Norton 2008 And Avg Not Valid Win32 App, Can't Re-install


  • This topic is locked
3 replies to this topic

#1 Frank74

Frank74

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 03 March 2008 - 04:46 PM

I've been infected with something that has me stumped.
I had Norton Internet Security 2008 installed and fully updated when it just stopped working. It showed the error about it not being a valid Win32 application. I tried reinstalling Norton but it won't reinstall; it just extracts to the temp directory but stops before running the setup. I then removed all Symantec software with the Norton_Removal_Tool.exe. Still couldn't reinstall Norton. Then tried installing Grisoft AVG; it installed but won't run, same error, invalid Win32 app.

Then I ran the Trend Micro online scan. It took over 5 hours and apparently it removed everything (I fell asleep). 2 vulnerabilities were detected, so I downloaded the fixes from Windows Update (WindowsXP-KB931784-x86-ENU and WindowsXP-KB890859-x86-ENU). They won't install. When running the updates, after extracting files completes, I get an 'Extraction Failed', file is corrupt, message box.

I've also tried System Restore, but it's not able to restore after rebooting. Safe Mode also goes to a blue screen, so I can't boot into Safe Mode either. I've removed all antivirus now and have to manually start Windows Firewall after booting Windows.

I have Windows XP Home Service Pack 2, (a packard bell version). Microsoft Windows Recovery Console is installed.

Can anyone please help me run internet security again?
And where/how do I get a HijackThis log?

Thanks.


#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:35 PM

Posted 03 March 2008 - 06:26 PM

Hi Frank74

I suggest you post a HijackThis log for examination.
A member of the HijackThis Team will walk you through, step by step, how to disinfect your computer.

Read the Preparation Guide before posting a HijackThis Log.
Please read and follow all directions carefully.

Run a log, and post it in the HijackThis Logs and Analysis forum.

Do not post it in this topic.
Do not fix anything yet.
A member of the HJT Team will help you out.
It may take a while to get a response from the HJT Team, because they are very busy. Please be patient, as these people are volunteers. They will help you as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.


If you haven't heard back from them in 5 days, go to this topic, Haven't Had A Reply In Five Days?, and carefully follow all directions.



#3 Frank74

Frank74
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 03 March 2008 - 06:33 PM

I think ComboFix might have fixed it. I ran Windows Update again and now there are no updates at all to install either, so I was already up to date.

Here is the log.
--------------

ComboFix 08-03-03.16 - Packard Bell 2008-03-03 22:20:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.458 [GMT 0:00]
Running from: D:\Documents and Settings\Packard Bell\Desktop\New-Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\10395906.exe
C:\WINDOWS\system32\drivers\down\1147625.exe
C:\WINDOWS\system32\drivers\down\1151968.exe
C:\WINDOWS\system32\drivers\down\1166265.exe
C:\WINDOWS\system32\drivers\down\1172859.exe
C:\WINDOWS\system32\drivers\down\1598703.exe
C:\WINDOWS\system32\drivers\down\1655328.exe
C:\WINDOWS\system32\drivers\down\1860156.exe
C:\WINDOWS\system32\drivers\down\2406296.exe
C:\WINDOWS\system32\drivers\down\2407093.exe
C:\WINDOWS\system32\drivers\down\2448343.exe
C:\WINDOWS\system32\drivers\down\25181140.exe
C:\WINDOWS\system32\drivers\down\25210296.exe
C:\WINDOWS\system32\drivers\down\25330812.exe
C:\WINDOWS\system32\drivers\down\25344281.exe
C:\WINDOWS\system32\drivers\down\25355031.exe
C:\WINDOWS\system32\drivers\down\27333062.exe
C:\WINDOWS\system32\drivers\down\27623406.exe
C:\WINDOWS\system32\drivers\down\28592218.exe
C:\WINDOWS\system32\drivers\down\28607609.exe
C:\WINDOWS\system32\drivers\down\2888921.exe
C:\WINDOWS\system32\drivers\down\29036875.exe
C:\WINDOWS\system32\drivers\down\3088562.exe
C:\WINDOWS\system32\drivers\down\5556515.exe
C:\WINDOWS\system32\drivers\down\6457546.exe
C:\WINDOWS\system32\drivers\down\6847046.exe
C:\WINDOWS\system32\drivers\down\6979796.exe
C:\WINDOWS\system32\drivers\down\6983734.exe
C:\WINDOWS\system32\drivers\down\7352468.exe
C:\WINDOWS\system32\drivers\down\8372984.exe
C:\WINDOWS\system32\drivers\down\8374265.exe
C:\WINDOWS\system32\drivers\down\8374531.exe
C:\WINDOWS\system32\drivers\down\9147718.exe
C:\WINDOWS\system32\drivers\down\9621078.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa


((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 20:55 . 2008-03-03 20:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avg7
2008-03-03 08:44 . 2004-08-04 14:00 388,608 --a------ C:\CF30020.exe
2008-03-03 06:37 . 2008-03-03 06:52 <DIR> d-------- D:\Documents and Settings\Packard Bell\.housecall6.6
2008-03-03 06:12 . 2008-03-03 06:12 6,098,160 --a------ C:\WindowsXP-KB890859-x86-ENU.exe
2008-03-03 06:12 . 2008-03-03 06:12 2,297,224 --a------ C:\WindowsXP-KB931784-x86-ENU.exe
2008-03-03 04:14 . 2008-03-03 04:14 71,665,576 --a------ C:\NIS081550.exe
2008-03-03 02:10 . 2008-01-05 19:51 64,408,448 --a------ C:\NIS081500.exe
2008-02-06 01:05 . 2008-02-06 01:05 <DIR> d-------- D:\Documents and Settings\Packard Bell\Application Data\TSO
2008-02-06 00:31 . 2008-02-06 00:31 <DIR> dr-h----- D:\Documents and Settings\Packard Bell\Application Data\SecuROM
2008-02-06 00:28 . 2008-02-06 00:29 <DIR> d-------- C:\Program Files\DSA Theory Test
2008-02-05 03:18 . 2008-02-05 03:18 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-02-05 03:16 . 2008-02-05 04:01 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-05 03:16 . 2008-02-05 04:01 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 10:51 --------- d-----w C:\Program Files\Project64_1.7_04
2008-03-03 08:07 --------- d-----w C:\Program Files\Kontiki
2008-03-03 03:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-03 03:23 --------- d-----w D:\Documents and Settings\All Users\Application Data\Symantec
2008-03-03 01:46 --------- d-----w C:\Program Files\TablEdit
2008-03-02 05:57 --------- d-----w C:\Program Files\BrainStimPro
2008-02-06 00:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 06:21 --------- d-----w D:\Documents and Settings\Packard Bell\Application Data\Ahead
2007-11-20 06:36 180 ----a-w D:\Documents and Settings\Packard Bell\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:54 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"SmpcSys"="C:\APPS\SMP\SMPSYS.EXE" [2005-11-17 09:51 975360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2007-01-25 09:54 154112]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-12-01 00:54 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=HookDLL.DLL
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.


[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 16:43 69632 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAP3ON]
--a------ 2002-07-18 15:00 22528 C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 10:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltTray]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DetectorApp]
--a------ 2005-10-20 06:15 102400 C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 14:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 05:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 11:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-06-01 16:22 7618560 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-06-01 16:22 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-01 16:22 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPass]
C:\Apps\Softex\OmniPass\scureapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2006-02-23 12:08 147456 c:\APPS\Powercinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 14:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 14:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-23 15:39 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-02-23 15:29 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-01-11 15:23 15961088 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
--------- 2005-11-17 09:51 975360 C:\APPS\SMP\SmpSys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2005-10-18 12:14 557056 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 10:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a------ 2006-05-24 18:31 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"omniserv"=2 (0x2)
"CyberLink Media Library Service"=2 (0x2)
"CLSched"=2 (0x2)
"CLCapSvc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"rpcapd"=3 (0x3)
"bgsvcgen"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Symantec RemoteAssist"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R1 FSLX;FSLX;C:\WINDOWS\system32\drivers\fslx.sys [2006-09-09 15:09]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;C:\WINDOWS\system32\DRIVERS\dvc325.sys []
S3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 12:52]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 17:04]
S4 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 03:20:59 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Packard Bell.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 22:24:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\vsmidi.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\vsmidi.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\vsmidi.dll
-> C:\Program Files\WinRAR\rarext.dll
-> C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
-> C:\PROGRA~1\STARDO~1\SDIEInt.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
.
**************************************************************************
.
Completion time: 2008-03-03 22:59:45 - machine was rebooted [Packard Bell]
ComboFix-quarantined-files.txt 2008-03-03 22:59:41
.
2008-02-13 03:03:50 --- E O F ---
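
The log above lists the registry loading points ComboFix found. The entries a responder would look at first are the Security Center values set to 1 (monitoring and antivirus notifications disabled, which hides a dead AV from the user) and the non-empty AppInit_DLLs value, which makes every process that maps user32.dll load the named DLL. The following Python script is an added example, not part of this thread and not ComboFix's own code. It walks the REGEDIT4-style "Reg Loading Points" section and flags those two classes of entry; the sample input is constructed from a handful of lines copied from the posted log, plus one benign Run entry for contrast. The flag names it checks are the documented XP Security Center values; the assumption that a ComboFix log always prints values as `"name"=data` is mine.

```python
import re
from typing import List, Tuple

# (registry key, value name, value data, reason)
Finding = Tuple[str, str, str, str]

# Value names under HKLM\SOFTWARE\Microsoft\Security Center that, when set
# to 1, silence or disable Security Center's monitoring of AV, firewall
# and automatic updates on Windows XP SP2.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify",
    "firewalldisablenotify",
    "updatesdisablenotify",
    "disablemonitoring",
}

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "name"=data (assumed ComboFix layout)

# Constructed sample: lines copied from the ComboFix log in this thread,
# with a benign Run entry (ctfmon.exe) included so the parser has something
# to leave alone.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2007-12-01 00:54 15360]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=HookDLL.DLL

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""


def review_reg_loading_points(log_text: str) -> List[Finding]:
    """Return the loading-point entries a responder should verify first.

    Only two rules are implemented here: Security Center flags set to 1,
    and a non-empty AppInit_DLLs value. Either is an indicator to investigate,
    not proof of infection; some legitimate security products set both.
    """
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        name, data = value_match.group(1), value_match.group(2).strip()

        if ("security center" in current_key.lower()
                and name.lower() in SECURITY_CENTER_FLAGS
                and data.lower().endswith("dword:00000001")):
            findings.append((current_key, name, data,
                             "Security Center monitoring/notification disabled; "
                             "verify the user did this deliberately"))
        elif name.lower() == "appinit_dlls" and data.strip('"') != "":
            findings.append((current_key, name, data,
                             "AppInit_DLLs is set: this DLL is loaded into every "
                             "process that maps user32.dll; verify the file"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in review_reg_loading_points(SAMPLE_LOG):
        print(f"[{key}]\n  {name} = {data}\n  -> {reason}")
```

Run against a full ComboFix log the function simply sees more sections; only lines of the form `"name"=data` inside a `[key]` block are examined, so the file-listing and driver sections are ignored.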

#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:35 PM

Posted 05 March 2008 - 07:29 AM

Please follow the instructions provided by Starbuck.



