Ran virtumonde removal but still have problems

First of all let me say thank you for helping me.

About three days ago McAfee popped up saying it was stopping some trojan scripts. Then I had Antivirus2008pro popup as well as slow browsing and various popups to sites that were selling stuff or had lame quizzes etc. I ran spyhunter, spyware doctor, ad-aware, and trojan remover but kept getting trojan virtumonde returning. Then something called winspyware protect popped up like Antivirus2008pro had. After searching I found your forum and followed the cleaning procedure (except no ccleaner because it cannot be downloaded, but I cleaned everything using disk cleanup, McAfee quickclean and Norton cleanup), which found other malwares like zlob and malwarrior.

After using all of the spyware removal programs, I have not had a popup recently, and browsing speed is fine, but I now have the system32 folder popping up on boot and there is about a 10 second delay when I start Interner Explorer. The program comes up, but there is a blank white screen for about 10 seconds where the web page should be seen. Also, after clicking on a file or opening a directory, several times I have gotten an error message that explorer needs to shut down. Each time the desktop comes back and everthing appears fine.

Because of these strange new issues I am concerned that I may still be infected. I am going to post my logs. Thanks again for reviewing them.

 

My other logs:

 

I also just noticed that I now have two start menu icons for internet explorer and outlook, when I used to have only one of each. (Getting stranger by the minute).

Also I am running SmitFraudFix because one program found zlob. I'm attaching the first log here. Also, I ran vundofix before but forgot to post the log, so here it is.

 

SmitFraudFix log after cleaning

 

Hi gankin247,
Welcome to Major Geeks!

You have a number of different kinds of problems, but the first one to deal with is that you have two antivirus programs running on your computer. Since you have Norton System Works, if you have an up-to-date version of Symantec, I recommend that you keep it and uninstall McAfee. To do this, use the McAfee Consumer Product Removal Tool (SymNRT)

If you do not have a current version of Symantec, then I recommend removing Symantec from your computer. This is more problematic, because if you use the Norton Removal Tool, it will remove all the various programs associated with it, some of which you may be using. Please let me know if you have any questions about this.

If Spyware Doctor is not a paid version, please uninstall it.

After you do the above, please run CCleaner.

Once you've completed the above, I will give you some instructions for removing some remaining malware from your computer.

Thanks.
abri

 

abri,

Symantec was not current, so I removed it. I also removed spyware doctor and ran ccleaner (I was able to download it directly from their website).

BTW - I now only have one start menu icon for internet explorer and outlook. I don't know when it changed back.

Thanks again.

 

Hi gankin247,

I need a fresh set of the MGlogs. Please go to the MGTools folder under C:\ and find the file called GetLogs.bat. Double-click on this and allow it to run to completion. It will say something like, Hit any key ...

After you finish, please come back here and use the Manage Attachments button down below the reply window to find the MGlogs.zip and upload them. This will give me the current status of your computer.

abri

 

Here are the new logs. I renamed them mglogs2.

 

Hi gankin247,

Please continue as follows. If you can't do something, just make a note of it to tell me later and continue on.


1) Please disable your guest account if this hasn't already been done.

2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


3) Go to start> control panel> administrative tools> services> scroll down to "Automatic LiveUpdate Scheduler" and double click it. On the right side of the "startp type" box, click the down arrow, click disable> apply> ok.

Then repeat this for the following:

LiveUpdate - Symantec Corporation
LiveUpdate Notice Service Ex (LiveUpdate Notice Ex)
Service: LiveUpdate Notice Service - Symantec Corporation

When you finish, exit administrative tools.

4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only). In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - (no file)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

Does the following program need to load at startup? If not, please fix it as well.

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

After you click fix, just close hijackthis.

5) Next I would like to have you use ComboFix to remove some files.

• Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

DIRLOOK::
C:\Documents and Settings\John J Doe\My Documents\Simply Super Software
C:\Documents and Settings\John J Doe\Application Data\Simply Super Software

FILELOOK::
C:\Program Files\uninstall.dat
C:\Program Files\Uninstall.exe

FILE::
C:\WINDOWS\S6E744B1B.tmp
C:\WINDOWS\system32\CcbacMoq.ini

FOLDER::
C:\Program Files\Enigma Software Group

REGISTRY::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^John J Doe^Start Menu^Programs^Startup^Adobe Gamma.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


6) Now run CCleaner at the default setting with the Windows tab as the top one.

7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger.


Let me know how things are running now?

abri

 

OK....

