
Topic: Very bad virus or worm - can't use my computer anymore


wolfi

  • Guest
Very bad virus or worm - can't use my computer anymore
« on: June 21, 2007, 06:50:05 PM »
I have a weird behavior on my computer: I can't run anything for more than a few seconds before the computer starts hanging. I used Norton and I saw something weird: "*censored*.exe". I did a search and I tried a fix for this worm, but it was not found. I don't know where to start and I can't run anything without the computer hanging. Please help.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:28:14 PM, on 21/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\Patrick\Desktop\HiJackThis_v2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.rdl/INTEGRATION_BAND_SEARCHBAR_HTML
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Chercher avec Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.rdl/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142141247138
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7688 bytes

CBMatt

  • Mod & Malware Specialist


  • Prodigy

  • Sad and lonely...and loving every minute of it.
  • Thanked: 167
    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: Very bad virus or worm - can't use my computer anymore
« Reply #1 on: June 21, 2007, 10:17:19 PM »
Well, I don't really see anything too bad in your log.  Let's try a couple of things.

Although no symptoms of it show up in your log, you appear to have the W32.Zotob worm.  Download AVG Anti-Spyware, update it, and run a full scan in Safe Mode.  If you have to, you can download AVG and its updates on another computer and transfer them via CD.

Also, you may want to check out the following page...
http://www.symantec.com/security_response/writeup.jsp?docid=2005-082317-0232-99&tabid=3

Close all windows (except for HijackThis) and mark the following entry...
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe

Click on Fix Checked and then delete C:\WINDOWS\system32\Ir32_b.exe in Safe Mode.


I would also like for you to download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.
An undefined problem has an infinite number of solutions.
- Robert A. Humphrey
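Reading the O4 and O23 lists by eye is how the [SystemMgr] entry above stands out: a generically named autostart pointing at an executable in system32 with no recognizable product behind it. The following script is an added example, not part of the original thread and not HijackThis code, that applies the same triage to HijackThis-format lines: it parses O4 Run-key entries and O23 service entries, flags autostarts that live in system32 but are not on a small allow-list (a constructed stub here, not a vetted list), flags bare filenames whose on-disk location is ambiguous, and flags services whose owner HijackThis reports as unknown. The sample lines are constructed from entries of the shape shown in the log above.

```python
"""Triage HijackThis O4 (Run-key autostart) and O23 (service) entries.

Added example: the heuristics are illustrative and the allow-list is a
constructed stub, not a vetted list of Windows binaries.
"""
import re

# O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" args
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O23 - Service: Display Name (svc) - Vendor - C:\path\svc.exe
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# Constructed allow-list: the only system32 binary this example accepts as a
# normal Run-key autostart. A real triage list would be curated and longer.
KNOWN_SYSTEM32_AUTOSTARTS = {'ctfmon.exe'}

# Constructed sample in HijackThis format (shapes taken from the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""


def image_path(cmd):
    """Return the executable part of a Run-key command line (quoted path or first token)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ''


def triage(log_text):
    """Return a list of findings; each is {'entry', 'reason', 'path'}."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = image_path(m['cmd'])
            if '\\' not in path:
                # No directory: which file actually runs depends on the search path.
                findings.append({'entry': m['name'], 'path': path,
                                 'reason': 'bare filename, resolved via search path; verify which file runs'})
                continue
            folder, _, exe = path.rpartition('\\')
            if folder.lower().endswith('\\system32') and exe.lower() not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append({'entry': m['name'], 'path': path,
                                 'reason': 'autostart in system32 not on allow-list; verify publisher and file'})
            continue
        m = O23_RE.match(line)
        if m and m['owner'].strip().lower() == 'unknown owner':
            findings.append({'entry': m['display'], 'path': m['path'],
                             'reason': 'service with unknown owner; verify vendor and signature'})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['entry']:<12} {f['reason']}\n{'':<12} {f['path']}")
```

Run against the sample, the script flags SystemMgr (system32, not allow-listed), SoundMan (bare filename) and the ATI Smart service (unknown owner), and leaves the Program Files entries alone. A flag is a prompt to check the file's publisher and hash, not a verdict.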

wolfi

  • Guest
Re: Very bad virus or worm - can't use my computer anymore
« Reply #2 on: June 24, 2007, 10:45:43 AM »
Thank you for your help. If you have other suggestions, remember I can't use normal mode for more than a few seconds.

- AVG won't start on that computer. I tried in Safe mode too.  I tried to uninstall it but I get an error message.

- I did a full scan with Norton in safe mode. Nothing found.

- I looked for *censored*.exe, it's not there.

- O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe is not there anymore. Maybe because I did a system restore?


Combofix:

"Administrator" - 2007-06-24 11:49:17 - ComboFix 07-06-23.5 - Service Pack 2  NTFS  [SAFE MODE]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\msxml3a.dll


(((((((((((((((((((((((((   Files Created from 2007-05-24 to 2007-06-24  )))))))))))))))))))))))))))))))


2007-06-24 11:49   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-24 11:37   524,288   --ah-----   C:\DOCUME~1\ADMINI~1.PAT\NTUSER.DAT
2007-06-24 11:25   <DIR>   d--------   C:\Program Files\Norton Internet Security
2007-06-24 11:00   624,784   --a------   C:\WINDOWS\system32\SymNeti.dll
2007-06-24 08:46   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft(2)
2007-06-21 18:25   786,432   --a------   C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-21 18:16   4,075,520   --a------   C:\DOCUME~1\Patrick\ntuser.dat
2007-06-21 18:16   233,472   --a------   C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-06-18 17:23   <DIR>   d--------   C:\WINDOWS\system32\SoftwareDistribution
2007-06-16 16:25   <DIR>   dr-h-----   C:\DOCUME~1\Patrick\APPLIC~1\CrystalSpace
2007-06-16 15:55   <DIR>   d--------   C:\Program Files\The Adventure Company
2007-06-10 10:44   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-06-03 19:45   143,360   --a------   C:\WINDOWS\system32\unzip32.dll
2007-06-03 19:45   <DIR>   d--------   C:\Program Files\IceChat7
2007-06-03 19:45   <DIR>   d--------   C:\DOCUME~1\Patrick\APPLIC~1\IceChat


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 15:27:10   --------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-06-24 15:25:30   --------   d-----w   C:\Program Files\Symantec
2007-05-24 11:20:54   --------   d-----w   C:\Program Files\3DO
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-05-14 00:09:23   --------   d-----w   C:\Program Files\QuickTime
2007-05-14 00:08:28   --------   d-----w   C:\Program Files\Apple Software Update
2007-05-12 17:35:43   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-05-12 13:26:41   --------   d-----w   C:\Program Files\Ubisoft
2007-05-08 11:16:43   --------   d-----w   C:\Program Files\SlySoft
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-24 10:50:02   --------   d-----w   C:\Program Files\Website Downloader
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-04-07 16:26:43   48,776   ----a-w   C:\WINDOWS\system32\S32EVNT1.DLL
2007-03-30 10:10:55   37,540   ----a-w   C:\WINDOWS\system32\Ir32_a.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}=C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll [2007-01-11 19:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-12 20:29]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 06:42 C:\WINDOWS\soundman.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-13 19:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gameutil.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gameutil.exe.lnk
backup=C:\WINDOWS\pss\gameutil.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax]
C:\Program Files\Classic PhoneTools\CapFax.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RedLine Taskbar]
C:\Program Files\RedLine\Taskbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-13 10:33:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 11:51:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Avg7Core]
"ImagePath"="\SystemRoot\System32\Drivers\avg7core.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Avg7UpdSvc]
"ImagePath"="C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe"

Completion time: 2007-06-24 11:51:49
C:\ComboFix-quarantined-files.txt ... 2007-06-24 11:51

   --- E O F ---



CBMatt

Re: Very bad virus or worm - can't use my computer anymore
« Reply #3 on: June 25, 2007, 12:45:06 PM »
Hi, wolfi.  Sorry, I should have told you to enable hidden files and folders.  Open a random folder (doesn't matter which one) and go to Tools > Folder Options.  Click on the View tab and then check "Show hidden files and folders" and click OK.

Try looking for *censored*.exe (perform a system-wide search if necessary) and C:\WINDOWS\system32\Ir32_b.exe.  While you're at it, you should also look for C:\WINDOWS\system32\Ir32_a.exe.  If you find any other files with similar names, please let me know.

Go to Start > Accessories > System Tools > Disk Cleanup.  Run the Disk Cleanup utility that comes up after putting a check next to these:

Temporary Files
Temporary Internet Files
Recycle Bin


Exactly what kind of error message do you get from AVG?  Give SUPERAntiSpyware a try and see if that gives you any better results.

wolfi

  • Guest
Re: Very bad virus or worm - can't use my computer anymore
« Reply #4 on: June 30, 2007, 12:01:47 PM »
"Show hidden files and folders" was already selected. I did a search for *censored*.exe and it's not there, but I can find Ir32_b.exe and ir32_32.dll. What should I do with it?

I can't find the uninstall tool for AVG anymore, but when I try to install again I get this message: "Some installation files are corrupt. Please download a fresh copy and retry installation."

I tried SuperAntiSpyware... It won't run in normal mode (it's hanging) and it won't install in safe mode. (Message: "The system administrator has set policies to prevent this installation.") I really need something that can run in safe mode.

CBMatt

Re: Very bad virus or worm - can't use my computer anymore
« Reply #5 on: June 30, 2007, 08:59:59 PM »
Go ahead and delete those two files.

Does your account have administrator privileges?  You may want to take a look at the following page from the mothership...
http://support.microsoft.com/kb/322963

Your Norton could possibly be related.  However, because it's your only protection right now, I think we should wait on the included workaround.  Instead...if this is XP Professional, go to Start > Run and type in gpedit.msc and click OK.  Go to Local Computer Policy > Computer Configuration > Windows Components > Windows Installer.  On the list to the right, double-click Disable Windows Installer, click on Enable and click OK.


If you are using XP Home, then go to Start > Run, type in regedit and click OK.  Navigate to HKEY_CLASSES_ROOT\Installer\Products.  Look for the program(s) you are trying to install and delete its folder.  I believe the folder for SUPERAntiSpyware is 1FBBCDDC3072CB6439B8CB8CA1E1AEAA.  Not sure about AVG...just check the ProductName of each one.

NOTE:  Before making changes to your registry, you should back it up with ERUNT!


See if you can install the programs now.  Also, give AVG's Anti-Spyware a try.


Let me know how things go.  Post an update along with a new HijackThis log.
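The registry step above asks the user to find the right product under HKEY_CLASSES_ROOT\Installer\Products by checking each key's ProductName rather than guessing the 32-character key. As an added example that is not part of the thread, the Python below does that lookup offline against an export of the key (assumed to be taken with `reg export "HKEY_CLASSES_ROOT\Installer\Products" products.reg`): it parses the .reg text format, matches ProductName by substring, and converts the 32-hex key name (an MSI "packed" GUID) back to the standard ProductCode form that also appears under the HKLM Uninstall key and in msiexec logs. The sample export, its key names and its product names are constructed placeholders.

```python
r"""Locate an MSI product under HKEY_CLASSES_ROOT\Installer\Products by ProductName.

Added example. Input is the text of a .reg export, e.g. produced with
    reg export "HKEY_CLASSES_ROOT\Installer\Products" products.reg
The sample below is constructed; key names and product names are placeholders.
"""
import re

PRODUCTS_ROOT = r'HKEY_CLASSES_ROOT\Installer\Products'
PACKED_GUID_RE = re.compile(r'^[0-9A-F]{32}$', re.I)

# Constructed .reg export (real exports are UTF-16 with a BOM; see load_reg).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Installer\Products]

[HKEY_CLASSES_ROOT\Installer\Products\0123456789ABCDEF0123456789ABCDEF]
"ProductName"="Example Spyware Scanner (constructed)"
"Language"=dword:00000409
"Version"=dword:03060000

[HKEY_CLASSES_ROOT\Installer\Products\0123456789ABCDEF0123456789ABCDEF\SourceList]
"PackageName"="scanner.msi"

[HKEY_CLASSES_ROOT\Installer\Products\FEDCBA9876543210FEDCBA9876543210]
"ProductName"="Example Antivirus \"Free\" Edition (constructed)"
"Language"=dword:00000409
"""


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}} (strings unescaped, others raw)."""
    keys, current, pending = {}, None, ''
    for raw in text.lstrip('\ufeff').splitlines():
        line = pending + raw.strip()
        pending = ''
        if line.endswith('\\'):            # hex(...) values wrap onto continuation lines
            pending = line[:-1]
            continue
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or '=' not in line:
            continue
        name, _, value = line.partition('=')
        name = '(Default)' if name == '@' else _unquote(name)
        keys[current][name] = _unquote(value) if value.startswith('"') else value
    return keys


def load_reg(path):
    """Read a reg.exe export from disk; reg.exe writes UTF-16 with a BOM."""
    with open(path, encoding='utf-16') as fh:
        return parse_reg(fh.read())


def unpack_guid(packed):
    """Convert a 32-hex MSI packed GUID to {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.

    The first three groups are stored reversed; the remaining 16 hex digits are
    stored with the two digits of each byte swapped.
    """
    p = packed.upper()
    tail = ''.join(p[i + 1] + p[i] for i in range(16, 32, 2))
    return '{%s-%s-%s-%s-%s}' % (p[:8][::-1], p[8:12][::-1], p[12:16][::-1], tail[:4], tail[4:])


def pack_guid(guid):
    """Inverse of unpack_guid: standard GUID string to the packed key-name form."""
    g = guid.strip('{}').replace('-', '').upper()
    tail = ''.join(g[i + 1] + g[i] for i in range(16, 32, 2))
    return g[:8][::-1] + g[8:12][::-1] + g[12:16][::-1] + tail


def find_products(keys, needle):
    """Return [(packed_key, product_code_guid, product_name)] whose ProductName contains needle."""
    hits = []
    for path, values in keys.items():
        parent, _, leaf = path.rpartition('\\')
        # Only direct children of the Products key with packed-GUID names are products.
        if parent.lower() != PRODUCTS_ROOT.lower() or not PACKED_GUID_RE.match(leaf):
            continue
        name = values.get('ProductName', '')
        if needle.lower() in name.lower():
            hits.append((leaf, unpack_guid(leaf), name))
    return hits


if __name__ == '__main__':
    products = parse_reg(SAMPLE_REG)
    for packed, code, name in find_products(products, 'spyware'):
        print(f'{name}\n  key: {packed}\n  ProductCode: {code}')
```

Searching by name avoids deleting the wrong product record, and the unpacked ProductCode lets you cross-check the hit against the Uninstall key before touching anything. As the reply above says, back the registry up first; deleting a key under Installer\Products only removes Windows Installer's record of the product, not the installed files.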

wolfi

  • Guest
Re: Very bad virus or worm - can't use my computer anymore
« Reply #6 on: July 01, 2007, 07:09:18 AM »
Ir32_b was not there anymore but Ir32_a was there.  ??? I deleted the files.

I did what you said but I can't find 1FBBCDDC3072CB6439B8CB8CA1E1AEAA and I don't know how to find the right one (I looked in the folders but I don't see any product name). I'm using XP Pro. I tried the program for Norton, but I never had Norton in 2003 (I got this computer last year). I can't uninstall Norton in safe mode and it won't uninstall in normal mode (it's telling me that another program is installing, right). So much fun.

Thank you for your help, but I think it will be easier and faster to reinstall Windows completely. 

CBMatt

Re: Very bad virus or worm - can't use my computer anymore
« Reply #7 on: July 01, 2007, 12:48:58 PM »
If you have XP Pro, then you should be able to use Group Policy Editor...
Instead...if this is XP Professional, go to Start > Run and type in gpedit.msc and click OK.  Go to Local Computer Policy > Computer Configuration > Windows Components > Windows Installer.  On the list to the right, double-click Disable Windows Installer, click on Enable and click OK.
Did you try these steps?

And what about a new HijackThis log?

If you have to reformat, do you have a way of backing up your important files?

CBMatt

Re: Very bad virus or worm - can't use my computer anymore
« Reply #8 on: July 10, 2007, 09:06:46 AM »
Due to lack of feedback, I am closing this topic.  If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.