Virus... Windows Installer not working

Oblivion

Hey guys...

My friend's computer has multiple viruses and I am trying to get rid of them. The only problem is Windows Installer doesn't work, so I can't download any antivirus software... does anyone know what I can do to get rid of them?

Just in case it helps, here is my HJT log, in case there is some stuff you guys see that I can delete...


Logfile of HijackThis v1.99.1A
Scan saved at 3:01:41 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\444.471
C:\Program Files\eUNISOL\Magic Restore\7.0\Nmdeputy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ry\Local Settings\Temporary Internet Files\Content.IE5\MK09209Z\hijackthis_sfx[1].exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {B7DA14DA-A66C-DDB4-119B-A48F00212E94} - C:\WINDOWS\system32\dazu.dll (file missing)
O2 - BHO: gooochi browser optimizer - {d3f99892-cb66-e83c-4241-bc4deb46ce6b} - C:\WINDOWS\system32\{5966896e-234b-e7f8-8178-f60a45df5740}.dll
O2 - BHO: (no name) - {EE994965-A581-D20A-F831-FEEA189E29C7} - C:\WINDOWS\system32\ghzqnb.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C4A8~1\Bar888.dll (file missing)
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [706B96E8] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [{A8-82-22-28-ZN}] c:\windows\system32\dwdsregt.exe CORN003
O4 - HKLM\..\Run: [{b1e069f3-7f73-5388-e88e-7995e59d8427}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{5966896e-234b-e7f8-8178-f60a45df5740}.dll" DllStart
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Bebs] "C:\DOCUME~1\Ry\APPLIC~1\RACLE~1\taskmgr.exe" -vt ndrv
O4 - HKCU\..\Run: [Fjpqche] C:\WINDOWS\system32\s?curity\??oolsv.exe
O4 - HKCU\..\Run: [mmuz] C:\PROGRA~1\COMMON~1\mmuz\mmuzm.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Ptvdpi] "C:\Documents and Settings\Ry\Application Data\W?nSxS\w?auclt.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Ry\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Ry\Application Data\Microsoft\Windows\dyeqop.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Ry\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [Yvpumvs] "C:\Documents and Settings\Ry\My Documents\?racle\?vchost.exe"
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pwinpsdm.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\asysiz.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\dsysiz.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147323885755
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: inicfg32.dll,avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000206 (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HID Output Service (HODSrv) - Unknown owner - C:\WINDOWS\system32\hpsvc.exe (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.471.exe (file missing)
O23 - Service: Nmdeputy - Unknown owner - C:\Program Files\eUNISOL\Magic Restore\7.0\Nmdeputy.exe" /NormalStart /"C:\Program Files\eUNISOL\Magic Restore\7.0\SpStart.exe" -AutoUninstall (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\mlsdf8hdawrlg.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Print Spooler Service (y8jo8goe) - Unknown owner - C:\WINDOWS\system32\sklrr7y84223.exe (file missing)



Thanks Guys
 
Sounds more like adware or spyware from what is seen there with one look. The add-on toolbars for IE love to attract things. Your log shows the latest AVG 8.0 is already on.

Two things to dump there are the Google updater and LimeWire. If MS Messenger is not being used, that can be disabled in the msconfig utility to eliminate one more process. But for actually seeing multiple viruses, the usual advice is to see the entire hard drive wiped clean if you are unable to see anything totally removed.
 

Lol... sad.


Let's try to get rid of the viruses before wiping anything.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Wiping a drive is always a last resort. That's done when the drive is essentially bare with a recent install of Windows. Besides viruses, however, problems with bad RAM can see a Windows installer fail.
 
What the hell are you talking about?
If you have checked his log, he is infected. If you don't know how to help him, don't give the "wipe your hard drive" advice anybody can give... Just wait for someone who can really help answer without him losing any file.
 
He/she never knows what they're talking about, posting lectures every time you want to know something!
 
Hello, I had a look at your log.

Do the following:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.




Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
I don't want to start anything, and I usually let this stuff just go, but:
  • PC Eye did mention he was infected, not in the same context, but still
  • PcEye DID mention that it was 'usual' advice to say to wipe the HDD

But for actually seeing multiple viruses the usual advice is to see the entire hard drive wiped cleaned if you are unable to see anything totally removed.

And he did mention to wipe the HDD if the viruses still continue to be on there.
 
And how did that help the victim?
 
Please drop it all of you. It doesn't look good.
Try helping the victim rather than arguing.
Get on with the fix.
 
Thank you!

Still waiting for the logs to continue. Unless he read PC_EYE's advice and wiped everything...
 
If you read the OP's first post you would know that the problem is simply not being able to install Windows? What method or process determined a virus was even present to start with?

Bad RAM, a hard drive with bad heads you can read from but not write to, a bad optical drive or a good lens cleaner, a scratched-up disk: all those will hamper things. ComboFix won't help with any of those. Plus AVG 8.0 on the supposedly infected system not sounding off if one or more viruses got on?
 
Windows Installer and installing the OS are two different things ;)

http://en.wikipedia.org/wiki/Windows_Installer

HijackThis provides a log of files that are present on the computer in the places that usually get infected. These are bad entries; I'll name a few:
O4 - HKLM\..\Run: [706B96E8] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [{A8-82-22-28-ZN}] c:\windows\system32\dwdsregt.exe CORN003
O4 - HKLM\..\Run: [{b1e069f3-7f73-5388-e88e-7995e59d8427}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{5966896e-234b-e7f8-8178-f60a45df5740}.dll" DllStart
O4 - HKCU\..\Run: [Bebs] "C:\DOCUME~1\Ry\APPLIC~1\RACLE~1\taskmgr.exe" -vt ndrv
O4 - HKCU\..\Run: [Fjpqche] C:\WINDOWS\system32\s?curity\??oolsv.exe
O4 - HKCU\..\Run: [mmuz] C:\PROGRA~1\COMMON~1\mmuz\mmuzm.exe
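The post above picks out bad O4 entries by eye. As an added example (my own code, not HijackThis or any forum member's tool), here is a small triage script that applies the same kind of judgement mechanically to O4 autostart and O23 service lines: it flags missing files, services with no publisher, paths that contain the '?' HijackThis substitutes for characters it cannot print, hex-only run value names, numeric-only file names, colons inside a path, binaries running from profile or temp directories, and file names that are exact or near copies (edit distance of at most 2) of core Windows binaries. The list of core binaries, the directory list and the distance threshold are my own choices, and the sample input is a subset of lines copied from the log posted above.

```python
"""Heuristic triage of HijackThis O4 (autostart) and O23 (service) lines.
Added example, not HijackThis code or any forum member's tool; the rules are my own
defender-side heuristics. A flag means "look closer", not "infected"."""
import re
from typing import List, Tuple

# Core Windows XP binaries whose names malware likes to borrow or imitate (my list).
SYSTEM_BINARIES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "taskmgr.exe", "wuauclt.exe")
# Profile and temp directories that a core Windows binary never legitimately runs from.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\applic~1\\", "\\locals~1\\",
                 "\\local settings\\", "\\my documents\\", "\\temporary internet files\\")

O4_RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.*?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# Leading unquoted path, read up to its extension so embedded spaces survive.
PATH_RE = re.compile(r"(.*?\.(?:exe|dll|bat|cmd|scr|com))(?=[\s\"]|$)", re.IGNORECASE)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; the strings are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _paths(cmd: str) -> List[str]:
    """All path-like tokens in a command line: quoted strings plus the leading unquoted path."""
    paths = re.findall(r'"([^"]+)"', cmd)
    m = PATH_RE.match(re.sub(r'"[^"]*"', " ", cmd).strip())
    if m:
        paths.insert(0, m.group(1))
    return [p for p in paths if "\\" in p]


def _parse(line: str) -> Tuple[str, str, str, str]:
    """Split a log line into (kind, name, owner, command); kind is '' for other line types."""
    for kind, rx in (("run", O4_RUN_RE), ("startup", O4_STARTUP_RE), ("service", O23_RE)):
        m = rx.match(line.strip())
        if m:
            return kind, m.group("name"), m.groupdict().get("owner", ""), m.group("cmd")
    return "", "", "", ""


def triage(line: str) -> List[str]:
    """Return the heuristic flags ('CODE: detail') raised by one O4/O23 line."""
    kind, name, owner, cmd = _parse(line)
    if not kind:
        return []
    flags = []
    if "(file missing)" in cmd:
        flags.append("FILE_MISSING: autostart points at a file that is gone (half-removed or self-deleting)")
    if kind == "service" and owner == "Unknown owner":
        flags.append("UNKNOWN_OWNER: service carries no publisher name")
    if "?" in cmd:  # HijackThis prints characters it cannot display as '?'
        flags.append("HIDDEN_CHAR: path uses characters that mimic a system folder or file name")
    if re.fullmatch(r"[0-9a-f]{6,}", name.lower()):
        flags.append(f"HEX_NAME: run value '{name}' is a random hex string")
    for path in _paths(cmd):
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if ":" in path[2:]:  # a colon after the drive letter is not a normal path
            flags.append(f"ADS_PATH: '{base}' has a colon inside the path (alternate-data-stream style)")
        if re.fullmatch(r"[\d.]+\.exe", base):
            flags.append(f"NUMERIC_NAME: '{base}' is a numeric-only file name")
        if any(d in low for d in USER_WRITABLE):
            flags.append(f"USER_DIR: '{base}' runs from a user-writable profile or temp directory")
        sysname = min(SYSTEM_BINARIES, key=lambda s: _edit_distance(base, s))
        dist = _edit_distance(base, sysname)
        if dist == 0 and "\\windows\\" not in low:
            flags.append(f"SYSNAME_MISPLACED: '{base}' is a core Windows binary name outside the Windows directory")
        elif 0 < dist <= 2:
            flags.append(f"LOOKALIKE: '{base}' resembles {sysname} (edit distance {dist})")
    return flags


def flag_codes(line: str) -> List[str]:
    """Only the CODE part of each flag, for summaries and tests."""
    return [f.split(":", 1)[0] for f in triage(line)]


# Constructed subset of the log posted above: these lines are copied from it verbatim.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe",
    r"O4 - HKLM\..\Run: [706B96E8] C:\WINDOWS\system32\rsbmsc.exe",
    r'O4 - HKCU\..\Run: [Bebs] "C:\DOCUME~1\Ry\APPLIC~1\RACLE~1\taskmgr.exe" -vt ndrv',
    r"O4 - HKCU\..\Run: [Fjpqche] C:\WINDOWS\system32\s?curity\??oolsv.exe",
    r"O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe",
    r"O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Ry\LOCALS~1\Temp\winlogon.exe",
    r'O4 - HKCU\..\Run: [Yvpumvs] "C:\Documents and Settings\Ry\My Documents\?racle\?vchost.exe"',
    r"O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pwinpsdm.exe",
    r'O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000206 (file missing)',
    r"O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        for flag in triage(sample):
            print(f"{sample}\n    {flag}")
```

Run it as a script and it prints each flagged line with its reasons; the legitimate Java updater and the Deewoo.lnk startup entry come out clean, while `cssrss.exe`, `svchosts.exe` and `?vchost.exe` are reported as look-alikes of csrss.exe and svchost.exe. The look-alike rule is the one worth keeping in mind when reading such logs by hand: a file name one or two characters away from a core Windows binary, or the real name sitting in Temp or Application Data, is the pattern the post above is pointing at. A clean run is not proof of a clean machine; the rules only cover what a log line itself can show.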
 