Author Topic: Expertise required: Full post on the problem of "Avast is not a win32"  (Read 8543 times)


fixidea

  • Guest
Here is, in 3 posts below this one, the result of the scan given after execution of combo-fix.
Is there a way out of this problem?

Thanks a lot.

fixidea

  • Guest
scan part 1/3
« Reply #1 on: February 18, 2008, 03:28:01 PM »
Here is the result from ComboFix; the post is in two parts due to the 10000-character limitation.

Avast and other antivirus programs are still blocked from executing, and the message is still the same.

What is the next step?

Thanks a lot.

AQ.

ComboFix 08-02-16.2 - SHIVA007 2008-02-18 21:00:05.4 - NTFSx86
Microsoft Windows XP Professionnel  5.1.2600.2.1252.1.1036.18.2545 [GMT 1:00]
Endroit: C:\Documents and Settings\SHIVA007\Bureau\ANTIVIRUS & Co\Combo-Fix.exe

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\SysPr.prx
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\plugin1.dat
C:\WINDOWS\system32\SysPr.prx

.
(((((((((((((((((((((((((((((   Fichiers créés 2008-01-18 to 2008-02-18  ))))))))))))))))))))))))))))))))))))
.

2008-02-18 19:18 . 2008-02-18 19:20   <REP>   d--------   C:\Documents and Settings\SHIVA007\Application Data\wsInspector
2008-02-18 19:16 . 2008-02-18 19:17   <REP>   d--------   C:\Program Files\Startup Inspector for Windows
2008-02-18 17:13 . 2008-02-18 17:13   <REP>   d--------   C:\Program Files\Innovative Solutions
2008-02-18 17:11 . 2008-02-18 17:11   <REP>   d--------   C:\Program Files\Driver Magician Lite
2008-02-18 14:55 . 2008-02-18 14:55   <REP>   d--------   C:\Peter
2008-02-18 14:20 . 2008-02-18 15:55   <REP>   d--------   C:\Program Files\Easy File Sharing Web Server
2008-02-18 14:18 . 2008-02-18 14:19   1,223,913   --a------   C:\WINDOWS\system32\issass.exe
2008-02-18 14:18 . 2008-02-18 14:18   33,952   --a------   C:\WINDOWS\system32\drivers\oreans32.sys
2008-02-17 20:31 . 2008-02-17 20:31   123   --a------   C:\WINDOWS\rootkitno.ini
2008-02-17 20:30 . 2008-02-17 20:30   <REP>   d--------   C:\RootkitNO
2008-02-17 18:37 . 2008-02-17 18:37   30,946   --a------   C:\WINDOWS\system32\drivers\Partizan.sys
2008-02-17 18:37 . 2008-02-17 18:37   25,088   --a------   C:\WINDOWS\system32\Partizan.exe
2008-02-17 18:36 . 2005-04-03 14:02   8,944   --a------   C:\WINDOWS\system32\drivers\UnHackMeDrv.sys
2008-02-17 18:35 . 2008-02-17 18:43   <REP>   d--------   C:\Program Files\UnHackMe
2008-02-17 14:54 . 2008-02-17 14:54   <REP>   d--------   C:\Muestras
2008-02-17 14:42 . 2008-02-17 18:49   124,890   --a------   C:\WINDOWS\system32\drivers\SROSA.SYS.del
2008-02-17 14:33 . 2008-02-18 16:34   <REP>   d--------   C:\Program Files\SUPERAntiSpyware
2008-02-17 14:33 . 2008-02-17 14:33   <REP>   d--------   C:\Documents and Settings\SHIVA007\Application Data\SUPERAntiSpyware.com
2008-02-17 14:33 . 2008-02-17 14:33   <REP>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-17 03:27 . 2008-02-17 03:27   <REP>   d--------   C:\Documents and Settings\SHIVA007\Application Data\Bitdefender
2008-02-17 03:27 . 2008-02-17 14:33   81,984   --a------   C:\WINDOWS\system32\bdod.bin
2008-02-17 03:24 . 2008-02-17 03:24   <REP>   d--------   C:\Program Files\Softwin
2008-02-17 03:24 . 2008-02-17 11:19   <REP>   d--------   C:\Documents and Settings\All Users\Application Data\BitDefender
2008-02-17 03:23 . 2008-02-17 03:24   <REP>   d--------   C:\Program Files\Fichiers communs\Softwin
2008-02-17 00:29 . 2008-02-17 00:29   <REP>   d--------   C:\Program Files\Lavasoft
2008-02-17 00:29 . 2008-02-17 14:32   <REP>   d--------   C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-17 00:29 . 2008-02-17 00:29   <REP>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-17 00:05 . 2008-02-17 00:05   <REP>   d--------   C:\WINDOWS\system32\xircom
2008-02-17 00:05 . 2008-02-17 00:05   <REP>   d--------   C:\Program Files\microsoft frontpage
2008-02-15 23:19 . 2007-12-04 14:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-02-15 23:19 . 2004-01-09 10:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-02-15 23:19 . 2007-12-04 13:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-02-15 23:19 . 2007-12-04 15:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-15 23:19 . 2007-12-04 15:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-15 23:19 . 2007-12-04 15:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-15 23:19 . 2007-12-04 15:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-15 23:19 . 2007-12-04 15:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-15 18:52 . 2008-02-15 18:52   <REP>   d--------   C:\Program Files\Astro Gemini Software
2008-02-15 18:52 . 2007-01-17 12:57   528,384   --a------   C:\WINDOWS\system32\Astro Gemini Screensaver Manager.scr
2008-02-15 18:39 . 2008-02-15 23:05   876,645   --a------   C:\WINDOWS\track.mus
2008-02-15 18:39 . 2008-02-15 18:39   271   --a------   C:\WINDOWS\WinterTunnel-2007.set
2008-02-15 18:38 . 2008-02-15 18:52   <REP>   d--------   C:\Program Files\Space Tunnels 3D Screensaver
2008-02-15 18:38 . 2007-04-17 16:15   7,078,400   --a------   C:\WINDOWS\system32\Space Tunnels 3D Screensaver.scr
2008-02-15 18:38 . 2005-04-08 15:02   92,728   --a------   C:\WINDOWS\system32\attach.bass
2008-02-15 18:38 . 2007-01-30 15:42   3,250   --a------   C:\WINDOWS\system32\SpaceTunnels3DScreensaver.html
2008-02-15 12:15 . 2008-02-15 12:15   <REP>   d--------   C:\Program Files\Space Plasma 3D Screensaver
2008-02-13 22:15 . 2008-02-13 22:16   <REP>   d--------   C:\Program Files\TreePadBIZ_7
2008-02-13 19:45 . 2008-02-13 19:45   <REP>   d--------   C:\Program Files\Remote
2008-02-13 19:44 . 2006-08-10 03:31   198,144   ---------   C:\WINDOWS\system32\_psisdecd.dll
2008-02-13 19:35 . 2008-02-13 19:35   <REP>   d--------   C:\Program Files\EMTEC
2008-02-13 19:14 . 2008-02-13 19:14   <REP>   d--------   C:\Documents and Settings\SHIVA007\Contacts
2008-02-13 19:00 . 2008-02-13 19:10   <REP>   d--------   C:\Program Files\MSN Messenger
2008-02-13 10:00 . 2008-02-13 10:00   <REP>   d--------   C:\Program Files\PowerQuest
2008-02-13 09:51 . 2008-02-13 09:55   <REP>   d--------   C:\Program Files\Ontrack
2008-02-06 00:04 . 2004-10-29 19:12   17,024   --a------   C:\WINDOWS\system32\drivers\usbohci.sys
2008-02-04 03:03 . 2004-10-29 19:11   43,136   --a------   C:\WINDOWS\system32\drivers\sbp2port.sys
2008-02-03 14:13 . 2008-02-03 14:13   <REP>   d--------   C:\Documents and Settings\SHIVA007\Application Data\AdobeUM
2008-02-03 14:13 . 2008-02-03 14:13   <REP>   d--------   C:\Documents and Settings\SHIVA007\Application Data\AdobeAUM
2008-02-01 16:30 . 2008-02-01 16:30   <REP>   d--------   C:\Program Files\Bonjour
2008-02-01 02:19 . 2008-02-01 02:33   <REP>   d--------   C:\Program Files\Total Video Converter
2008-02-01 01:24 . 2008-02-01 01:24   <REP>   d--------   C:\Program Files\Combined Community Codec Pack
2008-02-01 01:22 . 2008-02-01 01:22   <REP>   d--------   C:\Program Files\Real Alternative
2008-02-01 01:22 . 2008-02-01 01:22   <REP>   d--------   C:\Program Files\QuickTime Alternative
2008-02-01 01:22 . 2006-09-01 16:14   65,536   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
2008-02-01 01:22 . 2006-09-01 16:14   49,152   --a------   C:\WINDOWS\system32\QuickTime.qts
2008-02-01 01:20 . 2008-02-01 01:20   <REP>   d--------   C:\Program Files\Amadis Software
2008-02-01 01:20 . 2006-11-07 11:22   719,872   --a------   C:\WINDOWS\system32\devil.dll
2008-02-01 01:20 . 2006-12-31 10:16   313,344   --a------   C:\WINDOWS\system32\avisynth.dll
2008-01-30 15:18 . 2008-01-30 15:18   <REP>   d--------   C:\Documents and Settings\SHIVA007\Application Data\CyberLink
2008-01-30 15:03 . 2008-02-13 20:40   <REP>   d--------   C:\Documents and Settings\All Users\Application Data\CyberLink
2008-01-30 14:53 . 2008-02-13 19:43   <REP>   d--------   C:\Program Files\CyberLink
2008-01-30 14:53 . 2001-03-08 18:30   24,064   ---------   C:\WINDOWS\system32\msxml3a.dll
2008-01-30 14:14 . 2008-01-30 14:14   <REP>   d--------   C:\WINDOWS\system32\URTTEMP
2008-01-30 14:14 . 2007-01-26 02:04   196,096   --a------   C:\WINDOWS\system32\macd32.dll
2008-01-30 14:14 . 2007-01-26 02:04   138,752   --a------   C:\WINDOWS\system32\mase32.dll
2008-01-30 14:14 . 2007-01-26 02:04   136,192   --a------   C:\WINDOWS\system32\mamc32.dll
2008-01-30 14:14 . 2004-07-02 17:28   84,992   --a------   C:\WINDOWS\system32\ATL70.DLL
2008-01-30 14:14 . 2007-01-26 02:04   57,856   --a------   C:\WINDOWS\system32\masd32.dll
2008-01-30 14:14 . 2007-01-26 02:04   27,648   --a------   C:\WINDOWS\system32\ma32.dll

fixidea

  • Guest
Scan 2/3
« Reply #2 on: February 18, 2008, 03:28:47 PM »
2008-01-30 14:12 . 2008-01-30 14:19   <REP>   d--------   C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2008-01-30 14:10 . 2008-01-30 14:18   <REP>   d--------   C:\Program Files\Pinnacle
2008-01-30 14:10 . 2008-01-30 14:19   <REP>   d--------   C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-01-30 14:09 . 2008-01-30 14:09   <REP>   d--------   C:\Documents and Settings\SHIVA007\Application Data\InstallShield
2008-01-28 22:21 . 2008-01-28 22:21   <REP>   d--------   C:\Program Files\MSXML 6.0
2008-01-28 01:02 . 2008-01-28 01:02   <REP>   d--------   C:\Documents and Settings\SHIVA007\Application Data\Druide
2008-01-28 01:00 . 2008-01-28 01:00   <REP>   d--------   C:\Program Files\Druide
2008-01-28 01:00 . 2008-01-28 02:46   242   --a------   C:\WINDOWS\Antidote.ini
2008-01-28 01:00 . 2008-01-28 01:00   0   --a------   C:\WINDOWS\PROTOCOL.INI
2008-01-28 00:59 . 1999-03-23 09:12   304,128   --a------   C:\WINDOWS\unin040c.exe
2008-01-27 17:22 . 2008-01-27 17:22   <REP>   d--------   C:\Program Files\Reallusion
2008-01-27 17:22 . 2008-01-27 17:22   <REP>   d--------   C:\Program Files\Fichiers communs\Reallusion
2008-01-27 17:22 . 2008-01-27 17:22   <REP>   d--------   C:\Documents and Settings\All Users\Application Data\Reallusion
2008-01-27 16:53 . 2008-02-01 01:22   <REP>   d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-26 19:06 . 2008-01-26 19:06   <REP>   d--------   C:\Program Files\MSBuild
2008-01-26 19:06 . 2008-01-26 19:06   <REP>   d--------   C:\Program Files\Microsoft Works
2008-01-26 19:01 . 2008-01-26 19:10   <REP>   d--------   C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-26 19:00 . 2008-01-26 19:00   <REP>   dr-h-----   C:\MSOCache
2008-01-26 18:40 . 2008-01-26 18:40   <REP>   d--------   C:\Program Files\PhotoArtist 2
2008-01-26 18:40 . 2008-01-26 18:40   3,240   --a------   C:\WINDOWS\jkffrc64.ini
2008-01-26 18:40 . 2008-01-26 18:40   1,430   --a------   C:\WINDOWS\cbtp_d.ini

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 17:14   ---------   d-----w   C:\Program Files\Zoom Player
2008-02-18 16:53   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-18 16:20   ---------   d-----w   C:\Program Files\eMule
2008-02-17 02:39   ---------   d-----w   C:\Program Files\DAEMON Tools
2008-02-16 23:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Acronis
2008-02-15 18:52   ---------   d-----w   C:\Program Files\Alwil Software
2008-02-13 18:45   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-02-03 18:09   ---------   d-----w   C:\Program Files\Fichiers communs\Acronis
2008-02-03 18:09   ---------   d-----w   C:\Program Files\Acronis
2008-02-01 15:30   ---------   d-----w   C:\Program Files\Fichiers communs\Adobe
2008-02-01 00:22   ---------   d-----w   C:\Program Files\Media Player Classic
2008-01-29 11:03   ---------   d-----w   C:\Program Files\Fichiers communs\MAGIX Shared
2008-01-27 19:53   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\Alien Skin
2008-01-16 23:49   ---------   d-----w   C:\Program Files\Dvd-cloner
2008-01-16 23:19   ---------   d-----w   C:\Program Files\Fichiers communs\Macromedia
2008-01-16 23:18   ---------   d-----w   C:\Program Files\Macromedia
2008-01-16 12:09   ---------   d-----w   C:\Program Files\Tropical Fish 3D Screensaver
2008-01-15 23:36   ---------   d-----w   C:\Program Files\Spirit of Fire 3D Screensaver
2008-01-15 16:15   ---------   d-----w   C:\Program Files\ProtectDisc Driver Installer
2008-01-15 16:15   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\MAGIX
2008-01-15 16:14   ---------   d-----w   C:\Program Files\MAGIX
2008-01-15 16:14   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\MAGIX
2008-01-15 13:35   ---------   d-----w   C:\Program Files\Earth 3D Screensaver
2008-01-15 13:35   ---------   d-----w   C:\Program Files\3Planesoft Screensaver Manager
2008-01-15 13:32   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-15 12:53   ---------   d-----w   C:\Program Files\Smart PC Solutions
2008-01-15 12:25   ---------   d-----w   C:\Program Files\StartupStar
2008-01-15 12:23   ---------   d-----w   C:\Program Files\TaskCoach
2008-01-15 12:23   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\TaskCoach
2008-01-15 12:22   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\Media Player Classic
2008-01-15 12:18   ---------   d-----w   C:\Program Files\Winamp
2008-01-15 10:16   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\Winamp
2008-01-15 01:14   ---------   d-----w   C:\Program Files\Windows Media Connect 2
2008-01-15 00:13   ---------   d-----w   C:\Program Files\Everest Ultimate Edition 4.20.1170 (Standalone) + Serial
2008-01-14 17:52   ---------   d-----w   C:\Program Files\BulletProofSoft.com
2008-01-14 14:12   ---------   d-----w   C:\Program Files\Startup Mechanic
2008-01-14 13:08   ---------   d-----w   C:\Program Files\AKVIS
2008-01-14 04:58   ---------   d-----w   C:\Program Files\vp5e
2008-01-14 02:50   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\EBookSys
2008-01-14 02:49   ---------   d-----w   C:\Program Files\E-Book Systems
2008-01-14 02:34   ---------   d-----w   C:\Program Files\7artstudio
2008-01-14 00:46   ---------   d-----w   C:\Program Files\USBInfo
2008-01-14 00:45   73,216   ----a-w   C:\WINDOWS\ST6UNST.EXE
2008-01-14 00:45   249,856   ------w   C:\WINDOWS\Setup1.exe
2008-01-14 00:41   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\3D-Album-PS
2008-01-14 00:39   ---------   d-----w   C:\Program Files\3D-Album-PicturePlatinum
2008-01-14 00:35   ---------   d-----w   C:\Program Files\visviva
2008-01-14 00:35   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\visviva
2008-01-14 00:31   ---------   d-----w   C:\Program Files\Futuremark
2008-01-14 00:24   ---------   d-----w   C:\Program Files\DirectVobSub
2008-01-14 00:05   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-13 13:50   ---------   d-----w   C:\Program Files\Webteh
2008-01-13 02:53   ---------   d-----w   C:\Program Files\e-on software
2008-01-13 02:40   ---------   d-----w   C:\Program Files\Canon
2008-01-13 02:39   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\Canon
2008-01-13 02:10   ---------   d-----w   C:\Program Files\MirrorFolder
2008-01-13 02:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\MirrorFolder
2008-01-08 21:41   ---------   d-----w   C:\Program Files\AVSociety
2008-01-08 21:36   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\vlc
2008-01-08 21:34   ---------   d-----w   C:\Program Files\VideoLAN
2008-01-07 02:00   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-25 03:24   ---------   d-----w   C:\Program Files\Intel
2007-12-23 23:54   ---------   d-----w   C:\Program Files\Le Robert
2007-12-23 23:39   ---------   d-----w   C:\Program Files\LoveChess Age Of Egypt
2007-12-23 23:36   ---------   d-----w   C:\Program Files\DVD Shrink
2007-12-23 22:42   ---------   d-----w   C:\Program Files\D-Tools
2007-12-23 22:36   ---------   d-----w   C:\Program Files\SiSoftware
2007-12-23 22:33   ---------   d-----w   C:\Program Files\Inside the Cell 3D Screensaver
2007-12-23 22:31   639,224   ----a-w   C:\WINDOWS\system32\drivers\sptd.sys
2007-12-23 22:20   ---------   d-----w   C:\Program Files\Fichiers communs\Macrovision Shared
2007-12-23 22:13   ---------   d-----w   C:\Program Files\Abrosoft
2007-12-23 20:34   ---------   d-----w   C:\Documents and Settings\SHIVA007\Application Data\Nero
2007-12-23 20:24   ---------   d-----w   C:\Program Files\Logitech
2007-12-23 20:24   ---------   d-----w   C:\Program Files\Fichiers communs\Logitech
2007-12-22 13:49   395,744   ----a-w   C:\WINDOWS\system32\drivers\timntr.sys
2007-12-22 13:49   39,264   ----a-w   C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-12-22 13:48   114,048   ----a-w   C:\WINDOWS\system32\drivers\snapman.sys
2007-12-22 12:59   ---------   d-----w   C:\Program Files\Fichiers communs\Adobe Systems Shared
2007-12-22 12:59   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-22 12:22   ---------   d-----w   C:\Program Files\Ultra Fractal 4
2007-12-22 12:16   ---------   d-----w   C:\Program Files\MSXML 4.0
2007-12-22 09:47   ---------   d-----w   C:\Program Files\Analog Devices
2007-12-22 02:42   ---------   d-----w   C:\Documents and Settings\Administrateur\Application Data\Nero
2007-12-22 02:41   ---------   d-----w   C:\Program Files\Fichiers communs\Nero
2007-12-22 02:40   ---------   d-----w   C:\Program Files\Nero
2007-12-22 02:40   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Nero
2007-12-22 01:50   ---------   d-----w   C:\Documents and Settings\Administrateur\Application Data\Ultra Fractal 4
2007-12-21 23:44   ---------   d-----w   C:\Program Files\AxBx
2007-12-18 09:51   179,584   ----a-w   C:\WINDOWS\system32\drivers\mrxdav.sys
2006-06-23 06:48   32,768   ----a-r   C:\WINDOWS\inf\UpdateUSB.exe

fixidea

  • Guest
scan 3/3
« Reply #3 on: February 18, 2008, 03:29:33 PM »
(((((((((((((((((((((((((((((((((   Point de chargement Reg   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ZipFile]
@={2D7E38A6-A604-45AE-9A87-4F5F25760650}

[HKEY_CLASSES_ROOT\CLSID\{2D7E38A6-A604-45AE-9A87-4F5F25760650}]
         C:\WINDOWS\System32\winsdrv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gestionnaire Antidote.exe"="C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe" [2004-06-24 02:10 702539]
"system32"="C:\WINDOWS\system32\issass.exe" [2008-02-18 14:19 1223913]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-31 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34 868352]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-18 17:58 1185264]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-18 18:02 1961576]
"Acronis Scheduler2 Service"="C:\Program Files\Fichiers communs\Acronis\Schedule2\schedhlp.exe" [2006-10-17 11:47 87584]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48 157592]
"MirrorFolderShell"="C:\WINDOWS\system32\mrfshl.exe" [2004-06-07 16:05 135168]
"NWEReboot"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-10-31 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\softkey32]
softkey32.dll 2004-08-17 06:52 8192 C:\WINDOWS\system32\softkey32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 relog_ap

R0 MrFoldr;MirrorFolder real-time replication driver;C:\WINDOWS\system32\drivers\mrfoldr.sys [2004-06-07 16:05]
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2004-10-31 13:00]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-02-18 14:18]
R2 acedrv09;acedrv09;C:\WINDOWS\system32\drivers\acedrv09.sys [2007-06-18 14:10]
R2 acehlp09;acehlp09;C:\WINDOWS\system32\drivers\acehlp09.sys [2007-05-30 17:54]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 09:50]
R3 mod7700;DiBcom S830 based TV tuner device;C:\WINDOWS\system32\Drivers\dvb7700all.sys [2007-01-30 05:10]
S0 stwlfbus;stwlfbus;C:\WINDOWS\system32\DRIVERS\stwlfbus.sys [2003-04-27 12:39]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-02-17 18:37]
S3 PciCon;PciCon;D:\PciCon.sys []
S3 ptiusbf;PTI USB Filter;C:\WINDOWS\system32\DRIVERS\PTIUSBF.SYS [2001-04-14 00:22]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-06-16 08:30]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-03-31 04:39]
S3 st3wolf;st3wolf;C:\WINDOWS\system32\DRIVERS\st3wolf.sys [2003-04-27 11:43]
S3 UPnPService;UPnPService;C:\Program Files\Fichiers communs\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 17:00]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 21:33:49
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\WinRAR\rarext.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Fichiers communs\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-18 21:37:14 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-18 20:37:12
ComboFix2.txt  2008-02-18 18:27:37
ComboFix3.txt  2008-02-18 18:08:55
ComboFix4.txt  2008-02-16 23:09:42
.
2008-02-17 12:49:32   --- E O F ---
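The registry loading-points section of the log above is where a responder would start: an AppInit_DLLs value (sockspy.dll, which the "DLLs chargées" section shows loaded inside winlogon.exe and lsass.exe), a Run entry named "system32" pointing at issass.exe, and an extra LSA authentication package (relog_ap) next to msv1_0. The script below is an added example, not ComboFix's or this forum's own tooling: it parses a constructed excerpt of that section (the file names come from the posted log) and lists the entries worth a second look. The three checks and the list of core Windows binaries are assumptions about useful triage heuristics, not malware signatures.

```python
"""Triage the registry autostart ("Point de chargement Reg") section of a
ComboFix log and list the entries an incident responder would review first.

Added example, not ComboFix's or the forum's own code. SAMPLE_LOG is a
constructed excerpt of the log posted in this thread; the checks below are
assumptions about what deserves review, not detection signatures.
"""
import re

# Constructed excerpt of the "Point de chargement Reg" section of the thread's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gestionnaire Antidote.exe"="C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe" [2004-06-24 02:10 702539]
"system32"="C:\WINDOWS\system32\issass.exe" [2008-02-18 14:19 1223913]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-31 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]
"MirrorFolderShell"="C:\WINDOWS\system32\mrfshl.exe" [2004-06-07 16:05 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 relog_ap
"""

# Core Windows binaries whose names are often imitated (assumption: a short,
# illustrative list, not an exhaustive one).
CORE_BINARIES = ["lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                 "winlogon.exe", "services.exe", "spoolsv.exe", "explorer.exe"]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.*)$')
AUTHPKG_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$")


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_loading_points(text):
    """Return (key, kind, payload) tuples for Run values, AppInit_DLLs and LSA packages."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = APPINIT_RE.match(line)
        if m:
            entries.append((key, "appinit", m.group("dlls").strip()))
            continue
        m = AUTHPKG_RE.match(line)
        if m:
            entries.append((key, "authpkg", m.group("pkgs").split()))
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(r"\run"):
            entries.append((key, "run", (m.group("name"), m.group("path"))))
    return entries


def triage(text):
    """Return a sorted list of (reason, detail) findings for human review."""
    findings = []
    for key, kind, payload in parse_loading_points(text):
        if kind == "appinit" and payload:
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # which is how a DLL ends up inside winlogon.exe and lsass.exe.
            findings.append(("AppInit_DLLs set", payload))
        elif kind == "authpkg":
            # Only msv1_0 is expected by default on XP; anything else gets reviewed.
            extra = [p for p in payload if p.lower() != "msv1_0"]
            if extra:
                findings.append(("extra LSA authentication package", " ".join(extra)))
        elif kind == "run":
            name, path = payload
            base = path.rsplit("\\", 1)[-1].lower()
            for core in CORE_BINARIES:
                if base != core and edit_distance(base, core) <= 2:
                    findings.append(("Run entry imitates " + core, f"{name} -> {path}"))
    return sorted(findings)


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```

Run against the excerpt it reports the AppInit DLL, the relog_ap package and the issass.exe Run entry, and nothing for ctfmon.exe, NvCpl.dll or mrfshl.exe. The look-alike check deliberately uses a small edit distance rather than an allow-list of system32 contents, so it stays useful when the exact file name differs between variants (marex86 reports isass.exe on his machine).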

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #4 on: February 18, 2008, 04:30:21 PM »
Hm, Bagle was active. In my point of view I would format and reinstall XP. But maybe you will get some more replies saying you do not need to. You should at least change all passwords after cleaning or reinstalling.

Please test the following files at Virustotal.com

C:\WINDOWS\system32\issass.exe
C:\WINDOWS\System32\winsdrv.dll (if you can find it)

BTW: I see Acronis True Image. Maybe you have a clean backup?
MfG Ralf

marex86

  • Guest
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #5 on: February 20, 2008, 01:47:27 PM »
Hello,

I have the same problem as is mentioned here and in a few other topics.

I have tried everything, but without luck.

C:\WINDOWS\System32\winsdrv.dll - I can't find this one :S

C:\WINDOWS\system32\issass.exe (btw it is isass.exe) - I tested this one on VirusTotal and it says it is clean, though lately I saw this file isass.exe have some high activity on my PC; it was taking too much CPU %, and that's when I suspected that I have some virus.

I found it through a LAN drive scan from my other PC,
and I found a lot of buggers:
Quote
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\documents and settings\marex86\local settings\temporary internet files\content.ie5\usz9ijbe\b64_1[2].jpg   642 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\133671.exe   642 KB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\c\windows\system32\drivers\down\109546.exe   472.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\documents and settings\marex86\local settings\temporary internet files\content.ie5\bs39hp2e\b64_31[1].jpg   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\jjjjj\windows\system32\drivers\down\14647296.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\15660953.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\136718.exe   69.5 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\documents and settings\marex86\local settings\temporary internet files\content.ie5\bs39hp2e\b64_1[1].jpg   642 KB
Infected: adware not-a-virus:AdWare.Win32.DealHelper.aj   \\marex86\c\documents and settings\marex86\desktop\tor & rar\usopen_widget.zip   2.9 MB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\c\windows\system32\drivers\down\107140.exe   472.5 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\154484.exe   642 KB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\jjjjj\windows\system32\drivers\down\58861687.exe   472.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\jjjjj\windows\system32\drivers\down\29280125.exe   69.5 KB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\c\windows\system32\drivers\down\102390.exe   472.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\30048921.exe   69.5 KB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\c\windows\system32\drivers\down\101281.exe   472.5 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\jjjjj\windows\system32\drivers\down\58892234.exe   642 KB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\c\windows\system32\drivers\down\300808000.exe   472.5 KB
Infected: Trojan program Backdoor.Win32.Hupigon.axbr   \\marex86\c\documents and settings\marex86\desktop\igrice\admin\user.phpimperium_2007323_235923.htm   642 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\154921.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\jjjjj\windows\system32\mdelk.exe   69.5 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\jjjjj\windows\system32\drivers\down\43935156.exe   642 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\15636984.exe   642 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\14576703.exe   642 KB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\jjjjj\windows\system32\drivers\down\30001156.exe   472.5 KB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\c\windows\system32\drivers\down\97812.exe   472.5 KB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\c\documents and settings\marex86\local settings\temporary internet files\content.ie5\bs39hp2e\b64_2[1].jpg   472.5 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\125281.exe   642 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\30027578.exe   642 KB
Infected: Trojan program Trojan-Downloader.Win32.Bagle.jw   \\marex86\c\program files\hdd thermometer\hdd thermometer.exe   652.6 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\125875.exe   642 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\15474484.exe   642 KB
Infected: Trojan program Backdoor.Win32.Hupigon.axbr   \\marex86\c\incredimail transferred data\incredimail data.cab   65.2 MB
Infected: Trojan program Trojan.Win32.Pakes.bwy   \\marex86\c\windows\system32\drivers\down\124734.exe   472.5 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\131875.exe   642 KB
Infected: Trojan program Trojan-PSW.Win32.Agent.xd   \\marex86\c\windows\system32\drivers\down\138171.exe   642 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\149468.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\15494296.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\146187.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\172718.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\mdelk.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\300848906.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\151484.exe   69.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\windows\system32\drivers\down\14593515.exe   69.5 KB
Infected: Trojan program Backdoor.Win32.Hupigon.axbr   \\marex86\c\documents and settings\marex86\desktop\igrice\admin\admin.rar   719.5 KB
Infected: virus Email-Worm.Win32.Bagle.of   \\marex86\c\documents and settings\marex86\local settings\temporary internet files\content.ie5\qf5zyslb\b64_31[1].jpg   69.5 KB
Infected: Trojan program Backdoor.Win32.Rbot.hau   \\marex86\c\windows\system32\boat32.exe   444 KB
Most of these I successfully backed up and deleted, but 3 I wasn't able to delete:

Quote
not found: virus Email-Worm.Win32.Bagle.of   File: \\MAREX86\jjjjj\WINDOWS\system32\mdelk.exe
detected: virus Email-Worm.Win32.Bagle.of   File: \\MAREX86\jjjjj\WINDOWS\system32\wintems.exe
detected: Trojan program Trojan-Downloader.Win32.Bagle.jv   File: \\MAREX86\jjjjj\WINDOWS\system32\drivers\hldrrr.exe

These 3 I wasn't able to delete, because Windows was active and didn't allow me, so I used a live CD of a Linux distribution and deleted them :)

But that didn't help; they are not there anymore, but I still get the error "it is not valid win32 application".

Any help on this?

Thanks
marko

psw

  • Guest
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #6 on: February 20, 2008, 05:04:47 PM »
You probably have Win32.HLLM.Beagle
You can try to boot from a LiveCD and remove the following files:
windows\system32\drivers\srosa.sys
windows\system32\drivers\hldrrr.exe
windows\system32\wintems.exe
windows\system32\mdelk.exe

Sometimes that is enough to subsequently launch AV programs in Windows.

essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #7 on: February 20, 2008, 05:13:09 PM »
Unless Bagle has renamed the drivers (possible, as they update faster than the tools to kill them), then ComboFix, renamed, should kill it.

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

jon01

  • Guest
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #8 on: February 20, 2008, 09:32:35 PM »
I have the same problem as well. I have installed and run McAfee 8, which found several bugs, but did not correct this problem. I have been following several posts on this forum and have now successfully run the renamed Combo-Fix, and the log is split between the next post(s).

I did not intend to hijack this thread, but thought that since the problem is similar we could all benefit.

Please advise...

ComboFix 08-02-20.2 - jlooney 2008-02-20 11:05:42.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.523 [GMT -5:00]
Running from: C:\Documents and Settings\jlooney\Desktop\Combo-Fix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jlooney\g2mdlhlpx.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\76538115.exe
C:\WINDOWS\system32\drivers\down\76547779.exe
C:\WINDOWS\system32\drivers\down\76563182.exe
C:\WINDOWS\system32\drivers\down\76599263.exe
C:\WINDOWS\system32\drivers\down\76599844.exe
C:\WINDOWS\system32\drivers\down\76619963.exe
C:\WINDOWS\system32\drivers\down\76622086.exe
C:\WINDOWS\system32\drivers\down\76625000.exe
C:\WINDOWS\system32\drivers\down\76627404.exe
C:\WINDOWS\system32\drivers\down\76634855.exe
C:\WINDOWS\system32\drivers\down\76638320.exe
C:\WINDOWS\system32\drivers\down\76639531.exe
C:\WINDOWS\system32\drivers\down\76640493.exe
C:\WINDOWS\system32\drivers\down\76643016.exe
C:\WINDOWS\system32\drivers\down\76646451.exe
C:\WINDOWS\system32\drivers\down\76648534.exe
C:\WINDOWS\system32\drivers\down\76678668.exe
C:\WINDOWS\system32\drivers\down\76701250.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys

.
(((((((((((((((((((((((((   Files Created from 2008-01-20 to 2008-02-20  )))))))))))))))))))))))))))))))
.

2008-02-20 09:20 . 2008-02-20 09:20   <DIR>   d--------   C:\Program Files\MSXML 4.0
2008-02-19 14:38 . 2008-02-19 16:44   <DIR>   d--------   C:\QUARANTINE
2008-02-19 14:16 . 2008-02-19 17:04   512   --a------   C:\WINDOWS\randseed.rnd
2008-02-19 14:08 . 2008-02-19 14:08   <DIR>   d--------   C:\Program Files\Common Files\Cisco Systems
2008-02-19 14:08 . 2005-01-14 20:00   108,480   --a------   C:\WINDOWS\system32\drivers\naiavf5x.sys
2008-02-19 14:08 . 2005-01-14 20:00   58,464   --a------   C:\WINDOWS\system32\drivers\mvstdi5x.sys
2008-02-19 14:07 . 2008-02-19 14:08   <DIR>   d--------   C:\Program Files\Network Associates
2008-02-19 14:07 . 2008-02-19 14:07   <DIR>   d--------   C:\Program Files\Common Files\Network Associates
2008-02-19 14:07 . 2008-02-19 14:08   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Network Associates
2008-02-18 10:11 . 2008-02-19 11:10   <DIR>   d--------   C:\Documents and Settings\jlooney\.housecall6.6
2008-02-18 08:58 . 2008-02-18 08:58   <DIR>   d--------   C:\Documents and Settings\jlooney\Dial -up Info
2008-02-18 08:51 . 2008-02-19 11:11   <DIR>   d--------   C:\Documents and Settings\jlooney\desktop items
2008-02-18 08:51 . 2008-02-19 11:10   <DIR>   d--------   C:\Documents and Settings\jlooney\DataViz Mail
2008-02-18 08:51 . 2008-02-18 08:51   <DIR>   d--------   C:\Documents and Settings\jlooney\Corel User Files
2008-02-18 08:51 . 2008-02-18 08:51   <DIR>   d--------   C:\Documents and Settings\jlooney\copied video
2008-02-18 08:49 . 2008-02-19 11:11   <DIR>   d--------   C:\Documents and Settings\jlooney\CD Files for Autorun
2008-02-18 08:43 . 2008-02-19 11:10   <DIR>   d--------   C:\Documents and Settings\jlooney\Camtasia Studio
2008-02-18 08:43 . 2008-02-18 08:43   <DIR>   d--------   C:\Documents and Settings\jlooney\bridge
2008-02-18 08:39 . 2008-02-19 11:11   <DIR>   d--------   C:\Documents and Settings\jlooney\admin password reset utilities
2008-02-15 16:29 . 2008-02-15 16:29   1,905   --a------   C:\WINDOWS\diagwrn.xml
2008-02-15 16:29 . 2008-02-15 16:29   1,905   --a------   C:\WINDOWS\diagerr.xml
2008-02-11 14:47 . 2008-02-11 14:47   <DIR>   d--------   C:\Documents and Settings\jlooney\Application Data\Dolesoft
2008-02-11 14:46 . 2008-02-11 14:46   <DIR>   d--------   C:\Program Files\Dolesoft
2008-02-11 11:04 . 2008-02-11 11:04   <DIR>   d--------   C:\WINDOWS\system32\XPSViewer
2008-02-11 11:04 . 2008-02-11 11:04   <DIR>   d--------   C:\Program Files\Reference Assemblies
2008-02-11 11:03 . 2008-02-11 11:03   <DIR>   d--------   C:\Program Files\MSXML 6.0
2008-02-11 11:03 . 2006-06-29 13:07   14,048   ---------   C:\WINDOWS\system32\spmsg2.dll
2008-02-09 22:32 . 2008-02-09 22:39   768   --a------   C:\WINDOWS\system32\d3d8caps.dat
2008-02-08 15:48 . 2008-02-08 15:48   <DIR>   d--------   C:\Documents and Settings\jlooney\Application Data\Webcammax
2008-02-08 15:33 . 2008-02-11 10:37   <DIR>   d--------   C:\Program Files\WebcamMax
2008-02-08 08:58 . 2008-02-08 08:58   <DIR>   d--------   C:\Program Files\ooVoo
2008-02-08 08:58 . 2008-02-08 08:58   <DIR>   d--------   C:\Documents and Settings\jlooney\Application Data\ooVoo Details
2008-02-07 17:26 . 2006-10-26 19:56   32,592   --a------   C:\WINDOWS\system32\msonpmon.dll
2008-02-07 16:34 . 2008-02-07 16:34   <DIR>   d--------   C:\Program Files\Microsoft Visual Studio 8
2008-02-06 16:04 . 2008-02-06 16:04   <DIR>   d--------   C:\Documents and Settings\jlooney\Application Data\System Access to Go
2008-02-06 11:30 . 2008-02-06 11:30   <DIR>   d--------   C:\Program Files\Citrix
2008-01-22 10:27 . 2008-01-22 10:27   <DIR>   d--------   C:\Program Files\TextMiningTool 1.1.42
2008-01-21 10:40 . 2008-01-21 10:41   664   --a------   C:\WINDOWS\system32\d3d9caps.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 13:37   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-19 20:09   ---------   d-----w   C:\Documents and Settings\jlooney\Application Data\TeraCopy
2008-02-11 16:05   ---------   d-----w   C:\Program Files\MSBuild
2008-02-08 13:58   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-02-07 23:05   ---------   d-----w   C:\Documents and Settings\jlooney\Application Data\Skype
2008-02-06 16:49   ---------   d-----w   C:\Program Files\Java
2008-01-18 20:57   ---------   d-----w   C:\Program Files\Picasa2
2008-01-18 20:49   ---------   d-----w   C:\Program Files\Google
2008-01-18 20:37   ---------   d-----w   C:\Program Files\trayit
2008-01-17 18:59   ---------   d-----w   C:\Program Files\Microsoft
2008-01-11 14:49   ---------   d-----w   C:\Documents and Settings\jlooney\Application Data\OfficeUpdate12
2008-01-10 18:05   586,240   ----a-w   C:\WINDOWS\WLXPGSS.SCR
2008-01-04 19:33   ---------   d-----w   C:\Program Files\AviSynth 2.5
2008-01-04 19:32   ---------   d-----w   C:\Program Files\eRightSoft
2008-01-04 19:31   ---------   d-----w   C:\Program Files\MediaCoder
2008-01-04 17:41   ---------   d-----w   C:\Documents and Settings\jlooney\Application Data\Media Player Classic
2008-01-04 17:40   ---------   d-----w   C:\Documents and Settings\jlooney\Application Data\Winff
2008-01-04 17:38   ---------   d-----w   C:\Program Files\WinFF
2008-01-04 17:26   ---------   d-----w   C:\Program Files\Red Kawa
2008-01-03 15:27   ---------   d-----w   C:\Program Files\TrueLaunchBar
2008-01-02 19:40   ---------   d-----w   C:\Program Files\Unlocker
2008-01-02 19:13   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-02 16:18   ---------   d-----w   C:\Program Files\Runtime Software
2007-12-20 19:39   ---------   d-----w   C:\Program Files\Messenger Plus! Live
2004-09-30 20:05   65,536   ----a-w   C:\WINDOWS\Cursors\XZ-B-ONE Cursors\InCurso.exe
2003-08-05 15:41   53,248   ----a-w   C:\WINDOWS\inf\ap561.exe
2006-01-19 11:30   108   --sha-r   C:\WINDOWS\neoqaz2.dll
2006-05-03 09:06   163,328   --sh--r   C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47   31,232   --sh--r   C:\WINDOWS\system32\msfDX.dll
.

------- Sigcheck -------

"C:\WINDOWS\system32\svchost.exe"
----a-w            14,336 2004-08-04 12:00:00  C:\WINDOWS\system32\svchost.exe
-c--a-w            14,336 2004-08-04 12:00:00  C:\WINDOWS\system32\dllcache\svchost.exe

"C:\WINDOWS\system32\user32.dll"
----a-w           577,024 2005-03-02 18:19:56  C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
----a-w           578,048 2007-03-08 15:48:36  C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
-c----w           577,024 2004-08-04 12:00:00  C:\WINDOWS\$NtUninstallKB890859$\user32.dll
-c----w           577,024 2005-03-02 18:09:30  C:\WINDOWS\$NtUninstallKB925902$\user32.dll
----a-w           577,536 2007-03-08 15:36:28  C:\WINDOWS\system32\user32.dll
-c--a-w           577,536 2007-03-08 15:36:28  C:\WINDOWS\system32\dllcache\user32.dll

"C:\WINDOWS\system32\ws2_32.dll"
----a-w            82,944 2004-08-04 12:00:00  C:\WINDOWS\system32\ws2_32.dll
-c--a-w            82,944 2004-08-04 12:00:00  C:\WINDOWS\system32\dllcache\ws2_32.dll

"C:\WINDOWS\system32\winlogon.exe"
----a-w           502,272 2004-08-04 12:00:00  C:\WINDOWS\system32\winlogon.exe
-c--a-w           502,272 2004-08-04 12:00:00  C:\WINDOWS\system32\dllcache\winlogon.exe

"C:\WINDOWS\system32\drivers\ndis.sys"
-c--a-w           182,912 2004-08-04 12:00:00  C:\WINDOWS\system32\dllcache\ndis.sys
----a-w           182,912 2004-08-04 12:00:00  C:\WINDOWS\system32\drivers\ndis.sys

"C:\WINDOWS\system32\drivers\ip6fw.sys"
-c--a-w            29,056 2004-08-04 12:00:00  C:\WINDOWS\system32\dllcache\ip6fw.sys
----a-w            29,056 2004-08-04 12:00:00  C:\WINDOWS\system32\drivers\ip6fw.sys


jon01

  • Guest
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #9 on: February 20, 2008, 09:34:17 PM »
"C:\WINDOWS\system32\ntkrnlpa.exe"
----a-w         2,056,832 2005-03-02 00:36:40  C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
----a-w         2,059,392 2006-12-19 16:12:16  C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
----a-w         2,059,392 2007-02-28 09:15:56  C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
-c----w         2,056,832 2004-08-04 12:00:00  C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
-c----w         2,056,832 2005-03-02 00:34:40  C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
-c----w         2,057,600 2006-12-19 12:55:39  C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
------w         2,057,600 2007-02-28 08:38:55  C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
----a-w         2,057,600 2007-02-28 08:38:55  C:\WINDOWS\system32\ntkrnlpa.exe
-c----w         2,057,600 2007-02-28 08:38:55  C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

"C:\WINDOWS\system32\ntoskrnl.exe"
----a-w         2,179,456 2005-03-02 01:04:22  C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
----a-w         2,182,016 2006-12-19 16:51:12  C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
----a-w         2,182,144 2007-02-28 09:55:14  C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
-c----w         2,180,992 2004-08-04 12:00:00  C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
-c----w         2,179,328 2005-03-02 00:59:53  C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
-c----w         2,180,352 2006-12-19 14:17:19  C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
------w         2,180,352 2007-02-28 09:10:57  C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
----a-w         2,180,352 2007-02-28 09:10:57  C:\WINDOWS\system32\ntoskrnl.exe
-c----w         2,180,352 2007-02-28 09:10:57  C:\WINDOWS\system32\dllcache\ntoskrnl.exe

"C:\WINDOWS\explorer.exe"
----a-w         1,183,744 2007-06-13 10:23:07  C:\WINDOWS\explorer.exe
----a-w         1,033,216 2007-06-13 11:26:03  C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w         1,032,192 2004-08-04 12:00:00  C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
-c--a-w         1,183,744 2007-06-13 10:23:07  C:\WINDOWS\system32\dllcache\explorer.exe
----a-w         1,033,216 2007-06-13 10:23:07  C:\WINDOWS\XPize\Backup\explorer.exe
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 30208]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-02-26 14:07 160832]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-12-05 15:08 5724184]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 02:43 7397376]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 12:03 94208]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 09:37 28672 C:\WINDOWS\system32\nwtray.exe]
"NVHotkey"="nvHotkey.dll" [2006-01-19 02:43 73728 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2006-01-19 02:43 86016 C:\WINDOWS\system32\nvmctray.dll]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2006-09-27 22:38 304640]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 17:29 62976]
"HotSync"="C:\Program Files\PalmSource\Desktop\HotSync.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18 437160]

C:\Documents and Settings\jlooney\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
TrayIt!.lnk - C:\Program Files\trayit\trayit!.exe [2008-01-18 15:37:20 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe [2005-08-18 17:09:58 1388544]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-10-28 18:36:32 565309]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-22 12:43:20 671744]
Perstray.lnk - C:\Program Files\PerSono\PersTray.exe [2007-03-08 09:37:33 32768]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTServ]
C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll 2004-12-02 09:34 1404928 C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 nwv1_0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=C:\WINDOWS\pss\Launchy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jlooney^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\jlooney\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jlooney^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=C:\Documents and Settings\jlooney\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=C:\WINDOWS\pss\PdaNet Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jlooney^Start Menu^Programs^Startup^PdaReach Desktop.lnk]
path=C:\Documents and Settings\jlooney\Start Menu\Programs\Startup\PdaReach Desktop.lnk
backup=C:\WINDOWS\pss\PdaReach Desktop.lnkStartup

jon01

  • Guest
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #10 on: February 20, 2008, 09:35:58 PM »

[HKLM\~\startupfolder\C:^Documents and Settings^jlooney^Start Menu^Programs^Startup^Sonic INSTALLit! Setup.lnk]
path=C:\Documents and Settings\jlooney\Start Menu\Programs\Startup\Sonic INSTALLit! Setup.lnk
backup=C:\WINDOWS\pss\Sonic INSTALLit! Setup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2001-11-06 13:32 131072 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVEDESK]
--a------ 2005-10-25 23:44 1424896 C:\AveDesk13\AveDesk13\AVEDESK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 13:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-01-19 02:43 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime Alternative\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
C:\Program Files\Rainlendar2\Rainlendar2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 21:22]
R3 BULKUSB;Plantronics USB Bulk Driver;C:\WINDOWS\system32\Drivers\USBPLANT.sys [2002-10-09 15:26]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2004-06-23 16:10]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-06-23 16:09]
R3 LHidPPKE;Logitech SetPoint HID Function Driver;C:\WINDOWS\system32\DRIVERS\LHidPPKE.Sys [2004-04-13 12:44]
R3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 21:12]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2004-12-26 22:35]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 21:23]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;C:\WINDOWS\system32\wlanndi5.SYS [2004-04-21 17:51]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-06-23 16:09]
S3 BLKWGN;Belkin Wireless G Notebook Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGN.sys [2005-06-02 02:10]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS []
S3 Ich;Ich;C:\WINDOWS\system32\DRIVERS\Ich.sys [2002-01-13 16:25]
S3 PEEK5;PEEK5 Protocol Driver;C:\WINAIR~1\PEEK5.SYS [2005-11-12 11:00]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 16:05:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-20 16:17:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-18 16:30:13 C:\WINDOWS\Tasks\SyncBack Jon's Work Backup.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 11:14:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.exe [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~2\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2008-02-20 11:21:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-20 16:21:42
.
2008-02-20 14:20:48   --- E O F --- 

jon01

  • Guest
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #11 on: February 20, 2008, 09:43:12 PM »
My HijackThis log is split among the next posts...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:46, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~2\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\PerSono\PersTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\trayit\trayit!.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jlooney\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')


jon01

  • Guest
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #12 on: February 20, 2008, 09:43:37 PM »
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: TrayIt!.lnk = C:\Program Files\trayit\trayit!.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\PersTray.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab?v=13,0,1609,00
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172165311858
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172165422778
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host-d.oddcast.com/hostClientIE.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/install/crusher-us.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kedc.org
O17 - HKLM\Software\..\Telephony: DomainName = kedc.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kedc.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kedc.org
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 14210 bytes

jon01

  • Guest
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #13 on: February 20, 2008, 09:45:01 PM »
I appreciate any help that can be offered. 

I also have an install of kubuntu 7.10 on this machine, if it would help to try to clean from there.


essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Expertise required: Full post on the problem of "Avast is not a win32"
« Reply #14 on: February 20, 2008, 09:50:37 PM »
Quote
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
That is Beagle......................... gone  jon01

Now the best part of the day ----- Your log now appears clean  :thumbsup:

You may now delete combofix


Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done
Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?


Keep safe  :wave:
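The restore-point reset essexboy walks through above (create one clean point, then have Disk Cleanup delete all the older ones), scripted as an added example that is not code from the post or from Avast. It assumes Windows XP with PowerShell 2.0, an administrator prompt, and the XP System Restore client export SRRemoveRestorePoint in srclient.dll for deleting the old points.

```powershell
# Added example: scripted equivalent of the two GUI procedures above.
# Assumptions: Windows XP, PowerShell 2.0, elevated prompt, srclient.dll present.
Add-Type -Namespace Win32 -Name SystemRestore -MemberDefinition @'
[DllImport("srclient.dll", SetLastError = true)]
public static extern int SRRemoveRestorePoint(int dwRPNum);
'@

# Step 1: create the clean restore point (System Restore > Create a Restore Point > "Clean").
Checkpoint-Computer -Description "Clean" -RestorePointType "MODIFY_SETTINGS"

# Step 2: the point with the highest sequence number is the one just created; keep it.
$points = Get-ComputerRestorePoint | Sort-Object SequenceNumber
$keep   = $points | Select-Object -Last 1
Write-Host ("Keeping restore point {0} '{1}'" -f $keep.SequenceNumber, $keep.Description)

# Step 3: delete every older restore point, which is what Disk Cleanup's
# More Options > System Restore > Clean up does, so no infected point survives.
foreach ($rp in $points) {
    if ($rp.SequenceNumber -eq $keep.SequenceNumber) { continue }
    $rc = [Win32.SystemRestore]::SRRemoveRestorePoint([int]$rp.SequenceNumber)
    if ($rc -eq 0) {
        Write-Host ("Removed restore point {0} '{1}'" -f $rp.SequenceNumber, $rp.Description)
    } else {
        Write-Warning ("Could not remove restore point {0} (error {1})" -f $rp.SequenceNumber, $rc)
    }
}

# Verify: only the "Clean" point should remain in the list.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description -AutoSize
```

On Vista and later srclient.dll is gone and restore points live in VSS shadow copies, so this script is XP-only.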