Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: tigerdragon on February 26, 2008, 08:19:30 PM

Title: cab archive is corrupted
Post by: tigerdragon on February 26, 2008, 08:19:30 PM
When I run a virus scan I get the message: c:\windows software distribution\download .........unable to scan: CAB archive is corrupted. I tried system restore, windows repair and even reinstalled the Windows OS. Every time I download updates AVAST reports corrupted files. Any ideas? :-\
Title: Re: cab archive is corrupted
Post by: Lisandro on February 27, 2008, 12:02:56 AM
Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
It just can't be scanned by avast. Maybe corrupted, maybe just packed in a different way that avast can't unpack.
Title: Re: cab archive is corrupted
Post by: avvidro on February 28, 2008, 03:22:39 PM
Hey, but they should be scannable. This happens to me (and to everybody else, btw, I suppose) when I do a boot scan. And I think I have a clue about the reason. Igor, please look here. In my case, it usually happens with cabs and zips of driver files. Avast says many of them are corrupted, with different message codes, and I verify and none of them is. It seems that when Avast tries to unpack them, if the DLLs, VXDs and the like actually exist, Avast doesn't manage to unpack because it would cause a replacement of them, and so Windows stops the operation.
Well, I may be talking an amount of bulls**t, but it deserves to be investigated.

Long live (cycle) to Avast!
Title: Re: cab archive is corrupted
Post by: igor on February 28, 2008, 04:10:03 PM
Well, there's nothing to say without more information (such as the list of full filenames and corresponding error codes).

In any case, avast! certainly doesn't unpack archives into the system folder - that would be rather strange ;D
So no, the content is irrelevant.
Title: Re: cab archive is corrupted
Post by: MikeBCda on February 28, 2008, 06:20:58 PM
Normally if you have archive-checking active, avast will unpack each archive (assuming it can) into avast's own temp folder so the contents can be scanned.

And while there are rare exceptions, normally avast will delete the temp copies from that folder once the scanning's done.
Title: Re: cab archive is corrupted
Post by: spiRits3033 on March 01, 2008, 02:38:20 AM
I commonly get these errors when I scan inside compressed files... I never really thought twice about it, assuming avast just couldn't unpack the files.
Title: Re: cab archive is corrupted
Post by: windward on March 09, 2008, 08:01:46 PM
I've got the same problem when I scan: CAB archive is corrupted. The Action box doesn't give an action (all choices are grayed out).

The files are: dxdiagn.dll, dxdiagn.dl_, dsg.sy_, dsmasf.dl_, dstrans.dl_, earl.ac_, efsadu.dl_, els.dl_, encapi.dl_, encdec.dl_, ep9res.dl_.

When I boot my computer, a black command-like box comes up with different headings on each boot. The heading that came up just now is: c:\windows\system32\gbfv.exe and then a message saying that "file encountered a problem and needs to close. We are sorry for the inconvenience." ::)
Title: Re: cab archive is corrupted
Post by: Lisandro on March 09, 2008, 08:43:23 PM
Strange... you seem to be infected. I suggest:

1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware (http://www.superantispyware.com) and/or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
6. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or, better, submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: cab archive is corrupted
Post by: DavidR on March 09, 2008, 08:46:51 PM
You shouldn't take any action as it isn't reporting the file is infected, just that it couldn't be scanned.

The command window entry is because the file has been removed or is missing, probably malware, as a Google search for gbfv.exe returns only one hit (suspicious if it is a legit file) and that is in relation to another suspect file that has an association with gbfv.exe. See http://spywarefiles.prevx.com/RRFJDJ9325501/AESY.EXE.html (http://spywarefiles.prevx.com/RRFJDJ9325501/AESY.EXE.html).

So somewhere in the registry there is a run command which can't find the file and that is why the command window remains open.

You could search for gbfv.exe in the registry and remove the entry, but it is probably best to use another program (HiJackThis) if you don't like tinkering in the registry.

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis (http://filehippo.com/download_hijackthis/) - HJT Information HiJackThis Tutorial (http://www.bleepingcomputer.com/forums/tutorial42.html).
Post the contents of the HJT log here, you may need to split it over two or more posts if it is too large.
Title: Re: cab archive is corrupted
Post by: windward on March 10, 2008, 12:55:45 AM
Here is my Hijack log. Now the computer will allow me onto the Internet once and then even though I can ping sites it won't display the pages...
The scan shows nothing...
Thanks for your help!
Jim  ???


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:03 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Isass.exe
C:\WINDOWS\System32\jwdy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\jwdy.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [9836a9fd] rundll32.exe "C:\WINDOWS\System32\ypqgudaa.dll",b
O4 - HKLM\..\Run: [BM9b059a61] Rundll32.exe "C:\WINDOWS\System32\evjgsyrj.dll",s
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205011171833
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205021643420
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

--
End of file - 6538 bytes
Title: Re: cab archive is corrupted
Post by: DavidR on March 10, 2008, 01:36:16 AM
You need a firewall that provides outbound protection and the XP firewall doesn't cut it (zero outbound protection).

Fix:
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

See, http://www.liutilities.com/products/wintaskspro/processlibrary/ddcman/ (http://www.liutilities.com/products/wintaskspro/processlibrary/ddcman/) probable adware/spyware "This process monitors your browsing habits and distributes the data back to the author's servers for analysis."

C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe


Note the spelling 'I' not 'l' (Lsass.exe), and there is already a correct entry (C:\WINDOWS\system32\lsass.exe), see http://www.liutilities.com/products/wintaskspro/processlibrary/isass/ (http://www.liutilities.com/products/wintaskspro/processlibrary/isass/)

Suspect:
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\jwdy.exe - Zero hits on Google for the file name, suspicious in its own right.

O4 - HKLM\..\Run: [9836a9fd] rundll32.exe "C:\WINDOWS\System32\ypqgudaa.dll",b
O4 - HKLM\..\Run: [BM9b059a61] Rundll32.exe "C:\WINDOWS\System32\evjgsyrj.dll",s
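As an added example (not code from this thread, from HijackThis or from avast), the script below automates the three checks made by hand above: DavidR's look-alike test on Isass.exe versus lsass.exe, his flagging of the rundll32 entries that load randomly named DLLs, and the earlier point that a Run entry whose file has been removed is what leaves a command window open at boot. The O4 lines are copied from the first log posted, plus one constructed [gbfv] entry for the file named in the boot error; the set of present files is built from the log's Running processes block rather than by reading the disk, and the look-alike and random-name rules are heuristics that still need an analyst's eye.

```python
"""Triage of HijackThis O4 (autostart) lines for the signs discussed above.

Added example; not part of HijackThis or avast. Three checks:
  1. look-alike: the target's file name differs from a Windows system
     process only by confusable characters (Isass.exe vs lsass.exe);
  2. rundll32 entries whose DLL has a random-looking name or whose Run
     value name is a bare hex string (heuristics; an analyst must review);
  3. missing: the target is not in a caller-supplied set of files known
     to exist, the condition that leaves a command window open at boot.
"""
import re
from dataclasses import dataclass

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?(?P<rest>.*)$', re.IGNORECASE)
DLL_RE = re.compile(r'"?(?P<dll>[A-Za-z]:\\[^",]*?\.dll)"?', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^(BM)?[0-9a-f]{6,}$", re.IGNORECASE)

# Genuine Windows process names that malware likes to imitate.
SYSTEM_PROCESSES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                    "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
# Characters that look alike in the fonts Task Manager and HJT logs use.
_CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})
_CANON_SYSTEM = {n.translate(_CONFUSABLE): n for n in SYSTEM_PROCESSES}


@dataclass
class Finding:
    name: str    # value name inside the Run key
    target: str  # file the finding is about
    kind: str    # "lookalike", "rundll32_dll" or "missing"
    detail: str


def lookalike_of(basename: str):
    """Return the system process a file name imitates, or None if it is genuine/unrelated."""
    low = basename.lower()
    if low in SYSTEM_PROCESSES:
        return None
    return _CANON_SYSTEM.get(low.translate(_CONFUSABLE))


def looks_random(stem: str) -> bool:
    """Crude check: six or more letters containing a run of four consonants."""
    stem = stem.lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    longest = run = 0
    for ch in stem:
        run = 0 if ch in "aeiou" else run + 1
        longest = max(longest, run)
    return longest >= 4


def stem_of(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_lines, present_files, system32=r"C:\WINDOWS\system32"):
    """Return a list of Finding objects for the O4 lines in log_lines."""
    present = {p.lower() for p in present_files}
    findings = []
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 line
        name, cmd = m["name"], m["cmd"]
        em = EXE_RE.match(cmd)
        if not em:
            continue  # no .exe target this example knows how to handle
        exe, rest = em["exe"], em["rest"]
        if "\\" not in exe:
            exe = system32 + "\\" + exe  # bare name: assume it resolves to System32
        base = exe.rsplit("\\", 1)[-1]
        real = lookalike_of(base)
        if real:
            findings.append(Finding(name, exe, "lookalike", f"spelt like {real}"))
        if exe.lower() not in present:
            findings.append(Finding(name, exe, "missing", "target not found"))
        if base.lower() == "rundll32.exe":
            dm = DLL_RE.search(rest)
            if dm and (looks_random(stem_of(dm["dll"])) or HEX_NAME_RE.match(name)):
                findings.append(Finding(name, dm["dll"], "rundll32_dll",
                                        "random-looking DLL or value name"))
    return findings


# O4 lines copied from the first log posted above, plus one constructed
# [gbfv] entry for the file the boot-time error box named.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe",
    r"O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\jwdy.exe",
    r'O4 - HKLM\..\Run: [9836a9fd] rundll32.exe "C:\WINDOWS\System32\ypqgudaa.dll",b',
    r'O4 - HKLM\..\Run: [BM9b059a61] Rundll32.exe "C:\WINDOWS\System32\evjgsyrj.dll",s',
    r"O4 - HKLM\..\Run: [gbfv] C:\WINDOWS\system32\gbfv.exe",  # constructed
]
# Subset of the same log's "Running processes" block, standing in for a
# directory listing so the example runs without touching a disk.
PRESENT_FILES = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\windows\system\hpsysdrv.exe",
    r"C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"C:\WINDOWS\system32\Isass.exe",
    r"C:\WINDOWS\System32\jwdy.exe",
    r"C:\WINDOWS\system32\rundll32.exe",
]
```

Run against the sample it reports the Isass.exe look-alike, both rundll32 DLLs and the missing gbfv.exe, and stays silent on the genuine hpsysdrv and avast entries.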
Title: Re: cab archive is corrupted
Post by: windward on March 10, 2008, 02:54:16 AM
I have to admit I am like a child with a loaded gun. I know enough to be dangerous as they say. Anyway, I tried to do everything you asked although I couldn't get online.

At least the computer rebooted after I did what I did. At least now I seem to be able to get online. I ran CCleaner and got rid of some startup entries.

What do you suggest for a firewall?

Here is the new hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:54 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

--
End of file - 4809 bytes

Thanks for your time!
Jim
Title: Re: cab archive is corrupted
Post by: oldman on March 10, 2008, 07:19:04 AM
You had signs of some nasty infections. HJT will only remove the reg keys, not the files. Your log doesn't look quite right. We can have a deeper look with this scanner if you like.

DavidR can handle your firewall solution.

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Title: Re: cab archive is corrupted
Post by: DavidR on March 10, 2008, 06:08:16 PM
As far as firewalls go, the most common ones being used by forum members are Comodo Firewall Plus, PC Tools firewall and Zone Alarm free. I don't feel ZA is as good as the other two as it restricts the strength of its outbound (anti-leak) function. This may possibly be in the hope of your purchasing the Pro version; there are then some things you need to do to get ZA Pro and avast Web Shield to work together.

There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.
See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0 (http://forum.avast.com/index.php?topic=30808.0)
See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php (http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php).
Title: Re: cab archive is corrupted
Post by: windward on March 10, 2008, 09:06:12 PM
I downloaded DSS.exe but it keeps crashing. It goes through the whole process and is about to end when I get the message "dss.exe has encountered a problem and needs to close." The technical information is:
Error signature AppName dss.exe AppVer 3.2.8.1 ModName ntdll.dll
ModVer 5.1.2600.2180 Offset: 0001012b

Don't know whether this will help, but here is the txt file that was going to accompany the report sent to Microsoft about the crash:
Title: Re: cab archive is corrupted
Post by: oldman on March 10, 2008, 09:11:19 PM
Hi, I was hoping that DSS would run. We'll use a different one.

Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
-----------------------------------------------------------
-----------------------------------------------------------
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Title: Re: cab archive is corrupted
Post by: windward on March 11, 2008, 02:17:19 AM
I tried to attach the Combo fix and Hijack logs however the rtx format was refused. Here they are again as txt files.
Thanks!
Jim

Note: I am not using the affected machine because I don't want to go to the Internet until this problem is fixed. I.e., it wasn't hooked to the Internet when either of these programs were run.

Note 2: I tried to download Spyware Doctor yesterday and the machine went crazy. After throwing myself off the 18th-story lanai, I uninstalled it and the machine came back to life. Yea!  :)
Title: Re: cab archive is corrupted
Post by: oldman on March 11, 2008, 07:30:55 AM
My, my, there was some stuff hiding in there. DSS does go on line for file verification, perhaps that was the problem. Regardless, let's carry on.

You have at least one remote access critter on your computer. So good choice in staying off the net. Please use a cd if possible to transfer programs to the infected computer. After running the following two fixes, you should be able to go on the net to post the logs/results.

* Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically 'C:\SDFix'). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.



* Open HJT, run a system scan only, check mark these lines if present

O20 - Winlogon Notify: yayvssr - yayvssr.dll (file missing)

Close all other browsers/windows, click fix, close HJT.


Please follow all previous instructions regarding security programs.


* Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\dnaetsjx.exe
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\whmaxusn.exe
C:\WINDOWS\system32\cehoeu.exe
C:\WINDOWS\system32\dxysktqf.exe
C:\WINDOWS\system32\fcpftfn.exe
C:\1.vbs
C:\WINDOWS\system32\amaw.exe
C:\WINDOWS\system32\oayac.exe
C:\WINDOWS\system32\cxupaguk.exe
C:\WINDOWS\system32\exurhklj.exe
C:\WINDOWS\system32\fwbfxsei.dll
C:\WINDOWS\system32\exurhklj.exe
C:\WINDOWS\system32\eksr.exe
C:\WINDOWS\system32\kltwcqo.exe
C:\WINDOWS\system32\hszvrs.exe
C:\WINDOWS\system32\jwdy.exe
C:\WINDOWS\system32\gbfv.exe

DirLook::
C:\e9907a5f6dfc19d5f1d6

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\jwdy.exe"=-



This will start ComboFix again. Close all browser/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.



Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\mpgvl.exe
C:\WINDOWS\.compaq.bak
C:\WINDOWS\nsreg.dat


scroll down a bit and click "send file", wait for the results and post them in your next reply.

* Please try to turn on the windows firewall before going on the internet. If you are unable to do so, please follow these instructions.

Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:(copy and paste is fine).

EnableFirewall

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.

Try to turn the firewall on.


In your next reply, I will need the SDfix results, the combofix.txt, virustotal results, firewall fix results(if used), and a new HJT log(ran after everything else).

Thanks

ps: at least the 02 lines are visible now.
Title: Re: cab archive is corrupted
Post by: windward on March 11, 2008, 09:00:13 AM
Here are four of the files you wanted. More coming.
Aloha,
Jim  :)
Title: Re: cab archive is corrupted
Post by: windward on March 11, 2008, 09:02:58 AM
Boy! I hope I did everything OK. Here is the latest Hijack log and SDFix results.
Thanks again for your help!!!!!
Jim  :)

PS - If I missed sending something, please let me know.
Title: Re: cab archive is corrupted
Post by: oldman on March 11, 2008, 09:08:59 AM
Wrong combofix log. It's the same one you posted earlier. It should be located at C:\combofix. They will have a .txt extension, a number and a time date stamp. CF kinda does things backwards. The older log will have the highest number.

I must say you surprised me with your speed. Any improvement?

I take it you got the firewall turned on?

Thanks
Title: Re: cab archive is corrupted
Post by: windward on March 11, 2008, 07:43:19 PM
Aloha!
I did indeed get the Windows Firewall up and running and will install one of the suggested ones as soon as you give the OK. Spyware Doctor seems to conflict with Avast. Do you have a suggestion on which spyware program to use? I noticed www.virustotal.com reported a possible Ghost infection?

I ran a new ComboFix this a.m. and it is attached.


Thanks again for all your help!
Aloha,
Jim  :)
Honolulu, HI
Title: Re: cab archive is corrupted
Post by: Lisandro on March 11, 2008, 07:56:59 PM
Spyware Doctor seems to conflict with Avast.
Do you have a suggestion on which spyware program to use?
It shouldn't... But if you want another one, I suggest SUPERantispyware (http://www.superantispyware.com) and/or Spyware Terminator (http://www.spywareterminator.com/).
Title: Re: cab archive is corrupted
Post by: oldman on March 11, 2008, 08:37:41 PM
Hi, things improving?

Yes, we are going to remove that one right now. It's too bad you didn't find the combofix log, as I had a command in it to show the contents of a folder. No matter, I will include it in this one also, so hang onto this log.  ;)

Did you uninstall/disable compaq monitoring tool?

There is another file/folder I'm checking out, just because of its time stamp.

Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\mpgvl.exe
C:\WINDOWS\system32\Isass.exe

DirLook::
C:\e9907a5f6dfc19d5f1d6


This will start ComboFix again. Close all browser/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Title: Re: cab archive is corrupted
Post by: windward on March 11, 2008, 10:58:12 PM
Boy! You folks get an A+++++ in my book! Here is the latest ComboFix file.
Shall I go to www.virustotal.com and submit those files again, or no need?
Thanks,
Jim  :)
Title: Re: cab archive is corrupted
Post by: oldman on March 11, 2008, 11:43:05 PM
No, no need to resubmit the files. We turfed one and the other two showed clean.

Can I get you to give DSS another go?

So far it looks good. What about this ?
"Did you uninstall/disable compaq monitoring tool?"

I asked because you have a legit service with a missing file. If you've removed it we can take care of the redundant service.
Title: Re: cab archive is corrupted
Post by: windward on March 12, 2008, 12:03:16 AM
Hi again!
fyi - DSS wouldn't run so I downloaded it again. It ran fine after downloading to the same computer. The other version I downloaded to another computer and then transferred via removable drive. Anyway...here it is:

I don't know anything about the Compaq tool you are mentioning. Perhaps the virus disabled it or something?

Aloha,
Jim

Deckard's System Scanner v20071014.68
Run by Richard T on 2008-03-11 12:52:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Title: Re: cab archive is corrupted
Post by: oldman on March 12, 2008, 12:44:17 AM
This looks good. If you want to remove that service, here are the instructions.

Open HJT, run a system scan only, check mark these lines if present

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)

Close all other browsers/windows, click fix, close HJT.

Click the start button, click run. In the run box copy and paste these lines, one at a time, hitting enter after each.

sc stop msCMTSrvc
sc delete msCMTSrvc



You also removed some legitimate HJT entries

backup-20080309-151052-359 O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dl
backup-20080309-151053-191 O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
backup-20080309-151053-213 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
backup-20080309-151053-756 O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
backup-20080309-151054-364 O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll


You can restore those. Open HJT click the view backup button. Check mark them, click restore.

As for Wildtangent, they have cleaned up their act a lot. It will come bundled with some Games/movies. It does not have to run at start up. You can leave those lines out. Or you can just uninstall it via add/remove.


I just have to comment. I don't think I've ever seen java that old.
JavaSoft\JRE\1.3.1 We'll take care of that during the clean up.

So do what you have to do with the above, then proceed with the clean up of the tools.



* Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u


* Please download OTMoveIt2 by OldTimer. (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe)


Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click Create

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

* Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.


* Clear the java cache

http://www.java.com/en/download/help/5000020300.xml


* Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/

* DavidR gave you links for firewalls.

* Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/)
Title: Re: cab archive is corrupted
Post by: windward on March 12, 2008, 02:44:13 AM
I think I did everything correctly up until installing Java. I keep getting the message that the "Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode (I'm not) or if Installer is not correctly Installed."
This is the file on my Desktop I am trying to install: jre-6u5-windows-i586-p.exe.
I deleted all Java, Sun, etc. from the computer. Neither of the files you mentioned were in the Program Files directory.
I did download the "Sun Download Manager" but deleted it.
Jim  ???
Title: Re: cab archive is corrupted
Post by: windward on March 12, 2008, 02:57:04 AM
I did a boot scan using Avast and this is the report. Don't know if it'll be a help or not:

03/08/2008 07:05
Scan of all local drives
File C:\WINDOWS\system32\msCMTsrvc.exe is infected by Win32:Trojan-gen {VC}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Deleted

Number of searched folders: 3035
Number of tested files: 39507
Number of infected files: 1

----------------------------------------
03/09/2008 09:13
Scan of all local drives
File C:\Documents and Settings\Richard T\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivhcykon.default\Cache\DD23C54Bd01\i386\dxdiagn.dl_\dxdiagn.dll Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\Richard T\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivhcykon.default\Cache\DD23C54Bd01\i386\dxdiagn.dl_ Error 42127 {CAB archive is corrupted.}

Number of searched folders: 3388
Number of tested files: 183176
Number of infected files: 0

----------------------------------------
03/09/2008 12:08
Scan of all local drives
File C:\Documents and Settings\Richard T\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivhcykon.default\Cache\DD23C54Bd01\i386\dxdiagn.dl_\dxdiagn.dll Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\Richard T\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivhcykon.default\Cache\DD23C54Bd01\i386\dxdiagn.dl_ Error 42127 {CAB archive is corrupted.}

Number of searched folders: 3487
Number of tested files: 227063
Number of infected files: 0

----------------------------------------
03/11/2008 13:26
Scan of all local drives

Number of searched folders: 4904
Number of tested files: 268783
Number of infected files: 0
Title: Re: cab archive is corrupted
Post by: oldman on March 12, 2008, 03:52:18 AM
Well we now know why it was missing. Too bad you deleted it instead of moving to the chest.

Don't worry about the archive corrupted, avast probably just can't unpack it.

I'll see what I can find out about the installer error.

 
Title: Re: cab archive is corrupted
Post by: oldman on March 12, 2008, 04:07:41 AM
Let's check this first

1. Click Start, click Run, type services.msc in the Open text box, and then click OK. 
2. In the Services (Local) list, right-click Windows Installer, and then click Properties. 
3. If the Startup type drop-down list is set to a value of Disable, select the Manual option from the Startup type drop-down list, and then click OK. 
4. Click the File menu, and then click Exit
Title: Re: cab archive is corrupted
Post by: windward on March 12, 2008, 04:15:46 AM
It listed at manual (not disable or automatic.) It is listed as 'Stopped."

On the 'Logon' tab, the box that says "Allow service to interact with desktop." is not checked. Should that be checked? I am trying to install from the desktop.

I don't understand instruction #4. I don't see anything marked 'File.'

Aloha,
Jim  ???

Title: Re: cab archive is corrupted
Post by: oldman on March 12, 2008, 04:32:11 AM
Let me go see if I can find some screen shots. I don't have that on this old system. BRB
Title: Re: cab archive is corrupted
Post by: windward on March 12, 2008, 04:37:39 AM
Would you like me to send you some screen shots?
Jim
Title: Re: cab archive is corrupted
Post by: oldman on March 12, 2008, 04:45:47 AM
I found some. In the dropdown menu the service should be set to manual.

Click ok at the bottom of that screen it will take you back to the services screen. On that page you will find the file , exit.

I don't believe it should be set to interact with the desk top.
Title: Re: cab archive is corrupted
Post by: windward on March 12, 2008, 05:55:31 AM
It still didn't work...
I found these instructions:
http://support.microsoft.com/kb/315346
Should I follow them? or do you think there is still a virus in the computer?
Thanks again!!!!
Jim  :)
Title: Re: cab archive is corrupted
Post by: oldman on March 12, 2008, 09:14:44 AM
Yes, follow those instructions. I was going to post that link, but got called away.

The best I can tell, from your logs, your computer is clean. However, it is possible there is an infected file. I reviewed your logs and it seems this same problem happened before, when you tried to install some video drivers.

I'm going to suggest an online scan.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

Accept the Terms of Use and press Start button;


Approve the install of the required ActiveX Control, then follow on-screen instructions;


(OPTIONAL, We can remove anything found later if you wish)
Enable (check) the Remove found threats option, and run the scan.


After the scan completes, the Details tab in the Results window will display what was found and removed. At this time, the scanner does not produce a detailed report. That is a planned, future feature. If needed, you should be able to find a file named log.txt in your folder C:\Program Files\EsetOnlineScanner
Look at contents of this file using Notepad or Wordpad. Please post the results.

Thanks

ps: pause avast standard shield during the scan, resume it afterwards.
Title: Re: cab archive is corrupted
Post by: windward on March 12, 2008, 10:37:08 AM
Aloha!
I haven't tried to re-install the Installer, but I did the scan. I don't think it found anything! Yea!
Here is the log (attached.)
Thanks for all your help once again. You write great instructions!
Aloha,
Jim  :)
Title: Re: cab archive is corrupted
Post by: oldman on March 12, 2008, 10:45:46 AM
The scan log looks good.  :D

Good luck with the installer. Post back on how you make out. Someone will always be here.

You may want to use this before you go into the registry, just in case. Don't be too alarmed by the write up.  ;)
Title: Re: cab archive is corrupted
Post by: windward on March 12, 2008, 11:10:59 AM
I tried re-registering the Installer and it worked! Java is now up-to-date!!!! Yea!

I'm about to download OpenOffice.

I still have to follow the rest of your clean-up directions, but it looks as though my friend can have his computer back tomorrow! Yea! again!!

Drop me a line if you ever get to Hawaii and I'll give you a tour around the Island!

Aloha,
Jim


PS - I hate to ask you another question, but do you recommend Ccleaner.exe? I did it on my computer and it seemed to work fine.
Title: Re: cab archive is corrupted
Post by: oldman on March 12, 2008, 11:25:39 AM
Good, happy you got it.

re: ccleaner

Some recommend it, others don't. Just be careful with the registry part of it; it may do damage. Actually I wouldn't use that part.

I usually use the one I posted earlier or ATF. I'll give you the link and instructions.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If I do get there, I may just take you up on that.  8)

One thing, please remove your email address, or you will get swamped with spam.

Take care and keep safe.  ;D
Title: Re: cab archive is corrupted
Post by: windward on March 12, 2008, 11:31:15 AM
Will do and thanks again!!!
Jim  :)
Title: Re: cab archive is corrupted
Post by: oldman on March 12, 2008, 11:39:18 AM
No problem and you are welcome. It was great working with you.  :D
Title: Re: cab archive is corrupted
Post by: windward on March 13, 2008, 06:56:39 AM
Hi Oldman!
(Are you really an 'old' man? Or just knowledge wise?) (I'm 61  :'(  )
One final comment. I put Comodo firewall on the system. It sure does slow the whole computer down a lot!!!!
Jim  :-\
Title: Re: cab archive is corrupted
Post by: oldman on March 13, 2008, 07:35:56 AM
Hmm... comodo shouldn't make that much of a difference. I put it on one a while back, hardly any difference. Which version did you use? I see a lot recommending 2.4

http://forum.avast.com/index.php?topic=33530.msg280989#msg280989

Link for version 2.4

http://www.personalfirewall.comodo.com/download_firewall.html#fw2.4
Title: Re: cab archive is corrupted
Post by: windward on March 13, 2008, 10:22:21 AM
Comodo Firewall Pro 3.0 - Download
Comodo Firewall Pro 3.0 - Latest and greatest version of this superb firewall
32-bit Setup (Available in English language only)
Click here to download
Size: 20.0 MB (21,014,784 bytes)
MD5: 320c74fa6f8296a00f7a820589a01d87
SHA1: 4c386d2ea2db711ccaa656a610a435dae24f8391
Title: Re: cab archive is corrupted
Post by: DavidR on March 13, 2008, 12:40:13 PM
I believe there are modules in the latest comodo firewall that would run by default that could be disabled, sorry I can't be much practical help as I don't use comodo firewall.
Title: Re: cab archive is corrupted
Post by: psw on March 13, 2008, 01:47:52 PM
I believe there are modules in the latest comodo firewall that would run by default that could be disabled, sorry I can't be much practical help as I don't use comodo firewall.
Yes, Defense+ can be disabled. But there are cross-references between Defense+ settings and firewall settings. So manual firewall settings adjustment is required in this case.
Title: Re: cab archive is corrupted
Post by: malcolmp on March 28, 2008, 10:56:06 PM
My routine avast! weekly scan today gives this result:

C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\AXE8SharedExpat.dll   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\Bib,dll_NON_OPT   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\/rdrNsgSplash.pdf   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\pdfshell.dll   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\ImageViewer.API_NON_OPT   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\SVGCore.DLL   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\svgrsrc.dll2   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\SVGViewer.dict2   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\ddrvSOFT.x3d   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\Psapi.Dll   Unable to scan CAB archive is corrupted
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENUN\Data1.cab\DataMatrix.pmp   Unable to scan CAB archive is corrupted

I've read some of the forum posts on this subject, but don't understand them enough to know if I should be concerned about the above scan result or not?

My system runs Windows 2000 Prof.
I also routinely run UniBlue Registry scans and fixes.
Your advice please?

Title: Re: cab archive is corrupted
Post by: Lisandro on March 28, 2008, 10:59:41 PM
Don't worry about that files. They're inert.
By the way, Acrobat 7 was updated to Acrobat 8 ;)
Title: Re: cab archive is corrupted
Post by: malcolmp on March 28, 2008, 11:22:21 PM
Thank you - I hadn't expected so speedy a reply.
And I'll upgrade Adobe.
Title: Re: cab archive is corrupted
Post by: Lisandro on March 29, 2008, 02:23:55 PM
Thank you - I hadn't expected so speedy a reply.
Get used to avast forum speed ;)
Title: Re: cab archive is corrupted
Post by: powerpack on April 10, 2009, 07:35:35 PM
Hi,
I am a new user of AVAST Anti-Virus. I am switching to it from AVG. And now I am comfortable with Avast and it works well for me.
But, I have a question about scan result that was found after boot scan this morning.
Here is the result:

04/10/2009 01:32
Scan of all local drives


Scanning aborted
Number of searched folders: 35
Number of tested files: 233
Number of infected files: 0

----------------------------------------
04/10/2009 09:03
Scan of all local drives

File C:\Users\Jay Mataji\Desktop\Downloads\Commandos.3.DB\Commandos.3.DB\Coman3.Install\Commandos3Alt.exe\%MAINDIR%\Data\Wofip\Main_Release.bik Error 42146 {Installer archive is corrupted.}
File C:\Windows\Downloaded Installations\{AD501749-CD49-499A-AD54-51DC42A57434}\PC Suite for Sony Ericsson.msi\Data1.cab\sync.chm4\$FIftiMain Error 42136 {CHM archive is corrupted.}
File C:\Windows\Downloaded Installations\{AD501749-CD49-499A-AD54-51DC42A57434}\PC Suite for Sony Ericsson.msi\Data1.cab\sync.chm11\$FIftiMain Error 42136 {CHM archive is corrupted.}
File C:\Windows\Downloaded Installations\{AD501749-CD49-499A-AD54-51DC42A57434}\PC Suite for Sony Ericsson.msi\Data1.cab\sync.chm22\$FIftiMain Error 42136 {CHM archive is corrupted.}
File C:\Windows\Downloaded Installations\{BD6D62DE-DA03-4C1A-A312-C31F814B768F}\PC Suite for Sony Ericsson.msi\Data1.cab\sync.chm4\$FIftiMain Error 42136 {CHM archive is corrupted.}
File C:\Windows\Downloaded Installations\{BD6D62DE-DA03-4C1A-A312-C31F814B768F}\PC Suite for Sony Ericsson.msi\Data1.cab\sync.chm11\$FIftiMain Error 42136 {CHM archive is corrupted.}
File C:\Windows\Downloaded Installations\{BD6D62DE-DA03-4C1A-A312-C31F814B768F}\PC Suite for Sony Ericsson.msi\Data1.cab\sync.chm22\$FIftiMain Error 42136 {CHM archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\0ac704fbc981242e850776ac903a6621\BITA899.tmp\mpasdlta.vdm Error 42127 {CAB archive is corrupted.}
Number of searched folders: 16860
Number of tested files: 578418
Number of infected files: 0

 ??? Now, I wonder if you could give some comments on these corrupted archives. What should be the proper step for it, and what exactly is it for?
I have vista home 32bits system and also used Spybot-Search and destroys, Malwarebytes-Antimalware, and ccleaner frequently.

Thanks in advance.
Title: Re: cab archive is corrupted
Post by: DavidR on April 10, 2009, 08:03:04 PM
I think that has been done in this topic already as it would apply to any archive file (compressed file, as the .cab is a cabinet file, an archive).

The correct step is do nothing, as I doubt you have a means of actually checking if the "Data1.cab" within yet another archive file .msi "PC Suite for Sony Ericsson.msi" is corrupt, and even if you found it to be corrupt there is little you could do short of removing and downloading the suite installation file \PC Suite for Sony Ericsson.msi\ again.

Even then it may turn out the same; as has been said before, it could simply mean avast is unable to unpack that .cab file, possibly because it is within yet another archive.
Title: Re: cab archive is corrupted
Post by: Lisandro on April 12, 2009, 10:34:03 PM
Now, I wonder if you could give some comments on these corrupted archives. What should be the proper step for it, and what exactly is it for?
Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
Also, the packaging of the file could have some error, or use a non-standard pattern...
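The boot-scan reports pasted earlier in this thread (windward's and powerpack's) share one format, and the point made repeatedly above is that "archive is corrupted" lines are scan errors, not detections. As an added example, not code from the thread or from avast, here is a small Python parser that separates real detections from unscannable archives and cross-checks each run's "Number of infected files" summary; the report text is constructed from lines quoted in the thread.

```python
"""Triage helper for avast boot-scan reports of the kind pasted in this thread."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the reports quoted in the thread (not a real capture).
SAMPLE_REPORT = r"""
03/08/2008 07:05
Scan of all local drives
File C:\WINDOWS\system32\msCMTsrvc.exe is infected by Win32:Trojan-gen {VC}, Repair: Error 42060 {The file was not repaired.}, Deleted

Number of searched folders: 3035
Number of tested files: 39507
Number of infected files: 1

----------------------------------------
03/09/2008 09:13
Scan of all local drives
File C:\Documents and Settings\Richard T\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivhcykon.default\Cache\DD23C54Bd01\i386\dxdiagn.dl_\dxdiagn.dll Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\SoftwareDistribution\Download\0ac704fbc981242e850776ac903a6621\BITA899.tmp\mpasdlta.vdm Error 42127 {CAB archive is corrupted.}
File C:\Windows\Downloaded Installations\{AD501749-CD49-499A-AD54-51DC42A57434}\PC Suite for Sony Ericsson.msi\Data1.cab\sync.chm4\$FIftiMain Error 42136 {CHM archive is corrupted.}

Number of searched folders: 3388
Number of tested files: 183176
Number of infected files: 0
""".strip("\n")

# One report may contain several runs, each opened by a "MM/DD/YYYY HH:MM" header.
HEADER_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}$")
# A real detection: "File <path> is infected by <name>, ..."
INFECTED_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<name>[^,]+)")
# A scan error: "File <path> Error <code> {<message>}" (unpack failure, not a detection)
ERROR_RE = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
COUNT_RE = re.compile(r"^Number of (?P<what>searched folders|tested files|infected files): (?P<n>\d+)$")


@dataclass
class ScanRun:
    started: str
    infected: list = field(default_factory=list)     # (path, detection name)
    unscannable: list = field(default_factory=list)  # (path, error code, message)
    counts: dict = field(default_factory=dict)       # summary lines, by label


def parse_report(text):
    """Split a pasted avast report into runs, classifying every 'File ...' line."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if HEADER_RE.match(line):
            current = ScanRun(started=line)
            runs.append(current)
            continue
        if current is None or not line or line.startswith("---"):
            continue
        m = INFECTED_RE.match(line)
        if m:
            current.infected.append((m["path"], m["name"].strip()))
            continue
        m = ERROR_RE.match(line)
        if m:
            current.unscannable.append((m["path"], int(m["code"]), m["msg"]))
            continue
        m = COUNT_RE.match(line)
        if m:
            current.counts[m["what"]] = int(m["n"])
    return runs


def triage(runs):
    """Per run: real detections, unscannable files, and whether the summary agrees."""
    out = []
    for run in runs:
        reported = run.counts.get("infected files")
        archive_errors = [u for u in run.unscannable if "archive is corrupted" in u[2]]
        out.append({
            "started": run.started,
            "detections": len(run.infected),
            "unscannable": len(run.unscannable),
            "archive_errors": len(archive_errors),
            # The summary count should match the detection lines; a mismatch
            # means the paste is truncated or was edited before posting.
            "count_consistent": reported is None or reported == len(run.infected),
        })
    return out


if __name__ == "__main__":
    for row in triage(parse_report(SAMPLE_REPORT)):
        print(row)
```

Only the "is infected by" lines count as detections; every "archive is corrupted" line is reported separately so it can be dismissed as an unpack failure, as the thread advises.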