Author Topic: Avast installation corrupted Windows XP  (Read 2624 times)

tatobo (Newbie)
Avast installation corrupted Windows XP
« on: February 24, 2008, 12:31:49 AM »
Can someone please help this newbie? (New to this forum, not to computers) I suspected malware on my pc, uninstalled AVG and SpySweeper and installed Avast. At the initial boot scan the following were found and put in the chest:

File C:\Documents and Settings\Kian\Local Settings\Temp\D371.tmp is infected by Win32:Trojan-gen {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\Documents and Settings\Kian\Local Settings\Temp\ismupd1.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP22\A0001688.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\WINDOWS\system32\rpcrt3.dll is infected by Win32:Agent-QMC [trj], Moved to chest

Now Windows is corrupted: most services are stopped and can't be started manually, I can't copy/paste anything except text files like the one above, Word and Excel report problems, Windows Explorer has issues, system restore won't work, I have no access to my other computer via LAN even though I can access the Internet, etc., etc. Avast itself seems to have issues: I can't open the chest to restore the files because the RPC service is stopped, and I can't start it from the control panel. I still have SuperAntispyware on my pc, but it doesn't seem to be running, and Windows won't let me uninstall it anyway.

I checked previous posts and found something similar, but the lucky guy was able to copy/paste with a flash drive and move the chest files to another pc, which I'm not able to do (copy/paste won't work). Can anyone help me restore whatever was removed or corrupted during the installation? Thanks so much! (I can provide a HJT log if that will help.)

CharleyO (avast! Evangelist)
Re: Avast installation corrupted Windows XP
« Reply #1 on: February 24, 2008, 07:56:43 AM »
***

Yes, please post a HJT log.


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Tech (avast! team)
Re: Avast installation corrupted Windows XP
« Reply #2 on: February 24, 2008, 12:20:06 PM »
> Avast itself seems to have issues: I can't open the chest to restore the files because the RPC service is stopped, and I can't start it from the control panel.

Some infections could do it... and avast can't cure itself (yet).

> I still have SuperAntispyware on my pc, but it doesn't seem to be running, and Windows won't let me uninstall it anyway.

Can you run it?

I suggest a full computer on-line scanning:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)
The best things in life are free.

tatobo (Newbie)
Re: Avast installation corrupted Windows XP
« Reply #3 on: February 24, 2008, 12:48:55 PM »
Thanks for the replies, the HJT log is below. My main concern is to get the computer functional again so that I can back everything up in case I have to do a complete reinstall of Windows. I'll try the suggested scans also.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:48 AM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\DOCUME~1\Kian\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-21-2266075044-3135658891-929149217-1005\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User '?')
O4 - HKUS\S-1-5-21-2266075044-3135658891-929149217-1005\..\Run: [SetDefaultMIDI] MIDIDef.exe (User '?')
O4 - HKUS\S-1-5-21-2266075044-3135658891-929149217-1005\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://msx.mlxchange.com/Control/FileCruiser.cab
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://msx.mlxchange.com/Control/Specfile.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://msx.mlxchange.com/Control/SISC.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://msx.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://msx.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://msx.mlxchange.com/Control/LiteGrid.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://msx.mlxchange.com/4.2.04.18/Control/IRCSharc.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://msx.mlxchange.com/Control/AspCustomCtrls.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B60D2BCA-61F6-49F4-A4B6-881AEFF7ED13}: NameServer = 68.87.64.146,68.87.75.194
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Documents and Settings\Kian\My Documents\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 8547 bytes

tatobo (Newbie)
Re: Avast installation corrupted Windows XP
« Reply #4 on: February 26, 2008, 01:29:23 AM »
Update: Ran SUPERAntiSpyware, all it found was a bunch of cookies. Cannot run Kaspersky or any other online scan--the corrupted system will not allow me to perform certain Internet functions. Downloaded free trial of Kaspersky, but it warns that all other AV programs should be removed first.

Question: did running Avast place a needed system file in the chest that will be erased forever if I uninstall Avast? Any insights on my HJT log? Thanks!
« Last Edit: February 26, 2008, 01:41:44 AM by tatobo »

CharleyO (avast! Evangelist)
Re: Avast installation corrupted Windows XP
« Reply #5 on: February 26, 2008, 06:33:26 AM »
***

I see nothing obviously wrong in your HJT log but I am no expert.

Hopefully, someone who is will jump in and offer another opinion.


***

TedNelly (avast! Evangelist)
Re: Avast installation corrupted Windows XP
« Reply #6 on: February 26, 2008, 06:45:25 AM »
Like CharleyO, I'm no HJT expert; however, just a couple of things:
Are you using a firewall?
Sun Java version should be jre1.6.0_04; your version is jre1.6.0_03. Uninstall all older versions of Sun Java via Control Panel before the update.
« Last Edit: February 26, 2008, 06:55:52 AM by tednelly »
  XP Pro-SP3 still!? need to Upgrade!| Avast 9.0.2003 | Online Armor 6 Free | Firefox 26 / Do Not Track Plus / Pale Moon 24.0.2 | T-Bird 24 Beta2 | Spamihilator 1.5 | SpyWareBlaster 5.0 | MalwareBytes 1.75 | HostsMan 4.3.98 (HP Hosts + MDL) /

MauriceW (Jr. Member)
Re: Avast installation corrupted Windows XP
« Reply #7 on: February 27, 2008, 12:19:52 AM »
tatobo,
Bad luck - I doubt that your problems come from the Avast installation.

I'm not an HJT expert but noted presence of %system%\rpcrt3.dll.
This is not in my XP Pro SP2 %system%

2) Google for "rpcrt3.dll" produces many hits
e.g.
1) "Rpcrt3.dll is Trojan/Backdoor" from
http://greatis.com/appdata/d/r/rpcrt3.dll_Removal.htm.

See also at Sophos.com
http://www.sophos.com/security/analyses/trojbuzzita.html
and
http://www.sophos.com/security/analyses/trojbuzzitb.html

You should be able to get advice from these.
 
May be wise to reboot into Safe Mode

Hope this helps.

Maurice

P.S. If you are brave,
you could try searching registry for "rpcrt3.dll"
and after backup of any keys found to say a floppy disc
deleting ONLY them.
Win7 Home 4GB RAM on HPdv7 dual HD
Office2007; Regular ERUNT
Security:-  Avast! 5 , All browsing in Sandboxie 3.46 Occasional SAS, MBAM
OS fairly stable - no malware.
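
Added example, not part of any post in this thread: the observation above that rpcrt3.dll is absent from a clean system32 can be turned into a check that flags detected files whose names sit one character away from a genuine system file (rpcrt4.dll is the real Windows RPC runtime library). The two report lines are copied from the first post; the baseline set and all function names are assumptions made for this example.

```python
import ntpath
import re

# Two boot-scan report lines copied from the first post of this thread.
REPORT = r"""
File C:\Documents and Settings\Kian\Local Settings\Temp\ismupd1.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\WINDOWS\system32\rpcrt3.dll is infected by Win32:Agent-QMC [trj], Moved to chest
"""

# Assumption: a small constructed baseline of genuine system32 file names;
# in practice, build it from a clean install of the same Windows version.
BASELINE = {"rpcrt4.dll", "rpcss.dll", "kernel32.dll", "user32.dll", "ole32.dll"}

LINE = re.compile(r"^File (?P<path>.+?) is infected by (?P<name>\S+)")

def parse_report(text):
    """Return (path, detection) pairs from avast report lines."""
    return [(m["path"], m["name"]) for m in map(LINE.match, text.splitlines()) if m]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(path, baseline=BASELINE, max_dist=1):
    """Baseline names the file imitates; empty if it is genuine or not in system32."""
    folder, name = ntpath.split(path.lower())
    if not folder.endswith(r"\system32") or name in baseline:
        return []
    return sorted(b for b in baseline if edit_distance(name, b) <= max_dist)

def triage(text):
    """Map each detected system32 file to the genuine names it resembles."""
    return {p: hits for p, _ in parse_report(text) if (hits := lookalikes(p))}

if __name__ == "__main__":
    for path, hits in triage(REPORT).items():
        print(f"{path} resembles {', '.join(hits)}")
```

A hit means the detection is not a false positive on a renamed system file but a separate file using a near-identical name, so the genuine library should still be present and can be verified independently.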

Marc57 (avast! Evangelist)
Re: Avast installation corrupted Windows XP
« Reply #8 on: February 27, 2008, 04:06:49 AM »
Have you tried to run System Restore to a restore point before all this happened?
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

 
