[Split] Sujet de pp_muscimol

[pp_muscimol]

Hello,

I hope I can write in english ....I read well French but to write it will be a big mess.

 

I read this post and I have similar problem ..... my both antiviral (Avast and Avira) did not detect it when I was opening a crack ....first time in over 5 years that an anivirus failed to detect something I got from emule....lesson taken. ...anyway

I try to install AVG last edition, SecurityCheck, Findykill, HijackThis and Combofix......all of them got an error message Invalid Win 32 application....ok ....only GMER was able to run and make a scan. At same time I started a scan online :http://www.pandasecurity.com/activescan/scan/?type=allpc

 

and now I have a pagefile in C:/ of over 4 Go (Gb)

 

I renamed FindYKill to Scanner as suggested and was able to install ..after which I followed instruction to scan and clean. After reboot the program did not restart as in the tutorial and the antivirus were still blocked.

The result of the first scan of Findykill is below.

 

 

I would tremendously appreciate your expertise dealing with this virus/trojan.

 

Thanks

 

PS: You may reply in French ..its perfectly OK for me.

 

 

############################## | FindyKill V5.006 |

 

# User : X (Administrators) # ZEUS09

# Update on 14/08/09 by Chiquitine29

# Start at: 11:46:32 | 29/08/2009

# Website : http://pagesperso-orange.fr/NosTools/index.html

 

# AMD Athlon 64 X2 Dual Core Processor 5200+

# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2

# Internet Explorer 6.0.2900.2180

# Windows Firewall Status : Enabled

# AV : Avira AntiVir PersonalEdition 8.0.1.30 [ Enabled | (!) Outdated ]

 

# C:\ # Local Fixed Disk # 117,19 Go (2,88 Go free) # NTFS

# D:\ # CD-ROM Disc # 3,67 Go (0 Mo free) [FARCRY2] # UDF

# E:\ # Local Fixed Disk

# F:\ # Removable Disk # 498,99 Mo (291,22 Mo free) # FAT32

 

############################## | Active Processes |

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\ATKKBService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\X\Application Data\drivers\winupgro.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\regedit.exe

C:\Documents and Settings\X\Application Data\m\flec006.exe

C:\Documents and Settings\X\Application Data\hidires\flec003.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

############################## | Infected processes stopped |

 

"C:\Documents and Settings\X\Application Data\drivers\winupgro.exe" (1676)

"C:\Documents and Settings\X\Application Data\m\flec006.exe" (3172)

"C:\Documents and Settings\X\Application Data\hidires\flec003.exe" (3288)

 

################## | C: |

 

Found ! D:\autorun.inf

Found ! F:\autorun.inf

 

################## | C:\WINDOWS |

 

Found ! C:\WINDOWS\Prefetch\295281.EXE-1E3249F7.pf

Found ! C:\WINDOWS\Prefetch\3088765.EXE-38B097F4.pf

Found ! C:\WINDOWS\Prefetch\342968.EXE-0222C5FA.pf

Found ! C:\WINDOWS\Prefetch\363234.EXE-0811477C.pf

Found ! C:\WINDOWS\Prefetch\447187.EXE-357F47E3.pf

Found ! C:\WINDOWS\Prefetch\FLEC003.EXE-2FD67BC8.pf

Found ! C:\WINDOWS\Prefetch\FLEC006.EXE-0865B771.pf

Found ! C:\WINDOWS\Prefetch\KEY_GENERATOR.EXE-26A31859.pf

 

################## | C:\WINDOWS\system32 |

 

 

################## | C:\WINDOWS\system32\drivers |

 

Found ! C:\WINDOWS\system32\drivers\down

 

################## | C:\Documents and Settings\X\Application Data |

 

