Ok. I will look for the disk and check back on here tomorrow.
OK - That's probably best. If no disk, then I think the choice will be pretty obvious :)
It's up to you. You've been great for helping me and I will continue to follow your instructions. I'm happy either way now that my wife's pics won't be lost.
Fastest and easiest and most effective thing to do is to reinstall Windows. 'Course, you'll lose everything (programs, etc..) and will need to get updated/patched immediately.
-- Do you have your Windows Disk?
-- Give me a day or so to go back over the thread and get caught up. There have been some advances in fighting this particular malware since you last posted and we can try them and see how it shakes out.
PP :)
Ok I have copied all of the pictures to discs.
OK - what's the plan?
Format / Reinstall Windows? Or do you want to try to clean this sucker?
PP:)
Same Date Error in Safe mode as well.....?
OK - it may be an issue with combofix or an interaction with the malware on your machine.
Let's try something different:
See if you can run MSRT - Let me know what the report says after running it.
http://www.microsoft.com/security/malwareremove/default.aspx
Also, on same page, see if you are able to run the Windows Live safety scanner.
Let me know how that shakes out.
PP:)
Sorry, I had some issues earlier with the display.
Anyways back now, and still no desktop toolbar. Look.bat says my shell is still phillies.exe
OK - if that is the case, then download a fresh Phillies.exe to C:\Windows folder.
If prompted to overwrite, say yes.
Reboot - If no joy, I'll have to go back to the drawing board.....
PP:)
Malwarebytes' Anti-Malware 1.41
Database version: 3185
Windows 5.1.2600 Service Pack 3 . . . . .
Well - It didn't get the rootkit showing in the GMER log.
-- Download a fresh combofix (important) and see if it will run in Safe Mode.
Tap F8 at boot for Safe Mode. Don't use msconfig.
Let me know.
PP:)
got to go to bed, sorry, hate to bail but I've got my grandson at 7:00 am and he is 2yrs old and happens to be visually impaired so I need my rest :) He's a handful. I'll check in tomorrow, thank you.
No problem! We've all got "real lives" and they take precedence.....
This freaking Vista is really annoying.
-- Try running Regedit with an "elevated command prompt" and then try the permissions change from a few posts ago (post #126).
To get the elevated prompt, Click Start > All Programs > Accessories, RightClick Command Prompt, and then click Run as Administrator.
There are a couple other options to try as well. I'll post them Tuesday if the above fails to work.
PP:)
At first I never thought Vista could be so vulnerable to viruses unlike XP. I was shocked when I noticed my laptop is starting to act weird. I used to use ComboFix before, when I don't know what virus is residing in my computer. Try to use Malwarebytes, ComboFix and Removeit Pro, that usually solves my problem when I'm not really sure what virus is in my computer.
This situation is a bit different :)
Don't type that too loud, she may hear you :)
LOL! :)
First one says: ERROR: Access is denied. Second did nothing.
OK - Let's try this:
Open Registry Editor and RightClick on HKEY LOCAL MACHINE and select Permissions
Select Everyone and check the box to Allow Full Control and click APPLY
Click OK
Then try the command prompt reg add step again and let me know.
I'll be back in 30 min or so.
PP :)
So when I click iexplore/combofix to run it, the blue window opens as depicted in the instructions and as with the last scan. Now I get a Date Error popping up. It says Date Error: 2009-11-16 Check your settings.
Did you download a fresh copy of combofix?
-- Try updating MBAM and running it instead - It should get this, providing you Update to current definitions.
Be sure to REBOOT after running MBAM.
PP:)
Sorry for the delay - I guess I'm "in demand" these days LOL!
Let's try this:
Open a command prompt (start>run>type cmd)
At the prompt, copy&paste the following and hit ENTER each time:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS" /v "Installed" /d "1" /f
then
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS" /ve /f
You should get a confirmation/success message each time. Then, drill down and verify MSFS key.
Let me know if that works.
PP :)
nope, still not there, admin doesn't come up on right click but I tried it again anyway
OK - let me double-check some things & I'll get back to you.
PP :)
I may be doing something wrong, it says error, cannot access the registry
Bloody hell - it's probably a Vista thing . . .LOL.
-- Did you try RightClicking and running as Administrator?
Also, do the drill down with registry editor and check if MSFS key exists now.
I've had users get error messages and yet still have the keys created.
If that doesn't work, we'll try another way.
PP :)
the only thing in that folder says default, Reg_SZ, (value not set), so I'm assuming that means no
OK - Let's do this:
Download the attached FixIt.ZIP and Extract FixIt.reg from the ZIP to the Desktop
-- DoubleClick on FixIt.reg and Allow it to merge into the registry.
Just to be certain, open registry editor again and drill down and make sure the MSFS key is there.
If it is there, try installing Adobe again and let me know how you fare.
PP:)
OK, got all the way to the end but there is no MSFS.
That's what I suspected since it did not show in previous log.
You do have the "OptionalComponents" Key? Or no?
I don't remember seeing that either....
PP:)
Here is the MBAM log:
How are things running now?
I'd like to see a couple other scanlogs, just to be safe.
Let's do this first:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool
* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).
- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.
I will check back as time permits - I'm a bit over-extended at the moment.
PP:)
Update: Well I thought I would try out the computer and search the web. So I googled Microsoft and a second browser window opened up. It wanted me to allow cookie "admnt" or something. I closed the window and proceeded to Microsoft.com. Instead of the website I get a Windows security alert popup. Kaspersky detected 2 Trojans and 1 Malicious tool at the same time. I was able to close the window.
Looks like some new rootkit files - combofix ought to get these.
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Run Combofix as before and post me that log.
Try to stay offline as much as possible - we will still have some manual cleanup yet to do after this run.
PP :)
Anyhoo, the next step I'd like to take gets us back to hacking ( or monkeying with, in layman's terms) the registry.
While I expect no problems, I'd like to be available to help, if need be.
So, I might not post those until Monday - weekend is going to be hectic and I imagine the same for you.
Sorry I couldn't get back sooner - Let's see if we can deal with that problem key.
-- I did not see it in previous log, so I'd like to check if it exists at all.
Click START > RUN > type Regedit and hit OK to open the Registry Editor
Please "drill down" through the subkeys to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If you need clarification, let me know. I imagine your son could do this with his eyes closed (though I don't recommend that :) )
Under the Run Key, let me know if you can drill down further to "OptionalComponents" Key and then to "MSFS" key.
Are they there?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
PP :)
Is there any way I can save the pictures that are on my computer to my external HD? If I can do that then we can finish this the easy way by just completely redoing the computer. The pictures are all she really cares about.
Yeah - I think we can wrangle that.
I am waaay over-extended at the moment, so I may not be able to reply in a timely manner + I need to read over this thread to get back up to date on what is going on.
In the meantime, please create Hiren's Boot CD
All you need is a working computer - The data and the tools to create it are all in the ZIP.
Personally, I just use imgburn to burn the ISO.
Let me know when you have that and we'll go from there.
Will try to post back as soon as I can - have a bunch of other threads to get to as well...
PP :)
Did that, no change.
OK - If it allowed you to make that change and the Winlogon Shell Value = Phillies.exe and the Phillies.exe you downloaded is present in the C:\Windows folder, then, upon reboot, you should be running Phillies.exe as shell and desktop ought to be back to normal.
Did you reboot?
At command prompt, type dir /a /s %systemdrive%\Phillies.exe and see if it is in the Windows folder.
Better yet, type copy "%systemdrive%\phillies.exe" %windir%
If it exists, you'll be prompted to overwrite it - select YES.
Then, reboot.
If still no joy, run another look.bat and see if the Winlogon Shell value is still Phillies.exe or if it has been changed.
There are some items in your last combofix log that might be affecting the changes, but I'm not certain.
PP:)
Yes I know how to edit the registry and whatnot.
Sorry for delay - doing a bunch of things at once here :)
Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
-- Click the Winlogon Folder icon
-- In the Right Window where it says Shell REG_SZ Explorer.exe RightClick on Shell and choose Modify
Where it says Value data:, remove Explorer.exe and type in Phillies.exe and hit OK.
Let me know if you have any trouble - something could be preventing the change - either malware or a security program such as KAV.
PP :)
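As an added illustration of the checks the helper walks through above (verify the Winlogon Shell value, confirm which explorer.exe copies exist, reboot and re-check), here is a batch file written for this edit. It is not Look.bat, ReplaceIt.bat or anything posted in the thread. It reports the current Shell value, lists every explorer.exe on the system drive, compares the active copy against the ServicePackFiles backup when one exists, and restores the Windows default Shell value only when run with a /restore switch. The log file name, the /restore switch and the choice of ServicePackFiles\i386 as the comparison copy are assumptions of the example.

```batch
@echo off
REM Added example (not the thread's own tools): report the Winlogon Shell value and
REM the explorer.exe copies on the system drive, writing everything to a log on the Desktop.
REM Assumptions: run from an elevated command prompt (Vista: Run as Administrator),
REM log path and the /restore switch are choices made for this example.
setlocal enabledelayedexpansion
set "LOG=%userprofile%\desktop\shellcheck.txt"
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "SPF=%windir%\ServicePackFiles\i386\explorer.exe"

echo === Winlogon Shell check %date% %time% === > "%LOG%"

REM reg query prints a line such as:   Shell    REG_SZ    Explorer.exe
REM tokens=2,* drops the value name, keeps the type in %%A and the data in %%B.
set "SHELLVAL="
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v Shell 2^>nul ^| find /i "Shell"') do set "SHELLVAL=%%B"

if not defined SHELLVAL (
    echo Shell value NOT found under %KEY% >> "%LOG%"
) else (
    echo Shell = !SHELLVAL! >> "%LOG%"
    if /i "!SHELLVAL!"=="explorer.exe" (
        echo Shell value is the Windows default. >> "%LOG%"
    ) else (
        echo WARNING: Shell is not explorer.exe - confirm this was set deliberately. >> "%LOG%"
    )
)

echo. >> "%LOG%"
echo === explorer.exe copies on %systemdrive% === >> "%LOG%"
REM Same search the thread uses for Phillies.exe: walk the whole drive, include hidden files.
dir /a /s "%systemdrive%\explorer.exe" >> "%LOG%" 2>&1

echo. >> "%LOG%"
REM A byte-for-byte mismatch is a reason to look closer, not proof of infection:
REM a later hotfix can legitimately differ from the ServicePackFiles copy.
if exist "%SPF%" (
    fc /b "%windir%\explorer.exe" "%SPF%" >nul
    if errorlevel 1 (
        echo WARNING: %windir%\explorer.exe differs from %SPF% >> "%LOG%"
    ) else (
        echo %windir%\explorer.exe matches %SPF% byte for byte. >> "%LOG%"
    )
) else (
    echo No ServicePackFiles copy found to compare against. >> "%LOG%"
)

REM Optional repair: put the Shell value back to the Windows default. Takes effect after reboot.
if /i "%~1"=="/restore" (
    echo. >> "%LOG%"
    echo Restoring Shell to explorer.exe ... >> "%LOG%"
    reg add "%KEY%" /v Shell /t REG_SZ /d explorer.exe /f >> "%LOG%" 2>&1
    echo Reboot for the change to take effect. >> "%LOG%"
)

REM Pop the log up the way the thread's tools do.
start "" notepad "%LOG%"
endlocal
```

Run it once with no arguments to get the report; run it as `shellcheck.bat /restore` only after the active explorer.exe has been confirmed clean or replaced, then reboot and run it again without arguments to confirm the value stuck, which is the same reboot-and-re-check loop the helper asks for with Look.bat.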
Changing Winlogon Shell Value To Phillies.exe
The operation completed successfully
Copying C:\Phillies.exe to C:\WINDOWS
1 file(s) copied.
Rebooting-------
Again nope lol, this is hopeless.
See - this is odd:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
......................................
"Shell"="Explorer.exe"
Unless you ran replaceIt.bat TWICE, that should be Shell=Phillies.exe
-- Are you comfortable with Regedit & editing the registry?
PP :)
Now - this is worrisome....
Can you run me a fresh log from Look.bat.
P :)
Lost the first log, the last two logs are identical and are . . ..
LOL! - It might be faster to do this manually step by step....
Anyhoo, download the previously linked Phillies.exe to C:\Phillies.exe
Download ReplaceIt.bat to the desktop.
Run ReplaceIt.bat once and post me the log.
Then, Reboot and see if that works.
PP :)
Again no such luck. This seems to hate me.
I'd need to see the accompanying logs....
Let's try a different way.
Please download Phillies.exe to your C:\Drive
Let me know when you've done this and we'll go from there.
PP:)
I am running the paid version of MBA-M, not SAS.
Hey Judy - You guys need to run GMER & Combofix to sort this problem out.
PP :)
No such luck.
My fault - sorry. :$
I changed the link about 5 minutes after I posted it. You must've gotten the first one....
I wrote it to copy from ServicePackFiles\i386\explorer.exe . . . which I then checked and saw that you don't have on your machine. So I rewrote it and reposted it.
Please download PhilliePhix.bat again and run it as before and post the logs.
If it doesn't work, we'll need an uninfected copy of Explorer.exe. Do you have a Windows disk?
PP :)
No joy. :[
I wonder what could possibly be wrong.
It is probably infected - Hopefully none of the other copies on your machine are infected as well....
I've automated the process:
-- Please download PhilliePhix to your Desktop.
-- DoubleClick on it to run it. Follow the prompt and post the log for me.
Reboot
-- You should now have your desktop, etc... back, but you need to run PhilliePhix again to restore the normal settings. Post me the 2nd log and Reboot again.
Then let me know how things are running.
If this doesn't work, we'll need to get you an uninfected copy of Explorer.exe.....
Cheers :)
PP
Update: Well I thought I would try out the computer and search the web.
You should keep the surfing to a minimum until we can finish up.
I have a lot on my plate this weekend - I still need to go over your combofix log.
I would like to see two more logs:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php
-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO
-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)
-- Then, click the Scan Button
Allow the scan as long as it needs and then click the save button and name the log GMER – 1.log and save it to where you can easily find it and post it for me.
***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items …
if it was something else you were asking for please let me know, I'm a little slow sometimes:)
No worries :)
I've been volunteering in Forums for a long time and one thing I've learned to do is ask, ask and ask again. It's a wonder people put up with me!
Cheers :)
PP
Well . . That's odd.
Hang in there - there are a couple steps we have yet to take. I'll try to get back to you over the weekend, but you might have to wait until Monday. Sorry.
PP :)
I'm assuming this is due to the fact that the trojan was removed and the registry settings were restored. Is that correct?
Let me know if I'm good to go.
Probably - I'd need to see the MBAM log , though.
Generally, I would prefer to run a few other tools before I could make an accurate assessment.
PP :)
sorry, the new anti spyware is the Avira, AVG is supposedly gone, which is why I thought that the message was really strange, considering it isn't supposed to be there anymore.
Yup - we'll probably need to do more digging there - low priority right now.
I was trying not to do this because of my licensing issues, ......
Then, probably best to leave it alone. Don't want to mess up any licensing.
Frankly, I'd be expressing some displeasure to Adobe support regarding this issue... :)
where do I find this?
Don't worry about that - it's my standard "canned speech." You should not have any problems.
PP :)
I didn't read in the instructions that it would reboot so that kinda freaked me but here is the log.
Yeah - it does that sometimes.
We are making some progress - I'd like to double-check something:
Click START > RUN > Type cmd and hit OK
At the command prompt, type or Copy&Paste: dir /a /s "%systemdrive%\eventlog.dll" >> "%userprofile%\desktop\logit.txt"
Please post me the Logit.txt that appears on your Desktop.
PP:)
I think it might be a good idea to Uninstall All things Adobe for the time being.
I don't mind, this is way too long to read to go back through it. Got rid of AVG, using AVIRA, seems to be working fine. Ok, so now I'll do the Adobe thing and get back to you.
The reason I asked about AVG is because in Post 99 you mentioned:
The new anti spyware has run and hasn't found any problems.
I tried to open a pdf with acrobat pro and it still won't open at all, it did update finally last night, I think it was successful. But still won't open. If something tries to open outlook I get a strange warning that AVG has stopped it from working, then it opens anyway.
So I was confused . . . .
-- Have you tried installing Adobe offline?
I'd like two new logs for updated reference:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool
* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).
- Copy&Paste the DDS.txt into your next post.
Did you reboot and see if back to normal?
No joy?
Let me know - I put together a little tool that will automate the "long and drawn out" process that constitutes Plan B....
PP:)
that may be so, but the scales are balanced with patience and wisdom...
and as I tell my son when he feels superior, I lack the advantage of having had a computer since I was 4 years old... :)
So very true :)
This problem is vexing me....
-- So you're positive everything is being done "as Administrator?" Uggh - I hate Vista! LOL!
-- Can you link me to the version of Adobe you are installing?
-- What happened with AVG anti-virus? Remove? Reinstall? Go with Avira?
(That's the trouble with long threads - and forums in general - hard to keep updated. Much easier if I am sitting in front of the machine. I apologize for any redundancy ;) )
A couple things:
We should make sure the key exists. Did any of previous help have you check?
Are you comfortable navigating the registry? - You can really screw up a machine if not careful.
See if you can run Windows Installer CleanUp Utility
-- Run it Only for Adobe!
Let me know how you fare with that and my other questions.
Also, please do this before doing the above:
-- Please back up your registry with ERUNT
-- Here are the instructions.
Since you are using Vista, you'll need to Turn User Account Control Off before using ERUNT.
Go …
Thanks for the help. I will run the combofix and post log.
Great!
The Win32kDiag looks good.
Let me know if you run into any problems with combofix.
PP:)
win32di...
OK - Let's go ahead and do the following:
Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r
Let it run as before and then post me the log.
Then:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to iexplore.exe and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!
Please post me those logs and let me know if you ran into any trouble along the way.
PP :)
AllRightyThen . . . . Let's see if we can do this explorer.exe fix the easy way (might work) as opposed to the long and drawn out way (which will definitely work).
Please download this file and place it in your C:\ Drive
Then, please download these to the C:\Drive as well:
File One
File Two
RunThis.bat
Please run RunThis.bat.
A log ought to pop up - please post it for me.
Reboot and see if the problem remains - If so, we'll fix it the long and drawn out way ;)
PP
He says "this issue" is not his thing though, he doesn't like Vista.
I have yet to meet somebody who likes Vista. . . . .
Anyway, I am running IE 8.0.
Try rolling back to IE7 and see if issues remain:
http://support.microsoft.com/kb/957700
And a one click tool would be wonderful, thank you so much for taking the time to do it. :)
Actually, the more I look at this, it looks to be an Adobe issue rather than a Windows problem.
Have you tried installing "as administrator?"
RightClick and run the Adobe installer "as administrator."
Before we mess with the supposed problem key, let's have a look at it:
Please download PeekKey.zip and extract the PeekKey Folder from the ZIP to your Desktop.
-- In the folder, you'll find RunThis.bat.
-- DoubleClick on it to run it and please post me the log that pops up.
I really appreciate everything you and Crunchie have done to help me.
We are happy to try to help . . . though I suspect we are a couple of old dogs in a young dog's world.... :)
PP
My son says I should have been using firefox all along anyway.
He is a smart man :)
-- What version of IE do you have?
I will put together a little "one click" tool to try to deal with that registry key this evening and post it for you then.
Cheers :)
PP
I like the philosophy "pay it forward" and I live by it. Therefore I am poor, but happy.
Me, too - this world can sometimes be a mean place with a bunch of "I got mine, the rest are out of luck" types. But there are a lot of good people out there as well who are willing to help out of the goodness of their hearts....
Of course I would never take advantage either so next time around I will see what i can do.
You are always welcome here. No worries!
Happy holidays
NW
The same to you :)
PP
M-bam log file:
You need to have MBAM Remove the baddies. :)
What problems are remaining?
I can't really do much without seeing some scanlogs (HJT really doesn't help too much in these cases).
--- I'd still like to see a Win32kDiag log before we try any further tools.
PP:)
I don't have those folders I'm afraid. I do have C:\WINDOWS\Driver Cache\i386, but no atapi.sys there either.
That is quite strange.
Let's try a different tack and go ahead with combofix:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!
I will check back as time permits.
PP:)
explorer.exe is what runs the start bar, and the desktop, and basically navigating the file system. It will run for a second, and die. I'm ready for anything that can help, thanks a ton.
OK - Let's do this first:
-- Please delete your copy of ComboFix and download a fresh one to c:\documents and settings\Kevin's Desktop
-- Download the attached file CFScript.txt to c:\documents and settings\Kevin's Desktop as well
-- Click START > RUN > type "C:\documents and settings\Kevin's Desktop\combofix.exe" "C:\documents and settings\Kevin's Desktop\CFScript.txt" and hit ENTER.
-- Let Combofix run as before and post me that log.
THEN:
-- Please download Look.bat to where you can find it.
Run Look.bat. A command box will pop up - no worries. Let it run and a log should pop up. Please post that for me, along with the new combofix log, and we'll have a go at this explorer.exe problem.
Cheers :)
PP
Firefox is running fine right now. The cursor thing seems to be better too. So yeah! Progress! :) Thank you! Now if I can just figure out what Acrobat's issue is... I'm going to have to go back and read my own posts to see if I am forgetting anything now. Wow, it is great to be able to type quickly again!
-- Are you still getting DEP warning?
-- Have you updated to the latest version Adobe? Did you completely uninstall previous version(s)? If need be, use REVO.
I can help you change permissions on that key, if need be.
-- Have you tried "rolling back" to a previous version of IE?
Firefox is great, but it is a workaround and not a solution. Though, if you take the time to configure Firefox to your liking with Add-ons (Themes / Plug-ins / Extensions), you'll never go back to IE . . ..
PP:)
Thanks, but PhilliePhan should head that list. I've just been here longer :D.
I think somebody's being a bit modest... Your 700+ solved threads might beg to differ :)
that's fine, I.Explorer
OK - For diagnostic purposes, see if you can install Firefox Browser
Let us know if you run into the same problems as with IE.
I shall return Thursday evening (EST).
Cheers :)
PP