Author Topic: Avast installation corrupted Windows XP  (Read 6463 times)


tatobo

  • Guest
Avast installation corrupted Windows XP
« on: February 24, 2008, 02:31:49 AM »
Can someone please help this newbie? (New to this forum, not to computers) I suspected malware on my pc, uninstalled AVG and SpySweeper and installed Avast. At the initial boot scan the following were found and put in the chest:

File C:\Documents and Settings\Kian\Local Settings\Temp\D371.tmp is infected by Win32:Trojan-gen {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\Documents and Settings\Kian\Local Settings\Temp\ismupd1.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP22\A0001688.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\WINDOWS\system32\rpcrt3.dll is infected by Win32:Agent-QMC [trj], Moved to chest

Now Windows is corrupted: most services are stopped and can't be started manually, I can't copy/paste anything except text files like the one above, Word and Excel report problems, Windows Explorer has issues, system restore won't work, I have no access to my other computer via LAN even though I can access the Internet, etc., etc. Avast itself seems to have issues: I can't open the chest to restore the files because the RPC service is stopped, and I can't start it from the control panel. I still have SuperAntispyware on my pc, but it doesn't seem to be running, and Windows won't let me uninstall it anyway.

I checked previous posts and found something similar, but the lucky guy was able to copy/paste with a flash drive and move the chest files to another pc, which I'm not able to do (copy/paste won't work). Can anyone help me restore whatever was removed or corrupted during the installation? Thanks so much! (I can provide a HJT log if that will help.)

CharleyO

  • Guest
Re: Avast installation corrupted Windows XP
« Reply #1 on: February 24, 2008, 09:56:43 AM »
***

Yes, please post a HJT log.


***

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast installation corrupted Windows XP
« Reply #2 on: February 24, 2008, 02:20:06 PM »
Avast itself seems to have issues: I can't open the chest to restore the files because the RPC service is stopped, and I can't start it from the control panel.
Some infections could do it... and avast can't cure itself (yet).

I still have SuperAntispyware on my pc, but it doesn't seem to be running, and Windows won't let me uninstall it anyway.
Can you run it?

I suggest a full computer on-line scanning:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)
The best things in life are free.

tatobo

  • Guest
Re: Avast installation corrupted Windows XP
« Reply #3 on: February 24, 2008, 02:48:55 PM »
Thanks for the replies, the HJT log is below. My main concern is to get the computer functional again so that I can back everything up in case I have to do a complete reinstall of Windows. I'll try the suggested scans also.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:48 AM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\DOCUME~1\Kian\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-21-2266075044-3135658891-929149217-1005\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User '?')
O4 - HKUS\S-1-5-21-2266075044-3135658891-929149217-1005\..\Run: [SetDefaultMIDI] MIDIDef.exe (User '?')
O4 - HKUS\S-1-5-21-2266075044-3135658891-929149217-1005\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://msx.mlxchange.com/Control/FileCruiser.cab
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://msx.mlxchange.com/Control/Specfile.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://msx.mlxchange.com/Control/SISC.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://msx.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://msx.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://msx.mlxchange.com/Control/LiteGrid.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://msx.mlxchange.com/4.2.04.18/Control/IRCSharc.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://msx.mlxchange.com/Control/AspCustomCtrls.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B60D2BCA-61F6-49F4-A4B6-881AEFF7ED13}: NameServer = 68.87.64.146,68.87.75.194
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Documents and Settings\Kian\My Documents\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 8547 bytes

tatobo

  • Guest
Re: Avast installation corrupted Windows XP
« Reply #4 on: February 26, 2008, 03:29:23 AM »
Update: Ran SUPERAntiSpyware, all it found was a bunch of cookies. Cannot run Kaspersky or any other online scan--the corrupted system will not allow me to perform certain Internet functions. Downloaded free trial of Kaspersky, but it warns that all other AV programs should be removed first.

Question: did running Avast place a needed system file in the chest that will be erased forever if I uninstall Avast? Any insights on my HJT log? Thanks!
« Last Edit: February 26, 2008, 03:41:44 AM by tatobo »

CharleyO

  • Guest
Re: Avast installation corrupted Windows XP
« Reply #5 on: February 26, 2008, 08:33:26 AM »
***

I see nothing obviously wrong in your HJT log but I am no expert.

Hopefully, someone who is will jump in and offer another opinion.


***

Offline TedNelly

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1538
  • Trust No-One!
Re: Avast installation corrupted Windows XP
« Reply #6 on: February 26, 2008, 08:45:25 AM »
Like CharleyO, I'm no HJT expert; however, just a couple of things:
Are you using a firewall?
The Sun Java version should be jre1.6.0_04; your version is jre1.6.0_03. Uninstall all older versions of Sun Java via Control Panel before updating.
« Last Edit: February 26, 2008, 08:55:52 AM by tednelly »
Windows 10 Pro | Intel I7 CPU | 16 Gig 2133 RAM | Avast beta 17.5.2295 | Firefox 54 b9(64-bit) | Cyberfox 52.1 | T-Bird 52.1.1 | SpyWareBlaster 5.5 | MalwareBytes 3.0.0.865 | WinPatrol 35.5.2 | GlassWire 1.2.100 | Cybereason Ransomfree 2.2.7 |  Pulla-dePlug Final!

MauriceW

  • Guest
Re: Avast installation corrupted Windows XP
« Reply #7 on: February 27, 2008, 02:19:52 AM »
tatobo,
Bad luck - I doubt that your problems come from the avast! installation.

I'm not an HJT expert, but I noted the presence of %system%\rpcrt3.dll.
This is not in my XP Pro SP2 %system%.

Googling for "rpcrt3.dll" produces many hits, e.g.:
1) "Rpcrt3.dll is Trojan/Backdoor" from
http://greatis.com/appdata/d/r/rpcrt3.dll_Removal.htm

See also at Sophos.com
http://www.sophos.com/security/analyses/trojbuzzita.html
and
http://www.sophos.com/security/analyses/trojbuzzitb.html

You should be able to get advice from these.

It may be wise to reboot into Safe Mode.

Hope this helps.

Maurice

P.S. If you are brave,
you could try searching the registry for "rpcrt3.dll"
and, after backing up any keys found to, say, a floppy disc,
deleting ONLY them.
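
A small triage helper for lines like the ones in the scan report and HJT log above (an added example, not part of this thread or of HijackThis itself). It assumes a hand-picked baseline of legitimate Windows module names and flags three things: autostarts launched from a Temp folder, Winsock LSPs that HijackThis cannot attribute, and system32 file names one character away from a real module, which is how rpcrt3.dll stands out beside the genuine rpcrt4.dll.

```python
import re

# Assumed baseline of legitimate Windows module names that malware likes to
# imitate by changing one character (rpcrt4.dll is the real RPC runtime DLL).
# This list belongs to the example, not to the thread.
KNOWN_SYSTEM_MODULES = {"rpcrt4.dll", "rpcss.dll", "ntdll.dll", "svchost.exe", "lsass.exe"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_line(line):
    """Return the reasons a HijackThis or scan-report line deserves a closer look."""
    reasons = []
    low = line.lower()
    # O10: an LSP that HijackThis cannot attribute sits in every socket's data path
    if low.startswith("o10 - unknown file in winsock lsp"):
        reasons.append("unknown LSP")
    # O4/O23: legitimate autostarts and services do not run out of a Temp folder
    if re.match(r"o(4|23) ", low) and re.search(r"\\temp\\", low):
        reasons.append("autostart from Temp")
    # Anything in system32 whose name is exactly one edit away from a real module
    for name in re.findall(r"\\system32\\([^\\\s\"]+\.(?:dll|exe))", low):
        for known in sorted(KNOWN_SYSTEM_MODULES):
            if name != known and edit_distance(name, known) == 1:
                reasons.append(f"{name} looks like {known}")
    return reasons

def triage(lines):
    """Map each suspicious line to its reasons; clean lines are left out."""
    return {line: triage_line(line) for line in lines if triage_line(line)}

# Constructed sample: one line from the avast! boot-scan report in the thread,
# one O10 line from the HJT log, one benign O23 line, and a made-up O4 entry
# pointing at the Temp-folder executable the scan reported.
SAMPLE_LINES = [
    r"File C:\WINDOWS\system32\rpcrt3.dll is infected by Win32:Agent-QMC [trj], Moved to chest",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O4 - HKLM\..\Run: [ismupd] C:\Documents and Settings\Kian\Local Settings\Temp\ismupd1.exe",
]

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LINES).items():
        print("; ".join(why), "<-", line)
```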

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: Avast installation corrupted Windows XP
« Reply #8 on: February 27, 2008, 06:06:49 AM »
Have you tried to run System Restore to a restore point before all this happened?
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!