Avast stopped working, virus?

system · August 22, 2007, 8:04pm

Part 2

2007-08-21 17:13 82,432 --a–c— C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-08-21 17:13 525,568 --a–c— C:\WINDOWS\system32\dllcache\tridxp.dll
2007-08-21 17:13 440,576 --a–c— C:\WINDOWS\system32\dllcache\tridkb.dll
2007-08-21 17:13 42,496 --a–c— C:\WINDOWS\system32\dllcache\tp4res.dll
2007-08-21 17:13 36,736 --a–c— C:\WINDOWS\system32\dllcache\ultra.sys
2007-08-21 17:13 34,375 --a–c— C:\WINDOWS\system32\dllcache\tpro4.sys
2007-08-21 17:13 315,520 --a–c— C:\WINDOWS\system32\dllcache\trid3d.dll
2007-08-21 17:13 222,336 --a–c— C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-08-21 17:13 216,064 --a–c— C:\WINDOWS\system32\dllcache\um34scan.dll
2007-08-21 17:13 211,968 --a–c— C:\WINDOWS\system32\dllcache\um54scan.dll
2007-08-21 17:13 166,784 --a–c— C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-08-21 17:13 159,232 --a–c— C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-08-21 17:13 11,520 --a–c— C:\WINDOWS\system32\dllcache\twotrack.sys
2007-08-21 17:12 81,408 --a–c— C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-08-21 17:12 4,992 --a–c— C:\WINDOWS\system32\dllcache\toside.sys
2007-08-21 17:12 37,961 --a–c— C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-08-21 17:12 31,744 --a–c— C:\WINDOWS\system32\dllcache\tp4.dll
2007-08-21 17:12 28,232 --a–c— C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-08-21 17:12 241,664 --a–c— C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-08-21 17:12 230,912 --a–c— C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-08-21 17:12 17,129 --a–c— C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-08-21 17:12 149,376 --a–c— C:\WINDOWS\system32\dllcache\tffsport.sys
2007-08-21 17:12 138,528 --a–c— C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-08-21 17:12 123,995 --a–c— C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-08-21 17:11 94,293 --a–c— C:\WINDOWS\system32\dllcache\sxports.dll
2007-08-21 17:11 7,040 --a–c— C:\WINDOWS\system32\dllcache\tandqic.sys
2007-08-21 17:11 53,760 --a–c— C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-08-21 17:11 36,640 --a–c— C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-08-21 17:11 32,640 --a–c— C:\WINDOWS\system32\dllcache\symc8xx.sys
2007-08-21 17:11 30,688 --a–c— C:\WINDOWS\system32\dllcache\sym_u3.sys
2007-08-21 17:11 30,464 --a–c— C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-08-21 17:11 3,968 --a–c— C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-08-21 17:11 28,384 --a–c— C:\WINDOWS\system32\dllcache\sym_hi.sys
2007-08-21 17:11 172,768 --a–c— C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-08-21 17:11 16,256 --a–c— C:\WINDOWS\system32\dllcache\symc810.sys
2007-08-21 17:11 103,936 --a–c— C:\WINDOWS\system32\dllcache\sx.sys
2007-08-21 17:11 10,240 --a–c— C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-08-21 17:11 10,240 --a–c— C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-08-21 17:10 99,328 --a–c— C:\WINDOWS\system32\dllcache\srusd.dll
2007-08-21 17:10 61,824 --a–c— C:\WINDOWS\system32\dllcache\speed.sys
2007-08-21 17:10 53,248 --a–c— C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-08-21 17:10 48,736 --a–c— C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-08-21 17:10 41,472 --a–c— C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-08-21 17:10 285,760 --a–c— C:\WINDOWS\system32\dllcache\stlnata.sys
2007-08-21 17:10 24,660 --a–c— C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-08-21 17:10 19,072 --a–c— C:\WINDOWS\system32\dllcache\sparrow.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 16:10 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-08-20 21:27 16490 --a------ C:\WINDOWS\pchealth\HelpCtr\PackageStore\SkuStore.bin
2007-08-20 21:26 8972 --a------ C:\WINDOWS\pchealth\HelpCtr\Config\Cntstore.bin
2007-08-20 00:24 --------- d-------- C:\Program Files\eMule
2007-07-27 16:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 16:02 94416 --a–c— C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 16:02 92848 --a–c— C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 16:00 23152 --a–c— C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 15:59 42912 --a–c— C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 15:58 26624 --a–c— C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 15:57 95608 --a–c— C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 19:51 --------- d-------- C:\DOCUME~1\Ben\APPLIC~1\Image Zone Express
2007-07-17 07:30 --------- d-------- C:\Program Files\Picasa2
2007-07-15 23:41 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-15 23:41 249856 --a------ C:\WINDOWS\Setup1.exe
2007-07-14 08:53 --------- d-------- C:\Program Files\Last.fm
2007-06-24 16:35 --------- d-------- C:\Program Files\RL-Software
2006-12-02 12:05 774144 --a–c— C:\Program Files\RngInterstitial.dll
2001-11-23 06:08 712704 --a–c— C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2005-05-13 23:12:00 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 17:13:58 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-07-14 18:31:20 27,648 -csha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 21:32:28 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06:54 163,328 -csha-r C:\WINDOWS\system32\flvDX.dll
2004-01-25 06:00:00 70,656 -csha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47:16 31,232 -csha-r C:\WINDOWS\system32\msfDX.dll
2005-02-28 19:16:22 240,128 -csha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 06:00:00 70,656 -csha-r C:\WINDOWS\system32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00]
“SiSUSBRG”=“C:\WINDOWS\sisUSBrg.exe” [2002-04-25 18:06]
“SiS KHooker”=“C:\WINDOWS\System32\khooker.exe” [2002-01-25 03:30]
“Cmaudio”=“cmicnfg.cpl”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-07-18 20:39]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 06:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
“NoResolveSearch”=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoBandCustomize”=0 (0x0)
“NoMovingBands”=0 (0x0)
“NoCloseDragDropBands”=0 (0x0)
“NoSetTaskbar”=0 (0x0)
“NoToolbarsOnTaskbar”=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

