PhilliePhan 171 Central Scrutinizer Team Colleague

OK, thanks. Yes, this looks like it's going to be a busy week for me also, so I understand. I should have a lot of spare time next week since I start my vacation then. Happy Thanksgiving to you too, and thanks for the help as usual.

Happy to try to help!

-- Try copy&pasting and see if that will work now that subinacl has run.

I hope to be pretty busy through New Years - trying to cram in as much work as I can, given how slow my last few months have been.

With any luck, we can get this sorted out - I think the machine is pretty clean. We just need to repair the damage done by the malware.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you as always, and I totally understand :) What do you think about the new 1TB Seagate? Is it worth it? If it's big enough, I can supposedly use it as a scratch disk for my drawing programs. I actually priced the one you posted this weekend and was trying to decide between it and the larger one.

I have never had a problem with Seagate - have five of them and three are at least 5 years old and still as good as new.....
Haven't looked too much at the big drives, though, so I couldn't say about the TB.....

-- I think as far as protection goes, you ought to be OK with Avira as your AV. Just keep it updated.

I imagine Windows Defender is onboard, so that will give some "real-time" protection.

If you keep your SpybotSD updated and use the "immunize" feature, that will help. An alternative would be SpywareBlaster.

Keep your MBAM on hand for "on demand" scanning, as needed. Be sure to update it before scanning.

I would also suggest a decent Firewall - ZoneAlarm has an easy learning curve and is OK.
Comodo might be a better choice, but if you don't want their AV as well, you have to de-select it at install.
Or, you could remove Avira and go with the complete Comodo Suite.
Whatever you want to do.

Also, you should update your …

PhilliePhan 171 Central Scrutinizer Team Colleague

How would I go about getting junction.exe into my Windows folder? I can't cut and paste or drag and drop.... I would have to use the cmd prompt somehow, right?

You can use the copy command. Let's just put it on the C:\ Drive:

Copy G:\junction.exe C:\junction.exe

I'm assuming G for usb drive - you'll need to change it if different, of course.

I am going to be posting hit and miss for the next 4-5 days - I imagine you'll be pretty busy too. Please bear with me.

Happy Thanksgiving :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah, that would be great if you could list the registry keys that need to be deleted.

Sorry for late reply - trying to cram in some extra work before the holidays.

First, let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

If you have backed up the registry with ERUNT, let's see if we can remove that key:

Click START > Run > Type regedit and hit OK to open registry editor.

Drill down to the following Key(s):
HKLM\SYSTEM\ControlSet001\Services\UACd.sys

If these are separate, then they'll need to go too:
HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath
HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system


If any of these do in fact remain, RightClick them and try to delete them.
Be sure to delete only the EXACT keys listed above.

Let me know if you run into trouble.

Also, have a look for these files - they should be gone, but may as well verify it. You'll need to enable the …

PhilliePhan 171 Central Scrutinizer Team Colleague

So I made the system freeze up.... As I said, this was most likely my fault; I should know better. I was trying to push her beyond her limits, I think...

I think you are right - probably pushing a bit hard + Vista needs a good deal of RAM.

I think I need to get a new external hard drive, just in case; that way, if I have to wipe it, I don't have to rely on disks and my Zip drive. Do you have any recommendations?

I am partial to Seagate (and Newegg, for that matter):
Seagate FreeAgent Desk 640GB USB 2.0 Silver External Hard Drive

Let me go over your thread and see what we need to add/update or remove in the way of security apps, etc...
I am taking on some extra work before the holidays, so posting will be spotty - please bear with me....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Everything looks OK outside of those (orphaned) registry keys. It's very odd to me that neither MBAM nor combofix removed them.
I imagine the associated files are long gone.
We can try to remove those keys manually, if you feel up to poking around the registry......

-- Since you had to restore the compy, please update and run MBAM again.

-- These two need to be uninstalled. Update them to the latest, more secure versions at their respective sites:

Adobe Reader 7.0
J2SE Runtime Environment 5.0 Update 4

http://www.java.com/en/
http://www.adobe.com/products/reader/

I suggest removing this as well:
Viewpoint Media Player

Also, I suggest you/she back up her registry with ERUNT every month.
Especially if you want to try to remove those orphaned keys.

Please post the new MBAM log.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

This file is almost 500,000 KB big... so that isn't even really anything from the doc. I hope those show you something?

Yeah - looks like the tool ran properly. No worries there.
Let's try to verify that:
Please extract junction.exe from the Junction.zip you downloaded and place junction.exe in your C:\Windows directory.
Start a command prompt and type:
junction -s > C:\Logit.txt ENTER
Let the tool run and then post the C:\Logit.txt for me.

-- Also, download a fresh MBAM and see if it will install and run now.


PP:)
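Added example (not part of the thread or PhilliePhan's instructions): a PowerShell counterpart to running Sysinternals junction.exe with `-s` and redirecting to C:\Logit.txt. It walks the system drive, records every reparse point that is a junction or symbolic link together with its target, writes the list to a log, and then calls out links whose target lies outside the usual Windows, Program Files, ProgramData and Users trees. The log path C:\Logit.txt is taken from the thread; the "expected trees" list is an assumption for triage, not something the thread states. It needs PowerShell 5.1 or later on Windows for the LinkType and Target properties, so on the Vista-era machine in the thread junction.exe (or `fsutil reparsepoint query`) remains the tool.

```powershell
# Added example, not from the thread: list junctions/symlinks on the system drive
# the way "junction -s > C:\Logit.txt" does, and flag unusual targets.
# Requires PowerShell 5.1+ (LinkType/Target). Log path taken from the thread.
$logPath = 'C:\Logit.txt'
$root    = "$env:SystemDrive\"

function Get-ReparseLinks {
    param([string]$Path)
    # PowerShell 7 does not follow links while recursing; Windows PowerShell 5.1 does,
    # but the built-in compatibility junctions deny directory listing, which stops loops.
    Get-ChildItem -Path $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType } |       # drop reparse points that are not links (dedup, cloud placeholders)
        ForEach-Object {
            [pscustomobject]@{
                Type   = $_.LinkType          # Junction or SymbolicLink
                Path   = $_.FullName
                Target = ($_.Target -join ';')
            }
        }
}

$links = @(Get-ReparseLinks -Path $root)
$links | Sort-Object Type, Path | Format-Table -AutoSize | Out-String -Width 4096 | Set-Content -Path $logPath

# Windows creates a known set of compatibility junctions, e.g. "C:\Documents and Settings"
# -> "C:\Users" and "C:\Users\<name>\Application Data" -> "...\AppData\Roaming"; those are
# expected. The "expected trees" below are an assumption used only to order the review.
$expected = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, "$env:SystemDrive\Users") |
    Where-Object { $_ }
$odd = $links | Where-Object {
    $t = $_.Target
    -not ($expected | Where-Object { $t -like "$_*" })
}
"{0} link(s) logged to {1}; {2} with a target outside the usual trees." -f $links.Count, $logPath, @($odd).Count
$odd | Format-Table -AutoSize
```

The log it writes is a table rather than junction.exe's line format, but the information a helper reads from it (every link and where it points) is the same, and the "outside the usual trees" subset is the part to look at first.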

PhilliePhan 171 Central Scrutinizer Team Colleague

Oh if you insist, and it isn't too much trouble.
What happens first?

Follow the steps in Post #41 and we'll go from there.

I do not know what it is that I am missing. Perhaps a little confusion in the whole process - my "automating" it probably made it more difficult.....

The fact that Litestep works is encouraging - It is likely something simple.

Also, if you prefer to keep Litestep, I believe it is possible to keep it and run it along with explorer.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Only a couple of strange things now: I keep having to reinstall programs. I try to open a program, and it comes up and says this is only for an installed program.

That's odd - can you give me the exact error message? Definitely need to see that before I can make any suggestions.

On the plus side, those other logs look good, so I think you are OK as far as malware goes.
Not sure about the system instability - that can be chalked up to any number of things, not the least being the malware and all of the (powerful) tools we have run during the course of this process.

Let me know about the error messages - I'd like to get that sorted before we start adding and removing any programs.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

It will not let me cut and paste it in here... it is a very big log. I've tried it on 4 different computers now. I guess I can email it or something, but I couldn't get it to even pull up on 2 of the computers.

EDIT: It will let me cut and paste it a little at a time, but not if I select all. It is too big to do a little at a time, though.... I tried it for about 30 min and didn't even have 1/8 of the log highlighted.

Can you zip it and attach it using the "manage attachments" button?

If not, highlight a bunch of it and post that for me - I'd like to see if it is throwing a bunch of errors.


Better yet, use the edit feature to search for "Elapsed time" - there should be Eight occurrences of this. When you find those, post me the block of data between Elapsed time and Last Done or Last Failed.

Here's an example:

Elapsed Time: 00 00:13:10
Done: 337110, Modified 337108, Failed 2, Syntax errors 0
Last Done : HKEY_LOCAL_MACHINE\SYSTEM........
Last Failed: HKEY_LOCAL_MACHINE....... 5 Access is denied.

Hang in there - We may get this sorted by Christmas, LOL :)

PP
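Added example (not part of the thread): a small PowerShell parser that pulls the "Elapsed Time / Done / Last Done / Last Failed" summary blocks out of a large subinacl log, so the blocks PhilliePhan asks for can be posted without scrolling a multi-hundred-thousand-line file. It reads the layout quoted above and, on the "Last Failed" line, separates the object from the Win32 error code and its text (5 is ERROR_ACCESS_DENIED). The sample log embedded below is constructed for illustration and is not the thread's log; the key names in it are placeholders. To use it on a real log, replace `$sampleLog` with `Get-Content -Path <your log>`.

```powershell
# Added example, not from the thread: extract subinacl per-command summaries.
function Get-SubinaclSummary {
    param([string[]]$Lines)
    $blocks = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^\s*Elapsed Time\s*:\s*(.+)$') {
            $block = [ordered]@{
                Elapsed = $Matches[1].Trim(); Done = 0; Modified = 0; Failed = 0; SyntaxErrors = 0
                LastDone = ''; LastFailed = ''; Error = ''
            }
            # The counts and the two "Last ..." lines directly follow "Elapsed Time".
            $end = [Math]::Min($i + 5, $Lines.Count - 1)
            for ($j = $i + 1; $j -le $end; $j++) {
                $line = $Lines[$j]
                if ($line -match '^\s*Done\s*:\s*(\d+),\s*Modified\s*(\d+),\s*Failed\s*(\d+),\s*Syntax errors\s*(\d+)') {
                    $block.Done = [int]$Matches[1]; $block.Modified = [int]$Matches[2]
                    $block.Failed = [int]$Matches[3]; $block.SyntaxErrors = [int]$Matches[4]
                }
                elseif ($line -match '^\s*Last Done\s*:\s*(.*)$') { $block.LastDone = $Matches[1].Trim() }
                elseif ($line -match '^\s*Last Failed\s*:\s*(.*?)\s+(\d+)\s+(.*)$') {
                    # object, then Win32 error code, then its text; 5 is ERROR_ACCESS_DENIED
                    $block.LastFailed = $Matches[1]; $block.Error = "$($Matches[2]) $($Matches[3])"
                }
                elseif ($line -match '^\s*Last Failed\s*:\s*(.*)$') { $block.LastFailed = $Matches[1].Trim() }
            }
            $blocks += [pscustomobject]$block
        }
    }
    return ,$blocks
}

# Constructed sample in the layout the thread quotes (two of the eight blocks, with filler).
# Key and file names are placeholders, not findings from the thread.
$sampleLog = @'
+Registry\HKEY_LOCAL_MACHINE\SOFTWARE\Example
   /grant=administrators=f  done
+Registry\HKEY_LOCAL_MACHINE\SOFTWARE\Example\Sub
   /grant=administrators=f  done

Elapsed Time: 00 00:13:10
Done:      337110, Modified   337108, Failed   2, Syntax errors 0
Last Done  : HKEY_LOCAL_MACHINE\SYSTEM\Example\LastOk
Last Failed: HKEY_LOCAL_MACHINE\SYSTEM\Example\LockedKey 5 Access is denied.

+File C:\Example\file.dll
   /grant=administrators=f  done

Elapsed Time: 00 00:02:41
Done:       48210, Modified    48210, Failed   0, Syntax errors 0
Last Done  : C:\Example\last.dll
Last Failed:
'@ -split "`r?`n"

$summary = Get-SubinaclSummary -Lines $sampleLog
$summary | Format-Table Elapsed, Done, Modified, Failed, SyntaxErrors, Error -AutoSize
# The blocks with a nonzero Failed count, and what the last failure was, are the ones worth posting.
$summary | Where-Object { $_.Failed -gt 0 } | Format-List Elapsed, Failed, LastFailed, Error
```

A run with no failures shows eight blocks (one per subinacl command in the batch) with `Failed 0`; a block whose last failure reports error 5 names an object the tool could not rewrite even from an elevated prompt, which is the kind of key this thread was chasing.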

PhilliePhan 171 Central Scrutinizer Team Colleague

Had to restart from last known good configuration. Start successful. Not sure if I should retry Avenger?

No - Don't try Avenger again. Something's hinky here.
Normally combofix will remove those with no problem, but it is not in this case.

-- Do you still have the Recovery Console installed?


Let's try this, instead:
Please Download Kaspersky's AVP Tool

-- Save AVP Tool to your Desktop.
-- Please boot to Safe Mode (tap F8 at reboot - Do Not use msconfig!)

Once in Safe Mode:
-- DoubleClick the AVP Tool setup file to run it.
Follow the prompts and it should install to your Desktop Folder
-- If you get a prompt for scanning in Safe Mode, click OK.
-- AVP Tool will open.
-- Click the Manual Cure Tab
-- Click the Collect system information Button and let it run
-- When it finishes, it will say Completed. Report saved to LOG\avptool_syscheck.zip

Please save the log and post it for me.

THEN:
Please select the Automatic Scan Tab
Be sure the following boxes are checked:
• System Memory
• Startup Objects
• Disk Boot Sectors.
• My Computer.
• All other drives

-- Please click the Scan Button.
AVP Tool should Neutralize any objects it finds. If some are left un-neutralized, Click the Neutralize All button.
Note: If an …

PhilliePhan 171 Central Scrutinizer Team Colleague

Did that, using the new shell. I think I shall mark this case solved.
Thank you so much for your help!

You're welcome - happy to help!

Are you sure you don't want to try to sort out the explorer.exe issue?
I know there are many preferable shells (Aston comes to mind as being the best IMO), but it might be nice to try to get to the bottom of the problem.

Whatever you decide is cool with me :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

That is good news indeed! And, a very generous thank-you offer to boot!
Generally, I am happy if people "pay it forward" and do a good turn for somebody else in need. I figure that eventually it'll work its way back to me :)

I'd like to run a couple more tools to check for lingering malware and then we can move on to making sure everything is updated and put some additional protective measures in place.

-- Please Update your MBAM (update tab) and then run the Full Scan and have it remove all it finds.
Post the log for me.

-- Then, please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then click the save button and name the log GMER – 1.log and save it to where you can …

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok - let's have a go at this:

-- Download the attached FixIt.zip and Extract the FixIt Folder from the ZIP and place it on the ill computer.
In the FixIt Folder, you'll find RunThis.bat.
Run that and give it as long as it needs. A log will pop up - please post that for me.
As usual, let me know if any problems with the above.

Busy weekend upcoming - will check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

it is here :)

Finally! LOL! Lovin' that Vista!

See if you are able to install Adobe now - hopefully that will complete OK and then we can look at security again.

Typical busy Fall weekend upcoming - will check in as time permits.

PP:)

jasimp commented: Yay lol, I cheered when I read his post too haha :) +6
PhilliePhan 171 Central Scrutinizer Team Colleague

Exact Name:
Compaq_Administrator

going to look at post 102 now

Great - I'm going to use the same procedure I'm using in another thread to try to restore permissions on the ill compy so we can get things to run.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't have any credit card info on this computer. Thanks for the links I will look them over tonight. So, all that said... Back to the issue at hand.

AllRightyThen - On we go!

Let's try again to set up that reg key and see what happens:

Open another elevated command prompt and Copy&Paste

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS" /v "Installed" /d "1" /f
and hit ENTER

Then, Copy&Paste

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS" /ve /f

and hit ENTER

You should get a confirmation/success message each time. Then, open registry editor and drill down and verify the MSFS key truly exists.

With any luck, that will work :)
PP
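Added example (not part of the thread): the same two `reg add` steps as a PowerShell function that creates the MSFS key under OptionalComponents, sets the `Installed` value to "1" and an empty default value, and then verifies the result. Because the sticking point in this thread was "Access Denied", the function falls through, on failure, to listing the owner and the access entries of the nearest existing ancestor key, which is what you need to see to explain why an elevated prompt still cannot write there. Run it from an elevated PowerShell; the function names are mine, not a Windows or Adobe API.

```powershell
# Added example, not from the thread: create the MSFS key and verify it, or explain the denial.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS'

function Set-MsfsKey {
    param([string]$Path)
    try {
        if (-not (Test-Path -LiteralPath $Path)) {
            # -Force also creates OptionalComponents if it is missing
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }
        # reg add ... /v "Installed" /d "1" /f  -> REG_SZ value "1"
        New-ItemProperty -LiteralPath $Path -Name 'Installed' -Value '1' -PropertyType String -Force -ErrorAction Stop | Out-Null
        # reg add ... /ve /f                   -> empty default value
        New-ItemProperty -LiteralPath $Path -Name '(default)' -Value '' -PropertyType String -Force -ErrorAction Stop | Out-Null
        return $true
    }
    catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        Write-Warning "Access denied writing $Path : $($_.Exception.Message)"
        return $false
    }
}

function Show-KeyWriters {
    # Owner and ACEs of the nearest existing ancestor of $Path: shows whether
    # Administrators/SYSTEM really hold CreateSubKey/SetValue there.
    param([string]$Path)
    $probe = $Path
    while (-not (Test-Path -LiteralPath $probe)) { $probe = Split-Path -Path $probe -Parent }
    $acl = Get-Acl -LiteralPath $probe
    "Nearest existing key: $probe"
    "Owner: $($acl.Owner)"
    $acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited | Format-Table -AutoSize
}

if (Set-MsfsKey -Path $keyPath) {
    $installed = (Get-ItemProperty -LiteralPath $keyPath -Name 'Installed').Installed
    "MSFS key present, Installed = '$installed'"
}
else {
    Show-KeyWriters -Path $keyPath
}
```

If the ACL listing shows Administrators without Full Control, or an owner other than SYSTEM/Administrators/TrustedInstaller on a key under HKLM\SOFTWARE\Microsoft, that is the damage the subinacl step in this thread was meant to repair; fixing the ACL on the parent and re-running the function is the order of operations, not the other way round.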

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, now let's see if I can fit the report on here:
(I left the infected computer just how it was after the scan... it's still on, still in Safe Mode and still has the scan info pulled up)

Well - The vast majority of what was removed were baddies that had been quarantined by combofix and things in System Restore.
So, I'd wager most if not all malware is now gone.

I'd like to try a couple things:
-- Please do the step in post #102 and attach the log for me.
-- What is the exact username you log on to the compy with?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

So now someone has hacked my computer and has gotten all of my information, including my social, which I don't use online so I don't understand that one, and set up all kinds of accounts that charge my phone bill. This may be a completely separate issue but now I have no idea what to do. They are using my email address to do this apparently. Sorry to throw this at you too, but any idea as to what I do to stop it? Do I have to wipe the whole system or can I just change my passwords? :(

That's terrible!

Are you sure you've been hacked? There are a lot of ways to steal identities and defraud people these days....

That said, you did have traces of rootkit activity on your computer when you first posted. The steps crunchie had you perform removed those traces, but I don't think either of us dug any deeper than that. It is quite possible that you could have had a rootkitted trojan on your machine that compromised your information. It could well have been removed before you posted here. Honestly, I didn't think the logs were that bad - 'Course, baddies could have been well hidden.

-- The way you describe it, I am less inclined to think you were hacked. I mean, billing your phone bill? Why not credit card(s)?
And, I imagine your email is given out all over the place. . . .

PhilliePhan 171 Central Scrutinizer Team Colleague

When I get home I'll put together something to remove them just to be safe.

Ok - Let's do this:

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight everything in red below and copy it using Ctrl+C or RightClick > Copy:



Drivers to delete:
UACd.sys

Files to delete:
C:\windows\system32\drivers\UACmlsfkrshab.sys
C:\windows\system32\UACyewybordig.dll
C:\windows\system32\UACobuaiteytn.dll
C:\windows\system32\UACsxrogejixq.dat
C:\windows\system32\UACktapucvber.dll
C:\windows\system32\UACblqpqeupkd.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


-- You may get some errors if the files are already gone. No worries.

PP:)
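Added example (not part of the thread): a read-only PowerShell check for what the Avenger script above and the earlier regedit post target, namely the UACd.sys service entry and the randomly named UAC* files in System32 and System32\drivers. It reports; it does not delete, so the thread's own removal steps (Avenger, regedit) stay the way anything gets removed. Two things it adds to the manual checks: it looks in every ControlSetNNN rather than only ControlSet001, because CurrentControlSet is a link to one of those and a service entry is normally mirrored across them, and it shows the key's owner and each file's Authenticode status. The function names are mine; run from an elevated PowerShell.

```powershell
# Added example, not from the thread: find UACd.sys service keys and UAC* files without deleting.
function Find-UacServiceKeys {
    Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'ControlSet*' } |
        ForEach-Object {
            $svc = Join-Path -Path $_.PSPath -ChildPath 'Services\UACd.sys'
            if (Test-Path -LiteralPath $svc) {
                # A key that exists but whose values or ACL cannot be read even when elevated
                # has a non-default ACL or owner; the Owner column makes that visible.
                $p = Get-ItemProperty -LiteralPath $svc -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Key       = $svc -replace '^.*::', ''      # strip the provider prefix
                    Start     = $p.Start
                    Type      = $p.Type
                    ImagePath = $p.ImagePath
                    Group     = $p.Group
                    Owner     = (Get-Acl -LiteralPath $svc -ErrorAction SilentlyContinue).Owner
                }
            }
        }
}

function Find-UacFiles {
    # The Avenger script names UAC<random>.sys/.dll/.dat in these two folders.
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")
    foreach ($d in $dirs) {
        Get-ChildItem -LiteralPath $d -Filter 'UAC*' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Bytes     = $_.Length
                    Created   = $_.CreationTime
                    Signature = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

$keys  = @(Find-UacServiceKeys)
$files = @(Find-UacFiles)
if ($keys.Count -eq 0 -and $files.Count -eq 0) {
    'No UACd.sys service keys in any ControlSet and no UAC* files in System32 or drivers.'
}
else {
    $keys  | Format-List
    $files | Format-Table -AutoSize
}
```

Treat a match as a suspect rather than a verdict: the prefix match is deliberately broad, and a file that is unsigned, recently created and not present on a known-good copy of the same Windows build is the combination that matters. A service key that is still present after the files are gone is the "orphaned key" situation described elsewhere in this thread.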

PhilliePhan 171 Central Scrutinizer Team Colleague

thank you :)

OK - I was a bit sloppy with that batch file, but not enough to cause that error.
Let's have another go at it:


-- Download the attached FixPerms.zip to your Desktop and Extract the FixPerms Folder from the ZIP to the Desktop.

Then, open an Elevated Command Prompt
At the prompt, Copy&Paste:
"%userprofile%\desktop\FixPerms\RunThis.cmd"
and hit ENTER

Let it run for as long as it takes. A log ought to pop up. Please attach that for me.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#### PERMISSIONS AFTER FIX ####


it was in the correct file, and only took a minute to run?

Let me rewrite it - something's hinky.

Will post it again asap - could be tomorrow, though. Or late tonight.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, no UACd.sys on the correct computer either. There is one called Serial and it has a ! next to it.

OK - I think those might be remnants . . . . or very well hidden.

When I get home I'll put together something to remove them just to be safe.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, thanks again. I guess tonight I will look around the site and figure out how to keep this from happening again.

I'll be happy to suggest some things once we sort this mess out :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It says "FixPerms.cmd is not recognized as an internal or external command, operable program or batch file".

OK - Either it wasn't extracted from the zip or it wasn't located properly.

Try extracting it to the desktop and then Copy and paste FixPerms.cmd into the C:\Program Files\Windows Resource Kits\Tools folder.

Open the elevated command prompt and type or copy&paste:

"C:\Program Files\Windows Resource Kits\Tools\FixPerms.cmd"
and hit Enter

That ought to do it.

If not, I'll rewrite the .cmd file when I get home.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

UACd.sys is not shown under Non Plug and Play Drivers.

OK - those might just be registry remnants. I'm not certain.

We'll just try to pull them out manually - these particular keys can be tricky.

I'm heading out the door - I'll have to post the steps later.

Hang in there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK. Well, right now it's at 54% and has been running for almost 24 hrs. I think it will be done tomorrow right around the time I get home from work.

Still 36 detected threats.

OK . . . I guess it's in no hurry . . . I've never seen that before. LOL!

I really hope it gives us some good progress.

No rush. No worries. I'll be around.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I think I may have found the source of my problem. When I try to start the computer with my last most recent settings that worked, it takes me to the desktop with explorer.exe missing. However, when I choose to run Windows XP, it gives me the blue screen of death. Same with when I try to run Safe Mode.

Combofix noted an MBR problem that seems to be remaining. We need to boot to Recovery Console to address that.
I was hoping to get a stable shell running before we do that.

At reboot, select Recovery Console.
At the command prompt, type: fixmbr ENTER
When done, type exit at the command prompt to restart your machine.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Let me put together that program for the registry. I'll try to post it tonight.

OK - Let's give this a whack at it:

-- Download the attached FixPerms.zip to your Desktop and Extract FixPerms.cmd from the ZIP to the folder where subinacl.exe was installed ---> C:\Program Files\Windows Resource Kits\Tools

Then, open an Elevated Command Prompt
At the prompt, type: cd "%programfiles%\Windows Resource Kits\Tools" ENTER
-- Note cd <space> "%programfiles%. . . . ..

Then, type: FixPerms.cmd ENTER

Let it run for as long as it takes - might be a while as subinacl.exe "walks" the registry.
When it finishes, press any key and a log ought to pop up. Please post that for me.

Let me know if you run into any trouble.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Downloaded and installed new shell, works perfectly.

Great! That ought to make navigating the compy a bit easier.

What I'd like to do is have you Rename all instances of Explorer.exe on your computer to Explorer.OLD.

Open a command prompt and Copy&Paste dir /a /s %systemdrive%\explorer.exe ENTER
Then, navigate to them and RightClick them and rename them.

Then, Delete all instances of Phillies.exe
dir /a /s %systemdrive%\Phillies.exe to find them all...

Then, I'd like to see another Look.bat Log to compare to the others to see what I'm missing.

PP :)
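Added example (not part of the thread): a PowerShell version of the two `dir /a /s` searches above that, before anything is renamed or deleted, lists every explorer.exe and Phillies.exe on the system drive with its size, timestamp, SHA-256 and Authenticode status, and then shows which shell Winlogon is actually configured to start. The point is to tell the genuine explorer.exe from a dropped look-alike before renaming all of them to Explorer.OLD. Function names are mine; it needs PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not from the thread: inventory explorer.exe / Phillies.exe copies with integrity info.
function Find-NamedBinaries {
    param([string[]]$Names, [string]$Root = "$env:SystemDrive\")
    foreach ($name in $Names) {
        Get-ChildItem -Path $Root -Recurse -Force -Filter $name -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Bytes     = $_.Length
                    Modified  = $_.LastWriteTime
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Signature = $sig.Status          # Valid / NotSigned / HashMismatch ...
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

$found = @(Find-NamedBinaries -Names 'explorer.exe', 'Phillies.exe')
$found | Sort-Object Path | Format-Table -AutoSize

# Which shell Windows launches is decided by the Winlogon "Shell" value; a machine-wide
# value lives under HKLM and a per-user override can live under HKCU (alternative shells
# such as LiteStep set it). Anything other than explorer.exe here deserves a look.
foreach ($hive in 'HKLM', 'HKCU') {
    $wl = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    "$hive Winlogon Shell = '$shell'"
}
```

Two caveats when reading the output: Windows system binaries are often catalog-signed, so `NotSigned` alone does not condemn a copy; compare its SHA-256 with a known-good copy from install media or WinSxS for the same build. And copies outside %SystemRoot% (or with a size that differs from the one in %SystemRoot%) are the ones to rename first.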

PhilliePhan 171 Central Scrutinizer Team Colleague

The other scan is 50% complete and has been running for 16-ish hrs... do you want me to stop it to run another scan, or run this one at the same time?

Edit: so far it has detected 36 virus/malware.

My bad - I didn't process that last post properly....

Let's definitely allow AVP Tool to finish this current scan and neutralize/delete the baddies.

Keep me posted on the progress.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Don't know what it means, but something downloaded Microsoft Office Pro yesterday which corrupted my Office Home suite, so I had to remove it and reinstall it. No idea how this happened; it was some file with the name Bootstrap... something, IDK. I think the machine has a mind of its own.

That's odd.
The "bootstrapper" kind of controls the update/install/setup, if I am not mistaken.
Not sure why it would run out of the blue unless it was set to auto-update....

If, after I update, fix or do whatever needs to be done to Acrobat Pro, it works properly, I will not need Acrobat Reader anymore. That could possibly be one of the issues, according to the tech note I read today, because of duplicate plugins or something. I had Reader first and did not uninstall it when I installed the newer Adobe Suite. It may have nothing to do with any of it, though.

We can try uninstalling Reader - let's wait for now. I'd like to try that reg key again.

Thank you for your patience. :) I really do appreciate it.

Happy to help.
I enjoy a challenge as much as the next person :)


Let me put together that program for the registry. I'll try to post it tonight.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

It says start time: 11/18/2009 8:07 PM
Finish Time: 11/21/2009 3:27 PM
lol

Good grief!

Please run the AVP Tool again.
-- Click the Manual Cure Tab
-- Click the Collect system information Button and let it run
-- When it finishes, it will say Completed. Report saved to LOG\avptool_syscheck.zip

Please save the log and post it for me.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

That looks OK.

How are things running?

A few minor things:

-- Looks like you still have remnants of Norton firewall. You should remove them.

All of these need to be uninstalled. Update them to the latest, more secure versions at their respective sites.

Ad-Aware 2007
Adobe Reader 7.0

Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 11
Java(TM) 6 Update 7

http://www.java.com/en/
http://www.adobe.com/products/reader/

I suggest removing these as well:
LimeWire 5.0.11
Viewpoint Manager (Remove Only)
Viewpoint Media Player

You should also enable System Restore . . . or better yet, back up your registry with ERUNT every month.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Today I noticed that around 3 p.m., every time I connect, my web pages are blocked by "OpenDNS" ("this domain is blocked"). Also my e-mail inbox. Thank you for your help, which would enlighten me.

You might have better luck posting here:

http://forum.zebulon.fr/
http://forum.zebulon.fr/securite-f40.html

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry about the delay but I was enjoying my 3hr commute home. :)
Scanning now.

No worries - we're all busy with real life :)

For some reason, combofix is not getting this. It should...

-- Is the recovery console still installed?

Also, see if you can do this:
-- RightClick on MyComputer Icon and select Properties.
-- Select the Hardware Tab and Click on Device Manager.
-- Select the View option and Click on Show Hidden Drivers.
--Scroll down to Non Plug and Play Drivers and Click the + to expand the list.
-- In the list of drivers, RightClick on UACd.sys and Disable it. If asked to confirm, Click Yes.

REBOOT

Don't do anything else - just answer the recovery console question and let me know if the UACd step went OK.
And we'll go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

So I found and did this: http://kb2.adobe.com/cps/331/331303.html and now I can open Acrobat Pro again, but I can't update till I get the disk from the office, because with no plugins the updater no longer works, nor the repair... progress? Maybe.

I am not sure how everything "fits together" with Adobe suite, so I really can't offer much there. My typical solution is to remove it all and try again - but we can't do that here.

-- I'd like to try the registry again with the tool you downloaded.
I am going to put together a little command for it. What is the exact username you log onto the compy with?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

ok, have done this, no problems

Great!

First, use the new account and see if you are able to install Adobe.

It probably won't be that easy . . . . LOL!

If that fails, try using the new account and open an elevated command prompt (as you did when creating new account) and then try the steps in posts 124 and 126.

Let me know how you fare. Back on Thursday.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Downloaded and installed the program

Great! We'll get to that later.
I'd like to try the below first.

Not sure about the admin account; how do I create a new admin account? Seems as though I may have done this before, but I can't remember how or when or why.

Try steps 1 2 7 8 & 9 in the linky below. Be sure to save the new password, etc....

http://www.vistax64.com/tutorials/67567-administrator-account.html

I have to get back to work - If I can't check in later, will be back Thursday.
Let me know if you have any problems with new account creation.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

There are a couple other things I'd like to look at, as well. Will post them as soon as I am able.

OK - We still need to boot to recovery console and run fixmbr, but I think it might be prudent to hold off for the time being.

Please download peek.bat and run it and post me the log.


-- Also, I wonder what would happen if you installed an alternate shell?

Try installing LiteStep and see what happens. Does it work?
I know it is not a solution to the problem at hand, but if it works it could make things a bit easier....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - At quick glance, that looks better. A few more steps left, but before we do them:

-- How are things running?

-- I'd like a fresh GMER Scan. Delete your current copy of GMER and Download a fresh one.

Here's the canned spiel again......

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then click the save button and name the log GMER – 1.log and save it to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

PhilliePhan 171 Central Scrutinizer Team Colleague

As soon as they came up, I immediately started the MBAM setup. When it was setting up, the error 272 started popping up... then when I tried to run the actual scan after setup, I received the 272 error just like before....

OK - let's try whacking at this with a different tool:

Please Download Kaspersky's AVP Tool

-- Move AVP Tool to the Desktop of the ill computer.
-- Please boot to Safe Mode (tap F8 at reboot - Do Not use msconfig!)

Once in Safe Mode:
-- DoubleClick the AVP Tool setup file to run it.
Follow the prompts and it should install to your Desktop Folder
-- If you get a prompt for scanning in Safe Mode, click OK.
-- AVP Tool will open. Please select the Automatic Scan Tab
Be sure the following boxes are checked:
• System Memory
• Startup Objects
• Disk Boot Sectors.
• My Computer.
• All other drives

-- Please click the Scan Button.
AVP Tool should Neutralize any objects it finds. If some are left un-neutralized, Click the Neutralize All button.
Note: If an object cannot be neutralized, select DELETE at the prompt.

When finished, please click the Reports Button and save the log where you can find it easily. Please post that for me.
Also, let me know if you ran into any problems …

PhilliePhan 171 Central Scrutinizer Team Colleague

Will post a CFScript as soon as I can. Hang in there!

OK - Here we go:

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

No change, sorry for making you stress like this. Time to take it to the shop I suppose. Thanks for your help so far!

No stress at all!

I wish I were sitting in front of the ill machine - forum settings are not always best for these issues.

-- I am a bit more busy than I expected to be this week, so please bear with me.

-- I am not sure if we messed something up in the replacement process. Because explorer.exe is "protected," we need to go through the long process of renaming and replacing, etc . . . .

There are a couple other things I'd like to look at, as well. Will post them as soon as I am able.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Let's take another whack at it.

Where would I get the OS disk for that price, though? I'm sure I will need it eventually.

Well . . . That estimation was probably a bit low. I haven't priced XP recently, but I'd imagine you'll find it for significantly less than Vista or 7.

-- Let's have another try with MBAM.
Download a new version and transfer it to ill machine.
-- Also, download RKILL by Grinler. Download all four of these and place them on ill compy:
http://download.bleepingcomputer.com/grinler/rkill.pif
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.exe

First, run RKILL. You only need to run it once. If it runs successfully, a black screen will appear and then disappear.
If one doesn't run, try the next, and so on.

Once RKILL runs, immediately start MBAM and do the quick scan. Remove what it finds and post the log.

Let me know how you fare.

PP:)

jasimp commented: I need popcorn, the suspense is making me so hungry :) +6
PhilliePhan 171 Central Scrutinizer Team Colleague

It's the never ending computer issue... :( Maybe I need a Mac

LOL! . . . Macs have problems too :)

I've been unexpectedly busy this week (not that I'm complaining given the economy) so please bear with me.

-- For the registry issue, please download and install subinacl.exe

We'll have another crack at the registry. My fear, though, is that we'll finally be able to add the desired key and then Adobe will still have an issue with it..... But, I'd still like to give it a try.

-- For the other issues, we'll need another combofix log. Hold off on that for now until I can go back over some things.

-- And, just to complicate things a bit more . . . . Are you able to create a New Administrator account on the ill computer? Let me know.


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Let me put together a CFScript and we can try again. Will try to post it this evening.
Please keep the ill compy offline until then.

Sorry - I've been unexpectedly busy!

Will post a CFScript as soon as I can. Hang in there!

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

still says Access Denied... Vista is like a plague, one small thing rapidly infecting the whole system...

I do not know how much of an exaggeration that is.....
It's that bloody UAC - Now, you did say you disabled this, but I want to double-check that.
Also, there are a couple programs we can try as well.

I ought to be available to wade back into the fray this evening :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The computer is Compaq but I have found the Windows XP Home SP1 Operating System CD that came with my HP notebook....would that work by chance?

No - because of the licensing issues and M$ Windows Genuine Advantage, you'd not be able to get the critical updates and patches that are the first line of defense against infections such as this one.

You ought to be able to buy a new Windows XPsp3 OSdisk for $10 -$15.

Or, we can take another whack at cleaning this thing.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

The MSRT did not come up with anything. Weird thing is, this morning I thought I would try the combofix one more time and it loaded right up. Here's the log.

That's encouraging that combofix is running - unfortunately, it is not getting this. Which is odd, because it should.
The only reason I can think it isn't is no recovery console. But you did install recovery console.

Let me put together a CFScript and we can try again. Will try to post it this evening.
Please keep the ill compy offline until then.

PP:)