Since using XP home I disabled guest account by typing cmd.exe and then using net user guest /active:no

Then ran disable messenger.

Everything for step 3 was fine.

In step 4 I could not check any of the 4 "O23" entiries you listed, all having to do with Symantec, because they were not listed. I left the abobe "O4" entry because I did not know if it needed to run at startup and I often save/convert doc files to pdf.

In step 5 I ran combofix twice because McAfee popped up wanting to block a PUP and then, just as combofix was shutting down and restarting the computer, a pop up came up asking if I wanted to allow the registry changes, but the computer shut down before I could click yes. So I disabled McAfee and ran the program again to be sure all changes did occur.

Ran ccleaner.

However in step 7 you asked me to attach mglogs.zip along with the Avenger, but I don't know what the Avenger is. Please let me know so I can get it to you.

As for how the machine is running, there is still a delay on starting IE. The delay is now shorter, about 4 seconds, but it is there.

Thanks.

 

OK, I found the Avenger and ran it, but I didn't have any scripts to put in so I ran a rootkit scan and it did not find anything. Do you want me to cut and paste the combofix code you gave me into the Avenger? If not, what do I do to get a log from the Avenger?

BTW - I still have 4-5 second delay upon starting IE. It just stays blank, both the webpage viewing area and the address bar, for about 4-5 seconds, then browses normally. I never had this condition before the malware.

Thanks again.

 

Hi gankin247,

Please open Windows Explorer and delete the following:

C:\WINDOWS\NewCameraPics.zip
C:\WINDOWS\game.exe

Also, do you know what the following two items are that are directly under C:\Program Files? If you don't know, please delete them. If you do know, do you need them? If not, please delete them.C:\Program Files\Uninstall.exe
C:\Program Files\uninstall.dat


Regarding the webpage loading delay:
1. What browser addons do you have?
2. What happens if you disable them all?
3. Does the same thing happen with another browser like Firefox?
4. Do you have the same problem in Safe Mode?


There are still a few Norton entries left, so I would like for you to run the Norton Removal Tool (SymNRT).

Run CCleaner and reboot your computer.

Please check to make sure the two entries you deleted from Windows Explorer are still gone.

Let me know how this goes.
abri

 

Deleted each of the four files and now IE starts perfect. Thank you very much. I also ran the norton removal program.

But I have two new issues....

While I was awaiting your reply I though it might be a good idea to utilize the McAfee firewall, instead of the windows firewall because McAfee has the outbound as well as inbound. After I installed it, (only virusscan was installed before) I received error messages saying the firewall had encountered a problem and had to shut down. After researching the issue I decided to try and uninstall the firewall but, to my amazement, you cannot uninstall only the firewall, you have to uninstall and reinstall the entire program! Absolutely rediculous.

So after uninstalling and reinstalling I began getting error messages again, this time saying Mcafee hackerwatch or Mcafee systemguards had encountered a problem and had to shut down. The program restarts the processes automatically, but inevitably the same errors occur again. I tried uninstalling and reinstalling, but it has not helped.

You had mentioned something about keeping Norton over McAfee. Is it your opinion that Norton is better? Why do you feel the way you do?

As for the next problem, while waiting for your reply I also had the same idea you had regarding browser addons and other programs possibly slowing my computer, so I uninstalled several programs that did something at startup. When I try to uninstall Superantispyware (using the add/remove programs in the control panel) I get a message saying "Error 1606. Could not access network location :." I researched this and found it is likely due to a registry error, but the error message does not give the exact place in the registry that is having a problem. I ran the registry cleaner in cccleaner as well as Tweaknow extreme scan, and while both found various errors that may or may not have had anything to do with superantispyware, the fixes have not enabled me to remove the program.

Any ideas on what could be going on, or if it is malware related? If you think it is not malware related, could you point me to a majorgeeks forum better suited to handling my new issues.

Thanks again.

 

Hi gankin247,

I'm a proponent of using System Restore whenever it looks like there's a software problem occuring just after a new installation. If your system restore is enabled and you can get back to that point just prior to installing the McAfee firewall and just after removing the entries that were giving you problems, please try that. It will probably be one single restore point you'll have to identify and it should be the one just before the one that has McAfee Firewall in the name. Your computer usually sets a restore point when you install a new piece of software, so you're looking for the one just before that. When you click on the highlighted dates, you'll see some of them have different names. If you've never done this before, go to Start / All Programs / Accessories / System Tools / System Restore
check the box to Restore my computer to an earlier time and click on Next. You'll see a calendar with highlighted dates. Choose one of the dates just preceeding these problems and allow your system to return to that date. See if the problem goes away.