Found ! C:\Documents and Settings\X\Application Data\drivers

Found ! C:\Documents and Settings\X\Application Data\drivers\111wfs1intwq.sys

Found ! C:\Documents and Settings\X\Application Data\drivers\11s11ro1s1a2.sys

Found ! C:\Documents and Settings\X\Application Data\drivers\downld

Found ! C:\Documents and Settings\X\Application Data\drivers\winupgro.exe

Found ! C:\Documents and Settings\X\Application Data\hidires

Found ! C:\Documents and Settings\X\Application Data\hidires\config

Found ! C:\Documents and Settings\X\Application Data\hidires\downloads.bak

Found ! C:\Documents and Settings\X\Application Data\hidires\downloads.txt

Found ! C:\Documents and Settings\X\Application Data\hidires\file.exe

Found ! C:\Documents and Settings\X\Application Data\hidires\flec003.exe

Found ! C:\Documents and Settings\X\Application Data\hidires\names.txt

Found ! C:\Documents and Settings\X\Application Data\hidires\server.txt

Found ! C:\Documents and Settings\X\Application Data\hidires\WDIR

Found ! C:\Documents and Settings\X\Application Data\m

Found ! C:\Documents and Settings\X\Application Data\m\data.oct

Found ! C:\Documents and Settings\X\Application Data\m\flec006.exe

Found ! C:\Documents and Settings\X\Application Data\m\list.oct

Found ! C:\Documents and Settings\X\Application Data\m\srvlist.oct

Found ! C:\Documents and Settings\X\Application Data\m\shared

 

################## | C:\Documents and Settings\X\Temporary Internet Files |

 

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\b64[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\b64_3[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\b64_3[2].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\ieps[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64[2].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64_1[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64_1[2].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64_mul[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\ieps[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\mxd[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\mxd[2].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64_3[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64_6[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\b64_3[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\b64_mul[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\ieps[1].jpg

Found ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\mxd[1].jpg

 

################## | Registry / Infected keys |

 

Found ! [HKLM\SYSTEM\CurrentControlSet\Services\111111s1ro1s1a]

Found ! [HKLM\SYSTEM\ControlSet001\Services\111111s1ro1s1a]

Found ! [HKLM\SYSTEM\ControlSet002\Services\111111s1ro1s1a]

Found ! [HKLM\SYSTEM\CurrentControlSet\Services\sK9Ou0s]

Found ! [HKLM\SYSTEM\ControlSet001\Services\sK9Ou0s]

Found ! [HKLM\SYSTEM\ControlSet002\Services\sK9Ou0s]

Found ! [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_111111s1ro1s1a]

Found ! [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_111111s1ro1s1a]

Found ! [HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_111111s1ro1s1a]

Found ! [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SK9OU0S]

Found ! [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SK9OU0S]

Found ! [HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S]

Found ! [HKCU\Software\bisoft]

Found ! [HKCU\Software\MuleAppData]

Found ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"

Found ! [HKU\S-1-5-21-1085031214-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"

Found ! [HKU\S-1-5-21-1085031214-1220945662-725345543-1003\Software\bisoft]

Found ! [HKU\S-1-5-21-1085031214-1220945662-725345543-1003\Software\MuleAppData]

Found ! [HKCU\Software\Local AppWizard-Generated Applications\key_generator]

Found ! [HKCU\Software\Local AppWizard-Generated Applications\winupgro]

Found ! [HKU\S-1-5-21-1085031214-1220945662-725345543-1003\Software\Local AppWizard-Generated Applications\key_generator]

Found ! [HKU\S-1-5-21-1085031214-1220945662-725345543-1003\Software\Local AppWizard-Generated Applications\winupgro]

[pear]

IL eut mieux valu créer un autre sujet .

Exceptionelement je vais vous répondre:

 

Ensuite le Nettoyage

 

Double cliquer sur le raccourci FindyKill sur le bureau

Au menu principal,choisir l'option 2 (Suppression)

 

il y aura 2 redémarrages du PC

avec Suppression des fichiers découverts et des clés de régistre infectées

Restauration du Mode sans échec et de certaines valeurs du régistre

Réparation de l'affichage des fichiers cachés

Relance des services

 

Laissez travailler l'outil jusqu'à l'apparition du message "Nettoyage effectué !"

