
Can't install antivirus, gives Win32 error / Can't run HJT


  • This topic is locked
2 replies to this topic

#1 djfooroach


Posted 26 March 2009 - 10:37 PM

Hi guys, I've been getting one of those pop-ups that ask if you want to send Microsoft an error report, for 'Microsoft Windows Operating System'. My computer also asked me if I wanted to continue with an installation of 'ActivityMonitor', which I said no to. I immediately knew I had some type of infection, so I tried downloading AVG, SuperAntiSpyware and the Windows malware removal tool. All of these gave me an error message saying something like "Such and such app is not a valid Win32 application". When I try to run HJTInstall.Exe, I get "The app failed to initialize properly (0xc0000005)" error.


DDS (Ver_09-03-16.01) - NTFSx86
Run by alex at 22:26:01.26 on Thu 03/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.629 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe C:\WINDOWS\TEMP\VRT7.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\explorer.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
dRun: [reader_s] c:\documents and settings\alex\reader_s.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\c0uj1kdk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-9 64160]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-9 45132]
RUnknown protect;protect; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]

=============== Created Last 30 ================

2009-03-26 22:18 11,450,341 a------- c:\windows\services.exe
2009-03-26 22:18 37,376 a------- c:\windows\system32\reader_s.exe
2009-03-26 22:18 37,376 a------- c:\documents and settings\alex\reader_s.exe
2009-03-26 22:18 29,696 a------- c:\windows\system32\B.tmp
2009-03-26 22:18 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-03-26 22:18 64,000 a------- c:\windows\system32\i386kd.exe
2009-03-26 22:16 71,680 a------- c:\windows\system32\9.tmp
2009-03-26 22:16 124 a------- c:\windows\system32\8.tmp
2009-03-26 22:10 <DIR> a-dshr-- C:\cmdcons
2009-03-26 22:09 179,200 a------- c:\windows\SWREG.exe
2009-03-26 22:09 115,712 a------- c:\windows\sed.exe
2009-03-26 22:09 <DIR> --d----- C:\ComboFix
2009-03-26 22:07 124 a------- c:\windows\system32\4.tmp
2009-03-26 21:34 <DIR> --d----- c:\docume~1\alex\applic~1\Malwarebytes
2009-03-26 21:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-26 21:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 21:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 21:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-26 21:27 31,744 a------- c:\windows\system32\1E.tmp
2009-03-26 21:27 71,680 a------- c:\windows\system32\1C.tmp
2009-03-26 21:27 124 a------- c:\windows\system32\1B.tmp
2009-03-26 21:23 31,744 a------- c:\windows\system32\11.tmp
2009-03-26 20:19 <DIR> --d----- C:\jesi mp3 music
2009-03-26 20:14 71,680 a------- c:\windows\system32\16F.tmp
2009-03-26 20:14 124 a------- c:\windows\system32\16E.tmp
2009-03-26 18:48 0 a------- c:\windows\_id.dat
2009-03-26 18:48 128 a------- c:\windows\adobe.bat
2009-03-26 18:48 0 a------- c:\windows\system32\11F.tmp
2009-03-26 18:47 71,680 a------- c:\windows\system32\117.tmp
2009-03-26 18:47 124 a------- c:\windows\system32\116.tmp
2009-03-26 13:10 <DIR> --d----- c:\program files\Lame for Audacity
2009-03-26 13:10 <DIR> --d----- c:\program files\Audacity
2009-03-15 01:21 <DIR> --d----- c:\program files\CMUD
2009-03-13 16:15 <DIR> --d----- c:\program files\TransMac
2009-03-12 21:47 45,568 a----r-- c:\windows\system32\drivers\bcm4sbxp.sys
2009-03-12 21:46 <DIR> --d----- c:\program files\Broadcom
2009-03-10 23:38 <DIR> --d----- c:\docume~1\alex\applic~1\FrostWire
2009-03-10 23:37 <DIR> --d----- c:\program files\FrostWire
2009-03-10 23:05 13,646 a------- c:\windows\system32\wpa.bak
2009-03-09 13:07 <DIR> --d----- c:\docume~1\alex\applic~1\My Battle for Middle-earth™ II Files
2009-03-08 19:48 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-08 19:48 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-08 19:48 <DIR> --d----- c:\program files\Real Alternative
2009-03-07 15:36 <DIR> --d----- c:\program files\Astonsoft
2009-03-07 15:29 89,184 a------- c:\windows\system32\drivers\imagedrv.sys
2009-03-07 15:29 57,344 a------- c:\windows\system32\ImageDrive.cpl
2009-03-07 15:28 38,912 a------- c:\windows\system32\picn20.dll
2009-03-07 15:28 569,344 a------- c:\windows\system32\imagr5.dll
2009-03-07 15:28 544,768 a------- c:\windows\system32\imagx5.dll
2009-03-07 15:28 283,920 a------- c:\windows\system32\ImagXpr5.dll
2009-03-07 15:28 176,128 a------- c:\windows\system32\NeroCheck.exe
2009-03-06 11:56 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-04 10:42 438,272 a----r-- c:\windows\system32\vp6vfw.dll
2009-03-04 10:42 327,680 a------- c:\windows\system32\vp6dec.ax
2009-03-02 22:35 <DIR> --d----- C:\GTA San Andreas User Files
2009-03-02 19:22 <DIR> --d----- c:\program files\Rockstar Games
2009-02-27 19:13 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-02-27 19:13 53,248 a------- c:\windows\system32\CSVer.dll
2009-02-27 17:47 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-02-26 13:35 <DIR> --ds---- c:\documents and settings\alex\UserData
2009-02-26 04:16 268,648 a------- c:\windows\system32\mucltui.dll
2009-02-26 04:16 208,744 a------- c:\windows\system32\muweb.dll
2009-02-26 04:16 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-02-25 13:35 <DIR> --d----- c:\documents and settings\alex\Tracing
2009-02-25 13:34 <DIR> --d----- c:\program files\Microsoft
2009-02-25 13:34 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-02-25 10:36 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-03-26 21:38 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-26 18:48 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-20 14:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-19 20:19 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-02-19 20:19 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2009-02-12 20:42 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-02-09 20:54 397,312 a------- c:\windows\system32\AegisI5Installer.exe
2009-02-09 20:54 21,361 a------- c:\windows\system32\drivers\AegisP.sys
2009-02-09 20:54 21,361 a------- c:\windows\AegisP.sys
2009-02-09 19:10 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 19:07 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-09 18:36 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll

============= FINISH: 22:26:07.95 ===============


#2 SifuMike


Posted 29 March 2009 - 01:59 PM

Hello djfooroach,

I have some very bad news for you. :thumbup2:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, an expert in malware removal and an MS-MVP, also has a blog post about Virut.

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and restore them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows:

http://web.mit.edu/ist/products/winxp/adva...all-format.html

Edited by SifuMike, 29 March 2009 - 01:59 PM.

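The McAfee description quoted above (encrypted code appended to the last section of a PE file, with a polymorphic decryptor placed just before it, in code-section slack space, or over the original entry point) and the original poster's "not a valid Win32 application" errors both come down to what the PE headers of a touched file look like. The following Python triage script is an added example written for this page; it is not code from the thread, from McAfee, from AVG or from any of the tools mentioned. It parses a PE32 header and section table using only the standard library, flags indicators an appending file infector of this kind tends to leave (entry point relocated into the last section, last section both writable and executable, section data running past the end of the file, as in the "non-functional files" the post mentions), and raises ValueError for files that no longer parse as PE at all. The sample images are constructed in memory and are not real binaries. Two limits to keep in mind: the third decryptor placement (overwriting the original entry point) leaves the entry point RVA unchanged and is invisible to the entry-point check, and none of these indicators is a signature on its own; packed or self-modifying legitimate programs can trip them too.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse the parts of a PE32 image needed for triage: entry point RVA and
    the section table. Raises ValueError for anything that is not a PE32 file,
    the class of damage Windows reports as "not a valid Win32 application"."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 96 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "flags": flags})
    if not sections:
        raise ValueError("no sections")
    return {"entry": entry, "sections": sections}


def virut_indicators(data: bytes) -> list:
    """Heuristic indicators of an appending/EPO file infector. Triage hints only:
    not a Virut signature, and the placement that overwrites the original entry
    point leaves the entry RVA untouched, so the first check cannot see it."""
    pe = parse_pe(data)
    secs = pe["sections"]
    last = secs[-1]
    found = []

    def section_of(rva):
        for s in secs:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s
        return None

    ep = section_of(pe["entry"])
    if ep is None:
        found.append("entry point outside every section")
    elif ep is last and len(secs) > 1 and not last["name"].lower().startswith(".text"):
        found.append(f"entry point in last section {last['name']!r}")
    # Appended code that decrypts itself in place needs its section writable and executable.
    if last["flags"] & IMAGE_SCN_MEM_EXECUTE and last["flags"] & IMAGE_SCN_MEM_WRITE:
        found.append("last section is writable and executable")
    # A botched infection leaves the section table pointing past the end of the file.
    if last["rawptr"] + last["rawsize"] > len(data):
        found.append("last section extends beyond end of file")
    return found


def build_pe(sections, entry: int) -> bytes:
    """Construct a minimal PE32 image for demonstration (demo data, not a real program).
    sections: list of (name, virtual_address, characteristics, content)."""
    align = 0x200
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, align)       # FileAlignment
    hdr += opt
    raw = -(-(len(hdr) + 40 * len(sections)) // align) * align  # first raw data offset
    table, body = bytearray(), bytearray()
    for name, va, flags, content in sections:
        rawsize = -(-len(content) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), va,
                             rawsize, raw + len(body), 0, 0, 0, 0, flags)
        body += content.ljust(rawsize, b"\0")
    return bytes((hdr + table).ljust(raw, b"\0") + body)


# Constructed samples: a clean layout, one shaped like an appending infection,
# and a truncated copy of the latter (the "non-functional file" case).
CLEAN = build_pe([(b".text", 0x1000, 0x60000020, b"\xC3" * 16),
                  (b".data", 0x2000, 0xC0000040, b"\0" * 16)], entry=0x1000)
INFECTED = build_pe([(b".text", 0x1000, 0x60000020, b"\xC3" * 16),
                     (b".data", 0x2000, 0xE0000040, b"\0" * 16 + b"\xEB" * 32)], entry=0x2010)
BROKEN = INFECTED[:-0x100]

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED), ("broken", BROKEN)):
        print(label, virut_indicators(img))
```

Consistent with the advice in the post, a script like this belongs on a clean machine or boot medium pointed at a copy of the infected disk, not on the infected system itself, where the interpreter and every other executable it touches would be further infection targets. Its job is to decide which files are worth keeping or examining, not to clean anything.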

#3 SifuMike


Posted 11 April 2009 - 10:03 PM

Since your problem appears to be resolved, this thread will now be closed.
