# Solved: Windows Installer not working (also)



## Soddit (Nov 28, 2006)

Hi. I've got the same problem with an almost identical analysis of the Installer path. I've also tried to reinstall using Installer 3.1 but without success - it tells me it's installed but the troublesome .tmp file is still in place when I access Properties of Windows Installer.
All suggestions gratefully received! Thanks


----------



## Soddit (Nov 28, 2006)

Hi JSntgRvr
Thanks. Will do. Some further info: ran KB315346 - what should be windows\system32 in the value path is a .tmp file. However, when I change it and restart in safe mode to try to register the .exe file, it says it can't find it. And here is the oddity - I then lose internet access. Fortunately I created a restore point, so nothing lost. Many thanks


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit* 

Did you search for *msiexec.exe*?


----------



## Soddit (Nov 28, 2006)

Hello JSntgRvr
Thanks for the prompt sms.. indeed I searched for msiexec.exe and found it - noted the location. Found the value data line in regedit - it was incorrect with C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.tmp MsiExec.exe/V. Changed it to the correct path and closed regedit. Fine so far - restarted in safe mode - typed msiexec/regserver and it comes back to say it cannot find it. Restart again in normal mode - cannot access my modem so back to restore point. Very baffled now!


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit* 

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run *FileFind*, please do the following:
Click on *FileFind.exe*
In the box labeled "*Directory*"
Enter: *C:\* (The drive letter where the system is installed)

In the box labeled "*File*"
Enter: *msiexec.exe*

Now click on the "*Search*" button
Once the utility has found the files click on "*Export*"
A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
NOTE: The notepad is saved on your *C:\* drive as "*Export.txt*"

*I need you to run the installer.bat above.*


----------



## Soddit (Nov 28, 2006)

C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msiexec.exe - 77312 Bytes
C:\WINDOWS\$NtServicePackUninstall$\msiexec.exe - 63488 Bytes
C:\WINDOWS\ServicePackFiles\i386\msiexec.exe - 77312 Bytes
C:\WINDOWS\system32\msiexec.exe - 78848 Bytes

I think this is what you asked for - hope it assists! Many thanks


----------



## JSntgRvr (Jul 1, 2003)

Check Post 7 and run the bat file


----------



## JSntgRvr (Jul 1, 2003)

Your thread has been moved to a new thread

Here is the file to run.


----------



## Soddit (Nov 28, 2006)

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSIServer
NextInstance	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSIServer\0000
Service	REG_SZ	MSIServer
Legacy	REG_DWORD	0x1
ConfigFlags	REG_DWORD	0x0
Class	REG_SZ	LegacyDriver
ClassGUID	REG_SZ	{8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc	REG_SZ	Windows Installer

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer
Type	REG_DWORD	0x120
Start	REG_DWORD	0x3
ErrorControl	REG_DWORD	0x1
ImagePath	REG_EXPAND_SZ	C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\MsiExec.exe /V
DisplayName	REG_SZ	Windows Installer
ObjectName	REG_SZ	LocalSystem
FailureActions	REG_BINARY	0000000000000000010000000300000048004F000100000060EA000000000000000000000000000000000000
FailureCommand	REG_SZ	"" 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Security
Security	REG_BINARY	01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Enum
0	REG_SZ	Root\LEGACY_MSISERVER\0000
Count	REG_DWORD	0x1
NextInstance	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSIServer
NextInstance	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSIServer\0000
Service	REG_SZ	MSIServer
Legacy	REG_DWORD	0x1
ConfigFlags	REG_DWORD	0x0
Class	REG_SZ	LegacyDriver
ClassGUID	REG_SZ	{8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc	REG_SZ	Windows Installer

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer
Type	REG_DWORD	0x120
Start	REG_DWORD	0x3
ErrorControl	REG_DWORD	0x1
ImagePath	REG_EXPAND_SZ	C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\MsiExec.exe /V
DisplayName	REG_SZ	Windows Installer
ObjectName	REG_SZ	LocalSystem
FailureActions	REG_BINARY	0000000000000000010000000300000048004F000100000060EA000000000000000000000000000000000000
FailureCommand	REG_SZ	"" 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer\Security
Security	REG_BINARY	01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer\Enum
0	REG_SZ	Root\LEGACY_MSISERVER\0000
Count	REG_DWORD	0x1
NextInstance	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MSIServer
NextInstance	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MSIServer\0000
Service	REG_SZ	MSIServer
Legacy	REG_DWORD	0x1
ConfigFlags	REG_DWORD	0x0
Class	REG_SZ	LegacyDriver
ClassGUID	REG_SZ	{8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc	REG_SZ	Windows Installer

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIServer
Type	REG_DWORD	0x120
Start	REG_DWORD	0x3
ErrorControl	REG_DWORD	0x1
ImagePath	REG_EXPAND_SZ	C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\MsiExec.exe /V
DisplayName	REG_SZ	Windows Installer
ObjectName	REG_SZ	LocalSystem
FailureActions	REG_BINARY	0000000000000000010000000300000048004F000100000060EA000000000000000000000000000000000000
FailureCommand	REG_SZ	"" 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIServer\Security
Security	REG_BINARY	01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000


----------



## JSntgRvr (Jul 1, 2003)

Post a Hijackthis log, please


----------



## Soddit (Nov 28, 2006)

Thanks - will have to be tomorrow as it is sack time here! Many thanks for your help


----------



## Soddit (Nov 28, 2006)

Change of plan...could not leave it there..
Logfile of HijackThis v1.99.1
Scan saved at 10:10:11 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\packager.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smiliner.com/pics/n_psa_n177us.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\\RegistryController.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InternetWasherPro] C:\PROGRA~1\INTERN~2\iw.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} (Snapshot Viewer Control 9.0) - http://www.icao.int/anb/ais/reports/Snapview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B948EAF-509D-4B9B-BB3D-A4E53511906E}: NameServer = 212.19.48.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0260D72-14F5-4572-8C39-5FF721186616}: NameServer = 195.229.241.222 213.42.20.20
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\MsiExec.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Steganos VPN Starter Service (SVPNStarter) - Unknown owner - C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------
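A defender-side check for what the two posts above show, as an added example (not code from this thread or from the tools it uses): it parses `reg query` output and HijackThis O23 lines and flags services whose executable sits in a temp directory. The Spooler entry, the function names and the reason labels are constructed for illustration.

```python
import re

# Constructed sample, trimmed from the reg.exe output posted in this thread.
# Columns are separated by spaces here; real reg.exe output uses tabs, and the
# parser accepts both. The Spooler key is an invented baseline for contrast.
REG_DUMP = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer
Start    REG_DWORD    0x3
ImagePath    REG_EXPAND_SZ    C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\MsiExec.exe /V
ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer
ImagePath    REG_EXPAND_SZ    C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\MsiExec.exe /V
ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe
ObjectName    REG_SZ    LocalSystem
"""

# Constructed sample: three O23 lines copied from the HijackThis log above.
HJT_LOG = r"""
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\MsiExec.exe (file missing)
O23 - Service: Steganos VPN Starter Service (SVPNStarter) - Unknown owner - C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
"""

VALUE_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
SERVICE_KEY_RE = re.compile(
    r"\\(CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)$", re.I)
# Scratch locations: a Temp/Tmp folder, or an IXPnnn.TMP directory (the name
# IExpress self-extractors unpack into). Neither should host a service binary.
TEMP_RE = re.compile(r"\\(temp|tmp|ixp\d{3}\.tmp)\\", re.I)


def parse_reg_query(text):
    """Parse `reg query` text into {key: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("HKEY_"):
            current = keys.setdefault(line, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group("name")] = (m.group("type"), m.group("data").strip())
    return keys


def image_exe(image_path):
    """Return the executable part of a service ImagePath, without arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?=\s|$)", s, re.I)
    return m.group(1) if m else s


def audit_service_keys(text):
    """List (control set, service, exe, account) for services run from temp."""
    findings = []
    for key, values in parse_reg_query(text).items():
        m = SERVICE_KEY_RE.search(key)
        if not m or "ImagePath" not in values:
            continue
        exe = image_exe(values["ImagePath"][1])
        if TEMP_RE.search(exe):
            account = values.get("ObjectName", ("", "?"))[1]
            findings.append((m.group(1), m.group(2), exe, account))
    return findings


def audit_o23(log):
    """Map HijackThis O23 service names to the reasons they deserve a look."""
    prefix, missing_tag = "O23 - Service: ", " (file missing)"
    findings = {}
    for line in log.splitlines():
        if not line.startswith(prefix):
            continue
        body = line[len(prefix):].rstrip()
        missing = body.endswith(missing_tag)
        if missing:
            body = body[:-len(missing_tag)]
        # Display names may contain " - ", so split owner and path off the right.
        parts = body.rsplit(" - ", 2)
        if len(parts) != 3:
            continue
        name, owner, path = parts
        reasons = []
        if TEMP_RE.search(path):
            reasons.append("temp-path")
        if missing:
            reasons.append("file-missing")
        if owner == "Unknown owner":
            reasons.append("unknown-owner")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for finding in audit_service_keys(REG_DUMP):
        print("registry:", finding)
    for name, reasons in audit_o23(HJT_LOG).items():
        print("hijackthis:", name, reasons)
```

Every control set has to be checked, not just CurrentControlSet, because the dump above shows the same temp path in ControlSet001 and ControlSet003 as well.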



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit* 

*This fix is for Windows XP.*

_*Note: This fix was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

Please create a Restore point:

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "Before VirusScan", then click *Create*.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

_Modification of the registry can be *EXTREMELY* dangerous if you do not know exactly what you are doing so follow the steps that are listed below *EXACTLY*. If you cannot perform some of these steps or if you have *ANY* questions please ask *BEFORE* proceeding._

*Backing Up Your Registry*
Go *Here* and download *ERUNT* 
_(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)_
Install *ERUNT* by following the prompts 
_(use the default install settings but say no to the portion that asks you to add *ERUNT* to the start-up folder, if you like you can enable this option later)_
Start *ERUNT* 
_(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)_
Choose a location for the backup 
_(the default location is C:\WINDOWS\ERDNT which is acceptable)._
Make sure that at least the first two check boxes are ticked 
Press *OK*
Press *YES* to create the folder.
*Registry Modifications*

Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Installer.reg* . Once extracted, double click on the *Installer.reg* file and select *Yes* when prompted to merge it into the registry.

*Restart the computer and test* (Remove and reinstall a program that you rarely use).

Let me know the outcome.


----------



## Soddit (Nov 28, 2006)

Hi JSntgRvr
Thought we had it sorted...downloaded your installer file and restarted. The path for windows installer is now correct and I started it into manual and auto. HOWEVER when I try to install Acrobat reader 8 it advises the installer cannot be accessed. When I try to install windows update KB927978 I have the same message.


----------



## Soddit (Nov 28, 2006)

Here's the latest Hijackthis log... error code 0x641 from the attempt at KB927978 update which again failed:-
Logfile of HijackThis v1.99.1
Scan saved at 9:08:08 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smiliner.com/pics/n_psa_n177us.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\\RegistryController.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InternetWasherPro] C:\PROGRA~1\INTERN~2\iw.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} (Snapshot Viewer Control 9.0) - http://www.icao.int/anb/ais/reports/Snapview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B948EAF-509D-4B9B-BB3D-A4E53511906E}: NameServer = 212.19.48.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0260D72-14F5-4572-8C39-5FF721186616}: NameServer = 213.42.20.20 195.229.241.222
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Steganos VPN Starter Service (SVPNStarter) - Unknown owner - C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit* 

*Reboot into safe mode.*

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Go to *Start*->*Run*, type (or copy and paste)-> *msiexec /regserver* and click *Ok*.

Restart the computer.

Go to *Start*->*Run*, type *services.msc* and click *Ok*.

Scroll down to *Windows Installer* and right click on it. Select *Properties*. Make sure the service is set to *Manual*. Select the *Dependencies* tab. Make sure the *RPC* appears as a dependency. Close the properties window.

Scroll up to *Remote Procedure Call*. There are two entries. Right click on both entries. Make sure they are set as *Automatic* and that both are running.

If the settings look in order, and the issue persists, download the enclosed folder and extract its contents to the desktop. It is a batch file, *MsiQuery.bat*. Once extracted double click on it and post the report it produces.

Keep me posted on all your experiences.


----------



## Soddit (Nov 28, 2006)

Latest. Came to fire up the PC this morning and ..no internet access. Laptop (not involved with all this) accessed internet fine. Used restore point to before installation of your installer file and.....all fine again. So back to where I started! Thanks.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit* 

You must have a bug in the computer.

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

 Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## Soddit (Nov 28, 2006)

Sorry for the delay - the irritation of having to work. Here is the SD Fix Log first - the Hijackthis follows in the next reply

SDFix: Version 1.62

Thu 01/25/2007 - 16:03:22.40

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Files Found..

Alternate Streams Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\Documents and Settings\user\NetHood\ftp.aircraftloadcontrol.com\Desktop.ini
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT633.tmp

Finished


----------



## Soddit (Nov 28, 2006)

And the next

Logfile of HijackThis v1.99.1
Scan saved at 4:27:21 PM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smiliner.com/pics/n_psa_n177us.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\\RegistryController.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InternetWasherPro] C:\PROGRA~1\INTERN~2\iw.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} (Snapshot Viewer Control 9.0) - http://www.icao.int/anb/ais/reports/Snapview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B948EAF-509D-4B9B-BB3D-A4E53511906E}: NameServer = 212.19.48.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0260D72-14F5-4572-8C39-5FF721186616}: NameServer = 195.229.241.222 213.42.20.20
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Steganos VPN Starter Service (SVPNStarter) - Unknown owner - C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit* 

Those logs look clear.

Please run the batch file included with the Installer.zip attached to Post #8 and follow the instructions on Post #16.

Let me see those reports.


----------



## Soddit (Nov 28, 2006)

Hi
The report from the post No 8 installer file first


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSIServer
NextInstance	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSIServer\0000
Service	REG_SZ	MSIServer
Legacy	REG_DWORD	0x1
ConfigFlags	REG_DWORD	0x0
Class	REG_SZ	LegacyDriver
ClassGUID	REG_SZ	{8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc	REG_SZ	Windows Installer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSIServer\0000\Control
ActiveService	REG_SZ	MSIServer

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer
Type	REG_DWORD	0x20
Start	REG_DWORD	0x2
ErrorControl	REG_DWORD	0x1
ImagePath	REG_EXPAND_SZ	C:\WINDOWS\system32\msiexec.exe /V
DisplayName	REG_SZ	Windows Installer
ObjectName	REG_SZ	LocalSystem
DependOnService	REG_MULTI_SZ	RpcSs\0\0
DependOnGroup	REG_MULTI_SZ	\0
Description	REG_SZ	Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Security
Security	REG_BINARY	01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Enum
0	REG_SZ	Root\LEGACY_MSISERVER\0000
Count	REG_DWORD	0x1
NextInstance	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSIServer
NextInstance	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSIServer\0000
Service	REG_SZ	MSIServer
Legacy	REG_DWORD	0x1
ConfigFlags	REG_DWORD	0x0
Class	REG_SZ	LegacyDriver
ClassGUID	REG_SZ	{8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc	REG_SZ	Windows Installer

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSIServer\0000\Control
ActiveService	REG_SZ	MSIServer

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer
Type	REG_DWORD	0x20
Start	REG_DWORD	0x2
ErrorControl	REG_DWORD	0x1
ImagePath	REG_EXPAND_SZ	C:\WINDOWS\system32\msiexec.exe /V
DisplayName	REG_SZ	Windows Installer
ObjectName	REG_SZ	LocalSystem
DependOnService	REG_MULTI_SZ	RpcSs\0\0
DependOnGroup	REG_MULTI_SZ	\0
Description	REG_SZ	Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer\Security
Security	REG_BINARY	01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer\Enum
0	REG_SZ	Root\LEGACY_MSISERVER\0000
Count	REG_DWORD	0x1
NextInstance	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MSIServer
NextInstance	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MSIServer\0000
Service	REG_SZ	MSIServer
Legacy	REG_DWORD	0x1
ConfigFlags	REG_DWORD	0x0
Class	REG_SZ	LegacyDriver
ClassGUID	REG_SZ	{8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc	REG_SZ	Windows Installer

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIServer
Type	REG_DWORD	0x20
Start	REG_DWORD	0x2
ErrorControl	REG_DWORD	0x1
ImagePath	REG_EXPAND_SZ	C:\WINDOWS\system32\msiexec.exe /V
DisplayName	REG_SZ	Windows Installer
ObjectName	REG_SZ	LocalSystem
DependOnService	REG_MULTI_SZ	RpcSs\0\0
DependOnGroup	REG_MULTI_SZ	\0
Description	REG_SZ	Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIServer\Security
Security	REG_BINARY	01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000


----------
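A check for the service registration dumped in the post above, as an added example that is not part of the thread or of the Installer.zip batch file: it parses `reg query` output and verifies that each control set's `MSIServer` `ImagePath` resolves to `system32\msiexec.exe /V` rather than to a temp-directory path like the one reported at the start of the thread. The function names, the default `C:\WINDOWS` system root and the sample dump are assumptions constructed for illustration.

```python
import ntpath
import re

# Constructed sample in the layout reg.exe prints; not copied from the thread.
SAMPLE = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\system32\msiexec.exe /V

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Security
    Security    REG_BINARY    01001480

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer
    ImagePath    REG_EXPAND_SZ    C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\MsiExec.exe /V

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIServer
    DisplayName    REG_SZ    Windows Installer
"""

VALUE_RE = re.compile(r"^(.+?)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")
SERVICE_RE = re.compile(r"\\SYSTEM\\([^\\]+)\\Services\\MSIServer$", re.I)
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.*?\.exe))(?:\s+(.*))?$', re.I)


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg query output."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or the "! REG.EXE VERSION" banner
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3) or "")
    return keys


def split_image_path(data, system_root):
    """Expand %SystemRoot%/%windir%, then split the executable from its arguments."""
    expanded = re.sub(r"%(systemroot|windir)%", lambda _m: system_root,
                      data, flags=re.I).strip()
    m = EXE_RE.match(expanded)
    if not m:
        return expanded, ""
    return ntpath.normpath(m.group(1) or m.group(2)), (m.group(3) or "").strip()


def audit_msiserver(text, system_root=r"C:\WINDOWS"):
    """Return [(control_set, verdict, detail)] for every Services\\MSIServer key."""
    expected = ntpath.join(system_root, "system32", "msiexec.exe").lower()
    results = []
    for key, values in parse_reg_query(text).items():
        m = SERVICE_RE.search(key)
        if not m:
            continue  # subkeys such as \Security or \Enum are not the service key
        control_set = m.group(1)
        by_name = {name.lower(): v for name, v in values.items()}
        if "imagepath" not in by_name:
            results.append((control_set, "MISSING", "no ImagePath value"))
            continue
        exe, args = split_image_path(by_name["imagepath"][1], system_root)
        if exe.lower() != expected:
            where = "temp directory" if "\\temp\\" in exe.lower() else "unexpected location"
            results.append((control_set, "SUSPECT", f"{where}: {exe}"))
        elif args.upper() != "/V":
            results.append((control_set, "SUSPECT", f"unexpected arguments: {args!r}"))
        else:
            results.append((control_set, "OK", exe))
    return results


if __name__ == "__main__":
    for control_set, verdict, detail in audit_msiserver(SAMPLE):
        print(f"{control_set:20} {verdict:8} {detail}")
```

Every control set is checked because a path repaired only under `CurrentControlSet` can still be wrong in the set Windows boots from next.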



## Soddit (Nov 28, 2006)

Hi. Very strange now..

Following the above I went to the post 16 procedure. When I tried to run misexec/regserver I got < Windows cannot find msiexec/regserver>. Did a search - here are the results

MSIEXEC/EXE 2F8A8CAE.pf C:\WINDOWS\Prefetch 41kb PF file
msiexec C:\windows\system32 77kb Application
msiexec C:WINDOWS\ServicePack Files\i386 76kb Application

I then went out of safe mode and found I had again lost internet access. Had to do a system restore to the point before I installed the file from post 8.

I did check the rest of the steps and selected Windows Installer to Manual in Properties. On the RPC Call entries one was not selected into Automatic so I did this and started it. The other was already running in Automatic.

However this did not result in any change when I tried to install a download programme - it still came back with Windows Installer not etc.


----------



## Soddit (Nov 28, 2006)

And here's the MsiQuery.zip report
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\msiexec.exe
NoOpenWith	REG_SZ


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit* 

Numerous entries in the registry are missing. Whatever hit your computer did a lot of damage. Let's try this fix:

Please create a Restore point and backup your registry:


Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "Before InstallFix", then click *Create*.


Go to *Start*->*Run*, type *Regedit.exe* and click OK.
The Registry Editor will be displayed.
Click on *My Computer* in the Editor to highlight it.
Select *Registry* from the *Menu*, then *Export*
Name the export *Backup*
Save it on C:\
 (Overwrite any existing one)

You now have a backup of your registry on C:\ (C:\Backup.reg).

Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Installfix.reg* . Once extracted, open the folder and double click on the *Installfix.reg* file and select *Yes* when prompted to merge it into the registry.

Restart the computer.

Let me know the outcome.


----------



## Soddit (Nov 28, 2006)

Hi. Done that. Here is the result of the latest MSI Query :

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\msiexec.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\msiexec.exe\shell
<NO NAME>	REG_SZ	Open,Repair,Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\msiexec.exe\shell\Open
<NO NAME>	REG_SZ	&Install
MUIVerb	REG_EXPAND_SZ	@%SystemRoot%\System32\msi.dll,-36

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\msiexec.exe\shell\Open\command
<NO NAME>	REG_EXPAND_SZ	"%SystemRoot%\System32\msiexec.exe" /i "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\msiexec.exe\shell\Repair
<NO NAME>	REG_SZ	Re&pair
MUIVerb	REG_EXPAND_SZ	@%SystemRoot%\System32\msi.dll,-37

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\msiexec.exe\shell\Repair\command
<NO NAME>	REG_EXPAND_SZ	"%SystemRoot%\System32\msiexec.exe" /f "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\msiexec.exe\shell\Uninstall
<NO NAME>	REG_SZ	&Uninstall
MUIVerb	REG_EXPAND_SZ	@%SystemRoot%\System32\msi.dll,-38

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\msiexec.exe\shell\Uninstall\command
<NO NAME>	REG_EXPAND_SZ	"%SystemRoot%\System32\msiexec.exe" /x "%1" %*

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msi.Package\DefaultIcon
<NO NAME>	REG_SZ	C:\WINDOWS\system32\msiexec.exe,0

Didn't have to go back to the restore point and I must say things seem to be running rather faster. BUT I had already downloaded (and this is really what started all this!) a Microsoft Security update KB 927978. This will still not install - still get the Code 0x641 message. Haven't tried any other so far. Is it possible the download installation is a separate problem altogether? Shall I post another HJT log?
Very many thanks for your help and patience... regards Soddit


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit* 

There is a known issue with that update. You can read about it *Here*. But your computer also had an issue with Windows Installer, as entries were corrupted and missing in the registry.

Try to download and attempt to install any other updates from Microsoft, and let's see what it does. It may help if you turn OFF your antivirus while downloading and installing the update.

Keep me posted.


----------



## Soddit (Nov 28, 2006)

Hello JstngRvr

I was a little optimistic there - managed to download a minor MS amendment. Take your point about the 927978 update as well. However - apart from that - what fired all this up was trying to update Acrobat Reader Version 8 and Java Runtime Environment Version 5.10. And both of these still produce exactly the same failure message as before <windows installer could not be accessed>. I checked to be sure that Windows Installer is started - it is and both RPC files are started. The problem is that I need both these updates for work AND I want to do a total backup to an external hard drive. But I don't want to back up this installer problem, or it will be with me for ever!


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit* 


Open HijackThis, click Config, click Misc Tools
Click "*Open Uninstall Manager*"
Click "Save List" (generates *uninstall_list.txt*)
Click Save, copy and paste the results in your next post.


----------



## Soddit (Nov 28, 2006)

Thank you. Here it is....

Adobe Flash Player 9 ActiveX
Adobe Reader 6.0
Adobe Shockwave Player
ADSL USB MODEM
Adult PDF Password Recovery v2.1.0
AFPL Ghostscript 8.54
AFPL Ghostscript Fonts
ArcSoft PhotoImpression 3.0
Belarc Advisor 7.2
BHA B's Recorder GOLD 5.30
ccCommon
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Copy Utility
Dell ResourceCD
EPSON Photo Print
EPSON Smart Panel
EPSON TWAIN 5
GSview 4.8
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB928388)
hp deskjet 3600
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
Internet Washer Pro 3.05
Internet Worm Protection
iPod for Windows 2005-02-22
iTunes
J2SE Runtime Environment 5.0 Update 7
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Mozilla Firefox (1.5.0.9)
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
PCFriendly
PDF Password Remover v2.5
PowerDVD
QuickTime
Registry Mechanic 6.0
ScanSoft PDF Converter 2.0
ScanSoft PDF Create 2.0
ScanToWeb
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Skype 3.0
SoundMAX
SPBBC
Steganos Internet Anonym VPN
Symantec
Symantec Script Blocking Installer
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Window Washer
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit*

Please go to Start > Control Panel > *Add/Remove Programs* and remove the following (if present):

*Windows Installer 3.1 (KB893803)*

Download the enclosed folder and extract its contents to the desktop. It contains a batch file. Once extracted double click on the batch file. The MSDOS window will flash for a second. That is normal.

Once done, download and install Windows Installer 3.1 from *Here*.

Follow the prompts and restart the computer when prompted.

Test and let me know the outcome.


----------



## Soddit (Nov 28, 2006)

Hi JSntgRvr

Done that. First results very optimistic.... the Java update has installed. Windows SP3 has installed. The troublesome KB927978 has also installed. Will go through the rest tonight (0630 Sunday here now) and get back to you. Looking good. Very many thanks. Regards Soddit


----------



## JSntgRvr (Jul 1, 2003)

:up: :up: 

Keep me posted.


----------



## Soddit (Nov 28, 2006)

Hello JSntgrvr

I think you probably do understand everything! As far as I can tell your perseverance has been completely successful.... I have completed all the installations I wanted and more besides. I am delighted and have made a suitable donation to the site. Off now to find a programme to install to back up to an external hard drive. Very many thanks. Regards, Soddit


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Soddit*. 

Congratulations.









The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you may get infected and how to keep yourself from getting infected.

*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

*SpywareBlaster* - Great prevention tool to keep nasties from installing on your system.

*SpywareGuard* - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------