Lisez attentivement le rapport C:\FindyKill.txt qui vous indiquera les logiciels à réparer

Ensuite postez le .

[Mark]

Hello pp_muscimol and welcome to our forum

 

If you can follow instructions is French, that's great and we'll do it that way. I will, however, split this topic and create a new one, just for you. I will send you a personnal message with a link to that new topic, so you won't be lost looking for it. I'm doing this because we can't have two members posting in the same topic ; way too confusing. In the meantime, you can do as pear suggests.

 

Traduction : Hello et bienvenue sur notre forum

Si tu peux suivre les instructions en français, tant mieux et nous poursuivrons de cette façon. Je vais néanmoins splitter (séparer) tes posts et ouvrir un nouveau sujet, juste pour toi. Je t'envoie un lien vers ce sujet par messagerie, sinon tu pourrais t'y perdre. Je fais tout ça simplement parce qu'on ne doit pas avoir deux membres qui postent dans un même sujet. Tu peux déjà appliquer les conseils de pear.

 

Merci et à plus tard.

[pp_muscimol]

Hello ...thanks for creating a topic only for my problem ...I'm honored

 

 

here is the results of the second time using FindyKill .... in the first time did not work ....I mean after rebooting the virus was still active. After the second time I was able to install AVG and SecurityCheck as usual ....when I attempted to restart in Safe Mode the computer would block with a blue screen !!!

 

The program Prevx Home is still showing the error: Reason: %1 is not a valid Win32 application. Any thoughts how to fix this?...

 

 

at the end I also included the result of SecurityCheck program ....I'm not sure my pc is totally clean ....I still found it a bit slower ...and I still have a PAGEFILE of the type "system file" with 4 Gb size that was not here before .... I will remove it unless you advise me not to!!

 

thanks for all the help given so far.

 

 

Cheers

 

 

 

 

 

 

############################## | FindyKill V5.006 |

 

# User : X (Administrators) # ZEUS09

# Update on 14/08/09 by Chiquitine29

# Start at: 19:59:34 | 29/08/2009

# Website : http://pagesperso-orange.fr/NosTools/index.html

 

# AMD Athlon 64 X2 Dual Core Processor 5200+

# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2

# Internet Explorer 6.0.2900.2180

# Windows Firewall Status : Enabled

# AV : Avira AntiVir PersonalEdition 8.0.1.30 [ Enabled | (!) Outdated ]

 

# C:\ # Local Fixed Disk # 117,19 Go (2,71 Go free) # NTFS

# D:\ # CD-ROM Disc # 3,67 Go (0 Mo free) [FARCRY2] # UDF

# E:\ # Local Fixed Disk

 

############################## | Active Processes |

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\logonui.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ATKKBService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

################## | C: |

 

(!) Not Deleted ! D:\autorun.inf

 

################## | C:\WINDOWS |

 

Deleted ! C:\WINDOWS\Prefetch\24383765.EXE-146E9F8D.pf

Deleted ! C:\WINDOWS\Prefetch\24395828.EXE-0754F8BF.pf

Deleted ! C:\WINDOWS\Prefetch\24397671.EXE-29FF598B.pf

Deleted ! C:\WINDOWS\Prefetch\24423296.EXE-2C8931EB.pf

Deleted ! C:\WINDOWS\Prefetch\24424875.EXE-2CC3B8E3.pf

Deleted ! C:\WINDOWS\Prefetch\24443781.EXE-038DA5E1.pf

Deleted ! C:\WINDOWS\Prefetch\24491843.EXE-28158708.pf

Deleted ! C:\WINDOWS\Prefetch\24496046.EXE-09B4A7E0.pf

Deleted ! C:\WINDOWS\Prefetch\24509687.EXE-04FB5C61.pf

Deleted ! C:\WINDOWS\Prefetch\FLEC006.EXE-0865B771.pf

Deleted ! C:\WINDOWS\Prefetch\WINUPGRO.EXE-17681AA8.pf

 

