PhilliePhan 171 Central Scrutinizer Team Colleague

if it was something else you were asking for please let me know, I'm a little slow sometimes:)

No worries :)

I've been volunteering in Forums for a long time and one thing I've learned to do is ask, ask and ask again. It's a wonder people put up with me!

Anyhoo, the next step I'd like to take gets us back to hacking ( or monkeying with, in layman's terms) the registry.
While I expect no problems, I'd like to be available to help, if need be.
So, I might not post those until Monday - weekend is going to be hectic and I imagine the same for you.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . That's odd.

Hang in there - there are a couple steps we have yet to take. I'll try to get back to you over the weekend, but you might have to wait until Monday. Sorry.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm assuming this is due to the fact that the trojan was removed and the registry settings were restored. Is that correct?
Let me know if I'm good to go.

Probably - I'd need to see the MBAM log , though.
Generally, I would prefer to run a few other tools before I could make an accurate assessment.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

sorry, the new anti spyware is the Avira, AVG is supposedly gone, which is why I thought that the message was really strange, considering it isn't supposed to be there anymore.

Yup - we'll probably need to do more digging there - low priority right now.

I was trying not to do this because of my licensing issues, ......

Then, probably best to leave it alone. Don't want to mess up any licensing.

Frankly, I'd be expressing some displeasure to Adobe support regarding this issue... :)

where do I find this?

Don't worry about that - it's my standard "canned speech." You should not have any problems.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I didn't read in the instructions that it would reboot so that kinda freaked me but here is the log.

Yeah - it does that sometimes.

We are making some progress - I'd like to double-check something:

Click START > RUN > Type cmd and hit OK

At the command prompt, type or Copy&Paste: dir /a /s "%systemdrive%\eventlog.dll" >> "%userprofile%\desktop\logit.txt"

Please post me the Logit.txt that appears on your Desktop.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I think it might be a good idea to Uninstall All things Adobe for the time being.

I don't mind, this is way too long to read to go back through it. Got rid of AVG, using AVIRA, seems to be working fine. Ok, so now I'll do the Adobe thing and get back to you.

The reason I asked about AVG is because in Post 99 you mentioned:
The new anti spyware has run and hasn't found any problems.
I tried to open a pdf with acrobat pro and it still won't open at all, it did update finally last night, I think it was successful. But still won't open. If something tries to open outlook I get a strange warning that AVG has stopped it from working, then it opens anyway.

So I was confused . . . .

-- Have you tried installing Adobe offline?


I'd like two new logs for updated reference:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.

PhilliePhan 171 Central Scrutinizer Team Colleague

Did you reboot and see if back to normal?

No joy?

Let me know - I put together a little tool that will automate the "long and drawn out" process that constitutes Plan B....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

that may be so, but the scales are balanced with patience and wisdom...
and as I tell my son when he feels superior, I lack the advantage of having had a computer since I was 4 years old... :)

So very true :)

This problem is vexing me....

-- So you're positive everything is being done "as Administrator?" Uggh - I hate Vista! LOL!

-- Can you link me to the version of Adobe you are installing?

-- What happened with AVG anti-virus? Remove? Reinstall? Go with Avira?
(That's the trouble with long threads - and forums in general - hard to keep updated. Much easier if I am sitting in front of the machine. I apologize for any redundancy ;) )


A couple things:

We should make sure the key exists. Did any of the previous help have you check?
Are you comfortable navigating the registry? - You can really screw up a machine if not careful.


See if you can run Windows Installer CleanUp Utility
-- Run it Only for Adobe!

Let me know how you fare with that and my other questions.

Also, please do this before doing the above:
-- Please back up your registry with ERUNT
-- Here are the instructions.

Since you are using Vista, you'll need to Turn User Account Control Off before using ERUNT.

Go …

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the help. I will run the combofix and post log.

Great!

The Win32kDiag looks good.

Let me know if you run into any problems with combofix.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

win32di...

OK - Let's go ahead and do the following:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

Let it run as before and then post me the log.

Then:
If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to iexplore.exe and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post me those logs and let me know if you ran into any trouble along the way.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

AllRightyThen . . . . Let's see if we can do this explorer.exe fix the easy way (might work) as opposed to the long and drawn out way (which will definitely work).

Please download this file and place it in your C:\ Drive

Then, please download these to the C:\Drive as well:
File One
File Two
RunThis.bat

Please run RunThis.bat.
A log ought to pop up - please post it for me.
Reboot and see if the problem remains - If so, we'll fix it the long and drawn out way ;)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

He says "this issue" is not his thing though, he doesn't like Vista.

I have yet to meet somebody who likes Vista. . . . .

Anyway, I am running IE 8.0.

Try rolling back to IE7 and see if issues remain:
http://support.microsoft.com/kb/957700

And a one click tool would be wonderful, thank you so much for taking the time to do it. :)

Actually, the more I look at this, it looks to be an Adobe issue rather than a Windows problem.
Have you tried installing "as administrator?"
RightClick and run the Adobe installer "as administrator."

Before we mess with the supposed problem key, let's have a look at it:
Please download PeekKey.zip and extract the PeekKey Folder from the ZIP to your Desktop.
-- In the folder, you'll find RunThis.bat.
-- DoubleClick on it to run it and please post me the log that pops up.

I really appreciate everything you and Crunchie have done to help me.

We are happy to try to help . . . though I suspect we are a couple of old dogs in a young dog's world.... :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My son says I should have been using firefox all along anyway.

He is a smart man :)

-- What version of IE do you have?

I will put together a little "one click" tool to try to deal with that registry key this evening and post it for you then.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I like the philosophy "pay it forward" and I live by it. Therefore I am poor, but happy.

Me, too - this world can sometimes be a mean place with a bunch of "I got mine, the rest are out of luck" types. But there are a lot of good people out there as well who are willing to help out of the goodness of their hearts....

Of course I would never take advantage either, so next time around I will see what I can do.

You are always welcome here. No worries!

Happy holidays
NW

The same to you :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

M-bam log file:

You need to have MBAM Remove the baddies. :)

What problems are remaining?
I can't really do much without seeing some scanlogs (HJT really doesn't help too much in these cases).

--- I'd still like to see a Win32kDiag log before we try any further tools.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't have those folders I'm afraid. I do have C:\WINDOWS\Driver Cache\i386, but no atapi.sys there either.

That is quite strange.


Let's try a different tack and go ahead with combofix:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

I will check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

explorer.exe is what runs the start bar, and the desktop, and basically navigating the file system. It will run for a second, and die. I'm ready for anything that can help, thanks a ton.

OK - Let's do this first:

-- Please delete your copy of ComboFix and download a fresh one to c:\documents and settings\Kevin's Desktop
-- Download the attached file CFScript.txt to c:\documents and settings\Kevin's Desktop as well

-- Click START > RUN > type "C:\documents and settings\Kevin's Desktop\combofix.exe" "C:\documents and settings\Kevin's Desktop\CFScript.txt" and hit ENTER.

-- Let Combofix run as before and post me that log.


THEN:
-- Please download Look.bat to where you can find it.
Run Look.bat. A command box will pop up - no worries. Let it run and a log should pop up. Please post that for me, along with the new combofix log, and we'll have a go at this explorer.exe problem.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Firefox is running fine right now. The cursor thing seems to be better too. So yeah! Progress! :) Thank you! Now if I can just figure out what Acrobat's issue is... I'm going to have to go back and read my own posts to see if I am forgetting anything now. Wow, it is great to be able to type quickly again!

-- Are you still getting DEP warning?

-- Have you updated to the latest version Adobe? Did you completely uninstall previous version(s)? If need be, use REVO.
I can help you change permissions on that key, if need be.

-- Have you tried "rolling back" to a previous version of IE?
Firefox is great, but it is a workaround and not a solution. Though, if you take the time to configure Firefox to your liking with Add-ons (Themes / Plug-ins / Extensions), you'll never go back to IE . . ..

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks, but PhilliePhan should head that list. I've just been here longer :D.

I think somebody's being a bit modest.. .. .. Your 700+ solved threads might beg to differ :)

PhilliePhan 171 Central Scrutinizer Team Colleague

that's fine, I.Explorer

OK - For diagnostic purposes, see if you can install Firefox Browser

Let us know if you run into the same problems as with IE.

I shall return Thursday evening (EST).

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It's so small that I guess it's easier if I just paste it :

Directory of C:\WINDOWS\system32\drivers

13/04/2008 22:10 96,512 atapi.sys
1 File(s) 96,512 bytes

only that

That's odd - there should be more.

What about C:\I386\atapi.sys - anything there?
How about C:\WINDOWS\ServicePackFiles\i386\atapi.sys - Any luck?

PP :)
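For anyone triaging a Logit.txt like the one pasted above: this is an added example (not from the thread or any of the tools it mentions) that parses the "dir /a /s" layout and flags a file that turns up only once or whose copies differ in size across locations, which is the kind of thing worth a closer look before running further tools. The log it reads is constructed, not the poster's.

```python
import re
from collections import defaultdict
# Constructed sample in the layout "dir /a /s atapi.sys >> C:\Logit.txt"
# produces; it is not the log posted in the thread.
SAMPLE_LOGIT = """\
 Directory of C:\\WINDOWS\\system32\\drivers

13/04/2008  22:10            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

13/04/2008  22:10            96,512 atapi.sys
               1 File(s)         96,512 bytes

     Total Files Listed:
               2 File(s)        191,872 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Date, time (24h or AM/PM), size with thousands separators, file name.
# "<DIR>" rows never match because the size group needs digits.
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}(?:\s*[AP]M)?)\s+([\d,]+)\s+(\S.*?)\s*$")

def parse_dir_log(text):
    """Return (directory, name, size_bytes) for every file row in a dir /s log."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            _date, _time, size, name = m.groups()
            entries.append((current, name.lower(), int(size.replace(",", ""))))
    return entries

def triage(entries):
    """Per file name: flag a lone copy or copies whose sizes disagree."""
    by_name = defaultdict(list)
    for directory, name, size in entries:
        by_name[name].append((directory, size))
    findings = {}
    for name, copies in by_name.items():
        if len(copies) == 1:
            findings[name] = "only one copy found; backup copies expected"
        elif len({s for _, s in copies}) > 1:
            findings[name] = "size mismatch across copies: " + ", ".join(
                f"{d} ({s} bytes)" for d, s in copies)
        else:
            findings[name] = f"{len(copies)} copies, sizes agree"
    return findings
```

A size difference on its own is not proof of tampering (service pack and uninstall folders legitimately hold older builds), so treat the output as a pointer to which copies to compare, not as a verdict.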

PhilliePhan 171 Central Scrutinizer Team Colleague

Everything looks fine now, AVG is gone. The AVG files are AVG 8 and AVG 9 and they are in the AVG folder. The other one wasn't but it is no longer there.

You should be able to safely delete the AVG folder.
Try that - if there are any "scary" messages, then hold off.

If you no longer have a working AV, see if you are able to install Avira Anti-vir Personal - FREE

-- What browser(s) do you use? IE / Firefox / Opera (sorry - too busy to backtrack ATM - easier to ask)

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I had to zip it since I got an "invalid file" error when trying to upload it (?)

My fault - this forum doesn't support .log attachments - I should've had you change it to .txt.
No worries.

Could you click START > RUN > type cmd ENTER
At the command prompt type dir /a /s atapi.sys >> C:\Logit.txt ENTER

Then please post the C:\Logit.txt

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Desktop still gone; the only files are in the Program Files folder. The weird one is gone after the 2nd reboot.

Is explorer.exe running?
Open task manager (ctrl-alt-del) and see if it is running. If it is, RightClick it and restart it - does Desktop come back?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net. . . . .

Ooops - In my haste I forgot to use the -t switch for the first mbr scan. That's why both logs look alike.
No worries - we were going to run the -f anyway which renders the whole issue moot....

-- There are still some issues in the combofix log - I'll post the next steps as soon as I have time.

-- Is explorer.exe still borked? If so, we'll deal with that as well.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

GMER didn't seem to detect anything ..

No log at all from GMER?
Try running it again. Select the Rootkit/Malware Tab and just click the Scan button.

Allow the scan as long as it needs and then click the save button and name the log GMER – 1.log and save it to where you can easily find it and post it for me.


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, I uninstalled AVG, desktop went away but there are still several file folders and a weird one with $ in front of it. Not sure the best way to safely get rid of these. It says deleting may cause the computer to become unstable and it's unstable enough. ;) Windows updates are set to auto, so however that works, sometimes it updates when it turns on.

-- Are those AVG files in the AVG Folder?

-- Does your desktop come back after a reboot?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

It doesn't appear to be redirecting anymore... I have clicked on about 30 links and they seem to all work... thanks to you and Crunchie times a million!

You're welcome - happy to hear it!

Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

-- Doing the above step ought to get your clock back to normal.

Let us know if there are any further issues - otherwise I think you can mark this thread "solved."

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I can't access microsoft.com, hotmail.com, hijack this webpage, and sometimes other seemingly random webpages like bbc news, met office, gametrailers etc. Most other webpages work fine though

I am a bit "over-extended," so hopefully another volunteer can jump in and run with this, but to get started, please do the following:

FIRST:

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

THEN:

-- …

PhilliePhan 171 Central Scrutinizer Team Colleague

Done and done, everything worked perfectly.

Great! We are making some progress - still a bunch to do, though.

Please do this first:
-- Download mbr.exe to your C:\ Drive ---> C:\mbr.exe
-- Navigate to C:\mbr.exe and DoubleClick it to run it. It will run quickly and a log will appear on your C:\Drive ---> C:\mbr.log
-- Please Rename that to mbr-1.log

THEN:
Click START > RUN > type or Copy&Paste mbr.exe -f ENTER
(note the space between .exe <space> -f if you type it)
-- Let the tool run and another mbr.log will appear on C:\Drive.

Please post Both logs for me and we'll go from there.

PP:)