Please help!

We have been using Avast at home for a long time and we enjoy this software (we have 5 kids and 8 PCs…).
For a few days now our HP Entertainment Center has been infected and reboots automatically after around 30 seconds with an RPC error from Avast.

Below is the Logfile of HijackThis v1.99.1

Could anyone help us solve this?
Thanks in advance.

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hldrrr.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\voipbuster.com\voipbuster\voipbuster.exe
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
C:\WINDOWS\system32\hldrrr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\wamp\wampserver.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\$NtUninstallKB912919$\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
c:\wamp\apache2\bin\Apache.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\apache2\bin\Apache.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Admin\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM..\Run: [SSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [VoipBuster] "C:\program files\voipbuster.com\voipbuster\voipbuster.exe" -nosplash -minimized
O4 - HKCU..\Run: [PPScheduler] C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
O4 - HKCU..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampserver.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165402554703
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll
O23 - Service: DirectX Service (DirectDatt) - Unknown owner - c:\windows\system32\directx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

Are you using Windows XP?
Can you boot in Safe Mode and schedule a boot-time scan?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select scanning of archives.
Boot.

Or just run:
C:\Program Files\ALWIL Software\Avast4\sched.exe /A:*

I also suggest that you

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Use a-squared, Free AVG Antispyware or SUPERantispyware (trojan removers).

You have cropped the headers of the HJT log; you should paste the complete log. The other and more concerning thing is that there aren't any O23 entries for avast, I can only see an entry for ashDisp.exe, the avast icon. I have to assume you have cropped those too?
For obvious reasons we need to see the complete log; if it is too big, paste the bottom half in a second post on the same topic.

The same is true of a firewall: if you are using XP's firewall, it doesn't provide outbound protection. Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third-party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

However, in the remnants of your log there are some entries that are obviously bad, which would suggest to me that you don't have an anti-adware or anti-spyware program installed.

O4 - HKLM..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
http://fileinfo.prevx.com/spyware/qqe21e23592428-HLDR16820740/HLDRRR.EXE.html

O23 - Service: DirectX Service (DirectDatt) - Unknown owner - c:\windows\system32\directx.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/directx/

Fix these and run HJT again, then paste the contents into this location: http://hijackthis.de/index.php, and check for any nasty, possibly nasty or unknown processes. Google the file names (that's what I did with the above) and confirm you know what they are, or upload them to the scanner, etc.

This one is considered nasty (C:\WINDOWS\system32\hldrrr.exe) but some Google search hits suggest not, so you can upload it for analysis (at the site) or submit it to one of the multi-engine scanners. You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner,
or Jotti - Multi engine on-line virus scanner.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-squared Free if using Win98/ME.
  2. Ad-Aware SE Personal Edition - Ad-Aware Product Comparison Chart http://www.lavasoft.de/download_and_buy/product_comparison_chart.php
  3. Spybot Search and Destroy
  4. SpywareBlaster. Don't install this until you are clean.

This running process might also be a problem

C:\WINDOWS\$NtUninstallKB912919$\IEXPLORE.EXE

Good catch, it certainly looks weird. Why would a supposed uninstall KB be running anything, much less something calling itself IEXPLORE.EXE (Internet Explorer), which for any running occurrence is normally in the "C:\Program Files\Internet Explorer" folder?

This is what that KB relates to, and it would have no business running iexplore.exe.

Microsoft Security Bulletin MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

Thanks a lot!
Following DavidR's and Tech's advice I removed hldrrr.exe and directx.exe with HijackThis (this software is really fantastic) and re-installed Avast.
Then I downloaded and installed SUPERantispyware, which found many other shits on my HD.

Again thanks for your time and consideration.
Long live Avast!

You're welcome, glad that we could help, and a belated welcome to the forums, Olivier.

Did you fix this one that mauserme mentioned, "C:\WINDOWS\$NtUninstallKB912919$\IEXPLORE.EXE"?

Hello David
For now I haven't yet removed what mauserme mentioned. Neither Avast! nor SUPERantispyware warned about this during the scan.
I analyzed my HijackThis log on www.hijackthis.de/en (I recommend that useful site for newbies like me…!) and it only suggested getting more information about the line.
In fact I am afraid of fixing it and corrupting my OS.
Do you think I can remove it with Hijackthis?

By the way, David, one of my sons would like to install XP Pro on a new partition in dual boot with XP.
I told him to be careful because Avast! may use the MBR.

What do you recommend? (and what boot loader?)

Thx in advance

The fact that neither has alerted on it is neither here nor there; the Mark One brain has alerted on it. mauserme was correct, this is very strange behaviour: there should be absolutely no need for an uninstall file to be running a program. The KB, as I mentioned, would also have no need to be running iexplore.exe, much less the uninstall file.

It is an uninstall file, and the only thing that happens if you get rid of it is that you can't uninstall that KB; for the most part this isn't a problem. I use a program specifically to remove old KB uninstall files after two months if I haven't experienced any problems with the KB security update.

There were numerous faked patches sent by email, and some people installed what they thought was a patch; who is to know whether it didn't also set up a fake uninstall?

No matter what the activity is highly suspicious. Your choice.

Sorry, I have never run a dual-boot system, but XP should have its own dual-boot support; you may need to do some searching.

Hi Olivier:

HijackThis logs are best analyzed by EXPERIENCED, trained, volunteer malware experts usually found on anti-spyware support forums; since the support forums at SUPERantispyware are NOT geared to this and you seem to have no other anti-spyware/anti-trojan program on your computer, I recommend the HijackThis forum at www.landzdown.com .

You come to this one a little late in the party to be sending someone to another site, Spiritsongs. Show us something which we haven't covered or got wrong, or advise Olivier here. Please don't drive people away; help them here.

Well put, David.

@Olivier_dunet

Unless you’ve done some special installation iexplore.exe should run from

c:\program files\internet explorer\

Instances running from another location are very suspicious, because of the file location and because a lot of malware uses this file name. It would at least be worth checking the file at Jotti or VirusTotal. David posted links above.
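DavidR's advice above (look up unfamiliar O4 Run entries and O23 services rather than trusting a scanner's silence) and mauserme's point about iexplore.exe running from the wrong folder can both be turned into a mechanical first pass over the log. The script below is an added example written for this page; it is not part of the thread and not a feature of HijackThis. It parses the three log sections the thread discusses (Running processes, O4 and O23) and flags the patterns the replies called out: a well-known executable name running outside its home folder, anything launched from a hotfix uninstall backup folder, one binary auto-started from both HKLM and HKCU, and a service with no vendor string whose binary sits directly in system32. The expected-directory table, the list of no-exec folders and the embedded log excerpt (a constructed subset of the log posted above, with the backslash before $NtUninstall restored) are assumptions of the example.

```python
"""Flag suspicious entries in a HijackThis v1.99 log (added example, not HJT's own code)."""
import ntpath
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (rule name, offending entry)

# Assumption: default Windows XP home folders for executable names that
# malware likes to borrow. Lower-cased, compared against ntpath.dirname().
EXPECTED_DIRS = {
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
}

# Assumption: folders from which nothing legitimately runs.
NO_EXEC_DIRS = [
    re.compile(r"\\\$ntuninstallkb\d+\$$"),  # hotfix uninstall backup folders
    re.compile(r"\\temp$"),                   # any ...\temp folder
]

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\.\.\\Run: \[([^\]]+)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def _exe_path(cmd: str) -> str:
    """Lower-cased executable path from a Run or Service command line."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r"(.*?\.exe)", cmd, re.I)          # stop at the first .exe
    first = cmd.split()[0] if cmd.split() else ""    # fallback: first token
    return (m.group(1) if m else first).lower()


def parse_log(text: str) -> Dict[str, list]:
    """Collect running processes, O4 Run entries and O23 services."""
    procs, runs, svcs = [], [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # block ends at the first blank line
            if not line:
                in_procs = False
            else:
                procs.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            runs.append((m.group(1), m.group(2), _exe_path(m.group(3))))
            continue
        m = O23_RE.match(line)
        if m:
            svcs.append((m.group(1), m.group(2), _exe_path(m.group(3))))
    return {"processes": procs, "run": runs, "services": svcs}


def check_processes(procs: List[str]) -> List[Finding]:
    """Known names outside their home folder, or anything in a no-exec folder."""
    out: List[Finding] = []
    for proc in procs:
        low = proc.lower()
        folder, name = ntpath.dirname(low), ntpath.basename(low)
        if name in EXPECTED_DIRS and folder not in EXPECTED_DIRS[name]:
            out.append(("wrong_location", proc))
        elif any(rx.search(folder) for rx in NO_EXEC_DIRS):
            out.append(("no_exec_dir", proc))
    return out


def check_run_entries(runs: List[Tuple[str, str, str]]) -> List[Finding]:
    """Same binary auto-started from both HKLM and HKCU."""
    hives: Dict[str, set] = {}
    for hive, _name, exe in runs:
        hives.setdefault(exe, set()).add(hive)
    return [("dual_hive_autorun", exe) for exe, h in hives.items() if h == {"HKLM", "HKCU"}]


def check_services(svcs: List[Tuple[str, str, str]]) -> List[Finding]:
    """Services with no vendor string whose binary sits directly in system32."""
    return [
        ("unowned_system32_service", f"{name} -> {exe}")
        for name, owner, exe in svcs
        if owner.lower() == "unknown owner" and ntpath.dirname(exe) == r"c:\windows\system32"
    ]


def analyze(log_text: str) -> List[Finding]:
    parsed = parse_log(log_text)
    return (check_processes(parsed["processes"])
            + check_run_entries(parsed["run"])
            + check_services(parsed["services"]))


# Constructed subset of the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\$NtUninstallKB912919$\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O23 - Service: DirectX Service (DirectDatt) - Unknown owner - c:\windows\system32\directx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
"""

if __name__ == "__main__":
    for rule, entry in analyze(SAMPLE_LOG):
        print(f"{rule:26} {entry}")
```

On the excerpt this reports exactly the three entries the thread settled on (the IEXPLORE.EXE in the $NtUninstall folder, hldrrr.exe registered in both hives, and the DirectDatt service) while staying quiet on the duplicate svchost.exe lines and the wampapache service. A hit is a reason to look the file up, as DavidR suggests, with a web search or a VirusTotal/Jotti submission, not a verdict on its own.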