I have a weird behavior on my computer, I can't run anything for more than a few seconds before the computer starts hanging. I used Norton and I saw something weird: "*censored*.exe". I did a search and I tried a fix for this worm but it was not found. I don't know where to start and I can't run anything without the computer hanging. Please help.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:28:14 PM, on 21/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\Patrick\Desktop\HiJackThis_v2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.rdl/INTEGRATION_BAND_SEARCHBAR_HTML
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\JAVA\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Chercher avec Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.rdl/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142141247138
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

-- End of file - 7688 bytes

Well, I don't really see anything too bad in your log. Let's try a couple of things.
Although no symptoms of it show up in your log, you appear to have the W32.Zotob worm. Download AVG Anti-Spyware, update it, and run a full scan in Safe Mode. If you have to, you can download AVG and its updates on another computer and transfer them via CD.
Also, you may want to check out the following page... http://www.symantec.com/security_response/writeup.jsp?docid=2005-082317-0232-99&tabid=3
Close all windows (except for HijackThis) and mark the following entry... O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe
Click on Fix Checked and then delete C:\WINDOWS\system32\Ir32_b.exe in Safe Mode.
I would also like for you to download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.

Thank you for your help. If you have other suggestions, remember I can't use normal mode for more than a few seconds.
- AVG won't start on that computer. I tried in Safe mode too. I tried to uninstall it but I get an error message.
- I did a full scan with Norton in safe mode. Nothing found.
- I looked for *censored*.exe, it's not there.
- O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe is not there anymore. Maybe because I did a system restore?
Combofix:
"Administrator" - 2007-06-24 11:49:17 - ComboFix 07-06-23.5 - Service Pack 2 NTFS [SAFE MODE]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\msxml3a.dll
((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))
2007-06-24 11:49  49,152  --a------  C:\WINDOWS\nircmd.exe
2007-06-24 11:37  524,288  --ah-----  C:\DOCUME~1\ADMINI~1.PAT\NTUSER.DAT
2007-06-24 11:25  d--------  C:\Program Files\Norton Internet Security
2007-06-24 11:00  624,784  --a------  C:\WINDOWS\system32\SymNeti.dll
2007-06-24 08:46  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft(2)
2007-06-21 18:25  786,432  --a------  C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-21 18:16  4,075,520  --a------  C:\DOCUME~1\Patrick\ntuser.dat
2007-06-21 18:16  233,472  --a------  C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-06-18 17:23  d--------  C:\WINDOWS\system32\SoftwareDistribution
2007-06-16 16:25  dr-h-----  C:\DOCUME~1\Patrick\APPLIC~1\CrystalSpace
2007-06-16 15:55  d--------  C:\Program Files\The Adventure Company
2007-06-10 10:44  d--------  C:\WINDOWS\SxsCaPendDel
2007-06-03 19:45  143,360  --a------  C:\WINDOWS\system32\unzip32.dll
2007-06-03 19:45  d--------  C:\Program Files\IceChat7
2007-06-03 19:45  d--------  C:\DOCUME~1\Patrick\APPLIC~1\IceChat
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-24 15:27:10  --------  d-----w  C:\Program Files\Common Files\Symantec Shared
2007-06-24 15:25:30  --------  d-----w  C:\Program Files\Symantec
2007-05-24 11:20:54  --------  d-----w  C:\Program Files\3DO
2007-05-16 15:12:02  683,520  ----a-w  C:\WINDOWS\system32\inetcomm.dll
2007-05-14 00:09:23  --------  d-----w  C:\Program Files\QuickTime
2007-05-14 00:08:28  --------  d-----w  C:\Program Files\Apple Software Update
2007-05-12 17:35:43  --------  d--h--w  C:\Program Files\InstallShield Installation Information
2007-05-12 13:26:41  --------  d-----w  C:\Program Files\Ubisoft
2007-05-08 11:16:43  --------  d-----w  C:\Program Files\SlySoft
2007-04-25 14:21:15  144,896  ----a-w  C:\WINDOWS\system32\schannel.dll
2007-04-24 10:50:02  --------  d-----w  C:\Program Files\Website Downloader
2007-04-18 16:12:23  2,854,400  ----a-w  C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36  33,624  ----a-w  C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54  1,710,936  ----a-w  C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48  549,720  ----a-w  C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42  325,976  ----a-w  C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36  203,096  ----a-w  C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28  92,504  ----a-w  C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20  53,080  ----a-w  C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20  43,352  ----a-w  C:\WINDOWS\system32\wups2.dll
2007-04-07 16:26:43  48,776  ----a-w  C:\WINDOWS\system32\S32EVNT1.DLL
2007-03-30 10:10:55  37,540  ----a-w  C:\WINDOWS\system32\Ir32_a.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}=C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll [2007-01-11 19:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-12 20:29]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 06:42 C:\WINDOWS\soundman.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-13 19:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gameutil.exe.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gameutil.exe.lnk backup=C:\WINDOWS\pss\gameutil.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] C:\Program Files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
*Newly Created Service* - COMHOST
Contents of the 'Scheduled Tasks' folder
2007-06-13 10:33:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 11:51:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Avg7Core] "ImagePath"="\SystemRoot\System32\Drivers\avg7core.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Avg7UpdSvc] "ImagePath"="C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe"
Completion time: 2007-06-24 11:51:49
C:\ComboFix-quarantined-files.txt ... 2007-06-24 11:51
--- E O F ---
Hi, wolfi. Sorry, I should have told you to enable hidden files and folders. Open a random folder (doesn't matter which one) and go to Tools > Folder Options. Click on the View tab and then check "Show hidden files and folders" and click OK.
Try looking for *censored*.exe (perform a system-wide search if necessary) and C:\WINDOWS\system32\Ir32_b.exe. While you're at it, you should also look for C:\WINDOWS\system32\Ir32_a.exe. If you find any other files with similar names, please let me know.
Go to Start > Accessories > System Tools > Disk Cleanup. Run the Disk Cleanup utility that comes up after putting a check next to these:
- Temporary Files
- Temporary Internet Files
- Recycle Bin
Exactly what kind of error message do you get from AVG? Give SUPERAntiSpyware a try and see if that gives you any better results.

