Windows installer problems in XP

Status
Not open for further replies.

mastermiaow

Hi

At the moment I am unable to install any anti virus package. I have tried both McAfee and Avast. I have spoken to someone from technical support at my broadband provider, which provides McAfee as part of the broadband package, and he thinks it is a problem with Windows Installer. With McAfee I got an installation error message. I have run malware and Panda anti virus scan and have deleted the trojans that I found but I am still unable to install antivirus.
The error message I got from my attempt with avast.exe is in the attached file:

I wonder if anyone has any advice?

Many thanks

Matthew
 
thanks

Your suggestion worked and I really appreciate it :wave:
Maybe you also have suggestions for how to run the BT connection manager for mobile broadband, in that every time I install it, it almost freezes the system. I am not sure if this is a Windows Installer problem as well. But although there is an icon showing in the task bar that it is running, I am unable to run the programme from the shortcut on the desktop.

Anyway thanks again for your help :)

Matthew
 
Matthew, please scan with HijackThis so I can see what AV entries are on the system:

Please download HijackThis from here.

Save it to a permanent folder (such as C:\HJT).

Next, open HijackThis, and select Do a system scan and save a logfile.

A Notepad document will open. Please attach the log on your next reply.
 
hijack this

Thanks for this, Bobbye

My computer does seem to be playing up still despite having run Malwarebytes anti malware, Panda anti virus online scan and now having Avast up and running. It seems to use a lot of resources for no apparent reason and of course I can't run the mobile broadband software.
Here is the log attached.

Many thanks again

Matthew
 
Matthew, I see that you are very active with BitComet. This is a file sharing program. The P2P programs almost always add malware to the system. I recommend you uninstall it.

If you decide not to, please do not use it during our time together. If you do and I see it is adding to the system problems, I will withdraw my support.

You have two antivirus programs running, Avast and Eset Nod32. Please uninstall one of them.
You also have 4 online Active scanners running and that is not fine. You need to disable/remove them. HijackThis can remove some entries and you will then disable the Active X processes.

You are very out of date with both Java and Adobe Reader. These present vulnerabilities to the system. They will be updated. We need to clean your system up!

You also have processes running in the background that started on boot. I will have you stop those.

IF at any time you decide you don't want to do these things, please let me know. Ask questions if you don't understand.

This is not a malware cleaning; that can't be done with just a HijackThis log. But I see some conflict potential and you can stop that.

Please reopen HijackThis to 'do system scan only'
Check each of the following if present. Do not click on 'Fix Checked' until you have checked each entry:

C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\Cyb2k.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bitcomet.com/client/install-finish/?l=en_us
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab


Close all Windows except for HijackThis. Click on 'Fix Checked.'

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Go to Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck everything EXCEPT the following:
Any Avast entries
MouseDrv.exe
PS2USBKbdDrv.exe
hkcmd.exe (IF you are using HotKeys)

Control Panel> Add/Remove Programs> UNINSTALL the following if present:
C:\Program Files\Eset\nod32krn.exe
BitComet as advised


Disable online AV scanners:
Open Internet Explorer> Tools> Manage Add-ons> find each of the following (there are 2 sections in the dialog box: add-ons currently used and add-ons previously used; look in both sections)> highlight> Disable:
ewidoOnlineScan (or any AVG entry)
trendmicro.com/housecall
BDSCANONLINE
eset/nod32


Reboot the system into Normal Mode: NOTE: ignore and close the nag message after checking 'don't show this message again.' Stay in Selective Startup.

Let me know how this works.
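The post above reads a HijackThis log by its section codes (O4 autostarts, O9 browser buttons, O16 ActiveX objects and so on). As an added example that is not part of the original post, this Python sketch groups such lines by code and flags ActiveX objects fetched over plain http and entries marked "(file missing)"; the sample lines are copied from the list in the post, and the function names and section descriptions are this example's own.

```python
import re
from collections import Counter

# Short descriptions of the section codes that appear in this thread.
SECTION_MEANING = {
    "R1": "Internet Explorer start/search page registry value",
    "O2": "Browser Helper Object",
    "O3": "Internet Explorer toolbar",
    "O4": "Autostart entry (Run key or Startup folder)",
    "O8": "Extra item in the IE right-click menu",
    "O9": "Extra IE button or Tools menu item",
    "O12": "Internet Explorer plugin",
    "O16": "ActiveX object (Downloaded Program Files)",
}

# Sample input: lines copied from the list in the post (raw string keeps the backslashes).
SAMPLE_LOG = r'''
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
'''

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entry(line):
    """Parse one 'Oxx - ...' line; return None for anything else (e.g. process paths)."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m["body"]
    clsid = CLSID_RE.search(body)
    source = body.rsplit(" - ", 1)[-1]  # last field: file path or download URL
    return {
        "code": m["code"],
        "meaning": SECTION_MEANING.get(m["code"], "section not covered here"),
        "clsid": clsid.group(0).upper() if clsid else None,
        "file_missing": body.endswith("(file missing)"),
        "cleartext_source": source if source.startswith("http://") else None,
        "raw": line,
    }


def triage(log_text):
    """Summarise a log: entries per section, ActiveX over http, dangling entries."""
    entries, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            unparsed += 1
        else:
            entries.append(entry)
    return {
        "counts": dict(Counter(e["code"] for e in entries)),
        "activex_over_http": [e["clsid"] for e in entries
                              if e["code"] == "O16" and e["cleartext_source"]],
        "file_missing": [e["clsid"] or e["raw"] for e in entries if e["file_missing"]],
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

The four O16 results correspond to the four online scanners the post asks to disable.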
 
Additional:

Update Java:

Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 14 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Remove the older versions of Java:

1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 14

Update Adobe Reader 9.1
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version : https://www.techspot.com/downloads/345-adobe-reader.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

Uninstall any earlier Adobe Reader entries after update.

How could users remove the HouseCall 6.5 Internet Explorer ActiveX Plug-in?
You can do this to remove processes from the system.

    1. Stop HouseCall scanning, if enabled.
    2. Open the browser and then click Tools > Internet Options.
    3. Click the General tab and then click Settings under the Temporary Internet files section.
    4. Click View Objects and then right-click HouseCall ActiveX 6.5.
    5. Click Remove.

    Note: Deleting these folders also removes all the quarantined files and backup files from previous scans or cleans, as well as log files.
    Where does HouseCall 6.5 store the ActiveUpdate TmuDumpt.txt log file?
 
Thank you Bobbye

Hi Bobbye

I wrote you a long message but Firefox ended suddenly and it was all deleted so here goes again! First I really appreciated your help - you don't know me and yet you took the time to help a complete stranger...
I have followed your instructions but unfortunately could not install Java and am attaching printscreen of error message.
Otherwise I have uninstalled BitComet. Would you recommend a safer file sharing software? I normally download music and videos and would like to continue doing this...
Also I have previously tried to install sp3 for windows (I assume good for security) but it has resulted in my not being able to open excel files and so I restored to earlier point - do you think again I should try to download and install sp3 again?

Many thanks again Bobbye
 
Sorry I missed it Matthew. I think everyone has had a long message sail off into cyberspace!

Go to the Control Panel> Add/Remove Programs> Uninstall any Java there.
Then go to the download site and try for Java v6u14 again: http://java.com/en/download/manual.jsp

As for file sharing: is one better than another? I don't think so. IF you're going to share files, you'll also share malware. Unfortunately, that's how it works. Here are some references that might help you understand better:

Credits to kritius:
P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitComet

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here (http://p2p.malwareremoval.com/)

I would recommend that you uninstall BitComet, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

You do not have to share files to download music and videos. I think the draw to 'sharing' is avoiding the copyright restrictions.

I'd like you to run a full system scan with the AV. Save the log and attach it here> if you got one on the system,

Follow with new scan with HijackThis after following the removals instructions and attach new log.
 
still problems!

Hi Bobbye

I uninstalled java but on attempt to install of v6u14, it is still showing same error message as last time as per print screen.
I ran panda online virus scan and it came up with lots of infected files which I am attaching. The scan took far longer than an hour (30% after 90 mins and I had to go out so not sure how long it took).
I also did hijack this and am attaching.
What programme do you recommend for downloading music and videos?

Many thanks again

Matthew
 
Matthew, in the future, please don't include .doc files. They can present a danger to us opening them.

The malware is in the restore points. Do not use the System Restore feature. When the system is clean, we have you drop the old restore points and set a new, clean one.

At the beginning of this thread, I had you run HijackThis only to see how many AV programs were running- but that is not a malware cleaning. The cleaning includes running Malwarebytes and Superantispyware: The second program finds and removes the Tracking Cookies.

To prevent them in the future:
Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: http://easylist.adblockplus.org/

You can now delete all the quarantined items from the AV scan.

I don't see any homepage set up in the HijackThis log.

Special Consideration: I suspect you got the AskBar from a pre-checked download or update screen. Watch that carefully. You have to uncheck it before downloading. Most of us don't recommend using the AskBar. It tends to share many ads.

Here are the removal instructions:
How to completely remove the AskBar Toolbar:
(Credit to CoolBusterAtYourService)
Part 1

    1. Open Firefox.
    2. Go to Tools \ Add-ons.
    3. Highlight "Askbar Toolbar" and then click Uninstall.
    4. Restart Firefox.

    Part 2
    After uninstalling AskBar in Firefox:
    1. Open CCleaner (if you don't have it yet, click HERE to download latest version).
    2. Click "Cleaner", click "Analyze" and then click "Run cleaner".
    3. Click "Registry" and then "Scan for Issues".
    4. You will see "Obsolete software key | AskBarDis | HKCU\Software\AskBarDis".
    5. Click "Fix selected issues...", close CCleaner.

    Part 3
    1. Open HijackThis (to 'do system scan only')
    2. Check the following entries if present:

    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

    Also delete if you see the following:
    O4 - HKLM\..\RunOnce: [AskSBar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3)

    3. Click "Fix checked"> Yes> OK.
    4. Click "Main Menu", click "View the List of backups".
    5. Select / mark the same registry files which were deleted in Step number 3.
    6. In the right pane, click "Delete", or "Delete All" and then "Yes".
    7. Close HijackThis and you're done.

Optional: Run CCleaner once more before you restart computer.


When you have finished the above, please do the following:
Run Malwarebytes
Run Superantispyware
Rescan with HijackThis

Attach logs for all 3 programs.
 
Instructions followed

Hey Bobbye

Many thanks again for your comprehensive instructions. It has taken me some time to follow everything through! Everything seems to be working a lot better although I have not tried to install the mobile broadband software which was one of the original problems.

  • firefox
Firefox didn't give me the option to just delete all third party cookies

  • askbar
could not find askbar toolbar in addons of firefox

  • askbardis
didn't find obsolete software key AskBarDis in CCleaner but did find it in HijackThis: O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

  • Hijack this
I only fixed the askbardis not all the other ones which were listed

I didn't find these
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\RunOnce: [AskSBar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3)

I ran Malwarebytes and HijackThis and am attaching logs. I could not find a way to attach a log of Superantispyware so took a print screen but it is in Word and you said don't attach docs... It found an adware tracking cookie and a trojan agent Gen Fakey.
Should I now download Java? Windows SP3?
What software programme would you recommend for downloading music or videos?

Many thanks again Bobbye - you rock :D
 
Regarding Firefox and Third Party Cookies:
Open Tools> Options> Privacy> UNCHECK 'accept third party Cookies'.

Open Tools> Options> Privacy> Show Cookies> Delete the ones you don't want.

If you do this regularly and prevent new 3rd party Cookies (those add-ons help) then you'll only have a few new Cookies each time. So you can keep those that have registrations and passwords.

Regarding Ask Bar> you got that because it was pre-checked on the Fox-It download screen. Got to watch that in downloads and updates. More software companies are doing it and it's easier to prevent than remove.

Please reopen HijackThis to 'do system scan only'
Check the following if present:

O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)

Close all Windows and click on Fix Checked. (Note on above entry: FoxIt download had AskBar checked.)

Still show a spyware entry: Please do a fulkkl system scan with your AV. Save and Attach log.

Then: please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give AV log and Combofix report. We'll close up and clean up if they are clean.
 
2 steps forward 1 step backwards

Hi Bobbye

Things seemed to be a lot better but now my wireless mouse and keyboard have stopped working and after changing batteries etc I assume it is something to do with the problems I have been experiencing.....
Anyway here are latest logs.


Regarding Firefox and Third Party Cookies:
Open Tools> Options> Privacy> UNCHECK 'accept third party Cookies'.

Open Tools> Options> Privacy> Show Cookies> Delete the ones you don't want.

OK I have done this and understand what you are asking.


Regarding Ask Bar> you got that because it was pre-checked on the Fox-It download screen. Got to watch that in downloads and updates. More software companies are doing it and it's easier to prevent than remove.
So where do I uncheck this?

Please reopen HijackThis to 'do system scan only'
Check the following if present:

O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)

Close all Windows and click on Fix Checked. (Note on above entry: FoxIt download had AskBar checked.)

I scanned and fixed as requested however I seem to have deleted the log. I ran another scan after doing Panda quick scan and ComboFix and am attaching log.

Still show a spyware entry: Please do a fulkkl system scan with your AV. Save and Attach log.

I am not sure if the first sentence is a question or statement? How would I know if spyware entry is shown? I am not sure what fulkkl means - I assume full. I ran Panda online full scan. It hadn't finished after 3 hours and then the computer started shutting down - like something had got into the system again. After restarting I ran quick scan which detected a cookie as the only infection - log attached.


Then: please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.


  • I tried to rename it with brackets around .exe but wouldn't allow me. Seemed to work fine as combo-fix.exe
    It asked me to download microsoft recovery console which I did.
    log posted

    Many thanks again for your help
 
Matthew, you still have significant problems. I'm going to see if touch can pick this thread up as I'll be off the cleaning for a while:

I've given you the short P2P Warning. You also use Azureus, now called Vuze : Bittorrent Client.

As for "I am not sure what fulkkl means"> it was supposed to be "full". Spell checker was asleep.
It should have been:
Please do a full system scan with your AV. Save and Attach log.

But you have globally open ports for BitComet> not good- either the ports or the program. File sharing and malware go hand in hand.
Close these ports in your firewall.
"13220:TCP"= 13220:TCP:BitComet 13220 TCP
"13220:UDP"= 13220:UDP:BitComet 13220 UDP
"17479:TCP"= 17479:TCP:BitComet 17479 TCP
"17479:UDP"= 17479:UDP:BitComet 17479 UDP
"15109:TCP"= 15109:TCP:BitComet 15109 TCP
"15109:UDP"= 15109:UDP:BitComet 15109 UDP
"13814:TCP"= 13814:TCP:BitComet 13814 TCP
"13814:UDP"= 13814:UDP:BitComet 13814 UDP
"14141:TCP"= 14141:TCP:BitComet 14141 TCP
"14141:UDP"= 14141:UDP:BitComet 14141 UDP
"13415:TCP"= 13415:TCP:BitComet 13415 TCP
"13415:UDP"= 13415:UDP:BitComet 13415 UDP
"15100:TCP"= 15100:TCP:BitComet 15100 TCP
"15100:UDP"= 15100:UDP:BitComet 15100 UDP
"27589:TCP"= 27589:TCP:BitComet 27589 TCP
"27589:UDP"= 27589:UDP:BitComet 27589 UDP

I don't know what the installer problem is. The File extension MSP is for Microsoft Paint bitmap picture. Apparently they were bad entries as Combofix deleted them.
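The port entries quoted in the post above can be turned into a checklist for closing them. As an added example that is not part of the original post, this Python sketch parses entries in that shape, rejects malformed or inconsistent ones, and emits one Windows XP `netsh firewall delete portopening` command per matching entry; the function names and the last four sample lines are constructed for illustration.

```python
import re

# Sample input: the first four lines follow the entries quoted in the post
# (including the missing leading quote on the first); the rest are constructed.
SAMPLE = '''\
13220:TCP"= 13220:TCP:BitComet 13220 TCP
"13220:UDP"= 13220:UDP:BitComet 13220 UDP
"17479:TCP"= 17479:TCP:BitComet 17479 TCP
"17479:UDP"= 17479:UDP:BitComet 17479 UDP
"8080:TCP"= 8080:TCP:ExampleApp 8080 TCP
"99999:TCP"= 99999:TCP:BitComet 99999 TCP
"13814:TCP"= 13814:UDP:BitComet 13814 UDP
not an entry
'''

# "<port>:<proto>"= <port>:<proto>:<label>, tolerating a dropped quote on the key.
ENTRY_RE = re.compile(
    r'^"?(?P<kport>\d{1,5}):(?P<kproto>TCP|UDP)"?\s*=\s*'
    r'(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<label>.+)$'
)


def parse_open_ports(text):
    """Return (entries, rejected). An entry is kept only if key and value agree
    on port and protocol and the port is in the valid 1-65535 range."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        port = int(m["port"])
        consistent = (m["kport"], m["kproto"]) == (m["port"], m["proto"])
        if not consistent or not 1 <= port <= 65535:
            rejected.append(line)
            continue
        entries.append({"port": port, "proto": m["proto"],
                        "label": m["label"].strip()})
    return entries, rejected


def close_commands(entries, owner):
    """Build netsh commands (XP-era 'netsh firewall' context) that delete the
    port openings whose label mentions `owner`, de-duplicated and sorted."""
    wanted = {(e["port"], e["proto"]) for e in entries
              if owner.lower() in e["label"].lower()}
    return [f"netsh firewall delete portopening protocol={proto} port={port}"
            for port, proto in sorted(wanted)]


if __name__ == "__main__":
    parsed, bad = parse_open_ports(SAMPLE)
    for cmd in close_commands(parsed, "BitComet"):
        print(cmd)
    print("rejected lines:", bad)
```

Entries left open for other programs (the constructed `ExampleApp` line here) are not touched, so the output is safe to review before anything is run.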
 
Hi Bobbye

I've given you the short P2P Warning. You also use Azureus, now called Vuze : Bittorrent Client.

But you have globally open ports for BitComet> not good- either the ports or the program. File sharing and malware go hand in hand.
Close these ports in your firewall.

I uninstalled bitcomet/vuze/azureus some days ago when advised to do so and there is nothing listed under add/remove programmes. I have now closed the ports.
It would be helpful to know whether I should install XP SP3 and what a recommended programme for downloading music/videos is.
Meanwhile I will run another full AV scan - hopefully it will be a lot quicker this time! I await further instructions :wave:

Matthew
 
panda anti virus log

Attached as promised. I tried to use search feature to find A0005785.exe trojan as panda was unable to disinfect - firefox wanted to close down once scan was completed.
 
Matthew, I am trying to get someone to take this thread over, so hold tight.

Do not use System Restore as the restore points are infected.
 
Anybody out there

:wave:

I am still in need of help. At the moment the two significant problems are:

  • wireless keyboard
This has stopped working and I assume to do with above problems

  • opening .xls
I had a problem with this on Friday - error message to do with a SKU? Looked up online. changed registry entry no and it worked fine. Today I am getting a message that a cab entry is missing. This is probably due to the Microsoft security updates I downloaded last week. I cannot use restore as it is showing no dates to restore to...

I have not attempted to use installer for the mobile broadband. Attached is hijack this log from today. Would really appreciate a hand to finish the job :)
 