
ms installer is dead, because of virus. What to do?


Sandzzz

Technical User
Feb 3, 2005
38
MD
Hi guys!

I just ran out of my trial for the Kaspersky Antivirus and the very first moment after uninstalling the KAV my PC fell terribly ill. Windows Explorer has gone mad, doing all kinds of bizarre stuff: no address bar, even though it is marked as being displayed, all Start menu items are shown like they are dead links - IT'S TERRIBLE, no folder changes are saved etc. etc. etc. I tried reinstalling the KAV but it keeps saying that my MS Installer is inactive, either because I run my XP in safe mode (which is BS) or because the service is shut down (I have opened the services and didn't find one that was called MS Installer), so it refused to install. Then I downloaded the completely USELESS AVG antivirus and ran a full 3 hour computer scan only to get 10 tracking cookies as the scan result. Laughable software. Really bad. Imagine running your AVG antivirus and at the same time, every time you open a folder, getting dialog boxes saying your PC is horribly infected and to click on the free-antivirus . com or smth. like that to download the software that removes the f crap.
Then I downloaded Bitdefender and I had the same problem with the installer not working.
WHAT SHOULD I DO to find and kill both the virus and MF who created it?
Please people, help with this problem.

Thank you so much!
 
Have you tried using the restore to a date before you installed the free AV?




This is a Signature and not part of the answer, it appears on every reply.

This is an Analogy so don't take it personally as some have.

Why change the engine if all you need is to change the spark plugs.


 
Yes acewarlock, I did try that - the system restore function.
I click it, aaand nothing happens. Forgot to mention that.
 
Do an online viral scan:

TrendMicro Housecall:

Download HiJackThis, run a scan with log and paste it here for our discernment...

HiJackThis


PS: AntiViral software is there to get rid of Virii, most will not even touch SpyWare, some trojans, or worms... In various tests AVG and KAV are about equal, each having their strengths and weaknesses... see:


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
I cannot install HiJackThis, I cannot install anything, my installer is dead.
 
Perhaps AVG didn't find any Spyware or Virus, for the simple reason that you don't have any? Perhaps the problem was caused by the removing of Kaspersky and the uninstaller program?

See if the Windows Installer service is not disabled or missing from Services. Look under "Windows Installer" not MS Installer.


Windows Installer Error Messages

See if unregistering and re-registering the the installer helps.

"Error 1719. The Windows Installer service could not be accessed" error message when you try to add or remove a program


As to System Restore, sometimes when it fails to function in Normal Mode it may work from Safe Mode.




Try running ChkDsk to check your drive for errors. Right-click your Drive icon/ Properties/ Tools/ Error Checking. Select both boxes.

Run the System File Checker program from the Run Box by typing.....Sfc /Scannow in it and have your XP CD handy.

If they don't work you could try repairing windows by running it over itself. You will lose all your windows updates but your files will be untouched.

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP (Q315341)
 
I cannot install HiJackThis
HJT does NOT need to be installed, period !!!

You DL it and run it from a folder on the DESKTOP (for example)... BUT if you prefer to go through the ordeal of REINSTALLING XP, then knock yourself out and don't let me stop you...

Good night (it's almost 1 am in Germany)

PS: I know that all this is frustrating to you, and has you teed off to the max, but that still is not a reason to use the kind of language...
I will rip his balls off and shove them up his bitch ass.
just tone it down a bit...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Oh, just found this on GOOGLE...

Free-viruscan.com Removal Tool

A guide and tutorial on using ComboFix

read the last POST on this thread:

[Help] infected: free-viruscan.com

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
See if there is anything here that might help you remove it?

[Help] infected: free-viruscan.com


When you surf, are you surfing as an Admin, or, as is recommended, as a limited user? This hijack apparently creates this .dll, C:\Windows\system32\f_view.dll, which a limited user ought not to be able to do.


The Windows Installer Service is set at Manual by default, not Automatic.
 
Badbigben,

Thank you very much for your replies,
This is what I get whenever I doubleclick the hijackthis.exe:
msvbvm60.dll was not found. Reinstalling the app may help.
I am currently googling that free-viruscan thing and I am glad to see that I am not alone (Ok, you don't like rough language, I apologize for that, I won't write those things again on this forum, I am fine swearing aloud.)

If someone finds other info on removing that stuff, please let me know.
Thank you!
 
Did you check that link I posted where the fellow reckoned he removed the malware. Did you just run the IE page to free-viruscan, or did you end up downloading their free virus scanner intentionally?

msvbvm60.dll is downloadable or can be copied from another XP machine's C:\Windows\System32 folder.

 
Ok, you don't like rough language, I apologize for that
I really do not care, but others might, and there is no need to apologize, I know how frustrating this can be... been there and beyond...

when I replied (I was a bit rough there as well), Germany had just lost the European Masters in Football (Soccer for the Americans out there), also I had a presentation in the morning to take care of, so I was a bit gruffy...

once you get HJT running, with Linney's help, we can deal with the culprit, once downloaded place a copy of the file under the system32 folder (c:\windows\system32), and if that does not work place it also into the Folder from where you started HJT... getting a log is essential in cleaning your PC...

If you have a chance search the Spyware Forum here: forum760 , look at Pechenegs responses/posts (I consider him to be the resident guru on malware infections here on Tek-Tips), they are invaluable when it comes to cleaning malware of all sorts...





Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
If you have the msvbvm60.dll file, place it into the windows\system32 folder and run HijackThis again. Also, if you're running it from a zipped folder you might get the same response even though the dll file is in the same folder.

 
Ok, people, here is my log file created by Hijackthis:
I hope this will contribute to solving my big problem.
Badbigben, I was supporting DE as well, and I was VERY angry when they lost.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:13 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\Philips\SPC220NC\Monitor.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WinView plugin - {8AE578E0-6DF5-41E0-869F-F65A32D2F6BD} - C:\WINDOWS\system32\xmlwin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\Philips\SPC220NC\Monitor.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Yahoo! Desktop Search System Tray.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
O4 - Startup: Yahoo! Desktop Search.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6152 bytes
 
Well, according to HijackThis.de, the only items it flagged are:

C:\WINDOWS\Philips\SPC220NC\Monitor.exe

Unknown
O2 - BHO: WinView plugin - {8AE578E0-6DF5-41E0-869F-F65A32D2F6BD} - C:\WINDOWS\system32\xmlwin.dll

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\Philips\SPC220NC\Monitor.exe

Another thing to check for is a RootKit. There are several programs out there that check for rootkits. Some like RootKitRevealer don't require installation. See faq760-6534 for more listings.


James P. Cottingham
-----------------------------------------
I'm number 1,229!
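A way to pre-screen a HijackThis log like the one above before a human reads it, as an added example that is not part of this thread and not HijackThis or HijackThis.de code. It parses the O2/O4/O20 entry lines, flags orphaned BHO registrations (the "(no file)" entries), any file loaded directly from system32 that is not on an expected-file list, and any AppInit_DLLs entry. The sample log is a constructed excerpt of the log posted in this thread, and the expected-file list is an assumption built for this example, not an authoritative whitelist.

```python
"""Triage of a HijackThis (HJT) log: parse the entry lines and flag the ones
a reviewer should look at first.  Added illustration, not part of the thread
and not HijackThis code.  SAMPLE_LOG is a constructed excerpt of the log
posted above; EXPECTED_SYSTEM32 is an assumption made for this example."""
import re

# Constructed excerpt of the thread's HJT log (raw string keeps the backslashes).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WinView plugin - {8AE578E0-6DF5-41E0-869F-F65A32D2F6BD} - C:\WINDOWS\system32\xmlwin.dll
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\Philips\SPC220NC\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HJT entry line starts with a section code such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A file sitting directly in %SystemRoot%\system32 (no sub-folder).
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)
# Files expected in system32 on this particular XP box (assumption for this
# example, taken from the thread's own log; not an authoritative whitelist).
EXPECTED_SYSTEM32 = {"ctfmon.exe", "ati2evxx.exe", "sti_ci.dll"}


def parse_entries(log_text):
    """Return (kind, body) for every entry line; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def target_path(kind, body):
    """Best-effort extraction of the file an entry points at."""
    if kind == "O4":
        # O4 - HKLM\..\Run: [Name] "C:\path\file.exe" /args
        after = body.split("] ", 1)[1] if "] " in body else body
        if after.startswith('"'):
            return after[1:].split('"', 1)[0]
        return after.split(" /", 1)[0]
    # O2 / O9 / O23 ...: the path (or "(no file)") is the last " - " field.
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log_text):
    """Return a list of (severity, kind, reason, body) for entries worth review."""
    findings = []
    for kind, body in parse_entries(log_text):
        path = target_path(kind, body) or ""
        if kind == "O2" and path == "(no file)":
            findings.append(("low", kind, "orphaned BHO registration, no file on disk", body))
            continue
        if kind == "O20":
            findings.append(("review", kind, "AppInit_DLLs loads into every user32 process; confirm the vendor", body))
            continue
        m = SYSTEM32_RE.match(path)
        if m and kind in ("O2", "O4") and m.group(1).lower() not in EXPECTED_SYSTEM32:
            findings.append(("high", kind, "unrecognised file loaded directly from system32", body))
    return findings


if __name__ == "__main__":
    for sev, kind, reason, body in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {reason}\n         {body}")
```

Run against the excerpt, the two "(no file)" BHOs come out as low-priority clean-up, xmlwin.dll in system32 is the one high-priority hit (the same entry HijackThis.de marked Unknown), and the AppInit_DLLs line is listed for vendor confirmation. The Philips webcam entry is not flagged because it loads from its own folder, which matches the manual verdict in the thread.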
 
Go to using Internet Explorer and get their free version of ActiveScan and run it on your computer. It is based on an ActiveX control and does not need to be installed, and will still run when many other AV products fail. It will remove some crap, and others it might ask you to register for $10, but who cares if you want it gone.

Then go into Control Panel and Add/Remove Programs. Scroll down to the bottom of the list and look for Windows Installer 3.1. Delete it. Then reboot your computer and go into windows update. It will tell you it has to download new components in order to do its job, etc. Go ahead and do that, and it will re-download and reinstall Windows Installer 3.1

That worked for most of my stuff, but I still have one application I can't reinstall because it uses the "Installshield Wizard" which is corrupted and I haven't figured out how to fix that problem yet.

I got the Tanatos virus and I still don't know how, because I run 2 different AV/Spyware programs on this box and it happened during Memorial Day weekend when I wasn't even here. I suspect it came in on a local network share (my PC serves data to a local application), but still don't know how it slipped through the cracks.
 
You seem to be hit by a SmitFraud type deal there. The following, pointed out by 2ffat, can be ignored:

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\Philips\SPC220NC\Monitor.exe

that is your WebCam software, made by Philips Electronics Netherland...

the following, also pointed out by 2ffat needs to be deleted:

O2 - BHO: WinView plugin - {8AE578E0-6DF5-41E0-869F-F65A32D2F6BD} - C:\WINDOWS\system32\xmlwin.dll

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) --- YAHOO who needs it?


once we have the bugger, you may decide to get rid of Yahoo Toolbar (same goes for Google if you have it or plan on it), I've had nothing but problems with those two in the past (customer PCs)...


Download the following and run it from the Desktop:

SD-Fix

Code:
Double click on SDFix.exe and choose the desktop as to the location where it should be extracted. Restart your computer in safe mode by following the procedure as follows:

     * Restart your computer
     * After hearing the computer beep at the start but before the Windows icon appears (right after POST), tap the F8 key.
     * a menu of options should appear.
     * Choose the first option for running Windows in Safe Mode, then press Enter.
     * Select your account. (if you have autologon then ignore this one)

Then follow the list of instructions below:

     * Open the folder SDFix that has been created on the desktop and double click on RunThis.bat to start the script.
     * Confirm with Y to begin the cleaning process.
     * It will remove services and registry entries of some trojans found and then ask you to press a button to restart.
     * Press any key to restart the PC.
     * Your system will take longer to boot than usual because SDFix will continue to run and delete files.
     * After the Desktop appears, the tool will finish its work and display Finished.
     * Press any key to end the execution of the script and load the icons on your desktop.
     * SDFix report will open on screen (Report.txt).
     * Finally, copy / paste the file content Report.txt in your next reply on the forum.
Translated from French...

also this might be of interest to you as well:

System Error! Virus alert window directs to web page.


also CTFMON.EXE is part of OFFICE, but it can be turned off if you so choose, read:

CTFMON Remover



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 