Can't install removal tools

Discussion in 'Malware Help (A Specialist Will Reply)' started by Stuzphat, Jun 11, 2008.

  1. Stuzphat

    Stuzphat Private E-2

    I'm following the "READ & RUN ME FIRST"
    WindowsXPcleaningProcedure
    First installation is SuperAntiSpyware.
    I get a "Windows Installer" pop-up box that says,
    "The system administrator has set policies to prevent this installation"
    I'm in Safe Mode and logged in as Administrator.
    Same thing happens if I'm not in Safe Mode.
    I seem to have at least Smitfraud and Vundo present...and likely more.
    Thanks for the help.
     
  2. abri

    abri MajorGeek

    Hi Stuzphat,
    Welcome to MajorGeeks!

    Complete whatever you can of the instructions and then tell us what happens. If you have Vista, remember to have UAC turned off.

    abri
     
  3. Stuzphat

    Stuzphat Private E-2

    I ran all the tools except the SUPERAntiSpyware that it wouldn't let me install.
    Still has problems.
    Does it make any difference running these tools in Safe Mode vs. Standard Windows XP?
     


  4. abri

    abri MajorGeek

    Hi Stuzphat,
    It doesn't help to run things in safe mode, because the malware files tend to show up more easily when they're loaded. You have a lot of malware on your computer still. It takes a while for us to look through the logs and get a set of instructions put together for you. Please use your computer as little as possible during this time and don't reboot unnecessarily. Thanks for being patient.

    One thing I noticed is that Spybot's Teatimer is not disabled. This feature has the function of preventing changes and will therefore prevent any changes we try to make. It needs to be disabled. Here are the instructions for that:

    To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have version 1.4, click on Exit Spybot S&D Resident
    Or second, for either version:
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go to the bottom of the vertical panel on the left, click Tools
    • Then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot




    abri
     
  5. Stuzphat

    Stuzphat Private E-2

    Thank you for the reply.
    I thought I had disabled the tea timer before running the different apps.
    After your last instructions, I opened Spybot (1.5), Tools, Resident, and found that the box labeled Resident "Tea-Timer" (Protection of over-all system settings) was indeed unchecked. Makes me go hmmmmmm.
     
  6. abri

    abri MajorGeek

    Hi Stuzphat,

    hmmm is right. I have three instances of it running in your logs. There are only two explanations. It was disabled after you ran the logs. Or ... it's showing as disabled when it's not. To avoid this problem, please go to add/remove programs and uninstall Spybot. You can put it back on later.

    Also, while you're in add/remove programs, please uninstall the following:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1


    While you're doing that, I'll keep working on the next instructions.

    abri
     
  7. abri

    abri MajorGeek

    Hi Stuzphat,

    After you complete the instructions in Post 6, please continue with these. Spybot must be uninstalled to avoid any complications with Teatimer.

    1) Please disable your guest account if this hasn't already been done.


    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {11B97F56-931A-4CBC-ADBE-A98C9FA61D27} - blank (file missing)
    O2 - BHO: {bc99bfee-cf28-4f7b-7994-e2371ef93232} - {23239fe1-732e-4997-b7f4-82fceefb99cb} - C:\WINDOWS\system32\xellwoho.dll
    O2 - BHO: (no name) - {40C241D8-A456-4D0A-928D-700E8AE308B6} - (no file)
    O2 - BHO: (no name) - {5221A780-B1A5-4360-AEF5-6C105CC04735} - blank (file missing)
    O2 - BHO: (no name) - {84138373-F8B6-4249-9BCC-814B52CA58FE} - C:\WINDOWS\system32\efcDSljH.dll (file missing)
    O2 - BHO: (no name) - {91B6ABD0-88F4-4EC5-9CED-48CDBB12BB62} - C:\WINDOWS\system32\ddcdbCSK.dll (file missing)
    O2 - BHO: (no name) - {97CA784D-6F5A-4F81-9216-75C8249DF572} - C:\WINDOWS\system32\tuvWNFUN.dll
    O2 - BHO: (no name) - {C6415EC3-0C14-4D64-842A-76125E3A7D0F} - blank (file missing)
    O2 - BHO: (no name) - {D744D377-9882-4A11-A31E-D55471BE8770} - C:\WINDOWS\system32\tuvTljji.dll (file missing)
    O2 - BHO: (no name) - {F0C113EF-76DE-4424-BAFB-C2FE35F0992D} - C:\WINDOWS\system32\nnnnLbcD.dll (file missing)
    O2 - BHO: (no name) - {FA152763-365E-4457-8867-3A428DFC517B} - blank (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BM273103a5] Rundll32.exe "C:\WINDOWS\system32\kujfdjcl.dll",s
    O4 - HKLM\..\Run: [24023039] rundll32.exe "C:\WINDOWS\system32\pqkcswut.dll",b
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-21-57989841-861567501-682003330-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Default user')


    After you click fix, just close hijackthis.

    4) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\system32\pqkcswut.dll
    C:\WINDOWS\system32\kujfdjcl.dll
    C:\WINDOWS\system32\ddcdbCSK.dll
    C:\WINDOWS\system32\tuvTljji.dll
    C:\WINDOWS\system32\tuvWNFUN.dll
    C:\WINDOWS\system32\nnnnLbcD.dll
    C:\WINDOWS\system32\efcDSljH.dll
    C:\WINDOWS\BM273103a5.txt
    C:\WINDOWS\BM273103a5.xml
    C:\WINDOWS\system32\kujfdjcl.dll
    C:\WINDOWS\system32\pqkcswut.dll
    C:\WINDOWS\system32\xellwoho.dll
    C:\WINDOWS\system32\NUFNWvut.ini
    C:\WINDOWS\system32\NUFNWvut.ini2
    C:\WINDOWS\system32\tuwsckqp.ini
    C:\WINDOWS\system32\tuvWNFUN.dll
    C:\WINDOWS\system32\nscompat.tlb
    C:\WINDOWS\system32\amcompat.tlb
    C:\WINDOWS\system32\wisjbmbq.dll
    C:\WINDOWS\system32\tofriehc.dll
    C:\WINDOWS\system32\vntiho05\vntiho051080.exe
    C:\WINDOWS\system32\vntiho18\vntiho182328.exe
    C:\WINDOWS\system32\Ntrights.exe
    C:\~registry.reg
    C:\deltmpx.bat
    C:\~deltmpx.bat
    C:\~deltmpx.vbs
    
    
    FOLDER::
    C:\Temp
    C:\~NoHijack_Log
    C:\~nohijack
    C:\WINDOWS\system32\vntiho05
    C:\WINDOWS\system32\1064a
    C:\WINDOWS\system32\at1
    C:\WINDOWS\system32\hI2
    C:\WINDOWS\system32\vntiho18
    C:\Program Files\Vcsron
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11B97F56-931A-4CBC-ADBE-A98C9FA61D27}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23239fe1-732e-4997-b7f4-82fceefb99cb}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{40C241D8-A456-4D0A-928D-700E8AE308B6}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5221A780-B1A5-4360-AEF5-6C105CC04735}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84138373-F8B6-4249-9BCC-814B52CA58FE}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91B6ABD0-88F4-4EC5-9CED-48CDBB12BB62}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97CA784D-6F5A-4F81-9216-75C8249DF572}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C6415EC3-0C14-4D64-842A-76125E3A7D0F}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D744D377-9882-4A11-A31E-D55471BE8770}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0C113EF-76DE-4424-BAFB-C2FE35F0992D}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FA152763-365E-4457-8867-3A428DFC517B}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "BM273103a5"=-
    "24023039"=-
    
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    5) Now run CCleaner at the default setting with the Windows tab as the top one.


    6) If you have not yet rebooted since uninstalling the old Java programs, please do that now. Then install the current version of Sun Java from: Sun Java Runtime Environment You must reboot between uninstalling the old versions and installing the new ones.


    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
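As an added illustration (not from this thread, and not code from HijackThis or ComboFix), a small Python triage helper that parses O2/O4 lines in the format abri listed above and pulls out the two things a helper checks first: BHO registrations whose dll is already missing, and Run entries that load a dll through rundll32. The regexes and the two classifications are my own assumptions about the log format, and the sample lines are constructed from the entries quoted in post 7.

```python
import re
from dataclasses import dataclass

# Constructed sample: six of the HijackThis lines quoted in post 7 above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {11B97F56-931A-4CBC-ADBE-A98C9FA61D27} - blank (file missing)
O2 - BHO: (no name) - {97CA784D-6F5A-4F81-9216-75C8249DF572} - C:\\WINDOWS\\system32\\tuvWNFUN.dll
O2 - BHO: (no name) - {D744D377-9882-4A11-A31E-D55471BE8770} - C:\\WINDOWS\\system32\\tuvTljji.dll (file missing)
O4 - HKLM\\..\\Run: [BM273103a5] Rundll32.exe "C:\\WINDOWS\\system32\\kujfdjcl.dll",s
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O4 - HKUS\\.DEFAULT\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime (User 'Default user')
"""
# Assumed formats: O2 = browser helper object, O4 = registry autorun, plus a rundll32 dll-loading command.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)

@dataclass
class Entry:
    kind: str           # "O2" or "O4"
    key: str            # CLSID for O2, registry value name for O4
    target: str         # dll path for O2, command line for O4
    file_missing: bool  # HijackThis marked the referenced file as absent
    name: str = ""      # BHO display name for O2, registry hive for O4

def parse_hjt(text: str) -> list:
    """Turn O2/O4 lines into Entry records; any other line type is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            target = m["target"]
            missing = "(file missing)" in target or "(no file)" in target
            clean = target.replace(" (file missing)", "").replace(" (no file)", "")
            entries.append(Entry("O2", m["clsid"], clean, missing, m["name"]))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["value"], m["cmd"], False, m["hive"]))
    return entries

def dangling_bhos(entries: list) -> list:
    """BHO registrations whose dll is gone: leftover registry clutter, which is why they are checked in HijackThis."""
    return [e for e in entries if e.kind == "O2" and e.file_missing]

def rundll32_autoruns(entries: list) -> list:
    """(value name, dll path) for autoruns that load a dll via rundll32, the pattern of the two HKLM Run entries in post 7."""
    found = []
    for e in entries:
        if e.kind == "O4" and (m := RUNDLL_RE.match(e.target)):
            found.append((e.key, m["dll"]))
    return found
```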
     
  8. Stuzphat

    Stuzphat Private E-2

    As I try to Uninstall I get a "Windows Installer" box that says, "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."
    I am in Windows "normal mode"
     
  9. abri

    abri MajorGeek

    hmmmm ...

    Oh, and one other note ... you did disable Teatimer Before you ran the logs, right? That's important, because if not, then the logs would be false and we'd be wasting a lot of time.

    Was Spybot disabled before you went to add/remove programs? Is there an icon in the lower right hand corner of the screen where you can right-click and look for anything that can be disabled?

    If that doesn't help, see if you get any further with these instructions:

    Windows Installer CleanUp Utility

    How to Remove Spybot S&D by psu.edu

    If not, then see if this helps:

    How to uninstall - Spybot S&D

    Let me know if any of the above work.

    abri
     
  10. Stuzphat

    Stuzphat Private E-2

    My first step was to Control Panel / Add-Remove Programs. I tried to uninstall J2SE and Java items and I got the Windows Installer Not Accessible. I moved to SpyBot, selected uninstall and it went through the removal/uninstall process with no problem. (I also manually removed SpyBot's program files and Documents & Settings files.)
    Then back to J2SE and Java items for removal and again I get Installer Not Accessible.
    Before proceeding with MGTools, ComboFix and CCleaner should I make sure J2SE and Java are uninstalled/removed?
    Trying to remove Guest user... Run / control userpasswords2 / user name: Guest... it will not allow removal but I can change Guest's Group Properties to "Restricted User"
    Please advise. Thank you.
     
  11. abri

    abri MajorGeek

    Hi Stuzphat,

    Just disable the Guest account. You don't need to remove it.

    Go ahead with the other instructions and after you completely finish them, then try uninstalling the old Java versions again.

    If you get the same error message, try running the Windows Installer CleanUp Utility again and then see if they'll let you.

    Attach the logs and let me know how this all goes.
    abri
     
  12. Stuzphat

    Stuzphat Private E-2

    The system is running much better.
    I am still unable to remove/uninstall J2SE or Java (get message: windows installer not correctly installed)
    I've not installed SunJava yet.
     


  13. Stuzphat

    Stuzphat Private E-2

    I downloaded and installed Windows Installer 4.5 (WindowsXP-KB942288-v3-x86.exe)
    I have now removed/uninstalled J2SE and Java Items. I have done the install of SunJava from your page.
    Things seem to run for the most part.
    Some "damage" from the malware seems to be that RealPlayer will play an mp3 or mpg but Windows Media Player 10 will not. Doing a codec update (WM9Codecs.exe) didn't help.
     
  14. abri

    abri MajorGeek

    Hi Stuzphat,
    Did you try going to add/remove programs, and then clicking on the button to add/remove Windows Components? In the list uncheck Windows Media Player and then click on next. This will remove Windows Media Player. Reboot and then go through the same process, only this time add it. See if this helps.

    If this problem continues, please start a thread in the Software Forum to see what might be wrong there. You don't seem to have SP3 on your computer yet, so after you have things working and have set a new restore point, you need to download and install SP3 from Microsoft.

    You put a lot of logs and tools on your computer for your work here. I want to give you the instructions for removing those now.
    abri
     
  15. Stuzphat

    Stuzphat Private E-2

    Hello abri
    It's been 3 weeks now and all is still working well ...as far as no malware issues.
    My audio has been left MIA but I'm taking that up in Software Forum.
    Thanks again for your able-bodied assistance!

    Stuzpht
     