I don't recommend using Norton over McAfee. Every company which has gone to Security Suites has done more damage to functionality than they have gained in protection. This may or may not be logical, since you would expect that pieces of software built by the same company would function together better than stand-alones. The only explanation I have, is that the original stand-alone products were specialty areas of each company, so that when they decided to go to security suites, they ended up developing tools which were not in their area of specialty.

The recommendations of this site are in How to Protect Yourself from Malware

Let me know if you're able to get things back using system restore.

abri

 

Unfortunately system restore did not work. In fact the point I restored to was actually worse, so I undid the change.

Well, I'm going to poke around some more to see if I can't figure out why some of my antivirus services won't stay running and why I can't remove some programs, but it is possible I will have to do a complete reinstall. I needed to buy a new drive anyway because my backup drive is full.

I ripped a large amount of vinyl to mp3. I read somewhere else on the majorgeeks site about not trusting files after a malware infection. Do you know if mp3 files can, in some way, infect a new installation if the new install is done on a new hard drive and the mp3 files are transferred from my current drive to a new drive? I know that roxio attached streams to some of my mp3 files (I can see this when I scan for viruses) and I read somewhere about streams potentially being used by trojans. Should I remove the streams?

Thanks again.

 

Hi gankin247,

Because the most recent problems happened after you installed the McAfee firewall, this makes me think they are software-related. I would like to look at your MGlogs.zip to make sure you actually fully removed whatever you put in. I've never given you the final cleanup instructions for all the tools and logs yet, so you should still have the C\MGTools\GetLogs.bat to get these. It may end up helping to completely uninstall and reinstall McAfee. If you do this, you should do it while disconnected from the internet so that your computer isn't connected without an antivirus program.

As for reformatting, it would be a good idea to scan all your drives with Running BitDefender Online Scan which requires the use of Internet Explorer with Active X enabled. This is a lengthy scan that will look at your archived data.

Also, it would be a good idea to check your computer for rootkits by using the link Running GMER to detect rootkits


You will have the most success with reformatting if you are as sure as possible that the data you want to transfer is clean.

Also, I would like to see what the scan is you mentioned that is picking up Roxio's streaming. I don't think this is a problem, but if you have something to show me on this, it would help. Are you getting that from McAfee?

Attach any logs you get from the above. The BitDefender instructions are very specific about getting the log because we want the html code in a .txt file. That will allow you to upload it to us as the .txt file and allow us to convert it back to html so we can read it.

abri

 

Logs are attached for all three programs. I hope the bitdefender scan saved properly for you as a txt file, even though it did not find anything.

The scan that picks up Roxio's streams is the McAfee virusscan. When you do a full scan, it lists the files it is checking. While scanning mp3 files, the file scan window in McAfee shows the mp3 file name, but also an extension on the end of the file that says something like roxio emc stream. I went ahead and deleted all streams on my computer using ADSspy.

Also, I have uninstalled, with the McAfee uninstall tool you showed me, and reinstalled McAfee, but the problem with the services having a problem and needing to shut down still persists.

Thanks.

 

Hello Chaslang,

Thank you for helping me. I believe that the malware has been removed, but I can't be sure because of issues with McAfee and SuperAntiSpyware.

When I try to uninstall superantispyware, I get an error message saying "Error 1606. Could not access network location :." My research indicates this might be a registry problem, but I have run registry repair software that have not fixed the issue.

As you suspected, I just learned McAfee is not uninstalling properly. I followed your instructions by first removing McAfee using add/remove programs. There were two entires, one for McAfee security center and one for McAfee quickclean 6.1. The security center uninstalled fine but when I attempted to remove quickclean, I got the same "Error 1606. Could not access network location :." message I get with superantispyware.

I then ran the mcafee removal tool, but quickclean is still listed in the add/remove programs.

I ran mgtools again and attached the logs.

 

Hi gankin247,

Microsoft has a page on this error at the following webpage.

http://support.microsoft.com/kb/315352

It seems to occur either if you've used Norton 2003 or if you did an upgrade from either Win98 or WinMil to WinXP. You can look at the below instructions in the box to see if this registry key exists and make the recommended change, or follow the instructions which are linked to in the above website to Symantec for removing Norton 2003.


Before you attempt any change to the registry, please make a backup of your registry by downloading and installing Erunt. Use it to create a backup of your registry.



