Installation Problems on the 8-step

Status
Not open for further replies.

Kraminator

Hi, I've been following the 8 step program as well as I have been able to, but I've run across some problems. When trying to install SuperAntiSpyware, I get an error saying The system admin has set policies to prevent this installation. I also get this when trying to install the latest Java. Also, when I start up my computer I don't select to enter safe mode; however, my current situation with the OS seems to have some characteristics of safe mode such as old-style toolbars without the option to change it to windows xp theme, along with some other safe mode characteristics. I've attached MBAM, HiJackthis, and Combofix logs in case they're needed. Thanks in advance.

Well after trying to cure my computer of whatever cancer it previously had, I've come to yet another problem. My computer starts up in a semi-safe mode. What I mean by that is I spam F8 upon my computer starting up, select enter using Normal Mode, but when I load in it asks me if I want to log in as Admin or my normal account (it never did this before; it went straight to my account). My wallpaper is what it used to be and it doesn't say safe mode everywhere, but it has the safe-mode theme (the old windows toolbar and windows look), and there's no option to change it to the windows xp theme. Also, when I try to install some programs it gives me the error that the admin has prevented me from doing this. I've looked in msconfig and /SAFEBOOT is unchecked. This new demeanor started happening after I ran ComboFix, which seemed to fix a lot of my problems except the current one I'm having. Can anyone help me?
 

Attachments

  • hijackthis.log (9.4 KB)
  • ComboFix.txt (16 KB)
OK we can fix the screen if not by fixing the Malware.

Run MBAM and post another log!

Another ComboFix log.

Then reboot to Safe Mode Networking and try SAS again.

Mike
 
I ran combofix, then mbam, then combofix again. I tried to install SAS again in safe mode, but to no avail. I've attached the logs in sequential order (combofix before I scanned with mbam, and then again afterwards).


After using combofix, is it normal for the taskbar and everything else except for the wallpaper to disappear? That's what happens to me, and forces me to force-shut down my computer by holding down the power button.

EDIT: I'm pretty sure my computer thinks I'm in safe-mode. When I tried to load the luna(windows XP) theme, it said that that service wasn't enabled, but could be through administrative tools. So I tried to enable the themes tool through administrative tools, but it gave me an error saying I couldn't due to me being in safe-mode. Any idea as to why my computer insists on going into safe-mode even though I tell it to go into normal mode on startup and even in msconfig it says to start up normally?
 
Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end.

We will address the screen issues when we are clean; ignore it for now!

Update then run MBAM Quick scan once more to confirm removal of what it found last run.

Then to get SAS installed...

Download the Alternate Installer: http://downloads.superantispyware.com/downloads/SAS_FREE.EXE
Then if it installs but will not run, download and use this: http://www.superantispyware.com/downloads/RUNSAS.EXE

You have both Mcafee and Avira. It is not good to have more than one full fledged Virus scanner.

You should uninstall one of them. I and most on this board recommend Avira even over the paid versions of Mcafee and Norton.

Mike
 
I ran HJT and found 2 lines with (no file) at the end, both were BHO. Afterwards, I ran a quick-scan twice and mbam couldn't find anything.

I uninstalled McAfee, I've heard that it's a resource hog and not very good.

And I still could not install superantispyware, regardless of which installer I tried to use.
 
Yes it is a resource hog!

You should run the Mcafee removal tool: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

--------------------------------------------------------------------------------------------------------------------------
Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del /f /q /s tdss*.*
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del /f /q c:\WINDOWS\system32\ieupdates.exe
del /f /q c:\WINDOWS\system32\scui.cpl
del /f /q c:\WINDOWS\system32\winsrc.dll

attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del /f /q "c:\program files\xwdxqu.txt"
del /f /q c:\windows\x
del /f /q c:\windows\SxsCaPendDel

attrib -h -s -r c:\windows\system32\drivers\qh3s.sys
attrib -h -s -r c:\windows\system32\drivers\jsdpp32.sys
attrib -h -s -r c:\windows\system32\drivers\oxauau96.sys

del /f /q c:\windows\system32\drivers\qh3s.sys 
del /f /q c:\windows\system32\drivers\jsdpp32.sys
del /f /q c:\windows\system32\drivers\oxauau96.sys

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

:: service name matches the Services key deleted further down
sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop WinSvchostManager
sc delete WinSvchostManager

sc stop ntndis
sc delete ntndis

attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"

del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"

sc stop u_lehj
sc delete u_lehj

attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
del /f /q "c:\program files\Common Files\System\u_lehj32.dll"

attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"

del /f /q "C:\WINDOWS\system32\svcprs32.exe"
del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del /f /q "C:\WINDOWS\system32\mdmcls32.exe"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit!

It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

Mike
 
Thanks for the quick reply. I pasted that into a cmd black command box, and it ran but didn't do anything afterwards. What now?

Posted what appeared in my CMD box

Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Anonymous>@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
exefile="%1" %*
ftype batfile="%1" %*
batfile="%1" %*
ftype cmdfile="%1" %*
cmdfile="%1" %*
ftype comfile="%1" %*
comfile="%1" %*
ftype scrfile="%1" /S
scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
regfile="regedit.exe" "%1"
ftype piffile="%1" %*
piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
inffile=C:\WINDOWS\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
vbsfile=C:\WINDOWS\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
jsfile=C:\WINDOWS\System32\WScript.exe "%1" %*

assoc .exe=exefile
.exe=exefile
assoc .bat=batfile
.bat=batfile
assoc .cmd=cmdfile
.cmd=cmdfile
assoc .com=comfile
.com=comfile
assoc .scr=scrfile
.scr=scrfile
assoc .reg=regfile
.reg=regfile
assoc .pif=piffile
.pif=piffile
assoc .lnk=lnkfile
.lnk=lnkfile
assoc .inf=inffile
.inf=inffile
assoc .vbs=VBSFile
.vbs=VBSFile
assoc .js=JSFile
.js=JSFile

sc stop TDSSserv.sys
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

sc delete TDSSserv.sys
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
data"

Error:  The parameter is incorrect.
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"

Error:  The parameter is incorrect.
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdss
data" /f

The operation completed successfully
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f

The operation completed successfully
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
 
If it ran and exited on its own it did what it was supposed to do!

Redownload and replace the normal SAS and try the install again.

Mike
 
It ran, but did not exit. I also tried installing SAS again but still got the error "The system admin has set up policies to prevent this installation." Whenever I try to do a workaround, I get an error saying that it can't be installed in safe-mode.

I've attached a screenshot of my current desktop to give you more of an idea of what I mean by "semi-safe-mode". It also doesn't allow me to change my theme due to "being in safe mode".
 
Oh I think I see!

Rt click My computer-Properties-Advanced-Performance-Settings-Adjust for best performance then put check in Use visual styles...., Use common tasks and Smooth edges of screen fonts. Apply and OK all the way out!

Then

Rt click an empty spot on DeskTop-Properties, click Appearance, here choose Windows XP style under Windows and buttons. Then on same page click Effects, choose ClearType in the second box!

Then click Settings-Advanced-Adapter-List all modes and choose your preferred resolution and the highest Hertz for that setting. Apply and OK out.

Now for the SAS

D/L and install Windows Resource Kit
Listed as 2003 but works in Vista, XP and 2K
http://www.microsoft.com/downloads/...69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

The install must be to the default location; do not change it.

Then do the below

Left Drag mouse and Copy for Pasting all text in the box below.
Make sure the slider bar goes to bottom from the @ to the end of the second exit.
Then paste to the black screen of an open command prompt.
Code:
@echo off
:: Fix Access denied
cd /d "%ProgramFiles%\Windows Resource Kits\Tools"

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
exit
exit
Mike
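A read-only check, added here as an example and not part of Mike's or the OP's posts, that reports the settings behind the two symptoms in this thread (the "policies prevent this installation" error and the safe-mode-only theme) before any repair script is run. The registry keys and service names are real Windows ones; that a normally booted XP machine shows no OptionValue and no DisableMSI value is the assumption it tests against.

```batch
@echo off
:: Added diagnostic (not from the thread): report, do not change.
:: Assumption: a normal boot has no SafeBoot OptionValue and no DisableMSI policy.
setlocal

echo === Safe-boot flag (present only while Windows is booted into Safe Mode) ===
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option" /v OptionValue 2>nul
if errorlevel 1 (
  echo OptionValue absent: the kernel did NOT boot in Safe Mode
) else (
  echo OptionValue present: 1 = Minimal, 2 = Networking. Seen after a normal boot, something wrote it.
)

echo.
echo === Windows Installer policy (source of "policies prevent this installation") ===
:: DisableMSI: 1 = block per-user installs, 2 = block all installs
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v DisableMSI 2>nul
if errorlevel 1 echo DisableMSI not set
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v DisableUserInstalls 2>nul
if errorlevel 1 echo DisableUserInstalls not set

echo.
echo === Services the thread's repair script re-enables (start type and state) ===
for %%S in (Themes MSIServer RpcSs) do (
  echo --- %%S
  sc qc %%S | findstr /i "START_TYPE"
  sc query %%S | findstr /i "STATE"
)

echo.
echo === boot.ini entries carrying msconfig's /SAFEBOOT switch ===
findstr /i "safeboot" %SystemDrive%\boot.ini
if errorlevel 1 echo (none)
endlocal
```

Save it as a .bat file and run it from a command prompt; the %%S form is for a batch file and would need a single % if the lines were pasted at the prompt instead.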
 
Your instructions worked until you told me to right click, into appearance; the only option was Windows Classic. I'm pretty sure this is caused by my computer thinking it's in safe-mode for some reason.

Also, it wouldn't allow me to install the resource kit because "The system admin has made policies preventing this installation".

I ran the command you told me to, it exited, but it still won't let me install some things.

Like I said, I think the root of this problem is that my computer thinks I'm in some sort of safe-mode, even though I don't tell it to.
 
Do the below, then go back through the settings again:

Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

Code:
@echo off
sc config Alerter start= disabled
sc stop Alerter

sc config AeLookupSvc start= disabled
sc stop AeLookupSvc

sc config ClipBook start= disabled
sc stop ClipBook

sc config Dfs start= disabled
sc stop Dfs

sc config FastUserSwitchingCompatibility start= disabled
sc stop FastUserSwitchingCompatibility

sc config TrkWks start= disabled
sc stop TrkWks

sc config TrkSvr start= disabled
sc stop TrkSvr

sc config DNSCache start= disabled
sc stop DNSCache

sc config ERSvc start= disabled
sc stop ERSvc

sc config HidServ start= disabled
sc stop HidServ

sc config PolicyAgent start= disabled
sc stop PolicyAgent

sc config CiSvc start= disabled
sc stop CiSvc

sc config IsmServ start= disabled
sc stop IsmServ

sc config kdc start= disabled
sc stop kdc

sc config LicenseService start= disabled
sc stop LicenseService

sc config Messenger start= disabled
sc stop Messenger

sc config Netlogon start= disabled
sc stop Netlogon

sc config NetTcpPortSharing start= disabled
sc stop NetTcpPortSharing

sc config mnmsrvc start= disabled
sc stop mnmsrvc

sc config NetDDE start= disabled
sc stop NetDDE

sc config NetDDEdsdm start= disabled
sc stop NetDDEdsdm

sc config NtLmSsp start= disabled
sc stop NtLmSsp

sc config SysmonLog start= disabled
sc stop SysmonLog

sc config RSVP start= disabled
sc stop RSVP

sc config SSDPSRV start= disabled
sc stop SSDPSRV

sc config upnphost start= disabled
sc stop upnphost

sc config WMPNetworkSvc start= disabled
sc stop WMPNetworkSvc

sc config WmiApSrv start= disabled
sc stop WmiApSrv

sc config WmdmPmSN start= disabled
sc stop WmdmPmSN

sc config RemoteRegistry start= disabled
sc stop RemoteRegistry

sc config RemoteAccess start= disabled
sc stop RemoteAccess

sc config SCardSvr start= disabled
sc stop SCardSvr

sc config TlnSvr start= disabled
sc stop TlnSvr

sc config UPS start= disabled
sc stop UPS

sc config WebClient start= disabled
sc stop WebClient

sc config DNSCache start= disabled
sc stop DNSCache

:: sc only accepts auto (not Automatic) for start=, and needs the space after =
sc config RpcSs start= auto
sc start RpcSs

sc config RpcLocator start= auto
sc start RpcLocator

sc config MSIServer start= auto
sc start MSIServer

sc config Themes start= auto
sc start Themes
exit
exit

Mike
 
When I tried to install the Luna theme, I got an error saying "The theme couldn't be loaded because the theme service is not running. You can activate it in control panel....". I tried activating it, but I just got another error saying that I can't do that because I'm in safe mode.
 
Well, it seems as if things have taken a turn for the better.

I had an idea of starting up my comp in the last known good config, then from there starting in safe mode and doing some scans. To my pleasant surprise, when I loaded the last good config, everything worked! I'm running mbam scans and I installed superantispyware ( :D ). I'm going to do a full cleaning now, but it appears as if things have stabled off. I'm not sure what did it, but thank you for your persistence in helping me!
 