Cannot Install Mbam - File Cannot Be Opened For Tagging


  • This topic is locked
11 replies to this topic

#1 Johannes1961

Johannes1961

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:02 AM

Posted 06 September 2008 - 05:20 AM

Hi, currently doing prep work prior to running Hijack as instructed via quietman on another thread.

I wanted to run SuperAntispy & Mbam one more time before updating. Have done following so far:

1. Cleaned temp internet files & temp files
2. Run Adware
3. Run Spybot
4. Tried to download Housecall & Panda AV products but sites were unavailable? Tried to install BitDefender but installation wouldn't complete successfully!
Reverted to reinstalling AVG 7.5 Internet Security (my original AV product - previously I did not install the AVG firewall & relied on the Windows Firewall haha!). Updated signature files and installed AVG Firewall as well this time as a replacement for Windows Firewall. (This piece is slightly out of sequence of the prep instructions and I wonder if this is where my problems have come from?)

Had a number of error messages - one related to Teatime and couldn't download AVG8.0 update successfully. Called AVG here in the UK. They advised removing Mbam, SAS & spybot as some of the functionality of each was incorporated in AVG!!! mmmm not sure about this as whilst there may be overlap, they all appear to identify some different threats! Anyhow uninstalled Mbam, SAS & spybot. Rebooted. No error msgs now on login.

Ran AVG 7.5 successfully.

5. Ran McAfee Stinger

Now this is where I have hit problems.

Downloaded SAS & installed & ran in safe mode. log as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/06/2008 at 10:24 AM

Application Version : 4.21.1004

Core Rules Database Version : 3552
Trace Rules Database Version: 1540

Scan type : Complete Scan
Total Scan Time : 01:34:52

Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 5380
Registry threats detected : 0
File items scanned : 106235
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@adserver.toptenreviews[2].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@apmebf[2].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@www.googleadservices[1].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@www.googleadservices[3].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@www.googleadservices[4].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@www.googleadservices[5].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@www.halstats[1].txt
C:\Documents and Settings\David Hamer\Cookies\david_hamer@2o7[1].txt
C:\Documents and Settings\David Hamer\Cookies\david_hamer@ads.bleepingcomputer[2].txt
C:\Documents and Settings\David Hamer\Cookies\david_hamer@avgtechnologies.112.2o7[1].txt

Cleaned & rebooted to normal mode.
NEXT - tried to reinstall mbam from original setup file download from the other night, got msg. 'cannot open file for tagging'

Decided to delete previous download & redownload.
I can download Download_mbam-setup.exe 126kB

But when I try to execute the file I get the message again 'cannot open file for tagging', and the installation goes no further!

I tried turning off the AVG firewall and attempting the installation again, but no joy. :thumbsup:

Your guidance most appreciated.

Thanks, David

Edited by Johannes1961, 06 September 2008 - 05:25 AM.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,588 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:02 PM

Posted 06 September 2008 - 07:04 AM

I can download Download_mbam-setup.exe 126kB

The most current version (1.26) of mbam-setup.exe is 2114 KB so you are not downloading the complete setup file, hence the error when trying to install. Try downloading from an alternative location.

http://www.malwaresupport.com/mbam/program/mbam-setup.exe
http://www.besttechie.net/tools/mbam-setup.exe
http://malwarebytes.gt500.org/mbam-setup.exe
http://www.download.com/Malwarebytes-Anti-...4-10804572.html
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.softpedia.com/get/Antivirus/Mal...i-Malware.shtml
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Johannes1961


Posted 06 September 2008 - 07:53 AM

Yep, Got it. I downloaded from the hyperlink relating to the Antivirus2009 Hijack on the homepage. This worked. Scan is clean.

Thanks for your response.

Backing up data and updating with windows security updates next.. what a marathon..

Cheers

#4 quietman7


Posted 06 September 2008 - 10:13 AM

Now perform a Quick Scan in normal mode with MBAM and follow these instructions. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

#5 Johannes1961


Posted 13 September 2008 - 07:12 AM

Sorry for delay.

MBAM ran as follows:

Malwarebytes' Anti-Malware 1.26
Database version: 1119
Windows 5.1.2600 Service Pack 2

06/09/2008 11:47:17
mbam-log-2008-09-06 (11-47-17).txt

Scan type: Quick Scan
Objects scanned: 63065
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


All looks good.

However, as prep for the Hijack I just can't get the XP SP3 upgrade to take cleanly. That's why I wanted to run SAS & Mbam again to check if there was something stopping the upgrade from taking.

The symptoms are consistent as I've reverted back to SP2 using 'remove software' in control panel. I've applied SP3 3 times to date, ensuring that the screen saver doesn't kick in and that all spyware tracking programs, antivirus & firewall are disabled in the system tray. Only potential faff is that AVG seems to have an option to 'Quit Control Centre'. I'm assuming that this is the same as switching the AV function off. Can't see how to do it otherwise.

Symptom on restart and logon is two DOS windows open (cmd.exe), one closes after about 10 seconds, the other remains open. It cannot be closed down.
If I try launching other programs such as IE or Safari, they don't launch. Mbam launches and I have run a scan. But if I try to browse the tabs in Mbam it becomes unstable.

I have done a hard reboot on the machine. DOS window doesn't reappear. Desktop appears stable. Mbam run as follows:

Malwarebytes' Anti-Malware 1.26
Database version: 1119
Windows 5.1.2600 Service Pack 3

13/09/2008 12:07:16
mbam-log-2008-09-13 (12-07-16).txt

Scan type: Quick Scan
Objects scanned: 73937
Time elapsed: 12 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




End of upgrade logfile shows following:

1026.657: Unregistration of sprecovr successful
1026.657: DoInstallation: Unregistering spuninst.exe for recovery successful
1030.047: IsRebootRequiredForFileQueue: In Service Pack mode; reboot is required.
1030.047: DoInstallation: A reboot is required to complete the installation of one or more files.
1030.047: DoInstallation: A reboot is required because the ProcessesToRunAfterReboot inf section was non-empty.
1030.047: DoInstallation: A reboot is required to complete the installation of one or more devices.
1030.047: In Function SetVolatileFlag, line 11741, RegOpenKeyEx failed with error 0x2
1030.047: In Function SetVolatileFlag, line 11758, RegOpenKeyEx failed with error 0x2
1030.157: DoInstallation: A reboot is required because the ProcessesToRunAfterReboot inf section was non-empty.
1030.657: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0

Questions that come to mind : -

Have I really got SP3 loaded?

Why the cmd.exe windows on the desktop?

Why is the desktop so unstable after the upgrade?

What do the 'SetvolatileFlag' errors relate to?

Nothing is ever straight forward, is it? :thumbsup:

Hope you can help. Ta. David

Edited by Johannes1961, 13 September 2008 - 07:14 AM.


#6 Johannes1961


Posted 13 September 2008 - 08:04 AM

Just checked the start of the upgrade log for today's attempt to apply SP3, as follows:

7.313: 2008/09/13 10:46:43.203 (local)
7.313: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\update\update.exe (version 6.3.13.0)
7.422: Failed To Enable SE_SHUTDOWN_PRIVILEGE
7.438: Service Pack started with following command line: -z /DefaultUninstallNoPrompt /AcceptEulaNoPrompt /DefaultFinishNoPrompt /ParentInfo:eb1b6eaaa26abc49a0a73ba6c929841d
7.453: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2
7.500: CreateUserInterface: DefineInstallCustomUI returned 0x0
7.547: Return Value From OnACPower = 1
7.547: OnACPower returned value( 0x1 ) which is Equal To 0x1
7.547: Condition succeeded for section OnACPower.Section in Line 1 of PreRequisite
7.547: SOFTWARE\Microsoft\Shared Computer Toolkit is not Present
7.547: Condition succeeded for section SharedComputerTool.Section in Line 2 of PreRequisite
7.547: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB925877 is not Present
7.547: First Condition in RDPMUI.Section Succeeded
7.547: Condition succeeded for section RDPMUI.Section in Line 3 of PreRequisite
7.547: SYSTEM\WPA\Fundamentals is not Present
7.547: First Condition in Winflp.Section Succeeded
7.547: Condition succeeded for section Winflp.Section in Line 4 of PreRequisite
7.547: SYSTEM\WPA\WEPOS is not Present
7.547: First Condition in WEPOS.Section Succeeded
7.547: Condition succeeded for section WEPOS.Section in Line 5 of PreRequisite
7.547: Ident is Not Present
7.547: First Condition in MediaCenter.FreeStyleBlock.Section Succeeded
7.547: Condition succeeded for section MediaCenter.FreeStyleBlock.Section in Line 6 of PreRequisite
37.922: In Function TestVolatileFlag, line 11825, RegOpenKeyEx failed with error 0x2
37.922: In Function TestVolatileFlag, line 11857, RegOpenKeyEx failed with error 0x2
37.922: DoInstallation: CleanPFR failed: 0x2
37.922: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2
37.922: SetProductTypes: InfProductBuildType=BuildType.IC
37.953: SetAltOsLoaderPath: No section uses DirId 65701; done.
38.032: IncludeDirectoryIdFromInfSection: No DirId found for: DontRemoveOnUninst.DirId
38.078: SupplicantMode is Not Present
38.078: Fist Condition in Dot3svc.CheckSupplicantMode.Enabled Failed
38.078: Condition Check for Line 1 of Dot3svc.Automatic.ExtendedConditional returned FALSE
38.078: SupplicantMode is Not Present
38.078: First Condition in Dot3svc.CheckSupplicantMode.NotEnabled Succeeded

Lots of stuff 'failed'. But is this because the upgrade script is generic and for some machines stuff will fail???

Confused???

Regards, David
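
The "failed" lines in the two update-log excerpts above can be sorted mechanically; this is an added example, not part of any post in this thread and not a Microsoft tool. Win32 error 0x2 is ERROR_FILE_NOT_FOUND, which for RegOpenKeyEx and RegQueryValueEx means the key or value was not present, so the sketch separates those lookups from failures that deserve a closer look. Assumptions: the bucket names, reading the hex value after "failed:" as a Win32 code, and the one sample line marked as constructed.

```python
import re
from collections import Counter

# Win32 error codes (winerror.h) named by this example.
WIN32 = {0x2: "ERROR_FILE_NOT_FOUND", 0x3: "ERROR_PATH_NOT_FOUND",
         0x5: "ERROR_ACCESS_DENIED", 0x20: "ERROR_SHARING_VIOLATION"}
NOT_FOUND = {0x2, 0x3}  # "the thing looked up was not there"

LINE = re.compile(r"^\s*(\d+\.\d+):\s+(.*)$")
API_FAIL = re.compile(r"In Function (\w+), line \d+, (\w+) failed with error (0x[0-9A-Fa-f]+)")
STEP_FAIL = re.compile(r"(\w+) failed: (0x[0-9A-Fa-f]+)")
PRIV_FAIL = re.compile(r"Failed To Enable (\w+)")
COND_FALSE = re.compile(r"Condition .*(?:Failed|returned FALSE)")
FLAG = re.compile(r"(\w+)\s*=\s*(\d+)")

# Log lines copied from the posts above, plus one constructed line for contrast.
SAMPLE = "\n".join([
    "7.422: Failed To Enable SE_SHUTDOWN_PRIVILEGE",
    "7.453: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2",
    "7.547: Condition succeeded for section OnACPower.Section in Line 1 of PreRequisite",
    "37.922: In Function TestVolatileFlag, line 11825, RegOpenKeyEx failed with error 0x2",
    "37.922: DoInstallation: CleanPFR failed: 0x2",
    "38.078: Fist Condition in Dot3svc.CheckSupplicantMode.Enabled Failed",
    "1030.047: In Function SetVolatileFlag, line 11741, RegOpenKeyEx failed with error 0x2",
    "1030.500: In Function CopyExample, line 1, CreateFile failed with error 0x5",  # constructed
    "1030.657: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0",
])


def classify(message):
    """Return (bucket, detail) for one message; buckets are this example's heuristic."""
    m = API_FAIL.search(message)
    if m:
        code = int(m.group(3), 16)
        bucket = "not-found" if code in NOT_FOUND else "review"
        return bucket, f"{m.group(1)}/{m.group(2)}: {WIN32.get(code, hex(code))}"
    m = STEP_FAIL.search(message)
    if m:
        code = int(m.group(2), 16)
        bucket = "not-found" if code in NOT_FOUND else "review"
        return bucket, f"{m.group(1)}: {WIN32.get(code, hex(code))}"
    m = PRIV_FAIL.search(message)
    if m:
        return "review", f"privilege not enabled: {m.group(1)}"
    if COND_FALSE.search(message):
        return "condition", message  # a prerequisite test that evaluated false
    return None, None


def triage(log_text):
    """Count buckets, list the 'review' items, and parse the final reboot flags."""
    counts, review, flags = Counter(), [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m is None:
            continue
        stamp, message = float(m.group(1)), m.group(2)
        if message.startswith("RebootNecessary"):
            flags = {k: int(v) for k, v in FLAG.findall(message)}
            continue
        bucket, detail = classify(message)
        if bucket:
            counts[bucket] += 1
        if bucket == "review":
            review.append((stamp, detail))
    return {"counts": dict(counts), "review": review, "flags": flags}


if __name__ == "__main__":
    print(triage(SAMPLE))
```
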

#7 quietman7


Posted 13 September 2008 - 02:46 PM

This forum is for malware removal assistance. Besides your issues with updating to SP3, how is your computer running? Are there any more signs of infection? If not, then you can start a new topic in the Windows XP forum for help with your upgrade. If there are more malware issues, then I suggest you concentrate on cleaning the system first.

#8 Johannes1961


Posted 15 September 2008 - 07:41 AM

Yeah, I understand your concerns ref. a malware call moving to an upgrade issue.

PC appears to be running ok. I'm running the AVG firewall and having it prompt me for any outbound requests. I simply deny any that I don't recognise and see if that causes any problems. Had a new one this morning though. sprtcmd.exe, outbound on port 80. Any tips on what this might be?

Back to my overall objective. Following the multiple malware incidents, which you so kindly assisted me with, you suggested a reformat because of one of the infections (I think it was the tdss), however I cannot do this due to it being a DELL with the restore partition. My next best option as I saw it was to get the active partition as clean as I could, give you guys the Hijack log to review and then once happy, restore from the hidden partition as per Dell instructions.

However, it's getting my active partition to a reliable state that's been the challenge. The SP3 upgrade (which applies all the SP3 security patches) has not gone smoothly.

What's your view? Should I run Hijack now and post the log? I seem to be at SP3 level and Mbam finds no issues on quick scan.

As a PS. is it worth me getting a registry cleaning tool like regcure or reg mechanic? Or do mbam & SAS do pretty much the same thing anyway?

Thanks. David

#9 Johannes1961


Posted 15 September 2008 - 08:09 AM

OK - I eat my own words...

My user account (administrator privileges) appears to function perfectly OK.
My Admin account the same.

HOWEVER...my wife's user account is unstable. The mouse point flickers and the desktop is unusable. Programs won't launch & I can't logoff or shutdown from the menu. There is also the Bogus 'VIRUS ALERT' msg in the bottom right hand corner.

I can logon to one daughter's account. When I logoff I have to end the program sprtcmd.exe manually....

I can logon to my other daughter's account. When I logoff I have to end Realplayer manually as it isn't being closed down by windows cleanly I guess. Point to note when I end realplayer manually, it logs off the account. I go back to my account and AVG firewall is asking me if I want to allow realplayer access to the internet. So could Realplayer have been waiting on AVG, hence it not responding to the termination request from the user account logging off???

Just a thought?

I guess more work to do on this front then????

Thanks, David

Edited by Johannes1961, 15 September 2008 - 08:13 AM.


#10 quietman7


Posted 15 September 2008 - 08:13 AM

Should I run Hijack now and post the log?

Yes. Post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

As a PS. is it worth me getting a registry cleaning tool like regcure or reg mechanic?

Registry cleaners are extremely powerful applications. There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system unbootable.

The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results". Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

Ed Bott's Weblog: Why I don't use registry cleaners
Do I need a Registry Cleaner?

#11 Johannes1961


Posted 15 September 2008 - 11:26 AM

Thanks Quietman. Have posted Hijack log as per your note. Thanks for considered feedback ref. Reg cleaners...

I guess I'll sit tight for now.

Thanks again for your assistance. David

#12 quietman7


Posted 15 September 2008 - 11:36 AM

You're welcome.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.