system · August 22, 2007, 8:05pm

part 3

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ben^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\Ben\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
“C:\Program Files\BearShare\BearShare.exe” /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
“C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\german.exe]
C:\WINDOWS\system32\wintems.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
“C:\Program Files\iTunes\iTunesHelper.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
“C:\Program Files\Messenger\msmsgs.exe” /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
“C:\Program Files\QuickTime\qttask.exe” -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
“C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
L"h’þ9Óœð3rÅ WC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
L"h’þ9Óœð3rÅ WC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
L"h’þ9Óœð3rÅ WC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
L"h’þ9Óœð3rÅ WC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\miftufo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“ShellHWDetection”=3 (0x3)

Contents of the ‘Scheduled Tasks’ folder
2007-08-09 04:40:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-22 19:42:16 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D432F9D3-12B8-43E7-97CB-0D48E3DE9774}.job - C:\WINDOWS\system32\msfeedssync.exe

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 13:49:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

Completion time: 2007-08-22 13:52:39
C:\ComboFix-quarantined-files.txt … 2007-08-22 13:52
C:\ComboFix2.txt … 2007-08-14 12:22

--- E O F ---

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:57:19 PM, on 22/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7

system · August 22, 2007, 8:06pm

part 4

c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187584452218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187584827515
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

system · August 22, 2007, 8:41pm

When you installed the OS did you use the key on the computer case or on the CD?

Try installing avast! again - I think there’s a good chance it will now. I’m at work and will sort through logs later on.

system · August 22, 2007, 9:31pm

I tried to install Avast again and it seems that no files were moved or renamed this time, but when I tried to open up the ashsimp2.exe application nothing happened.

When I installed XP on the computer, I had to use the key on the CD. The XP sticker key on the computer would not work. I think that is because we went from XP Home to XP Professional.
(I could not find anyone with copy of XP Home)

Lisandro · August 23, 2007, 1:46am

This is bad… but sorry, the thread has 9 pages now…
Did you have any other antivirus installed in this computer in the past?

system · August 23, 2007, 2:57am

I’m afraid that may be a bit of a problem. Microsoft goes to some lengths to prevent this from happening successfully.