Then, if you did an upgrade as mentioned above from Win98 or Win Millenium to WinXP, please follow the instructions in the box:

 

abri,

My windows was a clean install on a new hd. I also have never used Norton 2003, only 2001 and 2007.

Also the error messages I get only say "Error 1606. Could not access network location :." and do not list any path, directory location or registry location after the word location in the error message, just ":.". This obviously makes solving this problem very difficult because the computer is not telling us what exact location it is trying to access.

I followed the instructions on this webpage http://www.pcfixreview.com/blog/2007/11/14/error-1606/ but all of my registry entries were OK, so there was nothing to do.

I am going to try something of a brute force method here. I am going to delete all of the directories manually, then run my registry cleaner software that will hopefully clean out all of the entries that will no longer point to valid files. Maybe that will work because I am completely unable to find a fix for this problem.

BTW - thanks for trying to help me and keep letting me know if you have any ideas. I'll let you know how my method works.



Thanks for trying abri, but the error message I get does not

 

It didn't work. Same errors.

 

Hi gankin247,

Please don't delete directories without checking first if this is a good idea.


Please download/unzip/install Dial-a-Fix from here:
http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip
Launch the program,place a check in the 'MSI' box 'Fix Windows Installer'.
Then click on 'GO' at the bottom.
Restart your pc when Dial-a-Fix has done.

If the problem persists,try this:
Download/install Windows Installer 3.1 Redistributable (v2):
http://www.microsoft.com/downloads/details...;displaylang=en
Scroll down to 'Files in This Download'.
Click the 'Download' button for 'WindowsInstaller-KB893803-v2-x86.exe'.
Restart your pc when its installed.

After you've tried the above, if neither of these allows you to uninstall without getting this error, then I would like for you to continue as follows:

In post 12 which had the posting date 6/20, I had you delete four files after which you no longer had any problems using Internet Explorer. The problems you had with McAfee followed this. Do you have a restore point that would preceded the deletion of these four files? To check this, go to Start / All Programs / Accessories / System Tools / System Restore. Check the box to restore computer to an earlier time and click on next. Look at the calendar and see if there might be a restore point just before you deleted those four files. If so, try to return the computer to that time. If you're able to do this, then as a test, try to uninstall SuperAntiSpyware (or some program giving you the error) and see if you still get the same error message.

Let me know how this goes.

abri

 

Nothing worked.

I used dial-a-fix but the programs still would not uninstall.

I tried the windows installer but got an error message saying the installer I have is a newer version and it would not install.

I do not have a system restore point that far back. Of the four files, game.exe was definately a malware component. I don't recall about the other three. It would be strange that a program would put it's uninstaller in the program files directory and not in it's own subdirectory.

Thanks again for trying.

 

Hi gankin247,

There's a new one for XP SP3. See if this will work:

Go to: http://www.microsoft.com/downloads/...6F-60B6-4412-95B9-54D056D6F9F4&displaylang=en

Scroll down until you come to Files in this download and locate the following.

x86 Platform: WindowsXP-KB942288-v3-x86.exe

It's the last one in the list - 3.2 MB Over to the right, you'll see the download button.

Let me know how this goes.
abri

 

It still did not work. This one installed fine, but I still get the same error message when I go to uninstall.

I really appreciate how much you have tried. Are we at the point where we have to throw our hands up and blame it on Bill Gates? rolleyes

 

no ...
we are at the point where we have to get chaslang. :-D

He has requested a copy of the following:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

You can get this as follows:
Go to Start / Run and type in regedit and click on okay. In the registry editor that opens, follow the correct pathway until you get to Shell Folders. Highlight ShellFolders and go up to File and in the dropdown menu select export. Export the key to the desktop. Give it the name ShellFolders. If you simply store it, it will store as a .reg file which you can't upload here unless you zip it. You can also change the save as type to .txt.

abri

 

OK, registry file uploaded.

 

No, same error:cry

 

The program installed and uninstalled fine.

Unfortunately when I ran spywareblaster, it indicated many active X infections, including vundo variant, zlob, smitfraud, etc.

I am going to run all of the removal procedures again to be safe.

 

superantispyware doesn't run, as we know

spybot and malwarebytes found nothing

I don't know if combofix found anything (it did reboot) so log is attached

new mglogs also attached

first smitfraudfix rapport log (pre-clean) attached

 

New rapport and gmerlog.

I'm not sure if either found anything.

I think I may have misunderstood spywareblaster. I think it was saying it could protect against those active x issues, not that I actually had the issues.

Oops.

