ccb 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000031.exe Infected: Trojan.Win32.Koblu.ccb 1

C:\_OTL\MovedFiles\02162010_141302\C_Program Files\MyWaySA\SrchAsDe\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.aw 1

Selected area has been scanned.


Hi, jkim. :)

Congratulations. Detections are quarantined files and files backed-up by Windows.

Reset and re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

  1. Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
  2. Reboot.
  3. Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-check Turn off System Restore.
    • Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.

  • Click START then RUN
  • Now copy and paste "c:\documents and settings\Soup\Desktop\Combo-Fix.exe" /Uninstall in the runbox (including the quotation marks) and click OK.

Launch OTL and click on the Cleanup button. Follow the prompts.

Go to Start -> Run, copy and paste the following command (including the quotation marks) and press Enter:

"%Userprofile%\desktop\maxlook.exe" -cleanup

Manually remove the rest of the tools.

Create a Restore point:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

Something that concerns me in your system is that lots of files lost their signature. You can read about file signatures here. I have consulted with colleagues and they have suggested reinstalling SP3. I have never had to do this, so the outcome is uncertain. The SP3 package is a whopping 316.4 MB download. I will give you the steps provided by Microsoft to remove SP3 and the download link. I would suggest you back up your personal documents, in case something goes wrong. Here are the instructions:

Download Windows XP Service Pack 3 to your desktop:

Uninstalling Service Pack 3 (SP3)

  1. Click Start, and then click Run.
  2. Copy and then paste the following command in the Open box, and then press ENTER:

    appwiz.cpl

  3. Click to select the Show Updates check box.
  4. Click Windows XP Service Pack 3, and then click Remove.
  5. Click Finish to restart the computer after the removal process is complete.

Reinstalling Service Pack 3

  1. Navigate to the Service Pack 3 installation package on your desktop and click on it.
  2. Click Express.
  3. Click "I Accept" on the installation window after reading the terms and conditions and install the program.
  4. Follow the prompts thereafter.
  5. Restart your computer.

Let me know about your decision and/or outcome.


First of all, thank you so much for your time, patience, and help . . . I appreciate what you guys do, and if there is some way to support you guys or the website please let me know . . .

I will attempt the reinstall of SP3 (rolled the dice so far) after backing up my personal files . . . (will there be an issue using the files I back up down the road if they don't have a signature?)

I was also able to manually remove all the remaining tools except RootRepeal - it says access denied . . . should I just leave it or is there a way around it?

I was also wondering about protection . . . is the full version of MBAM (with the realtime protection) sufficient to prevent similar infections in the future? And if not, is there another AV program you recommend?

And just out of curiosity, what was the 'very special infection' that I had?


Personal files need no signature. So you will be safe there.

I would recommend Avast as an anti-virus. The full version of Malwarebytes' Anti-Malware is a good investment. MBAM is kept up to date, so it will keep you protected against new variants.

Concerning RootRepeal, download this program and save it to your desktop. Drag and drop RootRepeal onto Inherit.exe, then wait for it to say "OK". Try to remove RootRepeal.

Keep me posted.

> And just out of curiosity, what was the 'very special infection' that I had?

It is an infection that rips files' permissions and creates mount points to block everything in your computer. The Access Denied you are experiencing with RootRepeal is an example of the type of problems it creates, as was your lost access to Explorer.exe. The infection is neutralized, but it may leave the files' permissions borked.

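The three symptoms the helper describes (a rogue mount point, a file whose ACL was stripped, and a copy of a system binary whose publisher can no longer be read) are all visible in the Win32kDiag output posted at the top of this thread. The script below is an added example, not part of the thread or of the Win32kDiag tool: it parses that log text and reports each symptom so a responder does not have to eyeball the lines. The rule that a legitimate mount-point destination lives under the `\??\` namespace is an assumption stated in the code.

```python
import re
from collections import defaultdict

# Win32kDiag output copied from the first post in this thread (the poster's own log).
WIN32KDIAG_LOG = r"""
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe
[1] 2009-02-06 04:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2004-08-04 04:00:00 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 04:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 04:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
# [n] <date> <time> <size> <path> (<publisher>)  -- publisher may be empty
FILE_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


def analyze(text):
    """Return findings from a Win32kDiag log: dicts with kind, path and detail."""
    findings, pending_mount, files = [], None, []
    for line in text.splitlines():
        if m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_mount:
            dest = m.group(1)
            # Assumption: real junctions and volume mount points resolve into the
            # \??\ namespace; a destination such as \Device\__max++>\^ is suspect.
            if not dest.startswith("\\??\\"):
                findings.append({"kind": "suspicious_mount_point", "path": pending_mount, "detail": dest})
            pending_mount = None
        elif m := DENIED_RE.match(line):
            findings.append({"kind": "access_denied", "path": m.group(1),
                             "detail": "ACL probably stripped; reset permissions on this file"})
        elif m := FILE_RE.match(line):
            files.append((m.group(3), int(m.group(2)), m.group(4)))
    # Group copies of the same file name; a copy whose publisher could not be read,
    # while a same-size sibling reports one, deserves a hash comparison.
    by_name = defaultdict(list)
    for path, size, publisher in files:
        by_name[path.rsplit("\\", 1)[-1].lower()].append((path, size, publisher))
    for copies in by_name.values():
        for path, size, publisher in copies:
            sibling = next((p for p, s, pub in copies if s == size and pub), None)
            if publisher == "" and sibling:
                findings.append({"kind": "publisher_unreadable", "path": path,
                                 "detail": f"same-size copy at {sibling} reports a publisher; compare hashes"})
    return findings
```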