Let’s continue cleaning for now - maybe oldman or Tech (sorry, no trademark) will give some thought to the Windows license problem while we’re doing this.

First upload this file to Virus Total and post the scan results

C:\WINDOWS\Setup1.exe

Now download ERUNT from here and back up your entire registry http://www.snapfiles.com/get/erunt.html

Having done that we will create a registry fix. Copy and paste ALL of the information below in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\sharedtools\msconfig\startupreg\german.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
L"h’þ9Óœð3rÅ WC:]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
L"h’þ9Óœð3rÅ WC:\Program Files]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
L"h’þ9Óœð3rÅ WC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³#
L"h’þ9Óœð3rÅ WC:\Program Files\ISTsvc\istsvc.exe]
“C:\WINDOWS\miftufo.exe”=-

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Next open HJT and click to Do a System Scan Only. When complete place a check next to these lines

[b]O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx[/b]

Close all other windows, including your browser, and click Fix Checked.

Sorry about removing Scrabble but, under the circumstances, I don’t see how we can trust it.

Now open OTMoveIt and paste in the following paths:

C:\windows\system32\german.exe C:\WINDOWS\ratmn.exe C:\Program Files\SCRABBLE C:\Program Files\Kyodai C:\DOCUME~1\Ben\APPLIC~1\GameHouse C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9 C:\WINDOWS\PIF C:\WINDOWS\miftufo.exe C:\Program Files\ISTsvc

This will remove some of the other game soft that downloaded with Scrabble, ratmn.exe, and c:\windows\pif that was created in the same moments as Scrabble and seems related to a mass mailing worm (I think you guys are just going to have to stick with board games in the future). BTW, some of these files will probably not be found - that’s OK.

After completing all of the above please give me fresh ComboFix and HJT logs.

EDIT: Take a look in c:\windows\system32\dllcache and see if there’s a copy of chkdsk.exe

system · August 23, 2007, 7:01am

Here is the Virus Total results

Now I will do the rest…(and yes, boardgames will be safer)

File Setup1.exe received on 08.23.2007 08:55:50 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information…
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.8.22.0 2007.08.23 -
AntiVir 7.4.1.63 2007.08.22 -
Authentium 4.93.8 2007.08.22 -
Avast 4.7.1029.0 2007.08.22 -
AVG 7.5.0.484 2007.08.22 -
BitDefender 7.2 2007.08.23 -
CAT-QuickHeal 9.00 2007.08.22 -
ClamAV 0.91 2007.08.22 -
DrWeb 4.33 2007.08.23 -
eSafe 7.0.15.0 2007.08.22 -
eTrust-Vet 31.1.5081 2007.08.23 -
Ewido 4.0 2007.08.22 -
FileAdvisor 1 2007.08.23 -
Fortinet 2.91.0.0 2007.08.23 -
F-Prot 4.3.2.48 2007.08.22 -
F-Secure 6.70.13030.0 2007.08.23 -
Ikarus T3.1.1.12 2007.08.23 -
Kaspersky 4.0.2.24 2007.08.23 -
McAfee 5103 2007.08.22 -
Microsoft 1.2803 2007.08.23 -
NOD32v2 2477 2007.08.23 -
Norman 5.80.02 2007.08.22 -
Panda 9.0.0.4 2007.08.23 -
Prevx1 V2 2007.08.23 -
Rising 19.37.31.00 2007.08.23 -
Sophos 4.20.0 2007.08.23 -
Sunbelt 2.2.907.0 2007.08.23 -
Symantec 10 2007.08.23 -
TheHacker 6.1.8.171 2007.08.23 -
VBA32 3.12.2.2 2007.08.22 -
VirusBuster 4.3.26:9 2007.08.22 -
Webwasher-Gateway 6.0.1 2007.08.23 -
Additional information
File size: 249856 bytes
MD5: b9917fc4c836776765e311fff84dd534
SHA1: 63cf6b3992f2058f6a5995293e1017627569f8b5

oldman960 · August 23, 2007, 7:01am

Well, I’m afraid I’m not a bearer of good news. You assumption that the key on the computer wouldn’t work is because the computer had home and the cd is pro is correct. The key doesn’t match the product.