################## | C:\WINDOWS\system32 |

 

 

################## | C:\WINDOWS\system32\drivers |

 

Deleted ! C:\WINDOWS\system32\drivers\down

 

################## | C:\Documents and Settings\X\Application Data |

 

Deleted ! C:\Documents and Settings\X\Application Data\drivers\111wfs1intwq.sys

Deleted ! C:\Documents and Settings\X\Application Data\drivers\11s11ro1s1a2.sys

Deleted ! C:\Documents and Settings\X\Application Data\drivers\winupgro.exe

Deleted ! C:\Documents and Settings\X\Application Data\m\data.oct

Deleted ! C:\Documents and Settings\X\Application Data\m\flec006.exe

Deleted ! C:\Documents and Settings\X\Application Data\m\list.oct

Deleted ! C:\Documents and Settings\X\Application Data\m\srvlist.oct

Deleted ! C:\Documents and Settings\X\Application Data\hidires\downloads.bak

Deleted ! C:\Documents and Settings\X\Application Data\hidires\downloads.txt

Deleted ! C:\Documents and Settings\X\Application Data\hidires\file.exe

Deleted ! C:\Documents and Settings\X\Application Data\hidires\flec003.exe

Deleted ! C:\Documents and Settings\X\Application Data\hidires\names.txt

Deleted ! C:\Documents and Settings\X\Application Data\hidires\server.txt

Deleted ! C:\Documents and Settings\X\Application Data\drivers\downld

Deleted ! C:\Documents and Settings\X\Application Data\drivers

Deleted ! C:\Documents and Settings\X\Application Data\hidires\config

Deleted ! C:\Documents and Settings\X\Application Data\hidires\WDIR

Deleted ! C:\Documents and Settings\X\Application Data\hidires

Deleted ! C:\Documents and Settings\X\Application Data\m\shared

Deleted ! C:\Documents and Settings\X\Application Data\m

 

################## | Other ... |

 

# Reference of comparaison Bagle MD5 :

 

File : C:\Documents and Settings\X\Application Data\drivers\winupgro.exe

-> Crc32 : 5ff4d231 | Md5 : ad0fd710eb6a5e6724b588f9d6975325

 

 

################## | Temporary Internet Files |

 

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\b64[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\b64[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\b64_3[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\b64_3[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\b64_3[3].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\b64_3[4].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\ieps[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\07E3YEC1\mxd[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64[3].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64_1[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64_1[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64_mul[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\b64_mul[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\ieps[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\ieps[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\mxd[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\KB4DDYPS\mxd[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64_1[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64_1[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64_3[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64_3[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64_3[3].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\b64_6[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\WXVQLGBR\ieps[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\b64_3[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\b64_3[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\b64_3[3].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\b64_3[4].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\b64_3[5].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\b64_mul[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\b64_mul[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\ieps[1].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\ieps[2].jpg

Deleted ! C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\YGVTL3JR\mxd[1].jpg

 

################## | Registry / Infected keys |

 

Deleted ! [HKCU\Software\bisoft]

Deleted ! [HKCU\Software\MuleAppData]

Deleted ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"

Deleted ! [HKCU\Software\Local AppWizard-Generated Applications\key_generator]

Deleted ! [HKCU\Software\Local AppWizard-Generated Applications\winupgro]

 

################## | State / Service / Information |

 

# Safe boot mode restored restauré !

 

# Showing of hidden files : OK

 

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )

# Ip6Fw -> Start = 2 ( Good = 2 | Bad = 4 )

# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )

# wuauserv -> Start = 2 ( Good = 2 | Bad = 4 )

# wscsvc -> Start = 2 ( Good = 2 | Bad = 4 )

 

