Latest posts of: Essexboy
My PC Hell Forum
1  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 18, 2008, 05:16:31 PM
Slight boo-boo on my part

"RegisteredOrganization"

"RegisteredOwner"

Are in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
2  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 18, 2008, 05:13:09 PM
OK open regedit and navigate to the following values in the key described

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

"RegisteredOrganization"

"RegisteredOwner"

"LegalNoticeCaption"

"LegalNoticeText"

"LogonPrompt"

"Welcome"

Open the values and delete the text - do not delete the value itself

i.e.  "RegisteredOwner"  "antichrist"
becomes "RegisteredOwner"

To open a value double click it and you will get the following - clear the data in the box and click OK

3  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 18, 2008, 04:56:15 PM
Would you be happy manually amending your registry ?
4  Windows XP Assistance / General Problems / Re: Office 2003 Won't Uninstall on: April 18, 2008, 04:51:22 PM
Will it allow you to install 2007 over 2003?
5  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 18, 2008, 04:47:22 PM
Has the system returned to normal (but still with the box)? What is the status on re-boot?

All that combofix did was replace the default registry values
6  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 18, 2008, 01:35:12 PM
Looks like it. Let's try a different way

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOrganization"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeText"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"LogonPrompt"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Welcome"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
7  Windows XP Assistance / Security-Virus/Spyware / Re: Trojans failed to disinfect? on: April 18, 2008, 01:29:58 PM
No just run the file - you will need to reboot for it to take effect
8  Windows XP Assistance / General Problems / Re: Office 2003 Won't Uninstall on: April 18, 2008, 01:27:54 PM
Are you able to uninstall 2003 ?
9  Windows XP Assistance / General Problems / Re: Office 2003 Won't Uninstall on: April 17, 2008, 06:03:26 PM
Quote
But EB, I just downloaded latest java a limewire
Did you download it from my link or did you get it via limewire - can you give me exact details of the problems you are experiencing
10  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 17, 2008, 05:51:32 PM
Did you run the vbs programme and then the registry fix ?
11  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 17, 2008, 04:31:39 PM
OK download this VBS file and run it - it should restore your registry.  Once done retry the regfix

 http://cid-32d8666f4048075b.skydrive.live.com/self.aspx/Malware%20files/regtmcmdrestore.vbs

Can you confirm that you have now lost the web pages opening on start
12  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 16, 2008, 04:23:40 PM
There are no tools for deleting this nightmare so I will have to do it manually

Download and run ERUNT  http://www.larshederer.homepage.t-online.de/erunt/

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.


Next, select the backup options:

- System registry:

- Current user registry:

- Other open user registries:

Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX
Quote
REGEDIT4
; Restores default values. The Userinit path assumes Windows is installed in C:\WINDOWS.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOrganization"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"LogonPrompt"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Welcome"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001


Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a notepad file.  Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

NEXT

During this run you will lose your desktop

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
KillAll::

File::
C:\WINDOWS\SHELL.EXE
C:\WINDOWS\VXDS.EXE
C:\WINDOWS\system32\SYS.EXE
C:\WINDOWS\system32\OEMINFO.INI
C:\WINDOWS\system32\OEMLOGO.BMP
C:\WINDOWS\system32\BLANK.HTM
C:\WINDOWS\help\HLPS.EXE
C:\WINDOWS\media\WMA.EXE
C:\WINDOWS\media\WINDOWS XP RINGIN.WAV

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
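
Added example, not part of the original post and not code from ComboFix or ERUNT: a Python check that reads a regedit export taken after the fix and lists the HKLM values that still differ from what the registry fix above writes. The function names, the sample export and the C:\WINDOWS install path are assumptions; only the owner string "antichrist" comes from the thread.

```python
import re

# Data the registry fix above writes to HKLM, keyed by lower-cased (key, value name).
NTCV = r"hkey_local_machine\software\microsoft\windows nt\currentversion"
WINLOGON = NTCV + r"\winlogon"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
EXPECTED = {
    (WINLOGON, "shell"): "explorer.exe",
    (WINLOGON, "userinit"): r"c:\windows\system32\userinit.exe,",  # assumes C:\WINDOWS
    (WINLOGON, "sfcdisable"): 0,
    (WINLOGON, "legalnoticecaption"): "", (WINLOGON, "legalnoticetext"): "",
    (WINLOGON, "logonprompt"): "", (WINLOGON, "welcome"): "",
    (NTCV, "registeredowner"): "", (NTCV, "registeredorganization"): "",
}
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse REG_SZ and REG_DWORD values of a regedit export into {(key, name): data}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, dw, sz = m.groups()  # strings have their .reg escaping undone
            values[(key, name.lower())] = int(dw, 16) if dw else re.sub(r"\\(.)", r"\1", sz)
    return values

def audit(text):
    """Return (value name, found data) for each value that differs from the fix."""
    values, findings = parse_reg(text), []
    for (key, name), want in EXPECTED.items():
        got = values.get((key, name))  # values missing from the export are not judged
        if got is not None and (got.lower() if isinstance(got, str) else got) != want:
            findings.append((name, got))
    if (RUN, "blank") in values:  # the fix deletes this autorun value
        findings.append(("blank", values[(RUN, "blank")]))
    return findings

# Constructed export for illustration; only "antichrist" comes from the thread.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="antichrist"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"SFCDisable"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"="constructed"
'''
```

Calling `audit(SAMPLE)` reports the SFCDisable, RegisteredOwner and "blank" values; an export in which every listed value matches the fix returns an empty list.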
13  Windows XP Assistance / Security-Virus/Spyware / Re: Trojans failed to disinfect? on: April 16, 2008, 04:27:44 AM
Please download this file and run it - let me know the result

http://cid-32d8666f4048075b.skydrive.live.com/self.aspx/Malware%20files/FixShell.cmd
14  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 16, 2008, 04:24:43 AM
Now I need to do a deep search and look for drivers

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
15  Windows XP Assistance / Security-Virus/Spyware / Re: [Antichrist] [Day of judgment]-I really need help on: April 15, 2008, 06:13:16 PM
Here I be. This looks like a fun one as it does a lot of registry changes

So let's go to work - I will do some exploratory removal first and progress from there

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:






  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**