As to not being able update, I would say the product key is already registered on another computer that doesn’t match the system you are trying to run it on now. Yeah, MS has tied the os to the system, you can make only gradual changes to the system over time before you have to call MS and have a new key issued. This applies to retail versions, oem’s are a totally different story. This info is just basic, there is a bit more to it then that.

After you reinstalled, did the os version change to pro? I see that ie downgraded from 7 to 6.

One thing to remember is that your licence is the key on the computer not the cd itself. So if you can find a retail home version cd you can copy it and use your key. Assuming of course that a retail version was origonally installed.

Tech may have more thoughts on this. For now keep the cleaning process going. I find it strange that chkdsk wasn’t replaced.

As for a format and reinstall, I think if you use the same cd and number that you already did, the results would be the same.

Hang in there, this isn’t over. ;D

system · August 23, 2007, 7:28am

Oldman,
Thanks, I kinda thought the same after my wife told me she had the XP home edition.
It did change to pro and IE changed from 7 to 6 (I think that may be the default for Pro)
Awhile back we upgraded to IE 7

I don’t think I will ever play scrabble again

system · August 23, 2007, 7:33am

EDIT: Take a look in c:\windows\system32\dllcache and see if there’s a copy of chkdsk.exe
[/quote]
Yes, there is a copy of chkdsk.exe in the c:\windows\system32\dllcache folder

system · August 23, 2007, 7:35am

Combo fix part 1

omboFix 07-08-14.4 - “Ben” 2007-08-23 1:26:15.3 - NTFS x86
C:\WINDOWS\system32\chkdsk.exe not present

((((((((((((((((((((((((( Files Created from 2007-07-23 to 2007-08-23 )))))))))))))))))))))))))))))))