 

################## | PEH ... |

 

Corrupted : C:\cygwin\bin\ash.exe

[Offset = 00000084 - Value = 0x0001]

 

Corrupted : C:\Documents and Settings\X\Desktop\ComboFix.exe

[Offset = 000000EC - Value = 0x0001]

 

Corrupted : C:\Documents and Settings\X\Desktop\scanerhijack\scanner.exe

[Offset = 000000BC - Value = 0x0001]

 

Corrupted : C:\Documents and Settings\X\My Documents\DVDVideoSoft\Cleaner.exe

[Offset = 00000204 - Value = 0x0001]

 

Corrupted : C:\home\cygwin\bin\ash.exe

[Offset = 00000084 - Value = 0x0001]

 

Corrupted : C:\Program Files\Avast4\ashAvast.exe

[Offset = 0000010C - Value = 0x0001]

 

Corrupted : C:\Program Files\Avast4\ashQuick.exe

[Offset = 0000010C - Value = 0x0001]

 

Corrupted : C:\Program Files\Avira\AntiVir PersonalEdition Classic\avadmin.exe

[Offset = 00000114 - Value = 0x0001]

 

Corrupted : C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe

[Offset = 00000144 - Value = 0x0001]

 

Corrupted : C:\Program Files\Avira\AntiVir PersonalEdition Classic\avconfig.exe

[Offset = 00000114 - Value = 0x0001]

 

Corrupted : C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[Offset = 0000011C - Value = 0x0001]

 

Corrupted : C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

[Offset = 0000011C - Value = 0x0001]

 

Corrupted : C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe

[Offset = 0000011C - Value = 0x0001]

 

Corrupted : C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe

[Offset = 0000012C - Value = 0x0001]

 

Corrupted : C:\Program Files\Avira\AntiVir PersonalEdition Classic\guardgui.exe

[Offset = 00000104 - Value = 0x0001]

 

Corrupted : C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

[Offset = 00000114 - Value = 0x0001]

 

Corrupted : C:\Program Files\DeskSpace\uninstaller.exe

[Offset = 000000D4 - Value = 0x0001]

 

Corrupted : C:\Program Files\InCode Solutions\RemoveIT Pro v4 - SE\removeit.exe

[Offset = 00000104 - Value = 0x0001]

 

Corrupted : C:\Program Files\Prevx Home\PXAgent.exe

[Offset = 0000010C - Value = 0x0001]

 

Corrupted : C:\Program Files\Prevx Home\PXL1.exe

[Offset = 000000E4 - Value = 0x0001]

 

Corrupted : C:\WINDOWS\$hf_mig$\KB912812\update\update.exe

[Offset = 000000E4 - Value = 0x0001]

 

Attempt of repair...

Backup : update.exe.REN

[Offset = 000000E4 - New value = 0x4C01]

File repaired successfully.

 

 

 

################## | Cracks / Keygens / Serials |

 

"C:\Documents and Settings\X\Desktop\lixo\Microcal Origin 7 + crack\Microcal Origin 7\"OriginCD.exe""

15/02/2002 21:48 |Size 606208 |Crc32 62ed6da5 |Md5 fdc01ded78f8ecaff25b04ccb9ad914a

 

"C:\Documents and Settings\X\Desktop\lixo\Microcal Origin 7 + crack\Microcal Origin 7\Crack\OriginLab.Peak.Fitting.Module.v7.1.Plus.OriginPro.v7.0.Service.Patch.1.WinA

ll\Service.Patch.1\"v7patch1.exe""

17/05/2002 15:44 |Size 4555797 |Crc32 253271d6 |Md5 9f2d1dea359628ca54522b1fe008707e

 

"C:\Documents and Settings\X\Desktop\lixo\Microcal Origin 7 + crack\Microcal Origin 7\English\Information\"rp500enu.exe""