"Show hidden files and folders" was already selected. I did a search for *censored*.exe and it's not there but I can find Ir32_b.exe and ir32_32.dll. What should I do with it?
I can't find the uninstall tool for AVG anymore, but when I try to install again I get this message: "Some installation files are corrupt. Please download a fresh copy and retry installation."
I tried SuperAntiSpyware... It won't run in normal mode (it's hanging) and it won't install in safe mode. (Message: "The system administrator has set policies to prevent this installation.") I really need something that can run in safe mode.

Go ahead and delete those two files.
Does your account have administrator privileges? You may want to take a look at the following page from the mothership... http://support.microsoft.com/kb/322963
Your Norton could possibly be related. However, because it's your only protection right now, I think we should wait on the included workaround. Instead...if this is XP Professional, go to Start > Run and type in gpedit.msc and click OK. Go to Local Computer Policy > Computer Configuration > Windows Components > Windows Installer. On the list to the right, double-click Disable Windows Installer, click on Enable and click OK.
If you are using XP Home, then go to Start > Run, type in regedit and click OK. Navigate to HKEY_CLASSES_ROOT\Installer\Products. Look for the program(s) you are trying to install and delete its folder. I believe the folder for SUPERAntiSpyware is 1FBBCDDC3072CB6439B8CB8CA1E1AEAA. Not sure about AVG...just check the ProductName of each one.
NOTE: Before making changes to your registry, you should back it up with ERUNT!
See if you can install the programs now. Also, give AVG's Anti-Spyware a try.
Let me know how things go. Post an update along with a new HijackThis log.

Ir32_b was not there anymore but Ir32_a was there. I deleted the files.
I did what you said but I can't find 1FBBCDDC3072CB6439B8CB8CA1E1AEAA and I don't know how to find the right one. (I looked in the folders but I don't see any product name.) I'm using XP Pro. I tried the program for Norton but I never had Norton in 2003 (I got this computer last year). I can't uninstall Norton in safe mode and it won't uninstall in normal mode (it's telling me that another program is installing, right). So much fun.
Thank you for your help, but I think it will be easier and faster to reinstall Windows completely.

If you have XP Pro, then you should be able to use Group Policy Editor...
Quote from: CBMatt on June 30, 2007, 08:59:59 PM
Instead...if this is XP Professional, go to Start > Run and type in gpedit.msc and click OK. Go to Local Computer Policy > Computer Configuration > Windows Components > Windows Installer. On the list to the right, double-click Disable Windows Installer, click on Enable and click OK.
Did you try these steps?
And what about a new HijackThis log?
If you have to reformat, do you have a way of backing up your important files?

Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.
If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.