TechSpot

Installation Problems on the 8-step

By Kraminator
Mar 16, 2009
  1. Hi, I've been following the 8 step program as well as I have been able to, but I've run across some problems. When trying to install SuperAntiSpyware, I get an error saying "The system admin has set policies to prevent this installation." I also get this when trying to install the latest Java. Also, when I start up my computer I don't select to enter safe mode; however, my current situation with the OS seems to have some characteristics of safe mode, such as old-style toolbars without the option to change it to the Windows XP theme, along with some other safe mode characteristics. I've attached MBAM, HiJackThis, and ComboFix logs in case they're needed. Thanks in advance.

    Well, after trying to cure my computer of whatever cancer it previously had, I've come to yet another problem. My computer starts up in a semi-safe mode. What I mean by that is I spam F8 upon my computer starting up, select enter using Normal Mode, but when I load in it asks me if I want to log in as Admin or my normal account (it never did this before; it went straight to my account). My wallpaper is what it used to be and it doesn't say safe mode everywhere, but it has the safe-mode theme (the old Windows toolbar and Windows look), and there's no option to change it to the Windows XP theme. Also, when I try to install some programs it gives me the error that the admin has prevented me from doing this. I've looked in msconfig and /SAFEBOOT is unchecked. This new demeanor started happening after I ran ComboFix, which seemed to fix a lot of my problems except the current one I'm having. Can anyone help me?
     

    Attached Files:

  2. mflynn

    mflynn TS Rookie Posts: 2,655

    OK we can fix the screen if not by fixing the Malware.

    Run MBAM and post another log!

    Another ComboFix log.

    Then reboot to Safe Mode Networking and try SAS again.

    Mike
     
  3. Kraminator

    Kraminator TS Rookie Topic Starter

    I ran ComboFix, then MBAM, then ComboFix again. I tried to install SAS again in safe mode, but to no avail. I've attached the logs in sequential order (ComboFix before I scanned with MBAM, and then again afterwards).


    After using ComboFix, is it normal for the taskbar and everything else except for the wallpaper to disappear? That's what happens to me, and it forces me to force-shut down my computer by holding down the power button.

    EDIT: I'm pretty sure my computer thinks I'm in safe-mode. When I tried to load the Luna (Windows XP) theme, it said that that service wasn't enabled, but could be through Administrative Tools. So I tried to enable the Themes service through Administrative Tools, but it gave me an error saying I couldn't due to me being in safe-mode. Any idea as to why my computer insists on going into safe-mode even though I tell it to go into normal mode on startup, and even in msconfig it says to start up normally?
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Run HJT "Scan only" and select and Fix all lines listed below:
    Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end.

    We will address the screen issues when we are clean; ignore it for now!

    Update then run MBAM Quick scan once more to confirm removal of what it found last run.

    Then to get SAS installed...

    Download the Alternate Installer: http://downloads.superantispyware.com/downloads/SAS_FREE.EXE
    Then, if it installs but will not run, download and use this: http://www.superantispyware.com/downloads/RUNSAS.EXE

    You have both McAfee and Avira. It is not good to have more than one full-fledged virus scanner.

    You should uninstall one of them. I, and most on this board, recommend Avira, even over the paid versions of McAfee and Norton.

    Mike
     
  5. Kraminator

    Kraminator TS Rookie Topic Starter

    I ran HJT and found 2 lines with (no file) at the end; both were BHOs. Afterwards, I ran a quick scan twice and MBAM couldn't find anything.

    I uninstalled McAfee; I've heard that it's a resource hog and not very good.

    And I still could not install SuperAntiSpyware, regardless of which installer I tried to use.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes it is a resource hog!

    You should run the McAfee removal tool: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

    --------------------------------------------------------------------------------------------------------------------------
    Left drag the mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt. Not all may apply, so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del /f /q /s tdss*.*
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
    del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del /f /q c:\WINDOWS\system32\ieupdates.exe
    del /f /q c:\WINDOWS\system32\scui.cpl
    del /f /q c:\WINDOWS\system32\winsrc.dll
    
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del /f /q "c:\program files\xwdxqu.txt"
    del /f /q c:\windows\x
    del /f /q c:\windows\SxsCaPendDel
    
    attrib -h -s -r c:\windows\system32\drivers\qh3s.sys
    attrib -h -s -r c:\windows\system32\drivers\jsdpp32.sys
    attrib -h -s -r c:\windows\system32\drivers\oxauau96.sys
    
    del /f /q c:\windows\system32\drivers\qh3s.sys 
    del /f /q c:\windows\system32\drivers\jsdpp32.sys
    del /f /q c:\windows\system32\drivers\oxauau96.sys
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del /f /q  "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    sc stop u_lehj
    sc delete u_lehj
    
    attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
    del /f /q "c:\program files\Common Files\System\u_lehj32.dll"
    
    attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    
    del /f /q "C:\WINDOWS\system32\svcprs32.exe"
    del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    :: /v names the value to remove under the Run key (without it, reg delete rejects the extra argument)
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore it.

    Mike
     
  7. Kraminator

    Kraminator TS Rookie Topic Starter

    Thanks for the quick reply. I pasted that into a cmd black command box, and it ran but didn't do anything afterwards. What now?

    Posted what appeared in my CMD box:

    Code:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    
    C:\Documents and Settings\Anonymous>@echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    exefile="%1" %*
    ftype batfile="%1" %*
    batfile="%1" %*
    ftype cmdfile="%1" %*
    cmdfile="%1" %*
    ftype comfile="%1" %*
    comfile="%1" %*
    ftype scrfile="%1" /S
    scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    inffile=C:\WINDOWS\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    vbsfile=C:\WINDOWS\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    jsfile=C:\WINDOWS\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    .exe=exefile
    assoc .bat=batfile
    .bat=batfile
    assoc .cmd=cmdfile
    .cmd=cmdfile
    assoc .com=comfile
    .com=comfile
    assoc .scr=scrfile
    .scr=scrfile
    assoc .reg=regfile
    .reg=regfile
    assoc .pif=piffile
    .pif=piffile
    assoc .lnk=lnkfile
    .lnk=lnkfile
    assoc .inf=inffile
    .inf=inffile
    assoc .vbs=VBSFile
    .vbs=VBSFile
    assoc .js=JSFile
    .js=JSFile
    
    sc stop TDSSserv.sys
    [SC] OpenService FAILED 1060:
    
    The specified service does not exist as an installed service.
    
    sc delete TDSSserv.sys
    [SC] OpenService FAILED 1060:
    
    The specified service does not exist as an installed service.
    
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
    data"
    
    Error:  The parameter is incorrect.
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    
    Error:  The parameter is incorrect.
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
    data" /f
    
    The operation completed successfully
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    
    The operation completed successfully
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    If it ran and exited on its own it did what it was supposed to do!

    Redownload and replace the normal SAS and try the install again.

    Mike
     
  9. Kraminator

    Kraminator TS Rookie Topic Starter

    It ran, but did not exit. I also tried installing SAS again but still got the error "The system admin has set up policies to prevent this installation." Whenever I try to do a workaround, I get an error saying that it can't be installed in safe-mode.

    I've attached a screenshot of my current desktop to give you more of an idea of what I mean by "semi-safe-mode". It also doesn't allow me to change my theme due to "being in safe mode".
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    Oh I think I see!

    Rt click My Computer-Properties-Advanced-Performance-Settings-Adjust for best performance, then put a check in Use visual styles..., Use common tasks and Smooth edges of screen fonts. Apply and OK all the way out!

    Then

    Rt click an empty spot on the Desktop-Properties, click Appearance and here choose Windows XP style under Windows and buttons. Then on the same page click Effects and choose ClearType in the second box!

    Then click Settings-Advanced-Adapter-List all modes and choose your preferred resolution and the highest Hertz for that setting. Apply and OK out.

    Now for the SAS:

    D/L and install the Windows Resource Kit.
    Listed as 2003 but works in Vista, XP and 2K:
    http://www.microsoft.com/downloads/...69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

    The install must be to the default location; do not change it.

    Then do the below.

    Left drag the mouse and Copy for Pasting all text in the box below.
    Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt.
    Code:
    @echo off
    :: Fix Access denied
    cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
    
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
    subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
    
    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
    exit
    exit
    Mike
     
  11. Kraminator

    Kraminator TS Rookie Topic Starter

    Your instructions worked until you told me to right click into Appearance; the only option was Windows Classic. I'm pretty sure this is caused by my computer thinking it's in safe-mode for some reason.

    Also, it wouldn't allow me to install the resource kit because "The system admin has made policies preventing this installation".

    I ran the command you told me to; it exited, but it still won't let me install some things.

    Like I said, I think the root of this problem is that my computer thinks I'm in some sort of safe-mode, even though I don't tell it to.
     
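    A read-only check that fits the question above: whether Windows really booted in Safe Mode, whether msconfig's SAFEBOOT switch sits in boot.ini, the start type and state of the Themes and Windows Installer services, and the Installer and Software Restriction policies behind the "system administrator has set policies" message. This is an added example, not a script posted by anyone in the thread; the registry keys, service names and Windows Installer error number are standard Windows XP ones, and the layout of the report is my own. Save it as a .cmd file (the %%S loop variable only works inside a batch file, not pasted into a prompt) and run it from an Administrator account; it changes nothing.

```batch
@echo off
:: Added diagnostic (not from the thread): read-only report of the settings
:: that make Windows XP act as if it booted in Safe Mode and that block
:: MSI-based installers. Run from an Administrator account; changes nothing.
setlocal

echo === Boot mode ===
:: SafeBoot\Option exists only when the kernel actually booted in Safe Mode
:: (OptionValue 1 = Minimal, 2 = With Networking). It is absent on a normal boot.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option" /v OptionValue 2>nul
if errorlevel 1 echo SafeBoot\Option not present: this session is a normal boot.

:: msconfig's /SAFEBOOT box writes a /safeboot switch into boot.ini.
findstr /i "safeboot" %SystemDrive%\boot.ini
if errorlevel 1 echo No /safeboot switch found in %SystemDrive%\boot.ini (or boot.ini not readable).

echo.
echo === Services behind the Luna theme and Windows Installer ===
:: Themes must be running for the Windows XP style; MSIServer and RpcSs
:: must be available for .msi installers to run at all.
for %%S in (Themes MSIServer RpcSs) do (
    echo --- %%S ---
    sc qc %%S | findstr /i "START_TYPE DISPLAY_NAME"
    sc query %%S | findstr /i "STATE"
)

echo.
echo === Installer and software-restriction policies ===
:: DisableMSI = 1 or 2 is the usual source of "The system administrator has
:: set policies to prevent this installation" (Windows Installer error 1625).
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v DisableMSI 2>nul
if errorlevel 1 echo DisableMSI not set: Windows Installer policy is at its default.

:: Software Restriction Policies: DefaultLevel 0x0 = Disallowed,
:: 0x40000 = Unrestricted. A Disallowed default also rejects installers.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v DefaultLevel 2>nul
if errorlevel 1 echo No Software Restriction Policy default level is set.

echo.
echo === Executable associations (expected: .exe=exefile and exefile="%%1" %%*) ===
assoc .exe
ftype exefile

endlocal
```

    Read the report top to bottom: a missing SafeBoot\Option key together with a disabled or stopped Themes service points at a service that was switched off rather than a real Safe Mode boot, and a DisableMSI value or a Disallowed SRP default explains a blocked installer before any file-deletion script is run.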
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    Do the below, then go back through the settings again:

    Left drag the mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt. Not all may apply, so ignore errors.

    Code:
    @echo off
    sc config Alerter start= disabled
    sc stop Alerter
    
    sc config AeLookupSvc start= disabled
    sc stop AeLookupSvc
    
    sc config ClipBook start= disabled
    sc stop ClipBook
    
    sc config Dfs start= disabled
    sc stop Dfs
    
    sc config FastUserSwitchingCompatibility start= disabled
    sc stop FastUserSwitchingCompatibility
    
    sc config TrkWks start= disabled
    sc stop TrkWks
    
    sc config TrkSvr start= disabled
    sc stop TrkSvr
    
    sc config DNSCache start= disabled
    sc stop DNSCache
    
    sc config ERSvc start= disabled
    sc stop ERSvc
    
    sc config HidServ start= disabled
    sc stop HidServ
    
    sc config PolicyAgent start= disabled
    sc stop PolicyAgent
    
    sc config CiSvc start= disabled
    sc stop CiSvc
    
    sc config IsmServ start= disabled
    sc stop IsmServ
    
    sc config kdc start= disabled
    sc stop kdc
    
    sc config LicenseService start= disabled
    sc stop LicenseService
    
    sc config Messenger start= disabled
    sc stop Messenger
    
    sc config Netlogon start= disabled
    sc stop Netlogon
    
    sc config NetTcpPortSharing start= disabled
    sc stop NetTcpPortSharing
    
    sc config mnmsrvc start= disabled
    sc stop mnmsrvc
    
    sc config NetDDE start= disabled
    sc stop NetDDE
    
    sc config NetDDEdsdm start= disabled
    sc stop NetDDEdsdm
    
    sc config NtLmSsp start= disabled
    sc stop NtLmSsp
    
    sc config SysmonLog start= disabled
    sc stop SysmonLog
    
    sc config RSVP start= disabled
    sc stop RSVP
    
    sc config SSDPSRV start= disabled
    sc stop SSDPSRV
    
    sc config upnphost start= disabled
    sc stop upnphost
    
    sc config WMPNetworkSvc start= disabled
    sc stop WMPNetworkSvc
    
    sc config WmiApSrv start= disabled
    sc stop WmiApSrv
    
    sc config WmdmPmSN start= disabled
    sc stop WmdmPmSN
    
    sc config RemoteRegistry start= disabled
    sc stop RemoteRegistry
    
    sc config RemoteAccess start= disabled
    sc stop RemoteAccess
    
    sc config SCardSvr start= disabled
    sc stop SCardSvr
    
    sc config TlnSvr start= disabled
    sc stop TlnSvr
    
    sc config UPS start= disabled
    sc stop UPS
    
    sc config WebClient start= disabled
    sc stop WebClient
    
    sc config DNSCache start= disabled
    sc stop DNSCache
    
    :: sc config only accepts auto (not Automatic) as a start type, and needs a space after start=
    sc config RpcSs start= auto
    sc start RpcSs
    
    sc config RpcLocator start= auto
    sc start RpcLocator
    
    sc config MSIServer start= auto
    sc start MSIServer
    
    sc config Themes start= auto
    sc start Themes
    exit
    exit
    Mike
     
  13. Kraminator

    Kraminator TS Rookie Topic Starter

    I pasted what you said in the black box. I'm pretty sure it ran correctly, but I still ran into the same problems. :(
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, we will get it!

    Go here: http://www.kellys-korner-xp.com/xp_tweaks.htm Scroll down to line 187 and get both (left and right). Dbl click each Reg file and approve adding it to the registry.

    If the file opens when clicked, then close it, rt click and use Save As.

    Mike
     
  15. Kraminator

    Kraminator TS Rookie Topic Starter

    When I tried to install the Luna theme, I got an error saying "The theme couldn't be loaded because the Themes service is not running. You can activate it in Control Panel....". I tried activating it, but I just got another error saying that I can't do that because I'm in safe mode.
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

  17. Kraminator

    Kraminator TS Rookie Topic Starter

    Well, it seems as if things have taken a turn for the better.

    I had an idea of starting up my comp in the Last Known Good Configuration, then from there starting in safe mode and doing some scans. To my pleasant surprise, when I loaded the last good config, everything worked! I'm running MBAM scans and I installed SuperAntiSpyware ( :D ). I'm going to do a full cleaning now, but it appears as if things have stabled off. I'm not sure what did it, but thank you for your persistence in helping me!
     
Topic Status:
Not open for further replies.