10/08/2001 00:01 |Size 10236296 |Crc32 4f2cff82 |Md5 32467a23035acb9f8366d7f2200464b2

 

"C:\Documents and Settings\X\Desktop\lixo\Microcal Origin 7 + crack\Microcal Origin 7\English\Origin70Setup\"Setup.exe""

16/05/2000 23:37 |Size 46080 |Crc32 25a79781 |Md5 e41da9e19fdf91a2e0453da0ec039c8d

 

 

################## | End of Report # FindyKill V5.006 ! |

[Mark]

Nice job

 

Je pense que c'est PrevX qui a causé les problèmes lors du premier lancement de FindyKill ; ce programme utilise une technologie HIPS qui peut bloquer des outils, surtout lorsque Bagle l'attaque. Tu devras désinstaller PrevX et le réinstaller, mais ne le réinstalle pas tout de suite car il pourrait nous gêner pour la suite.

 

Bagle tue les antivirus et pares-feu. Je ne sais plus trop quel antivirus est présent sur ta machine, mais je pense que tu as AVG en ce moment et qu'il tourne bien, alors désinstalle les autres si toujours présents (AntiVir et Avast!). Tu ne peux avoir qu'un seul antivirus actif sur ta machine.

 

As-tu fait un scan avec AVG ? Si oui, a-t-il trouvé quelque chose ?

 

Je n'ai pas vu ton rapport de SecurityCheck : pourrais-tu le poster ici, après désinstallation de PrevX et autres antivirus (sauf AVG) ?

 

Merci

[pear]

Bonsoir,

 

Corrupted : C:\Documents and Settings\X\Desktop\ComboFix.exe

 

Veuillez noter que ce logiciel est régulièrement mis à jour et que la version que vous allez charger sera obsolète dans quelques jours.

Pour supprimer Combofix:

Démarrer > Exécuter ->combofix.exe /u

Valider par OK

ComboFix démarre et affiche un message disant que ComboFix est bien éliminé: cliquer sur

OK.

Supprimez C:\qoobox si vous le trouvez

 

 

Vous allez télécharger Combofix.

Ce logiciel est très puissant et ne doit pas être utilisé sans une aide compétente sous peine de risquer des dommages irréversibles.

Veuillez noter que ce logiciel est régulièrement mis à jour et que la version que vous allez charger sera obsolète dans quelques jours.

Avant de l'installer,lisez ce Mode opératoire:

 

Télécharger combofix.exe de sUBs

 

Vous devriez avoir une fenêtre vous avertissant que vous téléchargez Combofix depuis un site non-autorisé.

N'en tenez pas compte

 

Lancez Combofix en double cliquant

 

Tout d'abord, Combofix vérifie si la Console de récupération est installée et vous propose de le faire dans le cas contraire.

Certaines infections comme braviax empêcheront son installation.

Les utilisateurs de Windows Vista peuvent utiliser leur CD Windows pour démarrer en mode Vista Recovery Environment (Environnement de réparation Vista)

La Console de récupération Windows vous permettra de démarrer dans un mode spécial de récupération (réparation).

Elle peut être nécessaire si votre ordinateur rencontre un problème après une tentative de nettoyage.

C'est une procédure simple, qui ne vous prendra que peu de temps et pourra peut-être un jour vous sauver la mis

 

Certaines infections (Rootkit en Mbr)ne peuvent être traitées qu'en utilisant la Console de Récupération,

D'importantes procédures que Combofix est susceptible de lancer ne fonctionneront qu'à la condition que la console de récupération(Sous Xp) soit installée

C'est pourquoi il vous est vivement conseillé d' installer d'abord la Console de Récupération sur le pc .

 

Cela permettra de réparer le système au cas ou le pc ne redémarrerait plus suite à la désinfection.