 

Hi gankin247,

I think you may have misunderstood it and I'm sorry for all the extra work you went to, but it won't hurt if chaslang looks at your GMER log. What language is your computer?

Everyone who reports on the error you're getting with your uninstalls, reports that there is a problem in the UserShellFolder with things being directed to the wrong place. Your folder has all the entries it is supposed to have and none extra.

Please try the following:

Go to Start / Run and copy/paste in sfc /scannow and see if any corrupted files are found. If found, you may need your windows cd so they can be fixed.

abri

 

Don't worry about the extra work, I think combofix found something but I'm not sure so please check the log if you have a chance.

I ran the sfc command but I don't know if it actually found any corrupt files. After entering the command it began scanning and about a minute later asked for the installation CD. The scan the proceeded at a very slow pace so I left my computer and when I returned the scan had completed but there does not appear to be any type of log created.

I then rebooted but both Mcafee and superantispyware still give the same error upon trying the uninstall them via the control panel.

I'm at a loss :cry

 

Hi gankin247,

I'm waiting for chas to take a look at this problem again, however I went back over the whole thread again, because I've noticed when we get stuck on a problem, it's helpful to review what the original problem was and what's been done so far.

Part of the problem that we have here is that we don't really know when the uninstaller error first started. The first thing you uninstalled, I believe, was Norton, and this was uninstalled without using the Norton Removal Tool and you did not get the Error 1606 at that time. So to begin with you installed a lot of programs for your work here but you only had by this time uninstalled Nortons.

I don't think at this point there was any concern that your uninstaller was not working for all your programs. What Chaslang demonstrated by having you install and uninstall Spyware Blaster, is that it is working for some programs even now.

The problem with the Error 1606 seems to have appeared for the first time on June 22nd (or June 21st depending on what time zone you live in) and occurred after you "uninstalled several programs that did something at startup. When I try to uninstall Superantispyware (using the add/remove programs in the control panel) I get a message saying "Error 1606. Could not access network location :." "


1) Is this when the problem appeared the first time?

2) If so, what programs did you uninstall? Do you remember?

3) Can you return to a restore point just preceding these uninstalls which you probably did on June 22 or June 21st? To check what restore points you have for those days, just go to Start / All Programs / Accessories / System Tools / System Restore and choose to return the computer to an earlier date. I know this didn't work the first time, but some restore points work better than others. It's not the case, that because one didn't work, none of them will work. See if you can find one from the 21st of June and try it.

If you are able to return to this restore point, then please reinstall SuperAntiSpyware over the existing one and see if it will uninstall properly this time.

abri

 

Thanks again for helping. Do you know if any of the windows protected files were corrupted?

When I try to re-install superantispyware, the installer immediately gives the same 1606 error and will not install the program.

You are correct in that we cannot nail down precisely when the uninstaller problems occured. The first program that was uninstalled was Norton and it was done without the removal tool.

Whether or not this this is where the problem began is unknown to us.

After having problems with McAfee after installing the firewall, I successfully deleted the following programs: Roxio Easy Media Creater 10, Ad-aware 2008, spyhunter security suite, malwarebytes and spybot. I then went to delete Superantispyware and this is the first time I got the 1606 error. It was later on that I noticed that McAfee quickclean was still listed in the add/remove programs after I had used the McAfee removal tool, and that attempting to remove it gave the 1606 error.

This is very strange because some programs install/uninstall fine, while two, Mcafee and superantispyware, do not. Is it possible that any one of the programs I removed could have caused the installer issue? I have since reinstalled malwarebytes and spybot, and they work fine. Should I try to reinstall the others and see what happens?

Thanks again.

 

Hi gankin247,

If any of the Windows protected files was corrupt, this should have been corrupted when you did the sfc /scannow.

It's a tricky problem and I'm glad it is only affecting those two programs at the moment. Several things are possible. It's possible that something happened when you uninstalled Norton. It could have also happened when you uninstalled those two uninstall files: C:\Program Files\Uninstall.exe andC:\Program Files\uninstall.dat It's possible that Avenger could have done something, although I've not seen Avenger give this particular result and I don't think it would cause problems on a straight scan of the kind you did. It's possible it occurred when you installed the McAfee firewall.

There is one user at this forum who's particularly tenacious at tracking down problems like this and his name is Chookers. If he's around, I would like to ask him to take a look at your thread and see if he has any thoughts on it.

In the meantime, I want to go back and look at the dates on those two uninstall files and see if they relate to some particular piece of software.

abri