2007-08-21 17:18 27,648 --a–c— C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-21 17:18 23,040 --a–c— C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-21 17:18 17,408 --a–c— C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-21 17:18 116,224 --a–c— C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-21 17:17 99,865 --a–c— C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-21 17:17 8,832 --a–c— C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-08-21 17:17 8,192 --a–c— C:\WINDOWS\system32\dllcache\wshirda.dll
2007-08-21 17:17 4,608 --a–c— C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-21 17:17 19,455 --a–c— C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-21 17:17 16,970 --a–c— C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-21 17:17 154,624 --a–c— C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-08-21 17:17 12,063 --a–c— C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-08-21 17:16 87,040 --a–c— C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-08-21 17:16 771,581 --a–c— C:\WINDOWS\system32\dllcache\winacisa.sys
2007-08-21 17:16 701,386 --a–c— C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-08-21 17:16 53,760 --a–c— C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-08-21 17:16 35,871 --a–c— C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-08-21 17:16 34,890 --a–c— C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-08-21 17:16 33,599 --a–c— C:\WINDOWS\system32\dllcache\watv04nt.sys
2007-08-21 17:16 31,744 --a–c— C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-08-21 17:16 29,311 --a–c— C:\WINDOWS\system32\dllcache\watv01nt.sys
2007-08-21 17:16 23,615 --a–c— C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-08-21 17:16 19,551 --a–c— C:\WINDOWS\system32\dllcache\watv02nt.sys
2007-08-21 17:16 19,016 --a–c— C:\WINDOWS\system32\dllcache\w926nd.sys
2007-08-21 17:16 16,925 --a–c— C:\WINDOWS\system32\dllcache\w940nd.sys
2007-08-21 17:16 12,415 --a–c— C:\WINDOWS\system32\dllcache\wadv01nt.sys
2007-08-21 17:16 12,127 --a–c— C:\WINDOWS\system32\dllcache\wadv02nt.sys
2007-08-21 17:16 11,775 --a–c— C:\WINDOWS\system32\dllcache\wadv05nt.sys
2007-08-21 17:15 765,884 --a–c— C:\WINDOWS\system32\dllcache\usrti.sys
2007-08-21 17:15 7,556 --a–c— C:\WINDOWS\system32\dllcache\usroslba.sys
2007-08-21 17:15 687,999 --a–c— C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-08-21 17:15 64,605 --a–c— C:\WINDOWS\system32\dllcache\vvoice.sys
2007-08-21 17:15 604,253 --a–c— C:\WINDOWS\system32\dllcache\vmodem.sys
2007-08-21 17:15 5,376 --a–c— C:\WINDOWS\system32\dllcache\viaide.sys
2007-08-21 17:15 397,502 --a–c— C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-08-21 17:15 249,402 --a–c— C:\WINDOWS\system32\dllcache\vinwm.sys
2007-08-21 17:15 24,576 --a–c— C:\WINDOWS\system32\dllcache\viairda.sys
2007-08-21 17:15 19,528 --a–c— C:\WINDOWS\system32\dllcache\w840nd.sys
2007-08-21 17:15 113,762 --a–c— C:\WINDOWS\system32\dllcache\usrpda.sys
2007-08-21 17:14 94,720 --a–c— C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-08-21 17:14 794,654 --a–c— C:\WINDOWS\system32\dllcache\usr1801.sys
2007-08-21 17:14 794,399 --a–c— C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-08-21 17:14 793,598 --a–c— C:\WINDOWS\system32\dllcache\usr1806.sys
2007-08-21 17:14 69,632 --a–c— C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-08-21 17:14 50,688 --a–c— C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-08-21 17:14 50,176 --a–c— C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-08-21 17:14 47,616 --a–c— C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-08-21 17:14 32,384 --a–c— C:\WINDOWS\system32\dllcache\usb101et.sys
2007-08-21 17:14 28,160 --a–c— C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-08-21 17:14 26,624 --a–c— C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-08-21 17:14 25,600 --a–c— C:\WINDOWS\system32\dllcache\usbser.sys
2007-08-21 17:14 224,802 --a–c— C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-08-21 17:14 22,912 --a–c— C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-08-21 17:14 20,480 --a–c— C:\WINDOWS\system32\dllcache\usbuhci.sys
2007-08-21 17:13 82,432 --a–c— C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-08-21 17:13 525,568 --a–c— C:\WINDOWS\system32\dllcache\tridxp.dll
2007-08-21 17:13 440,576 --a–c— C:\WINDOWS\system32\dllcache\tridkb.dll
2007-08-21 17:13 42,496 --a–c— C:\WINDOWS\system32\dllcache\tp4res.dll
2007-08-21 17:13 36,736 --a–c— C:\WINDOWS\system32\dllcache\ultra.sys
2007-08-21 17:13 34,375 --a–c— C:\WINDOWS\system32\dllcache\tpro4.sys
2007-08-21 17:13 315,520 --a–c— C:\WINDOWS\system32\dllcache\trid3d.dll
2007-08-21 17:13 222,336 --a–c— C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-08-21 17:13 216,064 --a–c— C:\WINDOWS\system32\dllcache\um34scan.dll
2007-08-21 17:13 211,968 --a–c— C:\WINDOWS\system32\dllcache\um54scan.dll
2007-08-21 17:13 166,784 --a–c— C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-08-21 17:13 159,232 --a–c— C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-08-21 17:13 11,520 --a–c— C:\WINDOWS\system32\dllcache\twotrack.sys
2007-08-21 17:12 81,408 --a–c— C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-08-21 17:12 4,992 --a–c— C:\WINDOWS\system32\dllcache\toside.sys
2007-08-21 17:12 37,961 --a–c— C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-08-21 17:12 31,744 --a–c— C:\WINDOWS\system32\dllcache\tp4.dll
2007-08-21 17:12 28,232 --a–c— C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-08-21 17:12 241,664 --a–c— C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-08-21 17:12 230,912 --a–c— C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-08-21 17:12 17,129 --a–c— C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-08-21 17:12 149,376 --a–c— C:\WINDOWS\system32\dllcache\tffsport.sys
2007-08-21 17:12 138,528 --a–c— C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-08-21 17:12 123,995 --a–c— C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-08-21 17:11 94,293 --a–c— C:\WINDOWS\system32\dllcache\sxports.dll
2007-08-21 17:11 7,040 --a–c— C:\WINDOWS\system32\dllcache\tandqic.sys
2007-08-21 17:11 53,760 --a–c— C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-08-21 17:11 36,640 --a–c— C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-08-21 17:11 32,640 --a–c— C:\WINDOWS\system32\dllcache\symc8xx.sys
2007-08-21 17:11 30,688 --a–c— C:\WINDOWS\system32\dllcache\sym_u3.sys
2007-08-21 17:11 30,464 --a–c— C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-08-21 17:11 3,968 --a–c— C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-08-21 17:11 28,384 --a–c— C:\WINDOWS\system32\dllcache\sym_hi.sys
2007-08-21 17:11 172,768 --a–c— C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-08-21 17:11 16,256 --a–c— C:\WINDOWS\system32\dllcache\symc810.sys
2007-08-21 17:11 103,936 --a–c— C:\WINDOWS\system32\dllcache\sx.sys
2007-08-21 17:11 10,240 --a–c— C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-08-21 17:11 10,240 --a–c— C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-08-21 17:10 99,328 --a–c— C:\WINDOWS\system32\dllcache\srusd.dll
2007-08-21 17:10 61,824 --a–c— C:\WINDOWS\system32\dllcache\speed.sys
2007-08-21 17:10 53,248 --a–c— C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-08-21 17:10 48,736 --a–c— C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-08-21 17:10 41,472 --a–c— C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-08-21 17:10 285,760 --a–c— C:\WINDOWS\system32\dllcache\stlnata.sys
2007-08-21 17:10 24,660 --a–c— C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-08-21 17:10 19,072 --a–c— C:\WINDOWS\system32\dllcache\sparrow.sys

