Ximinez
Post #1
Living Fossil | Group: Admin | Posts: 1,937 | Joined: 22-October 04 | From: Montreal, Canada | Member No.: 2
WARNING: THE FOLLOWING IS A REALLY LONG-WINDED POST, BUT ... OMG ... DO I NEED TO VENT!

About what? Nothing much except for a 3-day ordeal with a mega-infected PC! ... Linux and MAC users need not read any further ... unless you are in the mood for a laugh at the expense of us Windoze users!!

I'm posting this here because (1) I don't want to forget what it was that I did and (2) I hope that it will benefit another unfortunate soul who may find him/herself in a similar situation.

As some of you know, I have a sideline interest in internet security issues and often assist friends with fixing up their home PCs when they get overwhelmed with all manner of scumware. I never resort to wiping a hard drive clean and re-installing Windows because I can usually narrow down the offending programs and kill them, then secure the system against reinfection, whereas most people nuke the HD, re-install Windows without any proper protection and 1 month later they're back to where they started: Infected. It's really a "cat and mouse" game (which seems appropriate, since I'm mostly dealing with RATs, i.e., Remote Access Trojans), and I enjoy the challenge immensely. Frankly, I have never had a real problem cleaning those systems up -- until now, that is.

I don't think I will ever know what malware caused this installation of XP to lose its Windows Scripting ability, but whatever it was, it really messed this system up badly. It all started when I was trying to install CounterSpy -- my all-time favorite anti-spyware application (and I've tried several). Originally, it was a minor annoyance when I ran the installer and an "Internal Error 2738" message popped up. When I googled the problem further, it was apparent that this is not an uncommon error ("due to a Windows Installer error, which could not access VBScript run time"). An easy enough fix is to simply download the Windows Script 5.6 for Windows XP from Microsoft and you're on your way.

Well, I tried that and came to a dead end when the Windows Script 5.6 installer couldn't register the vbscript.dll file with its own error message: "Error registering the OCX c:\windows\system32\vbscript.dll". No problem, I thought; simply register it manually via regsvr32. Well, that just landed me another message -- this time: "Dll Register Server in vbscript.dll failed Return code was 0x80004005". And that's when the fun began!

Where to find a fix? I must have visited over 40 sites -- all dead ends. I found out that I was just as frustrated as the other unfortunate individuals who posted to the many online help forums. They were all getting the same advice about simply installing Windows Script 5.6 and no explanation as to why the vbscript.dll simply refused to register. I tried Sysinternals' amazing Filemon and Regmon apps to analyze what was happening to the vbscript.dll file as attempts were made to register it. It seemed to me like the problem resided in the Registry -- but where?!

It was a chance read in an unrelated forum post that convinced me it was tied to the VBS (Visual Basic Script) references in the Registry, so I fired up Registrar Lite and narrowed down the location of the problem to the "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBS" through to the "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile.HostEncode" keys. What surprised me was that the majority of these entries had sub-key values marked as "ACCESS DENIED" -- even when logged in as the Administrator of that computer. I had seen that a few times before and really paid it no attention because I was looking at different values within the Registry for different reasons. Now, this "ACCESS DENIED" was staring me right in the face and I couldn't get away from it. I really came close to scrapping the system and reinstalling Windows at that point, but I felt compelled to get to the source of this problem.

A tip at another forum inspired me to use a registry editor on a bootable CD similar to "Bart PE" that I've been using for years, so I fired up the PC with that CD and was able to isolate the same Registry entries and deleted them. Once done, I rebooted the computer and went back to the normal Windows session. I tried another shot at the Windows Script 5.6 installation. This time, I got past the vbscript.dll registration error, but got hit with a new one, this time for the scrrun.dll file! Sigh ... back to Google!

This time, I was convinced that there was some other key in the Registry that was now blocking the scrrun.dll file's registration. However, I didn't want to dig any further (I was tired!). I learned by this time that the "ACCESS DENIED" values in the Registry were likely created by some scumware which created a bogus user profile in Windows and took ownership of the affected registry keys, then deleted that profile, thus locking any changes to those keys even by the Administrator account user.

A fix that finally allowed me to successfully install Windows Script 5.6 was a suggestion on a blog to try a Microsoft tool called "SubInACL" which would allow me to reset ALL keys to their appropriate Administrator permissions (run in Safe Mode with Command Prompt). That did it! I was then able to install CounterSpy, which discovered 69 individual spyware components, and now ... I can go to sleep!

Cheers!!

--------------------
We are just an advanced breed of monkeys on a minor planet of a very average star, but we can understand the Universe. That makes us something very special.
-- Stephen Hawking
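As an added example (not part of the original post), here is a read-only Windows PowerShell 5.1 audit for the condition described in post #1: keys under HKLM\SOFTWARE\Classes that an administrator cannot open, or whose owner SID no longer resolves to an account. The `VBS*` name filter and the report columns are assumptions chosen for illustration.

```powershell
# Added example: read-only audit, run from an elevated Windows PowerShell 5.1 prompt.
# Assumption: the 'VBS*' filter approximates the key range named in the post.
$classes   = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Classes')
$ownerOnly = [System.Security.AccessControl.AccessControlSections]::Owner
$sidType   = [System.Security.Principal.SecurityIdentifier]
$ntType    = [System.Security.Principal.NTAccount]

# Listing names needs rights on the parent key only, so locked subkeys still appear.
$names = $classes.GetSubKeyNames() | Where-Object { $_ -like 'VBS*' }

$report = foreach ($name in $names) {
    $row = [pscustomobject]@{ Key = $name; Readable = $true; Owner = $null; Orphaned = $null }

    # 1. Can the current token open the key for reading at all?
    try {
        $k = $classes.OpenSubKey($name)
        if ($k) { $k.Close() }
    } catch {
        $row.Readable = $false   # the "ACCESS DENIED" case from the post
    }

    # 2. Who owns it? This needs only READ_CONTROL, which may still be granted.
    try {
        $k = $classes.OpenSubKey($name,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
            [System.Security.AccessControl.RegistryRights]::ReadPermissions)
        $sid = $k.GetAccessControl($ownerOnly).GetOwner($sidType)
        $k.Close()
        try {
            $row.Owner    = $sid.Translate($ntType).Value
            $row.Orphaned = $false
        } catch {
            # The SID no longer maps to an account: the owning profile was deleted.
            $row.Owner    = $sid.Value
            $row.Orphaned = $true
        }
    } catch {
        $row.Owner = '<owner not readable>'
    }
    $row
}
$classes.Close()

# Show only the keys that need attention before any permission reset.
$report | Where-Object { -not $_.Readable -or $_.Orphaned } | Format-Table -AutoSize
```

Saving this report before and after a permission reset gives a record of which keys were affected.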

DisguisedRose
Post #2
Living Fossil | Group: Moderator | Posts: 1,057 | Joined: 19-December 04 | From: L.A., California | Member No.: 252
It looks like Ximinez regards computer issues as big, interesting-to-solve puzzles, which is great with the knowledge to get them done!
--------------------
A candle loses nothing by lighting another candle. ▪ Erin Majors

Ximinez
Post #3
Living Fossil | Group: Admin | Posts: 1,937 | Joined: 22-October 04 | From: Montreal, Canada | Member No.: 2
QUOTE(DisguisedRose @ Nov 7 2006, 04:13 PM)

Yeah, that would just about sum it up! The messier, the better!!

Time is now: 23rd November 2006 - 12:52 AM