

pp_muscimol
Everything posted by pp_muscimol
[Split] Topic by pp_muscimol
pp_muscimol replied to a topic by pp_muscimol in Analyses et éradication malwares
OK, OK... if you think it's necessary I will do it... after installing my new Fedora 11 and passing the ghost image of this HD to a new one... I'll post the results here. Thanks
[Split] Topic by pp_muscimol
pp_muscimol replied to a topic by pp_muscimol in Analyses et éradication malwares
Yes... you were right... it was an attempt to install Combo, but it was aborted by the virus or by Prevx... anyway it is not installed and I removed ComboFix.exe... If you tell me that ComboFix is the ultimate program to see if there is anything left over from the virus, only in that case will I run it... otherwise I prefer not to run Combo if it can put the PC in danger... I'm now making a ghost image of this HD to copy to a new HD... for an ultimate backup. Cheers and thanks again
[Split] Topic by pp_muscimol
pp_muscimol replied to a topic by pp_muscimol in Analyses et éradication malwares
"This software is very powerful and must not be used without competent help, at the risk of irreversible damage." That's scary... why should I run this program if the PC is fine now??!! I ran AVG and FindyKill and there are no more contaminations with viruses or trojans... do you strongly recommend using ComboFix??? ... Combo was never installed on this computer. Cheers

############################## | FindyKill V5.006 |
# User : X (Administrators) # ZEUS09
# Update on 14/08/09 by Chiquitine29
# Start at: 22:33:01 | 30/08/2009
# Website : http://pagesperso-orange.fr/NosTools/index.html
# AMD Athlon 64 X2 Dual Core Processor 5200+
# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2
# Internet Explorer 6.0.2900.2180
# Windows Firewall Status : Enabled
# AV : AVG Anti-Virus Free 8.5 [ Enabled | Updated ]
# AV : Avira AntiVir PersonalEdition 8.0.1.30 [ Enabled | (!) Outdated ]
# C:\ # Local Fixed Disk # 117,19 Go (3,88 Go free) # NTFS
# D:\ # CD-ROM Disc
# E:\ # Local Fixed Disk
# F:\ # Local Fixed Disk # 167,13 Go (30,32 Go free) [Local Disk] # NTFS
# G:\ # Local Fixed Disk # 112,34 Go (112,27 Go free) [fedora] # NTFS
[Split] Topic by pp_muscimol
pp_muscimol replied to a topic by pp_muscimol in Analyses et éradication malwares
Prevx... yes... although I disabled Prevx I saw that it kept over 43 attempts at registry modification blocked... I disabled it before rebooting... very good program, it has already saved me from a couple of attacks, but the newest copy is not free and I only have this 5-year-old version. If you know a similar freeware program please let me know. Thanks
[Split] Topic by pp_muscimol
pp_muscimol replied to a topic by pp_muscimol in Analyses et éradication malwares
Thanks Mark, indeed I forgot to insert the lo... here you have it. Now I have AVG active and Avira is on standby. Dear pear... thanks for your post... I found it a bit confusing that you give me some instructions in black regular captions just until "Delete C:\qoobox if you find it" (the AVG medium-level scan did not detect any problem...) and then you use colored text that I don't know if they are instructions that I must (and I repeat, must) do, or if they are just informative. Could you please confirm whether your suggestion is to install ComboFix again, or whether it is just regular text that you give as extra information... Thanks... I appreciate all your help... Mark is a slightly anglophone name, isn't it?

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG Free 8.5
Avira AntiVir Personal - Free Antivirus
Prevx Home
Antivirus out of date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
CCleaner (remove only)
Java 6 Update 11
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check: objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
[Split] Topic by pp_muscimol
pp_muscimol replied to a topic by pp_muscimol in Analyses et éradication malwares
Hello... thanks for creating a topic only for my problem... I'm honored. Here are the results of the second time using FindyKill... the first time it did not work... I mean after rebooting the virus was still active. After the second time I was able to install AVG and SecurityCheck as usual... when I attempted to restart in Safe Mode the computer would block with a blue screen!!! The program Prevx Home is still showing the error: Reason: %1 is not a valid Win32 application. Any thoughts on how to fix this?... At the end I also included the result of the SecurityCheck program... I'm not sure my PC is totally clean... I still find it a bit slower... and I still have a PAGEFILE of the type "system file" with a 4 Gb size that was not here before... I will remove it unless you advise me not to!! Thanks for all the help given so far. Cheers

############################## | FindyKill V5.006 |
# User : X (Administrators) # ZEUS09
# Update on 14/08/09 by Chiquitine29
# Start at: 19:59:34 | 29/08/2009
# Website : http://pagesperso-orange.fr/NosTools/index.html
# AMD Athlon 64 X2 Dual Core Processor 5200+
# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2
# Internet Explorer 6.0.2900.2180
# Windows Firewall Status : Enabled
# AV : Avira AntiVir PersonalEdition 8.0.1.30 [ Enabled | (!) Outdated ]
# C:\ # Local Fixed Disk # 117,19 Go (2,71 Go free) # NTFS
# D:\ # CD-ROM Disc # 3,67 Go (0 Mo free) [FARCRY2] # UDF
# E:\ # Local Fixed Disk
Hello, I hope I can write in English... I read French well, but writing it would be a big mess. I read this post and I have a similar problem... both my antiviruses (Avast and Avira) did not detect it when I was opening a crack... the first time in over 5 years that an antivirus failed to detect something I got from eMule... lesson taken... Anyway, I tried to install the latest edition of AVG, SecurityCheck, FindyKill, HijackThis and ComboFix... all of them got an error message "Invalid Win32 application"... OK... only GMER was able to run and make a scan. At the same time I started an online scan: http://www.pandasecurity.com/activescan/scan/?type=allpc and now I have a pagefile in C:/ of over 4 Go (Gb). I renamed FindyKill to Scanner as suggested and was able to install it... after which I followed the instructions to scan and clean. After reboot the program did not restart as in the tutorial and the antiviruses were still blocked. The result of the first scan of FindyKill is below. I would tremendously appreciate your expertise in dealing with this virus/trojan. Thanks. PS: You may reply in French... it's perfectly OK for me.

############################## | FindyKill V5.006 |
# User : X (Administrators) # ZEUS09
# Update on 14/08/09 by Chiquitine29
# Start at: 11:46:32 | 29/08/2009
# Website : http://pagesperso-orange.fr/NosTools/index.html
# AMD Athlon 64 X2 Dual Core Processor 5200+
# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2
# Internet Explorer 6.0.2900.2180
# Windows Firewall Status : Enabled
# AV : Avira AntiVir PersonalEdition 8.0.1.30 [ Enabled | (!) Outdated ]
# C:\ # Local Fixed Disk # 117,19 Go (2,88 Go free) # NTFS
# D:\ # CD-ROM Disc # 3,67 Go (0 Mo free) [FARCRY2] # UDF
# E:\ # Local Fixed Disk
# F:\ # Removable Disk # 498,99 Mo (291,22 Mo free) # FAT32