system · August 23, 2007, 7:37am

Combo fix part 2

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 16:10 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-08-20 21:27 16490 --a------ C:\WINDOWS\pchealth\HelpCtr\PackageStore\SkuStore.bin
2007-08-20 21:26 8972 --a------ C:\WINDOWS\pchealth\HelpCtr\Config\Cntstore.bin
2007-08-20 00:24 --------- d-------- C:\Program Files\eMule
2007-07-27 16:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 16:02 94416 --a–c— C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 16:02 92848 --a–c— C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 16:00 23152 --a–c— C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 15:59 42912 --a–c— C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 15:58 26624 --a–c— C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 15:57 95608 --a–c— C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 19:51 --------- d-------- C:\DOCUME~1\Ben\APPLIC~1\Image Zone Express
2007-07-17 07:30 --------- d-------- C:\Program Files\Picasa2
2007-07-15 23:41 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-15 23:41 249856 --a------ C:\WINDOWS\Setup1.exe
2007-07-14 08:53 --------- d-------- C:\Program Files\Last.fm
2007-06-24 16:35 --------- d-------- C:\Program Files\RL-Software
2006-12-02 12:05 774144 --a–c— C:\Program Files\RngInterstitial.dll
2001-11-23 06:08 712704 --a–c— C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2005-05-13 23:12:00 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 17:13:58 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-07-14 18:31:20 27,648 -csha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 21:32:28 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06:54 163,328 -csha-r C:\WINDOWS\system32\flvDX.dll
2004-01-25 06:00:00 70,656 -csha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47:16 31,232 -csha-r C:\WINDOWS\system32\msfDX.dll
2005-02-28 19:16:22 240,128 -csha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 06:00:00 70,656 -csha-r C:\WINDOWS\system32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00]
“SiSUSBRG”=“C:\WINDOWS\sisUSBrg.exe” [2002-04-25 18:06]
“SiS KHooker”=“C:\WINDOWS\System32\khooker.exe” [2002-01-25 03:30]
“Cmaudio”=“cmicnfg.cpl”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-07-27 16:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-07-18 20:39]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 06:00]

C:\Documents and Settings\Ben\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]