Is not a valid Win32 application

Solved
Thibaut -  
 Anonymous user -
Hello,

For some time now, I've been having problems related to "Win32".

Indeed, when I try to launch an .exe application, I get an error message saying "program_name is not a valid Win32 application".

I’ve done some research, first checking whether the application was compatible with my operating system (Windows Vista Premium Edition).

I then looked at the website commentcamarche.net, particularly the section dedicated to this issue (https://www.commentcamarche.net/faq/6845-exe-n-est-pas-une-application-win32-valide).
I tried the various solutions proposed there.

Nothing works; I still have the same problem.

I've also noticed a troubling fact: each USB drive connected to my PC gets infected by a virus.

However, my antivirus (Avast), which is regularly updated, does not detect any viruses (I performed a full scan of my entire hard drive).

I thought it might be the "Beagle" virus and took corrective action with the second solution proposed on the commentcamarche.net site titled "Combofix".

It cleared up some space on my hard drive and created a nice little report that I don't understand, but in no case is my problem resolved.

Is it worth trying the other solutions?
Knowing that I cannot download any applications due to my problem.

Do you have a solution to propose??

Thank you for your help

PS: if needed, I can send the report from the file created by Combofix.

Best regards.
Configuration: Windows Vista Firefox 3.0.14

13 replies

Anonymous user
 
diagnostic? good....;)

Print these instructions because you will need to close all windows and applications during the installation and analysis.

▶ Download:

Malwarebytes

or:

Malwarebytes

▶ Install it (make sure to select "French"; do not change the installation settings) and update it.

(Note: If you receive an error message indicating that "COMCTL32.OCX" is missing during installation, download it here: COMCTL32.OCX)

▶ Check out the Tutorial to familiarize yourself with the program:

(that said, it is very easy to use).

Restart Malwarebytes by strictly following these instructions:

! Disconnect and close all running applications!

▶ Launch Malwarebytes.

Perform a "Complete" scan.

▶ Let the program work (and do not use the PC for anything else during the scan).
▶ At the end click on "results."

▶ Make sure all infected objects are checked, then click on "remove."

Note: if you need to restart your PC to complete the cleanup, do it!

Post the saved report after removing the infected objects (in the "report/log" tab of Malwarebytes, the most recent one)

--
♦G3и-н@¢км@и™©®♦
1
Thibaut
 
Malwarebytes worked well, it found an infected file

Thank you for the disinfection process.

Here is the report:

Malwarebytes' Anti-Malware 1.41
Database version: 3238
Windows 6.0.6000

11/26/2009 8:22:05 PM
mbam-log-2009-11-26 (20-22-05).txt

Scan type: Full scan (C:\|D:\|H:\|I:\|)
Items scanned: 382996
Elapsed time: 1 hour(s), 22 minute(s), 3 second(s)

Infected memory process(es): 0
Infected memory module(s): 0
Infected Registry key(s): 0
Infected Registry value(s): 0
Infected Registry data item(s): 0
Infected folder(s): 1
Infected file(s): 0

Infected memory process(es):
(No harmful item detected)

Infected memory module(s):
(No harmful item detected)

Infected Registry key(s):
(No harmful item detected)

Infected Registry value(s):
(No harmful item detected)

Infected Registry data item(s):
(No harmful item detected)

Infected folder(s):
C:\Program Files\DivoCodec (Trojan.Downloader) -> Quarantined and deleted successfully.

Infected file(s):
(No harmful item detected)
0
Anonymous user
 
don't mess with the pros!!!

########### [ Option 1 ( Search ) ]

▶ Download FindyKill by Chiquitine29 to your desktop:

https://www.commentcamarche.net/telecharger/securite/2759-adwcleaner/

! Log out and close all running applications!

▶ Double click (right-click "run as administrator" for Vista) on "FindyKill.exe" to start the installation and leave the default installation settings.

▶ Connect your external data sources to your PC, (USB stick, external hard drive, etc...)

▶ Double-click (right-click "run as administrator" for Vista) on the FindyKill shortcut on your desktop to launch the tool.

▶ In the main menu, choose option "F" for French and press [enter].

▶ In the second menu, choose option "1" (search) and press [enter]

▶ Let the tool do its job and do not touch anything ...

▶ Post the report that appears at the end on the forum ...

( the report is also saved under C:\FindyKill.txt )
( CTRL+A to select all, CTRL+C to copy and CTRL+V to paste )

--
♦G3и-н@¢км@и™©®♦
0
Thibaut
 
Oki doki

Here it is done.

Below is the report.

Thank you for the analysis :


############################## | FindyKill V5.019 |

# User : Thibaut (Administrators) # PC-DE-THIBAUT
# Update on 16/11/2009 by Chiquitine29
# Start at: 14:50:06 | 26/11/2009
# Website : http://pagesperso-orange.fr/NosTools/index.html
# Contact : FindyKill.Contact@gmail.com

# Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
# Microsoft® Windows Vista™ Home Premium Edition (6.0.6000 32-bit) #
# Internet Explorer 7.0.6000.16916
# Windows Firewall Status : Enabled
# AV : AVG 7.5.552 7.5.552 [ Enabled | Updated ]
# AV : avast! antivirus 4.8.1351 [VPS 091126-0] 4.8.1351 [ Enabled | Updated ]

# A:\ # 3.5-inch Floppy Disk Drive # 1.39 Mo (0.58 Mo free) # FAT
# C:\ # Local Hard Disk # 30 Go (1.55 Go free) [System] # NTFS
# D:\ # Local Hard Disk # 117.04 Go (45.99 Go free) [Data] # NTFS
# E:\ # CD-ROM Drive
# F:\ # Removable Disk
# G:\ # CD-ROM Drive
# H:\ # Removable Disk # 981.72 Mo (286.34 Mo free) [KRYSTEL] # FAT
# I:\ # Removable Disk # 977.47 Mo (961.02 Mo free) [CLÉ TIBO] # FAT

############################## | Active Processes |

C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
D:\annex programs\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Option\GlobeTrotter Connect\GtFix.exe
D:\webserver\bin\win32\matlabserver.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
d:\bin\win32\matlab.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Launch Manager\WisLMSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\wbem\wmiprvse.exe

################## | C: |


################## | C:\Windows |


################## | C:\Windows\system32 |


################## | C:\Windows\system32\drivers |


################## | C:\Users\Thibaut\AppData\Roaming |


################## | Other detections ... |

################## | Temporary Internet Files |


################## | Registry / Infectious Keys |

Present! [HKLM\software\microsoft\security center] "AntiVirusDisableNotify"
Present! [HKLM\software\microsoft\security center] "FirewallDisableNotify"
Present! [HKLM\software\microsoft\security center] "UpdatesDisableNotify"
Present! [HKLM\software\microsoft\security center\Svc] "AntiVirusOverride"
Present! [HKLM\software\microsoft\security center\Svc] "FirewallOverride"
Present! [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools"

################## | State / Services / Information |

# Display hidden files : OK

# Safe mode : OK

# Uac : OK

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 3 ( Good = 2 | Bad = 4 )
# Wlansvc -> Start = 2 ( Good = 2 | Bad = 4 )
# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )
# windefend -> Start = 2 ( Good = 2 | Bad = 4 )
# wuauserv -> Start = 2 ( Good = 2 | Bad = 4 )
# wscsvc -> Start = 2 ( Good = 2 | Bad = 4 )


################## | Cracks / Keygens / Serials |

"D:\Thibaut\Desktop\keygen.exe"
03/06/2009 05:14 |Size 97792 |Crc32 cbdbec12 |Md5 55e05cdb1a6f8fb7110eb000ea38e564


################## | ! End of report # FindyKill V5.019 ! |
0
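The "Registry / Infectious Keys" and "State / Services / Information" sections of the report above are the parts a defender actually acts on: the Security Center "DisableNotify" and "Override" values silence the alerts Windows would otherwise raise about a disabled antivirus or firewall, "DisableRegistryTools" keeps the user out of regedit, and a service whose Start value equals the report's "Bad" value (4 = disabled) has been switched off. The following Python script is an added example, not code from the original thread or from FindyKill; it parses lines in the exact format shown in the report and flags those entries. The sample report is copied from the post above plus one constructed line (wscsvc with Start = 4) to exercise the disabled-service case.

```python
import re
from dataclasses import dataclass
from typing import List

# What each value seen in the "Registry / Infectious Keys" section does.
# Malware sets them so Security Center stays quiet about a disabled antivirus
# or firewall, and so the user cannot open regedit to undo the change.
KNOWN_VALUES = {
    "AntiVirusDisableNotify": "suppresses the Security Center 'antivirus off' alert",
    "FirewallDisableNotify": "suppresses the Security Center 'firewall off' alert",
    "UpdatesDisableNotify": "suppresses the Security Center 'updates off' alert",
    "AntiVirusOverride": "tells Security Center to stop monitoring antivirus status",
    "FirewallOverride": "tells Security Center to stop monitoring firewall status",
    "DisableRegistryTools": "prevents the user from running regedit",
}

# Windows service start types as stored in the service's Start value.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

PRESENT_RE = re.compile(r'^Present!\s+\[(?P<key>[^\]]+)\]\s+"(?P<value>[^"]+)"')
SERVICE_RE = re.compile(
    r"^#\s+(?P<svc>\S+)\s+->\s+Start\s*=\s*(?P<start>\d+)"
    r"\s+\(\s*Good\s*=\s*(?P<good>\d+)\s*\|\s*Bad\s*=\s*(?P<bad>\d+)\s*\)"
)


@dataclass
class Finding:
    kind: str    # "registry" or "service"
    name: str    # full registry path or service name
    detail: str  # what the entry means for the defender


def triage(report: str) -> List[Finding]:
    """Walk a FindyKill search report and return the lines worth acting on."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = PRESENT_RE.match(line)
        if m:
            value = m.group("value")
            detail = KNOWN_VALUES.get(value, "value not in the known list; review manually")
            findings.append(Finding("registry", m.group("key") + "\\" + value, detail))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, good, bad = (int(m.group(g)) for g in ("start", "good", "bad"))
            if start == bad:
                findings.append(Finding("service", m.group("svc"),
                                        "disabled (Start=%d); expected %s (%d)"
                                        % (start, START_TYPES[good], good)))
            elif start != good:
                findings.append(Finding("service", m.group("svc"),
                                        "start type %s (%d), expected %s (%d)"
                                        % (START_TYPES.get(start, "?"), start,
                                           START_TYPES.get(good, "?"), good)))
    return findings


# Sample input: lines copied from the report above, plus one constructed line
# (wscsvc with Start = 4) so the disabled-service branch is exercised.
SAMPLE_REPORT = r"""
Present! [HKLM\software\microsoft\security center] "AntiVirusDisableNotify"
Present! [HKLM\software\microsoft\security center] "FirewallDisableNotify"
Present! [HKLM\software\microsoft\security center] "UpdatesDisableNotify"
Present! [HKLM\software\microsoft\security center\Svc] "AntiVirusOverride"
Present! [HKLM\software\microsoft\security center\Svc] "FirewallOverride"
Present! [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools"
# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 3 ( Good = 2 | Bad = 4 )
# Wlansvc -> Start = 2 ( Good = 2 | Bad = 4 )
# wscsvc -> Start = 4 ( Good = 2 | Bad = 4 )
"""


def main() -> None:
    for f in triage(SAMPLE_REPORT):
        print("[%-8s] %s: %s" % (f.kind, f.name, f.detail))


if __name__ == "__main__":
    main()
```

Lines that match neither pattern (the process list, drive list, and empty section headers) are ignored, so the script can be pointed at a whole C:\FindyKill.txt. A service at its "Good" value produces no finding; only the mismatches are reported.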
Anonymous user
 
remove this keygen, then:

########### [ Option 2 ( Removal ) ]

▶ Disconnect and close all running applications (including the browser).

▶ Connect your external data sources to your PC (USB key, external hard drive, etc.)

▶ Relaunch "FindyKill" (right-click "as administrator" for Vista): in the main menu choose option " F " for French and hit [enter].

▶ In the second menu choose option 2 (removal) and hit [enter]

▶ The PC will restart automatically ...

▶ the program will work, do not touch anything ..., your desktop will not be accessible, that's normal!

▶ Post the report that appears at the end (the report is also saved under C:\FindyKill.txt)

▶ If the desktop does not reappear, press Ctrl + Alt + Delete, Tab "File", "New Task", type explorer.exe and confirm
--
♦G3и-н@¢ки™©®♦
0
Thibaut
 
This step being completed, I am posting the report:


############################## | FindyKill V5.019 |

# User: Thibaut (Administrators) # PC-DE-THIBAUT
# Update on 16/11/2009 by Chiquitine29
# Start at: 15:14:21 | 26/11/2009
# Website: http://pagesperso-orange.fr/NosTools/index.html
# Contact: FindyKill.Contact@gmail.com

# Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
# Microsoft® Windows Vista™ Home Premium Edition (6.0.6000 32-bit) #
# Internet Explorer 7.0.6000.16916
# Windows Firewall Status: Enabled
# AV: AVG 7.5.552 7.5.552 [ Enabled | Updated ]
# AV: avast! antivirus 4.8.1351 [VPS 091126-0] 4.8.1351 [ Enabled | Updated ]

# A:\ # 3.5-inch Floppy Drive # 1.39 MB (0.58 MB free) # FAT
# C:\ # Local Hard Drive # 30 GB (1.46 GB free) [System] # NTFS
# D:\ # Local Hard Drive # 117.04 GB (45.99 GB free) [Data] # NTFS
# E:\ # CD-ROM Drive
# F:\ # Removable Drive
# G:\ # CD-ROM Drive
# H:\ # Removable Drive # 981.72 MB (286.34 MB free) [KRYSTEL] # FAT
# I:\ # Removable Drive # 977.47 MB (961.02 MB free) [TIBO USB] # FAT

############################## | Active Processes |

C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Option\GlobeTrotter Connect\GtFix.exe
D:\webserver\bin\win32\matlabserver.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
d:\bin\win32\matlab.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\runonce.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\wbem\wmiprvse.exe

################## | C: |


################## | C:\Windows |


################## | C:\Windows\system32 |


################## | C:\Windows\system32\drivers |


################## | C:\Users\Thibaut\AppData\Roaming |


################## | Other removals ... |

################## | Temporary Internet Files |


################## | Registry / Infectious Keys |

Deleted! [HKLM\software\microsoft\security center] "AntiVirusDisableNotify"
Deleted! [HKLM\software\microsoft\security center] "FirewallDisableNotify"
Deleted! [HKLM\software\microsoft\security center] "UpdatesDisableNotify"
Deleted! [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools"

################## | Status / Services / Information |

# Safe mode: OK


# Show hidden files: OK

# UAC: OK

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 2 ( Good = 2 | Bad = 4 )
# Wlansvc -> Start = 2 ( Good = 2 | Bad = 4 )
# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )
# windefend -> Start = 2 ( Good = 2 | Bad = 4 )
# wuauserv -> Start = 2 ( Good = 2 | Bad = 4 )
# wscsvc -> Start = 2 ( Good = 2 | Bad = 4 )

################## | PEH ... |


################## | Cracks / Keygens / Serials |


################## | ! End of report # FindyKill V5.019 ! |
0
Anonymous user
 
Download OTL from OLDTimer

save it on your Desktop.

▶ Double click (for Vista => right-click "run as administrator") on OTL.exe to launch it.

▶ Check the 2 boxes Lop and Purity

▶ Check the box in front of scan all users

▶ set it to "60 Days"

▶ in the left column, set everything to all

do not change this:

"files created within" and "files modified within"


▶ Click on Run Scan.

At the end of the scan, Notepad will open with the report (OTL.txt).

This file is on your Desktop (generally C:\Documents and settings\your_session_name\OTL.txt)

▶▶▶ DO NOT POST IT ON THE FORUM

To send it to me, click on this link: http://www.cijoint.fr/

▶ Click on Browse and locate the above file.

▶ Click on Open.

▶ Click on "Click here to drop the file".

A link of this form:

http://www.cijoint.fr/cjlink.php?file=cjge368/cijSKAP5fU.txt

is added to the page.

▶ Copy this link in your reply.

▶▶ You will do the same with the "Extra.txt".

--
♦G3и-н@¢ки™©®♦
0
Thibaut
 
Here is the link for the OTL file:

http://www.cijoint.fr/cjlink.php?file=cj200911/cij67uEZCF.txt

And the link for the Extras file:

http://www.cijoint.fr/cjlink.php?file=cj200911/cijIMBPbyx.txt


I have a quick question:

Can this virus spread through USB drives and infect other computers in the same way (causing the same issues)?
0
Anonymous user
 
I don't know, first I need to know:

Is this yours? :

D:\webserver\bin\win32\matlabserver.exe
--
♦G3и-н@¢км@и™©®♦
0
Thibaut
 
Yes, it's mine, it's a numerical calculation software.

I don't know if this file is useful for the Matlab software.

The origin of this software isn't "reliable," but I've had it for a while (1 year) and I've never had any problems until today.
0
Anonymous user
 
▶ Click on the Start menu / Control Panel / Folder Options / then in the View tab
* - Check Show hidden files and folders
* - Uncheck Hide extensions for known file types
* - Uncheck Hide protected operating system files (recommended)

▶ Click on Apply, then OK.

Don't forget to hide the hidden files and protected operating system files again at the end of the cleanup, it's important

Have the following file(s) analyzed on Virustotal:

Virus Total

* Click on Browse at the top, choose This PC and search for these files:

D:\webserver\bin\win32\matlabserver.exe

* Now click on Submit the file. and let it work while "Current status: analyzing" is displayed.
* The file may be queued due to a high volume of analysis requests. In this case, you will need to wait without refreshing the page.
* When the analysis is complete ("Current status: finished"), click on Formatted
* A new window of your browser will appear
* Then click on the two arrows
* Right-click on the page, and choose Select All, then copy
* Finally paste the result into your next response.

Note: To analyze another file, click at the bottom on Other file.

then:

▶ Double-click on OTL.exe to launch it.

▶ Copy the list that is in bold below,

▶ paste it in the area under Custom Scans/Fixes:

:processes
explorer.exe
iexplore.exe
firefox.exe
msnmsgr.exe
Teatimer.exe

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
O4 - HKLM..\Run: [autopoll] C:\PROGRA~1\AUTOPO~1\autopoll.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-290061431-370062678-2208403576-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-290061431-370062678-2208403576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-290061431-370062678-2208403576-1000_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE File not found

:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
"iTunesHelper"=-
"QuickTime Task"=-

:commands
[emptytemp]
[start explorer]
[reboot]


▶ Click on RunFix to start the removal.

▶ Post the report.

--
♦G3и-н@¢км@и™©®♦
0
Thibaut
 
Here is the report from the virustotal site:

I will launch the application in OTL and I will send you the report in the next response.


File matlabserver.exe received on 2009.11.26 15:57:32 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.26 -
AhnLab-V3 5.0.0.2 2009.11.26 -
AntiVir 7.9.1.78 2009.11.26 -
Antiy-AVL 2.0.3.7 2009.11.26 -
Authentium 5.2.0.5 2009.11.26 -
Avast 4.8.1351.0 2009.11.26 -
AVG 8.5.0.425 2009.11.26 -
BitDefender 7.2 2009.11.26 -
CAT-QuickHeal 10.00 2009.11.26 -
ClamAV 0.94.1 2009.11.26 -
Comodo 3045 2009.11.26 -
DrWeb 5.0.0.12182 2009.11.26 -
eSafe 7.0.17.0 2009.11.26 -
eTrust-Vet 35.1.7143 2009.11.26 -
F-Prot 4.5.1.85 2009.11.25 -
F-Secure 9.0.15370.0 2009.11.24 -
Fortinet 4.0.14.0 2009.11.26 -
GData 19 2009.11.26 -
Ikarus T3.1.1.74.0 2009.11.26 -
Jiangmin 11.0.800 2009.11.26 -
K7AntiVirus 7.10.905 2009.11.25 -
Kaspersky 7.0.0.125 2009.11.26 -
McAfee 5813 2009.11.25 -
McAfee+Artemis 5813 2009.11.25 -
McAfee-GW-Edition 6.8.5 2009.11.26 -
Microsoft 1.5302 2009.11.26 -
NOD32 4639 2009.11.26 -
Norman 6.03.02 2009.11.25 -
nProtect 2009.1.8.0 2009.11.26 -
Panda 10.0.2.2 2009.11.26 -
PCTools 7.0.3.5 2009.11.26 -
Prevx 3.0 2009.11.26 -
Rising 22.23.03.10 2009.11.26 -
Sophos 4.48.0 2009.11.26 -
Sunbelt 3.2.1858.2 2009.11.26 -
Symantec 1.4.4.12 2009.11.26 -
TheHacker 6.5.0.2.079 2009.11.26 -
TrendMicro 9.100.0.1001 2009.11.26 -
VBA32 3.12.12.0 2009.11.26 -
ViRobot 2009.11.26.2056 2009.11.26 -
VirusBuster 5.0.21.0 2009.11.25 -
Additional information
File size: 536576 bytes
MD5...: 7580504957c77ac0f245a93a50f878eb
SHA1..: fe1e5686323adfd07152fce556ee409d5679f74e
SHA256: 6a252c65eb0af4d98952264ce7ba1f78a86b7a8b4afa7e8626fb8ff7b3fdbd9c
ssdeep: 12288:btfxdQ9NXv7TdTBL8CTQwtKNXUdg0qRhfyo3EZNs:btjQ9NXDTBJ8CsNlyqRhfyT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6412f
timedatestamp.....: 0x408a39a8 (Sat Apr 24 09:55:52 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x63338 0x64000 6.24 0148997cf9701cfd46afeb63144fee91
.rdata 0x65000 0x2706 0x3000 4.19 bbc91ac0b792dfc0c4672e455cbb6d4a
.data 0x68000 0x10698 0xa000 5.87 bc1af317a649ee630941cfae89522822
_TEXT_HA 0x79000 0x10a82 0x11000 6.54 795e3f5196387de95827555b822cdcc9

( 9 imports )
> KERNEL32.dll: FormatMessageA, lstrlenA, LocalFree, SetConsoleCtrlHandler, GetVersionExA, Sleep, ResetEvent, WaitForSingleObject, GetModuleFileNameA, GetLastError, GetProcAddress, CreateEventA, CloseHandle, LoadLibraryA, SetLastError, GetPrivateProfileIntA, GetPrivateProfileStringA, QueryPerformanceFrequency, QueryPerformanceCounter, SleepEx, DeviceIoControl, SetEvent, ReadFile, GetCurrentThread, FindClose, CreateFileA, FindNextFileW, FindFirstFileA, FindNextFileA, GetProcessTimes, GetTickCount, FindFirstFileW, GetEnvironmentVariableA, GetCommandLineW, GetEnvironmentVariableW, MultiByteToWideChar, CreateMutexA, WideCharToMultiByte, SetHandleInformation, SetErrorMode, ReleaseMutex, VirtualAlloc, GetCurrentProcess, VirtualFree, GetVolumeInformationA, GetVersion, GetDriveTypeA, GetWindowsDirectoryA, CreateSemaphoreA, FreeLibrary, OpenSemaphoreA, ReleaseSemaphore, SetThreadPriority, GetModuleHandleA, WriteFile
> ADVAPI32.dll: DeleteService, StartServiceA, RegCloseKey, RegDeleteValueA, RegEnumValueA, RegOpenKeyExA, RegCreateKeyExA, RegQueryValueExA, RegQueryValueExW, RegSetValueExA, RegSetValueExW, GetUserNameA, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, OpenServiceA, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, SetServiceStatus, DeregisterEventSource, ReportEventA, RegisterEventSourceA, CloseServiceHandle, CreateServiceA, OpenSCManagerA, ControlService
> WSOCK32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> libeng.dll: engOpenSingleUse, engClose, engEvalString, engOutputBuffer
> MSVCRT.dll: tolower, vsprintf, printf, _stricmp, rand, srand, fgets, vfprintf, strcmp, sscanf, localtime, abs, calloc, strncmp, _endthread, fprintf, _sys_nerr, strtol, malloc, getenv, __p__environ, fflush, longjmp, free, memcmp, qsort, _findclose, _stat, _findnext, _findfirst, mktime, _setjmp3, _sys_errlist, _wfreopen, _wopen, __3@YAXPAX@Z, _wstat, rename, _wrename, _waccess, remove, _wremove, _wunlink, _putenv, _exit, clearerr, ungetc, fgetc, _mkdir, putc, fputc, fwrite, _XcptFilter, __p___initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, __dllonexit, _onexit, _controlfp, memset, memcpy, strchr, __2@YAPAXI@Z, fseek, fclose, fopen, _unlink, ftell, fread, ctime, signal, strrchr, exit, _beginthread, _errno, atoi, _iob, strstr, _pctype, __mb_cur_max, _isctype, sprintf, toupper, strncpy, strlen, strtok, atol, _wfopen, time, freopen, strcpy, strcat, _close, _mktemp, _access, _open, _getcwd, _getpid
> COMCTL32.dll: -
> USER32.dll: GetActiveWindow, GetParent, MoveWindow, ScreenToClient, ShowWindow, MessageBoxA, EnableWindow, GetWindowRect, GetDlgItem, SendMessageA, GetWindowLongA, MessageBeep, SetDlgItemTextA, GetDlgItemTextW, GetDlgItemTextA, EndDialog, GetFocus, SetFocus, SetWindowTextA, GetClientRect, GetSystemMetrics, wsprintfA, CreateDialogIndirectParamA, DialogBoxIndirectParamA
> comdlg32.dll: GetOpenFileNameA
> NETAPI32.dll: Netbios
( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
0
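The PEInfo block in the VirusTotal report above (machinetype 0x14c, timedatestamp, and the per-section viradd/virsiz/rawdsiz/ntrpy table) is what a file needs to have intact for Windows to run it; the "is not a valid Win32 application" error from the opening post is what the loader reports when the MZ or PE signature is missing, the image is for another machine type, or the section table does not fit the file. The Python script below is an added example, not code from the thread or from VirusTotal: it performs those header checks on a byte string and reproduces the PEInfo section table, including Shannon entropy. The PE image it inspects is constructed in memory (two sections, timestamp reused from the report) rather than read from disk, and the corrupted variants are derived from it.

```python
import math
import struct
from typing import Dict, List, Tuple

# Constants from the PE specification; 0x14c is the "machinetype" shown in
# the VirusTotal PEInfo section above.
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_pe(data: bytes) -> Tuple[bool, str, Dict]:
    """Validate the headers the loader checks before it will run an image and
    collect the per-section fields in the same shape as the PEInfo table."""
    info: Dict = {"sections": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, "missing MZ (DOS) header", info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False, "e_lfanew does not point at a PE signature", info
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    info.update(machine=machine, timedatestamp=timestamp)
    if machine != IMAGE_FILE_MACHINE_I386:
        return False, "machine type 0x%x is not I386" % machine, info
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(data):
        return False, "optional header truncated", info
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return False, "optional header magic 0x%x is not PE32" % magic, info
    table = opt + opt_size
    for i in range(nsections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            return False, "section table truncated at entry %d" % i, info
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sname = name.rstrip(b"\x00").decode("ascii", "replace")
        if rawptr + rawsize > len(data):
            return False, "section %s raw data runs past end of file" % sname, info
        body = data[rawptr:rawptr + rawsize]
        info["sections"].append({"name": sname, "viradd": vaddr, "virsiz": vsize,
                                 "rawdsiz": rawsize, "ntrpy": round(shannon_entropy(body), 2)})
    return True, "ok", info


def build_sample_pe(sections: List[Tuple[bytes, bytes]],
                    machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    a 224-byte optional header (magic only), section table, then 512-byte
    aligned section bodies. Not a runnable program, just valid headers."""
    opt_size, e_lfanew = 224, 0x40
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # timestamp 0x408a39a8 reused from the report; 0x0102 = EXECUTABLE | 32BIT
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0x408A39A8, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC) + b"\x00" * (opt_size - 2)
    table, bodies, vaddr, ptr = b"", b"", 0x1000, raw_ptr
    for name, body in sections:
        raw_size = (len(body) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(body), vaddr,
                             raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body + b"\x00" * (raw_size - len(body))
        vaddr += (raw_size + 0xFFF) & ~0xFFF
        ptr += raw_size
    image = dos + b"PE\x00\x00" + coff + opt + table
    return image + b"\x00" * (raw_ptr - len(image)) + bodies


# Constructed sample input: a two-section image, not a real binary.
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 300),          # constant bytes -> entropy near 1.0 after padding
    (b".data", bytes(range(256)) * 2),  # every byte value twice -> entropy exactly 8.0
])


def main() -> None:
    cases = [
        ("intact image", SAMPLE_PE),
        ("MZ signature overwritten", b"XX" + SAMPLE_PE[2:]),
        ("file cut short", SAMPLE_PE[:600]),
        ("x64 image on 32-bit loader", build_sample_pe([(b".text", b"\xC3")], machine=0x8664)),
    ]
    for label, blob in cases:
        valid, reason, info = inspect_pe(blob)
        print("%-28s valid=%-5s %s" % (label, valid, reason))
        for s in info["sections"]:
            print("    %-8s viradd=0x%x virsiz=0x%x rawdsiz=0x%x ntrpy=%.2f"
                  % (s["name"], s["viradd"], s["virsiz"], s["rawdsiz"], s["ntrpy"]))


if __name__ == "__main__":
    main()
```

The entropy column is the one worth reading in a VirusTotal report: a .text section well above 7 bits per byte usually means a packed or encrypted body, whereas the report above shows ordinary compiler output (6.24 for .text, 4.19 for .rdata). The x64 case is the one 32-bit Vista users hit most often: a correctly built 64-bit executable fails the machine-type check with exactly the error from the opening post.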
Anonymous user
 
That's fine, next.
--
♦G3и-н@¢ки™©®♦
0
Thibaut
 
And here's the continuation:

So, what's the diagnosis, doc?


All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
No active process named iexplore.exe was found!
No active process named firefox.exe was found!
No active process named msnmsgr.exe was found!
No active process named Teatimer.exe was found!
========== OTL ==========
Prefs.js: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05 removed from extensions.enabledItems
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\autopoll deleted successfully.
C:\PROGRA~1\AUTOPO~1\autopoll.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-21-290061431-370062678-2208403576-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-290061431-370062678-2208403576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
Registry key HKEY_USERS\S-1-5-21-290061431-370062678-2208403576-1000_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe Reader Speed Launcher deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\iTunesHelper deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Thibaut
->Temp folder emptied: 31966 bytes
->Temporary Internet Files folder emptied: 229894808 bytes
->Java cache emptied: 376283 bytes
->FireFox cache emptied: 94881262 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 106822 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 6279697 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 316.21 mb


OTL by OldTimer - Version 3.1.10.1 log created on 11262009_170955

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\Windows\temp\hsperfdata_PC-DE-THIBAUT$\2780 not found!

Registry entries deleted on Reboot...
0
Anonymous user
 
Disable your antivirus for the duration of the operation as well as your firewall if present

▶ Download List&Kill'em and save it on your desktop

▶ unzip it, (right click/extract.....)

It does not require installation

▶ double click (right click "run as administrator" for Vista) to start the scan

choose the language then select option 1 = Search Mode

▶ let the tool work

▶ Post the content of the report that opens

--
♦G3и-н@¢км@и™©®♦
0
Thibaut
 
And here is the content

So, are we on the right track?

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 21:02:48
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b7a51e9]
"0016dbe574bd"=hex:c5,3d,72,75,51,24,4c,02,b5,bd,93,62,78,21,db,00
"0015b90a7952"=hex:b8,24,b6,06,80,14,4e,d1,1a,95,9f,78,42,03,79,be
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:9c,ce,ed,8e,40,bb,a6,1b,df,b2,d3,da,45,3b,6c,ea,a3,c6,ed,22,cf,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,27,03,02,03,3c,a5,67,e7,3b,b2,74,e2,79,e2,af,15,39,..
"khjeh"=hex:59,b2,04,c2,15,82,a3,4a,b1,21,75,ae,38,21,82,cb,dc,b5,5c,b6,29,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:95,8c,5e,fd,7b,10,69,d4,10,3e,49,d1,7e,0e,d1,b1,39,19,5d,1a,1b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:c0,65,72,32,b2,fa,e0,72,32,a0,44,f7,15,ca,46,16
0
Anonymous user
 
You haven't read the instructions well ^^

it's not the one that opened
--
♦G3и-н@¢км@и™©®♦
0
Thibaut
 
Ah, too bad.

It must be the fatigue. I’ll rest with a good night’s sleep and I’ll pick this up tomorrow.

For now, it’s not blocking my PC but it’s preventing me from installing new applications that I’m going to need soon.

In any case, I thank you again for your help.

I hope we’ll resolve this issue tomorrow.

Good luck in your struggle against other people's problems.

See you!
0
Anonymous user
 
lol thanks have a good evening ^^
--
♦G3и-н@¢ки™©®♦
0
Thibaut
 
Hello,

Here I am back to eradicate this virus (if that's the case).

I found the corresponding file, hoping that this time it's the right one:

List'em by g3n-h@ckm@n 1.0.5.6

Thanks to Chiquitine29.....

User: Thibaut (Administrators) # PC-DE-THIBAUT
Update on 25/11/2009 by g3n-h@ckm@n ::::: 13:00
Start at: 12:02:28 | 27/11/2009
Contact: g3n-h@ckm@n on CCM

Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
Microsoft® Windows Vista™ Home Premium Edition (6.0.6000 32-bit) #
Internet Explorer 7.0.6000.16916
Windows Firewall Status: Disabled
AV: AVG 7.5.552 7.5.552 [ Enabled | Updated ]
AV: avast! antivirus 4.8.1351 [VPS 091127-1] 4.8.1351 [ (!) Disabled | Updated ]

A:\ -> 3.5-inch floppy disk drive | 1.39 MB (0.58 MB free) | FAT
C:\ -> Local hard disk | 30 GB (1.42 GB free) [System] | NTFS
D:\ -> Local hard disk | 117.04 GB (45.99 GB free) [Data] | NTFS
E:\ -> CD-ROM drive
F:\ -> Removable drive
G:\ -> CD-ROM drive
H:\ -> Removable drive | 981.72 MB (286.34 MB free) [KRYSTEL] | FAT
I:\ -> Removable drive | 977.47 MB (961.02 MB free) [CLÉ TIBO] | FAT

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Running processes

C:\Windows\System32\smss.exe 424
C:\Windows\system32\csrss.exe 492
C:\Windows\system32\wininit.exe 540
C:\Windows\system32\csrss.exe 552
C:\Windows\system32\services.exe 584
C:\Windows\system32\lsass.exe 596
C:\Windows\system32\lsm.exe 604
C:\Windows\system32\winlogon.exe 652
C:\Windows\system32\svchost.exe 796
C:\Windows\system32\svchost.exe 876
C:\Windows\System32\svchost.exe 908
C:\Windows\system32\Ati2evxx.exe 1004
C:\Windows\System32\svchost.exe 1028
C:\Windows\System32\svchost.exe 1056
C:\Windows\system32\svchost.exe 1120
C:\Windows\system32\SLsvc.exe 1228
C:\Windows\system32\svchost.exe 1268
C:\Windows\system32\svchost.exe 1408
C:\Windows\system32\Ati2evxx.exe 1456
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 1664
C:\Windows\system32\Dwm.exe 1728
C:\Program Files\Alwil Software\Avast4\ashServ.exe 1760
C:\Windows\Explorer.EXE 1776
C:\Windows\System32\spoolsv.exe 348
C:\Windows\system32\svchost.exe 440
C:\Windows\system32\taskeng.exe 460
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 1188
C:\Program Files\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe 1704
C:\Program Files\Bonjour\mDNSResponder.exe 432
C:\Windows\system32\svchost.exe 1132
C:\Program Files\Option\GlobeTrotter Connect\GtFix.exe 692
D:\webserver\bin\win32\matlabserver.exe 1792
C:\Windows\system32\svchost.exe 2056
C:\Windows\system32\svchost.exe 2072
C:\Windows\System32\svchost.exe 2104
C:\Windows\system32\SearchIndexer.exe 2136
d:\bin\win32\matlab.exe 2400
C:\Windows\system32\WUDFHost.exe 2568
C:\Program Files\Windows Defender\MSASCui.exe 3392
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 3436
C:\Program Files\Launch Manager\HotkeyApp.exe 3448
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe 3484
C:\Program Files\Alwil Software\Avast4\ashDisp.exe 3504
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE 3532
C:\Program Files\Windows Sidebar\sidebar.exe 3560
C:\Windows\ehome\ehtray.exe 3568
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe 3576
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE 3676
C:\Windows\ehome\ehmsas.exe 3764
C:\Program Files\Launch Manager\WisLMSvc.exe 3776
C:\Windows\system32\wbem\wmiprvse.exe 3820
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe 3888
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN 3920
C:\Windows\system32\wbem\unsecapp.exe 2868
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe 3136
C:\Windows\system32\taskeng.exe 1216
C:\Program Files\Windows Media Player\wmpnetwk.exe 3904
C:\Windows\servicing\TrustedInstaller.exe 2324
C:\Windows\System32\svchost.exe 4152
C:\Windows\system32\wuauclt.exe 4600
D:\Thibaut\Desktop\List_Kill'em.exe 1528
C:\Windows\system32\conime.exe 4408
C:\Windows\system32\cmd.exe 4364
C:\Windows\system32\wbem\wmiprvse.exe 4124
C:\Users\Thibaut\AppData\Local\temp\91A4.tmp\pv.exe 4704

======================
Startup keys "Run"
======================

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sidebar REG_SZ C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
ehTray.exe REG_SZ C:\Windows\ehome\ehTray.exe
swg REG_SZ "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCui.exe -hide
SynTPEnh REG_SZ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
HotkeyApp REG_SZ "C:\Program Files\Launch Manager\HotkeyApp.exe"
StartCCC REG_SZ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
SunJavaUpdateSched REG_SZ "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
avast! REG_SZ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
CanonSolutionMenu REG_SZ C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
CanonMyPrinter REG_SZ C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
=====================
Additional keys
=====================

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin REG_DWORD 0x2
ConsentPromptBehaviorUser REG_DWORD 0x1
EnableInstallerDetection REG_DWORD 0x1
EnableLUA REG_DWORD 0x1
EnableSecureUIAPaths REG_DWORD 0x1
EnableVirtualization REG_DWORD 0x1
PromptOnSecureDesktop REG_DWORD 0x1
ValidateAdminCodeSignatures REG_DWORD 0x0
dontdisplaylastusername REG_DWORD 0x0
legalnoticecaption REG_SZ
legalnoticetext REG_SZ
scforceoption REG_DWORD 0x0
shutdownwithoutlogon REG_DWORD 0x1
undockwithoutlogon REG_DWORD 0x1
FilterAdministratorToken REG_DWORD 0x0
UacDisableNotify REG_DWORD 0x0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UIPI
===============
===============
BHO:
======

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}

========
Services
========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

Ndisuio: 0x3
EapHost: 0x2
Wlansvc: 0x2
SharedAccess: 0x2
windefend: 0x2
wuauserv: 0x2
=========

=========================
Environment variables:
=========================

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Thibaut\AppData\Roaming
choice=1
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PC-DE-THIBAUT
ComSpec=C:\Windows\system32\cmd.exe
configsetroot=C:\Windows\ConfigSetRoot
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Thibaut
LOCALAPPDATA=C:\Users\Thibaut\AppData\Local
LOGONSERVER=\\PC-DE-THIBAUT
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem;D:\bin\win32;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0a
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Thibaut\AppData\Local\Temp
TMP=C:\Users\Thibaut\AppData\Local\Temp
USERDOMAIN=PC-de-Thibaut
USERNAME=Thibaut
USERPROFILE=C:\Users\Thibaut
windir=C:\Windows


¤¤¤¤¤¤¤¤¤¤ Present files and folders:

C:\Windows\jautoexp.dat
C:\Windows\mbr.exe
C:\Windows\System32\drivers\etc\hosts.msn

¤¤¤¤¤¤¤¤¤¤ Present registry keys:


=====================
Rootkit Verification
=====================
0
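Reading a List'em log like the one above by hand is error-prone. As an added example (not part of the thread and not the List'em tool's own code), the Python script below parses the 'Running processes' and 'Startup keys "Run"' sections of that log format and flags what a helper checks first: a binary running from a temp folder, an autostart entry outside the usual program directories, a disabled firewall, and two antivirus engines installed at once (AVG and avast! here). The sample log is constructed from a few lines of the post, plus one hypothetical 'updater' autostart entry so that rule has something to flag.

```python
"""Triage a List'em-style log (added example, not the tool's own code).
Findings are prompts to look closer, not verdicts: the pv.exe under %TEMP%
in the thread is most likely the log tool's own helper, not malware.
"""
import re

# Constructed sample: lines copied from the thread's log, plus one hypothetical
# autostart entry ('updater') added so that the autostart rule has something to flag.
SAMPLE_LOG = """\
Windows Firewall Status: Disabled
AV: AVG 7.5.552 7.5.552 [ Enabled | Updated ]
AV: avast! antivirus 4.8.1351 [VPS 091127-1] 4.8.1351 [ (!) Disabled | Updated ]

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Running processes

C:\\Windows\\System32\\smss.exe 424
C:\\Users\\Thibaut\\AppData\\Local\\temp\\91A4.tmp\\pv.exe 4704

======================
Startup keys "Run"
======================

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Windows Defender REG_EXPAND_SZ %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
avast! REG_SZ C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
swg REG_SZ "C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
updater REG_SZ C:\\Users\\Thibaut\\AppData\\Roaming\\updater.exe
"""

PROC_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<pid>\d+)$")
RUN_RE = re.compile(r"^(?P<name>\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(?P<value>.+)$")
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# Where a legitimate autostart normally lives (compared lower-case).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\progra~1\\", "%programfiles%\\")


def parse_sections(text):
    """Return (process paths, run entries, AV lines, firewall status)."""
    processes, run_entries, av_lines, firewall = [], [], [], None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "¤"}:
            continue  # blank lines and the ==== / ¤¤¤¤ separators
        if line.startswith("AV:"):
            av_lines.append(line)
        elif line.startswith("Windows Firewall Status:"):
            firewall = line.split(":", 1)[1].strip()
        elif "Running processes" in line:
            section = "procs"
        elif line.startswith("Startup keys"):
            section = "run"
        elif section == "procs" and (m := PROC_RE.match(line)):
            processes.append(m.group("path"))
        elif section == "run" and (m := RUN_RE.match(line)):
            run_entries.append((m.group("name"), m.group("value")))
    return processes, run_entries, av_lines, firewall


def exe_path(value):
    """Executable named by a Run value, with quotes and arguments stripped."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]


def triage(text):
    """Apply the rules; each finding is a (rule, detail) pair."""
    processes, run_entries, av_lines, firewall = parse_sections(text)
    findings = [("temp_process", p) for p in processes if TEMP_RE.search(p)]
    for name, value in run_entries:
        exe = exe_path(value)
        if not exe.lower().startswith(TRUSTED_PREFIXES):
            findings.append(("autostart_outside_program_dirs", f"{name} -> {exe}"))
    if firewall and firewall.lower() != "enabled":
        findings.append(("firewall_disabled", firewall))
    if len(av_lines) > 1:  # two resident scanners tend to fight each other
        findings.append(("multiple_av", "; ".join(av_lines)))
    return findings
```

Run `triage(open("listem.txt").read())` on a full log to get the same findings for the whole report; the Run parser ignores the REG_DWORD policy keys that follow the startup section.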
Anonymous user
 
there's a missing piece, the end ^^

▶ Restart List&Kill'em like you did for option 1 (by right-clicking, for Vista),

but this time:

▶ choose option 2 = Destruction Mode

let the tool do its work.

At the end of the scan a report will open; close it and then restart.

▶ paste the content in your response
--
♦G3и-н@¢км@и™©®♦
0
Thibaut
 
Silly me, yet I had done a Ctrl+A, strange.

here is the end of the message:


=====================
Rootkit Verification
=====================

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 12:03:54
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b7a51e9]
"0016dbe574bd"=hex:c5,3d,72,75,51,24,4c,02,b5,bd,93,62,78,21,db,00
"0015b90a7952"=hex:b8,24,b6,06,80,14,4e,d1,1a,95,9f,78,42,03,79,be
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:9c,ce,ed,8e,40,bb,a6,1b,df,b2,d3,da,45,3b,6c,ea,a3,c6,ed,22,cf,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,27,03,02,03,3c,a5,67,e7,3b,b2,74,e2,79,e2,af,15,39,..
"khjeh"=hex:59,b2,04,c2,15,82,a3,4a,b1,21,75,ae,38,21,82,cb,dc,b5,5c,b6,29,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:95,8c,5e,fd,7b,10,69,d4,10,3e,49,d1,7e,0e,d1,b1,39,19,5d,1a,1b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:c0,65,72,32,b2,fa,e0,72,32,a0,44,f7,15,ca,46,16,99,1d,2f,d2,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d1,7e,6f,e4,47,f1,8f,35,0e,61,cc,88,c9,06,50,f1,5f,61,d9,3a,9b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:d1,7e,6f,e4,47,f1,8f,35,0e,61,cc,88,c9,06,50,f1,5f,61,d9,3a,9b,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b7a51e9]
"0016dbe574bd"=hex:c5,3d,72,75,51,24,4c,02,b5,bd,93,62,78,21,db,00
"0015b90a7952"=hex:b8,24,b6,06,80,14,4e,d1,1a,95,9f,78,42,03,79,be
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:9c,ce,ed,8e,40,bb,a6,1b,df,b2,d3,da,45,3b,6c,ea,a3,c6,ed,22,cf,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,27,03,02,03,3c,a5,67,e7,3b,b2,74,e2,79,e2,af,15,39,..
"khjeh"=hex:59,b2,04,c2,15,82,a3,4a,b1,21,75,ae,38,21,82,cb,dc,b5,5c,b6,29,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:95,8c,5e,fd,7b,10,69,d4,10,3e,49,d1,7e,0e,d1,b1,39,19,5d,1a,1b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:c0,65,72,32,b2,fa,e0,72,32,a0,44,f7,15,ca,46,16,99,1d,2f,d2,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d1,7e,6f,e4,47,f1,8f,35,0e,61,cc,88,c9,06,50,f1,5f,61,d9,3a,9b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:d1,7e,6f,e4,47,f1,8f,35,0e,61,cc,88,c9,06,50,f1,5f,61,d9,3a,9b,..

scanning hidden registry entries ...

scanning hidden files ...
0
Thibaut
 
And here is the deletion report:

Kill'em by g3n-h@ckm@n 1.0.5.6

User: Thibaut (Administrators) # PC-DE-THIBAUT
Update on 25/11/2009 by g3n-h@ckm@n ::::: 13:00
Start at: 18:12:17 | 27/11/2009
Contact: g3n-h@ckm@n on CCM

Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
Microsoft® Windows Vista™ Home Premium Edition (6.0.6000 32-bit) #
Internet Explorer 7.0.6000.16916
Windows Firewall Status: Disabled
AV: AVG 7.5.552 7.5.552 [ Enabled | Updated ]
AV: avast! antivirus 4.8.1351 [VPS 091127-1] 4.8.1351 [ (!) Disabled | Updated ]

A:\ -> 3.5-inch floppy disk drive | 1.39 MB (0.58 MB free) | FAT
C:\ -> Local hard drive | 30 GB (1.36 GB free) [System] | NTFS
D:\ -> Local hard drive | 117.04 GB (45.99 GB free) [Data] | NTFS
E:\ -> CD-ROM drive
F:\ -> Removable drive
G:\ -> CD-ROM drive
H:\ -> Removable drive | 981.72 MB (286.34 MB free) [KRYSTEL] | FAT
I:\ -> Removable drive | 977.47 MB (961.02 MB free) [CLÉ TIBO] | FAT


¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Running processes


C:\Windows\System32\smss.exe 424
C:\Windows\system32\csrss.exe 556
C:\Windows\system32\wininit.exe 604
C:\Windows\system32\csrss.exe 616
C:\Windows\system32\services.exe 648
C:\Windows\system32\lsass.exe 660
C:\Windows\system32\lsm.exe 668
C:\Windows\system32\winlogon.exe 716
C:\Windows\system32\svchost.exe 860
C:\Windows\system32\svchost.exe 940
C:\Windows\System32\svchost.exe 972
C:\Windows\system32\Ati2evxx.exe 1072
C:\Windows\System32\svchost.exe 1092
C:\Windows\System32\svchost.exe 1124
C:\Windows\system32\svchost.exe 1160
C:\Windows\system32\SLsvc.exe 1292
C:\Windows\system32\svchost.exe 1348
C:\Windows\system32\Ati2evxx.exe 1444
C:\Windows\system32\svchost.exe 1520
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 1792
C:\Program Files\Alwil Software\Avast4\ashServ.exe 1840
C:\Windows\system32\Dwm.exe 1852
C:\Windows\Explorer.EXE 1904
C:\Program Files\Windows Defender\MSASCui.exe 2016
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 2040
C:\Program Files\Launch Manager\HotkeyApp.exe 300
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe 320
C:\Program Files\Alwil Software\Avast4\ashDisp.exe 348
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE 924
C:\Program Files\Windows Sidebar\sidebar.exe 980
C:\Windows\ehome\ehtray.exe 1252
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe 1284
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE 1156
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe 1412
C:\Windows\System32\spoolsv.exe 2052
C:\Windows\system32\svchost.exe 2076
C:\Windows\system32\taskeng.exe 2088
C:\Windows\ehome\ehmsas.exe 2368
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN 2408
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe 2640
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 2948
C:\Program Files\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe 2980
C:\Program Files\Bonjour\mDNSResponder.exe 3000
C:\Windows\system32\svchost.exe 3012
C:\Program Files\Option\GlobeTrotter Connect\GtFix.exe 3048
D:\webserver\bin\win32\matlabserver.exe 3212
C:\Windows\system32\svchost.exe 3252
C:\Windows\system32\svchost.exe 3268
C:\Windows\System32\svchost.exe 3308
C:\Windows\system32\SearchIndexer.exe 3356
d:\bin\win32\matlab.exe 3604
C:\Windows\system32\WUDFHost.exe 3784
C:\Windows\System32\mobsync.exe 3912
C:\Windows\system32\taskeng.exe 596
C:\Program Files\Launch Manager\WisLMSvc.exe 2128
C:\Windows\system32\wbem\wmiprvse.exe 1988
C:\Program Files\Windows Media Player\wmplayer.exe 2804
C:\Program Files\Windows Media Player\WMPNSCFG.exe 4192
C:\Program Files\Windows Media Player\wmpnetwk.exe 4244
C:\Windows\system32\wbem\unsecapp.exe 5736
C:\Windows\system32\wbem\wmiprvse.exe 1324
C:\Windows\system32\wuauclt.exe 2220
D:\Thibaut\Desktop\List_Kill'em.exe 4804
C:\Windows\system32\conime.exe 4864
C:\Windows\system32\cmd.exe 4264
C:\Users\Thibaut\AppData\Local\temp\2DC3.tmp\pv.exe 4760

Files scanned:
=================


¤¤¤¤¤¤¤¤¤¤ Present files and folders:

"C:\Windows\jautoexp.dat"
"C:\Windows\mbr.exe"
"C:\Windows\System32\drivers\etc\hosts.msn"


¤¤¤¤¤¤¤¤¤¤ File actions:

Quarantine:

hosts.msn.Kill'em
jautoexp.dat.Kill'em
MBR.exe.Kill'em

====================
Cleaned hosts files
====================
¤¤¤¤¤¤¤¤¤¤ C:\Windows\Prefetch

AgAppLaunch.db
AgCx_Hibernate.snp.db
AgCx_S1_S-1-5-21-290061431-370062678-2208403576-1000.snp.db
AgCx_SC1.db
AgCx_SC1.db.trx
AgCx_SC2.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_P_S-1-5-21-290061431-370062678-2208403576-1000.db
AgGlUAD_S-1-5-21-290061431-370062678-2208403576-1000.db
AgRobust.db
Layout.ini
NTOSBOOT-B00DFAAD.pf
PfSvPerfStats.bin
ReadyBoot



¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
0
Anonymous user
 
Do you still have this message?

When I try to run an .exe application, I get an error message saying "program_name is not a valid Win32 application."
--
♦G3и-н@¢км@и™©®♦
0
Thibaut
 
Impeccable, thank you very much.
0
Anonymous user
 
▶ Download: ATF Cleaner by Atribune

Double-click (right-click "Run as administrator" for Vista) ATF-Cleaner.exe to launch the program.
Under the Main tab, choose: Select All
Click the Empty Selected button
If you are using the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button
NOTE: If you want to keep your saved passwords, click No at the prompt.
If you are using the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button
NOTE: If you want to keep your saved passwords, click No at the prompt.
Click Exit from the main menu to close the program.
For technical support, double-click the email address located at the bottom of each menu.

__________________________________________________

▶ You can keep ATF for potential deeper cleanings
__________________________________________________

▶---> Download ToolsCleaner2 to your Desktop.
* Double-click (right-click "Run as administrator" for Vista) on ToolsCleaner2.exe to launch it.
* Click on Search and let the scan run.
* Click on Delete to finalize.
* You may, if you wish, use the Optional Options.
* Click on Quit to get the report.
* Post the report (TCleaner.txt) found at the root of your hard drive (C:\).
________________________________________________

▶ You can delete ToolCleaner
_________________________________________________

▶ Download and install CCleaner (Do not install the Yahoo Toolbar):

* Launch it (right-click "Run as administrator" for Vista). Go to Options, then Advanced, and uncheck the box "Clear only files etc...."
* Go to Cleaner, choose Analyze. Once completed, start the cleaning.
* Then, choose Registry, then Search for issues. Once completed, fix all issues as often as it finds them in the scan.
* Make sure in the options the setting is at Windows startup and set to "secure deletion" 35 passes (Gutmann)
__________________________________________________

Warning: do not touch the PC while it is working!

▶ Cleaning and Defragmentation of your Disks

*Cleaning:

Right-click on "My Computer" (Computer for Vista) ==>"Open" ==> right-click on the C drive ==> Properties ==> "General" tab
Click on the "Disk Cleanup" button, OK
Do this for each of your drives
________________________________________________

*Error checking:

Right-click on "My Computer" (Computer for Vista) ==>"Open" ==> right-click on the C drive ==> Properties ==> "Tools" tab
"Check Now", a box opens, check the boxes:
- Automatically fix file system errors...
- Scan for and attempt recovery of bad sectors...

---> Start, OK
Note: if it asks you to restart your PC to do this, restart and let it run; it takes a little time, that’s normal
Do this for each of your drives
________________________________________________

Then still in the same tab, choose:

*Defragmentation:
"Defragment now", OK
A box opens, select the drive to defragment, and click on "Analyze", then after the analysis, "Defragment". OK
Do this for each of your drives
_______________________________________________

Note: if you have a defragmentation utility, use it instead

To do this, Defraggler is suggested
_________________________________________________

▶ Can you check your Java Console? :

and install the new version if needed (in this case uninstall the old version first).

Here’s how to uninstall:

JavaRa

Extract the file on the Desktop (Right-click > Extract All).
* Double-click (right-click "Run as administrator" for Vista) on the JavaRa directory.
* Then double-click on the JavaRa.exe file (the exe may not be displayed).
* Choose French then click on Select.
* Click on Check for Updates.
* Select Update via jucheck.exe then click on Search.
* Allow the process to connect if it asks, click on Install and follow the installation instructions which take a few minutes.
* Once the installation is complete, return to the JavaRa screen and click on Remove old versions.
* Click Yes to confirm. Let it work and then click on OK, then a second time on OK.
* A report will open. Post it in your next reply.
* Close the application.

Note: the report is also located in C:\ under the name JavaRa.log.

_________________________________________________

▶ Update Adobe Reader if not done (uninstall the previous version first)
__________________________________________________

▶ If you don't have one, I advise you to better secure your PC by installing a firewall:

Online Armor or KERIO or JETICO or ZONE ALARM (only use the free firewall) or COMODO

https://www.commentcamarche.net/telecharger/securite/16545-online-armor-personal-firewall/
https://www.01net.com/telecharger/windows/Securite/firewall/fiches/39911.html
https://forum.pcastuces.com/sujet.asp?f=25&s=35606
https://www.clubic.com/telecharger-fiche11071-sunbelt-personal-firewall-ex-kerio.html
https://manuelsdaide.com/contact/
http://www.open-files.com/forum/index.php?showtopic=29277
https://www.commentcamarche.net/telecharger/securite/24863-zonealarm/
___________________________________________________

▶ You can also empty your recycle bin, though CCleaner does it automatically
_____________________________________________________

▶ If we used MalwareByte's Anti-Malware, empty its quarantine:

* Launch the program then click on <Quarantine>.
* Select all items then click on <delete>.
* Exit the program.
______________________________________________________

if you have installed Antivir:

Configuration
________________________________________________________

▶ Same for your antivirus: empty its quarantine if not already done
______________________________________________________

▶ Disable and re-enable system restore, to do this: follow the instructions in the link:

Link XP

Link Vista

As soon as that’s done, create a so-called "healthy" restore point to guard against potential future issues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A few tips and recommendations for the future:

▶ Run MalwareByte's Anti-Malware from time to time (once a week, depending on how you use your PC).
▶ Use your other protection software (antivirus scans, antispywares...). Don’t forget to update them before use.
* Also remember to defragment your hard drives from time to time (keep enough space on C:\ (1/3 free to feel comfortable))
_____________

▶ To properly protect your PC:
[1 antivirus] + [1 firewall] + [a good antispyware with immunization] + [recent updates for Windows and Protection Software] + [use Firefox -or others- (Internet Explorer has security flaws that take a long time to fix but must be kept for Windows updates and Windows Live Messenger)]

I recommend installing this Firefox extension to secure your browsing: WOT
I recommend installing this Internet Explorer extension to secure your browsing: WOT

PS: In fact, the best protection is you: what you do with your PC: where you surf, download... etc....
Viruses exploit the vulnerabilities of your PC to infect a system

if you wish to uninstall one antivirus in favor of another, here are a few links:

Uninstall Avast
Uninstall BitDefender
Uninstall Norton
Uninstall Kaspersky
Uninstall AVG

or all in one:

Antivirus, Firewall, Antispyware Uninstallation
_____________

If you have Vista, don’t forget to re-enable User Account Control (UAC)
___________

If you have Spybot S&D and we disabled the "Tea-timer," you can re-enable it
___________

If we have shown hidden files, don't forget to set them back to the "hidden" attribute

▶ Click on the Start menu / Control Panel / Folder Options / then in the View tab
* - Uncheck Show hidden files and folders
* - check Hide extensions for known file types
* - check Hide protected operating system files (recommended)

▶ Click on Apply, then OK.
____________

There you go,

Happy reading, see you soon, once all this is done,

you can mark the thread as resolved

Good luck and above all, be cautious and enjoy your surfing :)

--
♦G3и-н@¢км@и™©®♦
0