* Après avoir cliqué sur le lien correspondant à votre version de Windows, vous serez dirigé sur une page:

cliquez sur le bouton Télécharger afin de récupérer le package d'installation sur leBureau:

Ne modifiez pas le nom du fichier

Windows XP Service Pack 2 (SP2) > Microsoft Windows XP Professionnel SP2

* Faites un glisser/déposer de ce fichier sur le fichier ComboFix.exe

 

 

* Suivre les indications à l'écran pour lancer ComboFix et lorsqu'on le demande, accepter le Contrat de Licence d'Utilisateur Final pour installer la Console de Récupération Microsoft.

Après installation,vous devriez voir ce message:

The Recovery Console was successfully installed.

 

Fermez ou désactivez tous les programmes Antivirus, Antispyware, Pare-feu actifs ,Teatimer de Spybot car ils pourraient perturber le fonctionnement de cet outil

* Pour cela, faites un clic droit sur l'icône de l'antivirus en bas à droite à côté de l'horloge puis Disable Guard ou Shield ou Résident...

Pour éviter leur réactivation après un redémarrage, décochez les dans les options de démarrage ->Msconfig

Si vous utilisez Spybot

Pour désactiver TeaTimer qui ne set à rien et peut faire échouer une désinfection:!

Afficher d'abord le Mode Avancé dans SpyBot

->Options Avancées :

- >menu Mode, Mode Avancé.

Une colonne de menus apparaît dans la partie gauche :

- >cliquer sur Outils,

- >cliquer sur Résident,

Dans Résident :

- >décocher Résident "TeaTimer" pour le désactiver.

 

Cela est absolument nécessaire au succès de la procédure.

Bien évidemment, vous les rétablirez ensuite.

Connecter tous les disques amovibles (disque dur externe, clé USB…).

*Double cliquer sur combofix.exe ou votrenom .exe pour le lancer.

 

 

Ne pas fermer la fenêtre qui vient de s'ouvrir , le bureau serait vide et cela pourrait entraîner un plantage du programme!

Pour lancer le scan

 

* Taper sur la touche 1 pour démarrer le scan.

Si pour une raison quelconque, Vista par exemple, combofix ne se lançait pas,

Démarrez en mode sans échec, choisissez le compte Administrateur, lancez Combofix

Lorsque ComboFix tourne, ne touchez plus du tout à votre ordinateur, vous risqueriez de planter le programme.

 

* Le scan pourrait prendre un certain temps:Soyez patient!

A la fin,,un rapport sera généré : postez en le contenu dans un prochain message.

* Si le rapport est trop long, postez le en deux fois.

Il se trouve à c:\combofix.txt

[pp_muscimol]

Thanks Mark,

indeed I forgot to insert the lo...here you have it. Now I have AVG active and Avira is on stand by.

 

Dear pear ....thanks for your post ....I found a bit confusing that you give me some instructions in black regular captions just until "Supprimez C:\qoobox si vous le trouvez"

 

The AVG medium level scan did not detect any problem.....

 

 

and then you use a colored text that I don't know if they are instructions that I must and I repeat I mus do or if they are just informative. Could you please confirm that is your suggestion to install again Combofix or is just a regular text that you give as extra information. ....

 

Thanks .. I appreciate all your help ..

Mark is a name a little anglophone isn't it?

 

 

 

 

 

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 2

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG Free 8.5

Avira AntiVir Personal - Free Antivirus

Prevx Home

Antivirus out of date!

``````````````````````````````

Anti-malware/Other Utilities Check:

Spybot - Search & Destroy

CCleaner (remove only)

Java 6 Update 11

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

AVG avgemc.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

 

`````````End of Log```````````

[pp_muscimol]

PrevX....yes ...although I disabled Prevx I sow that kept over 43 attempts of registry modification blocked ....I disabled it before rebooting....very good program it saved me already from a couple of attacks but the newest copy is not free and I only have this 5 years old version. If you know a similar program freeware please let me know.

 

Thanks

[pear]

Bonjour,

 

Je vous demande de désinstaller votre combofix corrompu : c'est le texte en noir

et d'en lancer une nouvelle version à jour.

C'est le texte en couleur

[pp_muscimol]

"Ce logiciel est très puissant et ne doit pas être utilisé sans une aide compétente sous peine de risquer des dommages irréversibles."

 

 

Ca fait peur .....why should I run this program if the PC is fine now??!!

 

I run AVG and FindYkill and there is no more contaminations with virus or trojans ....

 

do you strongly recommend using Combofix ??? .....Combo was never installed in this computer.

 

cheers

 

 

 

 

 

############################## | FindyKill V5.006 |

 

# User : X (Administrators) # ZEUS09

# Update on 14/08/09 by Chiquitine29

# Start at: 22:33:01 | 30/08/2009

# Website : http://pagesperso-orange.fr/NosTools/index.html

 

# AMD Athlon 64 X2 Dual Core Processor 5200+

# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2

# Internet Explorer 6.0.2900.2180

# Windows Firewall Status : Enabled

# AV : AVG Anti-Virus Free 8.5 [ Enabled | Updated ]

# AV : Avira AntiVir PersonalEdition 8.0.1.30 [ Enabled | (!) Outdated ]

 

# C:\ # Local Fixed Disk # 117,19 Go (3,88 Go free) # NTFS

# D:\ # CD-ROM Disc

# E:\ # Local Fixed Disk

# F:\ # Local Fixed Disk # 167,13 Go (30,32 Go free) [Local Disk] # NTFS

# G:\ # Local Fixed Disk # 112,34 Go (112,27 Go free) [fedora] # NTFS

 

############################## | Active Processes |

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ATKKBService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

################## | C: |

 

 

################## | C:\WINDOWS |

 

 

################## | C:\WINDOWS\system32 |

 

 

################## | C:\WINDOWS\system32\drivers |

 

 

################## | C:\Documents and Settings\X\Application Data |

 

 

################## | C:\Documents and Settings\X\Temporary Internet Files |

 

 

################## | Registry / Infected keys |

 

 

################## | State / Service / Information |

 

# Showing of hidden files : OK

 

# Safe boot mode : OK

 

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )

# Ip6Fw -> Start = 2 ( Good = 2 | Bad = 4 )

# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )

# wuauserv -> Start = 2 ( Good = 2 | Bad = 4 )

# wscsvc -> Start = 2 ( Good = 2 | Bad = 4 )

 

 

################## | Cracks / Keygens / Serials |

 

"C:\Documents and Settings\X\Desktop\lixo\Microcal Origin 7 + crack\Microcal Origin 7\"OriginCD.exe""

15/02/2002 21:48 |Size 606208 |Crc32 62ed6da5 |Md5 fdc01ded78f8ecaff25b04ccb9ad914a

 

"C:\Documents and Settings\X\Desktop\lixo\Microcal Origin 7 + crack\Microcal Origin 7\Crack\OriginLab.Peak.Fitting.Module.v7.1.Plus.OriginPro.v7.0.Service.Patch.1.WinA

ll\Service.Patch.1\"v7patch1.exe""

17/05/2002 15:44 |Size 4555797 |Crc32 253271d6 |Md5 9f2d1dea359628ca54522b1fe008707e

 

"C:\Documents and Settings\X\Desktop\lixo\Microcal Origin 7 + crack\Microcal Origin 7\English\Information\"rp500enu.exe""

10/08/2001 00:01 |Size 10236296 |Crc32 4f2cff82 |Md5 32467a23035acb9f8366d7f2200464b2

 

"C:\Documents and Settings\X\Desktop\lixo\Microcal Origin 7 + crack\Microcal Origin 7\English\Origin70Setup\"Setup.exe""

16/05/2000 23:37 |Size 46080 |Crc32 25a79781 |Md5 e41da9e19fdf91a2e0453da0ec039c8d

 

 

################## | End of Report # FindyKill V5.006 ! |