# Data execution prevention error



## force123

There's a folder on my computer, and every time I open it I keep getting this error:

If I don't click on "close message" I can browse the folder, but if I click on it, I get this: (I made a pic of all of it)

It is the first time I've seen such a thing, and it happens ONLY in that folder (G:\incoming).

I've run ComboFix, and HijackThis after ComboFix.
Can anyone tell me what this is and how I fix it?

*ComboFix log:*

ComboFix 08-08-12.01 - Alborz 2008-08-13 22:25:18.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1256.981.1033.18.2920 [GMT 4.5:30]
Running from: F:\Softwares\ComboFix & Friends\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((   Files Created from 2008-07-13 to 2008-08-13  )))))))))))))))))))))))))))))))
.

2008-08-12 10:31 . 2008-08-12 10:31	<DIR>	d--------	E:\Documents and Settings\Alborz\Application Data\ImgBurn
2008-08-10 21:30 . 2004-10-12 14:40	2,255,360	--a------	E:\WINDOWS\system32\libavcodec.dll
2008-08-10 21:30 . 2004-10-12 14:46	1,761,280	--a------	E:\WINDOWS\system32\ffdshow.ax
2008-08-10 21:30 . 2004-10-05 16:16	395,776	--a------	E:\WINDOWS\system32\libmplayer.dll
2008-08-10 21:30 . 2004-10-12 14:42	262,144	--a------	E:\WINDOWS\system32\TomsMoComp_ff.dll
2008-08-10 21:30 . 2003-04-03 00:17	172,032	--a------	E:\WINDOWS\system32\ac3filter.ax
2008-08-10 21:30 . 2004-10-04 01:50	112,640	--a------	E:\WINDOWS\system32\libmpeg2_ff.dll
2008-08-10 21:30 . 2008-08-12 15:06	54,156	--ah-----	E:\WINDOWS\QTFont.qfn
2008-08-10 21:30 . 2008-08-10 21:30	1,409	--a------	E:\WINDOWS\QTFont.for
2008-08-10 18:55 . 2008-08-10 18:55	<DIR>	d--h-----	E:\WINDOWS\PIF
2008-08-02 15:54 . 2007-07-12 22:33	87,552	--a------	E:\WINDOWS\system32\cpwmon2k.dll
2008-08-02 15:53 . 2008-08-02 15:53	<DIR>	d--------	E:\Program Files\GPLGS
2008-07-24 11:41 . 2008-08-02 15:53	<DIR>	d--------	E:\Program Files\Acro Software
2008-07-23 00:32 . 2008-07-23 01:21	<DIR>	d--------	E:\Documents and Settings\Alborz\Application Data\Hamachi
2008-07-23 00:32 . 2008-07-23 00:32	25,280	--a------	E:\WINDOWS\system32\drivers\hamachi.sys
2008-07-22 05:12 . 2008-07-22 05:12	42,320	--a------	E:\WINDOWS\system32\xfcodec.dll
2008-07-17 11:48 . 2008-07-17 11:48	<DIR>	d--------	E:\Documents and Settings\Alborz\Application Data\TmpRecentIcons

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 16:25	---------	d-----w	E:\Documents and Settings\Alborz\Application Data\FileZilla
2008-08-13 08:48	---------	d-----w	E:\Documents and Settings\Alborz\Application Data\MySQL
2008-08-13 06:09	---------	d-----w	E:\Documents and Settings\Alborz\Application Data\uTorrent
2008-08-12 08:11	---------	d-----w	E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-11 19:19	---------	d-----w	E:\Documents and Settings\Alborz\Application Data\Xfire
2008-08-10 17:43	6,006	-csha-w	E:\WINDOWS\system32\KGyGaAvL.sys
2008-07-31 12:40	---------	d---a-w	E:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 17:58	---------	d-----w	E:\Documents and Settings\Alborz\Application Data\IcoFX
2008-07-04 10:54	---------	d-----w	E:\Program Files\Common Files\Adobe
2008-07-04 10:54	---------	d-----w	E:\Documents and Settings\Alborz\Application Data\AdobeUM
2007-08-09 07:55	8	--sh--r	E:\WINDOWS\system32\85FC424469.sys
.

------- Sigcheck -------

2004-09-01 12:30  359040  7b11118b078b88f87183fe69eda43137	E:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-09-01 12:30 15360]
"IECheck"="E:\WINDOWS\IECheck.exe" [2005-11-17 20:40 108544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 12:30 208952]
"PHIME2002ASync"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 12:30 455168]
"PHIME2002A"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 12:30 455168]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2008-01-08 22:23 8523776]
"RemoteControl"="f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"VirtualCloneDrive"="f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 17:51 94208]
"CloneCDTray"="f:\Program Files\CloneCD\CloneCDTray.exe" [2005-05-19 18:17 57344]
"ISUSPM Startup"="E:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2007-09-24 11:41 282624]
"NeroFilterCheck"="E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51 1836328]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2008-01-08 22:23 81920]
"nwiz"="nwiz.exe" [2008-01-08 22:23 1626112 E:\WINDOWS\system32\nwiz.exe]
"FmctrlTray"="Fmctrl.EXE" [2001-11-06 16:57 270336 E:\WINDOWS\system32\fmctrl.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-09-01 12:30 15360]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"VIDC.ACDV"= ACDV.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"msacm.l3codec"= l3codecp.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"E:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"E:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\wa\\WA.exe"=
"F:\\Program Files\\Yahoo! Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo! Messenger\\YServer.exe"=

R1 Cinemsup;Cinemsup;E:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 08:10]
R2 Apache2.2;Apache2.2;E:\Program Files\Apache2.2\bin\httpd.exe [2007-09-05 09:59]
R2 MySQL5;MySQL5;E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=E:\Program Files\MySQL\MySQL Server 5.0\my.ini MySQL5 []
R3 gameport;Genius SM-Live Series PCI Joystick;E:\WINDOWS\system32\DRIVERS\fmjoy.sys [2001-10-31 10:11]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;E:\WINDOWS\system32\DRIVERS\SkyNET.SYS [2006-03-14 05:52]
R3 wdm_fm801;Genius SM-Live Series PCI Audio (WDM);E:\WINDOWS\system32\drivers\fm801.sys [2001-08-17 01:30]
S1 rxp;rxp;E:\WINDOWS\system32\drivers\rxp.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3e0f2a-35e3-11dd-aa6b-00d0d714a718}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{660b21a9-4989-11dc-a765-00d0d714a718}]
\Shell\AutoRun\command - P:\autorun.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\Alborz\Application Data\Mozilla\Firefox\Profiles\a58asg4q.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - 


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 22:26:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="E:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="E:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
"ImagePath"="\"E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"E:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL5"
.
Completion time: 2008-08-13 22:26:46
ComboFix-quarantined-files.txt  2008-08-13 17:56:33
ComboFix2.txt  2008-08-12 08:43:48

Pre-Run: 65,810,497,536 bytes free
Post-Run: 65,942,835,200 bytes free

136
*HijackThis log:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:22, on 2008-08-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\VirtualCloneDrive\VCDDaemon.exe
E:\WINDOWS\system32\Fmctrl.EXE
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Apache2.2\bin\httpd.exe
E:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\Program Files\Apache2.2\bin\httpd.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PSIService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\FileZilla Client\filezilla.exe
E:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
F:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - f:\Program Files\FLV Downloader\MoyeaCth.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - f:\PROGRA~1\LONGMA~1\LAD001PE\setup\qf\IEHelp.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "f:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "E:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IECheck] E:\WINDOWS\IECheck.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33DECB99-D7B7-4170-B79D-8D7848592871}: NameServer = 81.12.74.3 62.220.100.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE40051E-E6D6-4EA2-B283-08CDF7E28DB4}: NameServer = 217.218.127.104,4.2.2.4
O23 - Service: Apache2.2 - Apache Software Foundation - E:\Program Files\Apache2.2\bin\httpd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - F:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: MySql - Unknown owner - E:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - E:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - E:\WINDOWS\system32\PSIService.exe

--
End of file - 7770 bytes


----------



## magna86

Log is good...
You must repair Windows... or reinstall Windows!


----------



## Vizy

1.	Click Start, click Run, type sysdm.cpl, and then click OK.
2.	Click the Advanced tab, click Performance, and then click Settings.
3.	In Performance Options, click the Data Execution Prevention tab, and then click *Turn on DEP for essential Windows programs and services only*.

You might be prompted for a restart. Try that.


----------



## force123

It is already on *Turn on DEP for essential Windows programs and services only*.

However, this is not solving the problem. I don't know why the problem is only for that folder!


----------



## cohen

One thing I just want to point out: wait for ceewi1, punk or gamemaster to come along and they will confirm if the log is clean; if not, they will suggest what to do.


----------



## Punk

Your log isn't clean, I spotted the Trojan.Downloader by a quick look. If Ceewi1 or GameMaster doesn't reply by this afternoon (France time) I'll post instructions.


----------



## Punk

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet.)*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account.


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> E:\WINDOWS\QTFont.qfn
> E:\WINDOWS\QTFont.for



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*


*Upload files to Jotti:*

Please upload a file for scanning:
Open virusscan.jotti
Copy/paste this file and path into the white box at the top:
*bad_file*

Press *Submit* - this will submit the file for testing.
Please wait for all the scanners to finish, then copy and paste the results in your next response.

Please do this with each of these files, one at a time:

*E:\WINDOWS\system32\libmpeg2_ff.dll
E:\WINDOWS\system32\TomsMoComp_ff.dll*

Save the reports and send them with your next reply.
*Note:* If Jotti is busy, you can use VirusTotal instead.


Can you tell me what's in the E:\WINDOWS\PIF folder?


Punk


----------



## force123

The PIF folder is empty. I've looked inside it with all hidden and system protected files showing, so nothing is in there.

Jotti found nothing for both files, and gave me status OK: "Found nothing" in front of all virus scans for both files.

Here's the *Avenger log*:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "E:\WINDOWS\QTFont.qfn" deleted successfully.
File "E:\WINDOWS\QTFont.for" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


----------



## Punk

Ok

How is your system running?

Let's get a log from Kaspersky to see if anything is left.

*Run Kaspersky Online AV Scanner*
Using *Internet Explorer*, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the *Accept* button at the end of the page.

_Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%._

Read the *Requirements and limitations* before you click *Accept*.
Allow the ActiveX download if necessary.
Once the database has downloaded, click *Next*.
Click *Scan Settings* and change the "*Scan using the following antivirus database*" from *standard* to *extended* and then click *OK*.
Click on "*My Computer*" and then put the kettle on!
When the scan has completed, click *Save Report As...*
Enter a name for the file in the *Filename:* text box and then click the down arrow to the right of *Save as type:* and select *text file (*.txt)*
Click *Save* - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


----------



## magna86

Hi @punk,
sorry to disturb...
Can you please show me the infected line in HjT?
I don't see anything in the HjT log except this unnecessary line:

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

Thanks for the reply


----------



## Punk

magna86 said:


> Hi @punk,
> sorry to disturb...
> Can you please show me the infected line in HjT?
> I don't see anything in the HjT log except this unnecessary line:
> 
> O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
> 
> Thanks for the reply



I saw it in the ComboFix log.

HijackThis doesn't usually show the Trojan.Downloader infection. If you have other questions, PM me; let's not hijack this thread.

PS: I don't mind the disruption, I'm glad to help.
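Punk says he spotted the infection in the ComboFix log rather than in HijackThis. As an added example (not from this thread and not ComboFix's own code), here is a small Python triage script that flags the kinds of ComboFix/HJT lines worth a second look in the log posted above: Security Center notifications switched off, the firewall disabled, a service whose file ComboFix could not find (the empty `[]` after rxp.sys), removable-drive AutoRun handlers under mountpoints2 that launch an executable kept on the drive (sunny.exe here), and O23 services marked "(file missing)". The rule set and severities are my assumptions, and the sample input is constructed from lines in the log.

```python
"""Triage a ComboFix / HijackThis log for the indicators this thread turns on.

Added example, not part of the thread and not ComboFix's own code. The rules
are assumptions drawn from what the posted log shows:
  * Security Center notifications switched off and the Windows Firewall disabled
  * a service whose file ComboFix could not stat (empty "[]" after the path)
  * AutoRun handlers under mountpoints2, i.e. a removable drive set up to run
    an executable stored on the drive when it is opened
  * HijackThis O23 services marked "(file missing)"
"""
import re
from typing import List, Tuple

# Constructed sample, shaped on lines from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 Cinemsup;Cinemsup;E:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 08:10]
S1 rxp;rxp;E:\WINDOWS\system32\drivers\rxp.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3e0f2a-35e3-11dd-aa6b-00d0d714a718}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe

O23 - Service: MySql - Unknown owner - E:/mysql/bin/mysqld-nt.exe (file missing)
"""

Finding = Tuple[str, str, str]  # (severity, rule, offending line)

# "R1 name;display;path [stamp]" -- ComboFix prints "[]" when it cannot find the file.
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$")
# "\Shell\AutoRun\command - <what runs when the drive is opened>"
AUTORUN_RE = re.compile(r"^\\Shell\\(Auto|AutoRun|Open)\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry section, and collect findings."""
    findings: List[Finding] = []
    section = ""  # lower-cased "[...]" header of the block we are currently in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = ""  # ComboFix separates blocks with blank lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        if "security center" in section and "DisableNotify" in line and line.endswith("00000001"):
            findings.append(("medium", "security-center-notify-disabled", line))
        elif "firewallpolicy" in section and line.startswith('"EnableFirewall"') and "0 (0x0)" in line:
            findings.append(("medium", "firewall-disabled", line))
        elif "mountpoints2" in section and AUTORUN_RE.match(line):
            findings.append(("high", "removable-drive-autorun", line))
        elif line.startswith("O23") and line.endswith("(file missing)"):
            findings.append(("low", "hjt-service-file-missing", line))
        else:
            m = SERVICE_RE.match(line)
            if m and not m.group("stamp"):
                findings.append(("high", "service-file-missing", line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per rule, for a quick 'is this log clean?' glance."""
    counts: dict = {}
    for _severity, rule, _line in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for severity, rule, line in results:
        print(f"{severity:<6} {rule:<32} {line}")
    print(summarize(results))
```

A hit is a prompt to look closer, not a verdict: the "(file missing)" MySql service in this log is a leftover install, while the AutoRun entries and the unresolvable driver are the ones a helper would ask about first.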


----------



## force123

I still have the problem, like nothing has changed from the start.

*Online Kaspersky log:*

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Friday, August 15, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Friday, August 15, 2008 11:57:01
 Records in database: 1095198
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	A:\
	C:\
	D:\
	E:\
	F:\
	G:\
	H:\
	I:\
	J:\
	K:\
	L:\
	N:\
	O:\
	P:\

Scan statistics:
	Files scanned: 274829
	Threat name: 7
	Infected objects: 40
	Suspicious objects: 0
	Duration of the scan: 02:42:32


File name / Threat name / Threats count
E:\WINDOWS\system32\Kernel.vbs	Infected: Virus.VBS.Small.f	1
F:\Softwares\EmEditor\Torrent\keygen.exe	Infected: not-a-virusSWTool.Win32.PasswordsPro.q	1
F:\Softwares\EmEditor\Torrent\setup.msi	Infected: not-a-virusSWTool.Win32.PasswordsPro.q	1
F:\Softwares\FLV Downloader\FLVDownloader_Install.exe	Infected: Backdoor.Win32.Sheldor.bj	1
F:\Softwares\FLV Downloader\Moyea FLV Downloader1.11.0.9-Setup.exe	Infected: Backdoor.Win32.Sheldor.bj	1
F:\Softwares\WeatherStudio\weatherstudio.exe	Infected: not-a-virus:AdWare.Win32.Comet.bo	1
G:\Emergency\HTML\7gL\agardoon\homedir\mail\new\1204478938.H167720P3829.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL\agardoon\homedir\mail\new\1204735028.H188359P32304.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL\agardoon\homedir\mail\new\1204785802.H862697P4518.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL\agardoon\homedir\mail\new\1204988364.H755807P22928.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL\agardoon\homedir\mail\new\1205389937.H733933P28896.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL\agardoon\homedir\mail\new\1205391854.H679864P31630.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL\agardoon\homedir\mail\new\1205647339.H122950P10907.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL\agardoon\homedir\mail\new\1205735156.H859750P26786.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL1\agardoon\homedir\mail\new\1204478938.H167720P3829.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL1\agardoon\homedir\mail\new\1204735028.H188359P32304.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL1\agardoon\homedir\mail\new\1204785802.H862697P4518.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL1\agardoon\homedir\mail\new\1204988364.H755807P22928.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL1\agardoon\homedir\mail\new\1205389937.H733933P28896.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL1\agardoon\homedir\mail\new\1205391854.H679864P31630.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL1\agardoon\homedir\mail\new\1205647339.H122950P10907.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gL1\agardoon\homedir\mail\new\1205735156.H859750P26786.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gN\agardoon\homedir\mail\new\1204478938.H167720P3829.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gN\agardoon\homedir\mail\new\1204735028.H188359P32304.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gN\agardoon\homedir\mail\new\1204785802.H862697P4518.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gN\agardoon\homedir\mail\new\1204988364.H755807P22928.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gN\agardoon\homedir\mail\new\1205389937.H733933P28896.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gN\agardoon\homedir\mail\new\1205391854.H679864P31630.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gN\agardoon\homedir\mail\new\1205647339.H122950P10907.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Emergency\HTML\7gN\agardoon\homedir\mail\new\1205735156.H859750P26786.JNPL1.jahannegar.net	Infected: Email-Worm.Win32.NetSky.q	1
G:\Incoming\7Gardoon Main\Last Backup\daily(2).tar.gz	Infected: Email-Worm.Win32.NetSky.q	8
H:\Applications\Fun\EarthQuake.exe	Infected: not-virus:BadJoke.Win16.Aloap	1
H:\Applications\Fun\WINDOWS.EXE	Infected: not-virus:BadJoke.Win32.Stript	1

The selected area was scanned.


----------



## chibicitiberiu

Is that the only folder or are there more? What does it contain?
I have a quick fix that may work if there are .avi files in that folder.
It happened to me before, and after some googling I found why: codecs.
There are some codecs which cause the explorer.exe process to crash.
If that folder contains .avi files (even one can cause the problem, and it happens whenever any folder with .avi files is opened):
Delete all codecs from your computer. Restart your PC and try launching that folder again.
Then install just one codec (FFDShow should work just fine, or DivX or Xvid). Install VLC Media Player; it's one of the best video players and it's free (just google for the program). Use it to play movies, because it won't need any kind of codec.

That should fix it if it's an .avi problem.


----------



## force123

Interesting.

There's no .avi in this folder, but it has 3 or 4 subfolders which contain over 15 .avi files, even up to 30 incomplete .avi files (downloads in progress), which I don't want to delete till they are all complete.

But Kaspersky found some viruses, I guess, in another subfolder in that directory.
Why did I never have such a problem with AVIs before? This folder is so ancient on my computer; it was there the day I installed my Windows, and I never had a problem with it.


----------



## magna86

@punk...
Thanks for the reply


----------



## Punk

magna86 said:


> @punk...
> Thanks for the reply



No problem 


Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

This allows hackers to remotely control your computer, *steal critical system information* and *download and execute files*.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided.

If you wish to continue, do the following:
Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in *Safe Mode* by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to the Clipboard ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.


By the way, all these viruses are coming from the files you're downloading off uTorrent.


----------



## force123

ok.... 

I'm not sure about formatting and re-installing. Before, I used to do such things a lot; I had even learned 3 Windows serial numbers by heart (because of installing Windows so often).

But this time, I have decided to have a good Windows. It is 13 months old now.

I have 4 x 320 GB hard drives which are set to RAID 0. My Windows is on drive E.
4 years ago, on another computer, my friend and I got hacked, exactly by a keystroke saver program. Someone stole a lot of money from us. We found out he was one of our closest friends, who came to our home and installed this keystroke program!

From that day I NEVER typed a password; I always save all passwords in a password-protected RAR file, and I always copy and paste passwords ...

I am a web programmer. I have a lot of written code... modules...
Checking through the kasper log I see this folder:
G:\Emergency\HTML\7gL1\agardoon\homedir\mail\new\

which is exactly one of my backups of a homedir of a site. But I have never ever opened the mail folder.
The interesting part for me is: are these virus files on that site's server too? Because I have a lot of problems with that server... being slow...
The administrator of that server told me once: "Your server is so busy sending emails!", and we were like "WTF? No one uses the mail service on that site that much".

Now, if I've found the right thing, the question is how to clean up that server from viruses?
I've never done such a thing with site servers.

Now about the reinstalling, I'd say I'd rather keep this Windows.
If I have to format the E drive, aren't these viruses on the other drives? Should I format the whole hard disk? Format 1.2 TB? How do I back up this much information?

Nice shot about the U-torrent. Should I stop using it? Is it these torrents that have the problem? Is it the U-torrent program that is the problem? Should I stop downloading torrents, or just change the program?


Here's the *SDFix log:*


*SDFix: Version 1.216 *
Run by Administrator on Sat 08/16/2008 at 11:50 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: E:\SDfix\SDFix

*Checking Services *:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


*Checking Files *: 

No Trojan Files Found






Removing Temp Files

*ADS Check *:



*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 11:53:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:990267d2
"s1"=dword:6d4bddb0
"s2"=dword:af41b803
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:39,48,42,26,c2,1d,2d,74,54,e6,25,5d,db,a6,96,57,c1,40,3e,5d,b4,..
"p0"="f:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:39,48,42,26,c2,1d,2d,74,54,e6,25,5d,db,a6,96,57,c1,40,3e,5d,b4,..
"p0"="f:\Program Files\Alcohol Soft\Alcohol 120\"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services *:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"E:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="E:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"E:\\Program Files\\uTorrent\\uTorrent.exe"="E:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"F:\\Program Files\\wa\\WA.exe"="F:\\Program Files\\wa\\WA.exe:*:Enabled:Worms Armageddon"
"F:\\Program Files\\Yahoo! Messenger\\YahooMessenger.exe"="F:\\Program Files\\Yahoo! Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"F:\\Program Files\\Yahoo! Messenger\\YServer.exe"="F:\\Program Files\\Yahoo! Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"E:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="E:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

*Remaining Files *:



*Files with Hidden Attributes *:

Thu  9 Aug 2007             8 ..SHR --- E:\WINDOWS\SYSTEM32\85FC42~1.SYS
Tue 27 May 2008            88 ..SHR --- E:\WINDOWS\SYSTEM32\D58D4D~1.SYS
Sun 10 Aug 2008         6,006 A.SH. --- E:\WINDOWS\SYSTEM32\KGYGAAVL.SYS
Wed 15 Aug 2007         4,348 A.SH. --- E:\DOCUME~1\ALLUSE~1\DRM\DRMV1.BAK
Wed 13 Aug 2008       164,880 A..H. --- E:\DOCUME~1\ALBORZ\APPLIC~1\MICROS~1\VIRTUA~1\VPCKEY~1.DLL
Fri 15 Aug 2008           444 ...HR --- E:\DOCUME~1\ALBORZ\APPLIC~1\SECUROM\USERDATA\SECURO~1.BAK

*Finished!*


----------



## Punk

Well, uTorrent, like any other P2P software, if not used for legal downloading, is subject to many viruses. I stopped using them since Kazaa got sued (a long time ago) and I'm fine with the movies and music I bought. A movie is $20 for three movies at Blockbuster and a dollar a song on iTunes, pretty good deal. And you are not ashamed that you downloaded the files illegally.

About the server sending mails, it's probably spyware sending spam. By looking at the Kaspersky log, I can see it's infected by an Email Worm (*Email-Worm.Win32.NetSky.q*).





Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> F:\Softwares\EmEditor\Torrent\keygen.exe
> F:\Softwares\EmEditor\Torrent\setup.msi
> F:\Softwares\FLV Downloader\FLVDownloader_Install.exe
> F:\Softwares\FLV Downloader\Moyea FLV Downloader1.11.0.9-Setup.exe
> F:\Softwares\WeatherStudio\weatherstudio.exe
> H:\Applications\Fun\EarthQuake.exe
> H:\Applications\Fun\WINDOWS.EXE



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*

About the emails, do you know what the files are? It'll be better to delete them too. If you are OK with that, let me know and I'll add them to the files list.


----------



## force123

I don't know the files, I don't need them locally, and about the server, if they are not some mail function files which are needed for the server mail system, then I don't need them either.

I'm in Iran, there's no credit card to pay with here. So sometimes these torrents are the only way to achieve what you want.

Here's the Avenger log: (The errors in it are because I had deleted those folders when I saw the kasper log; I didn't need those.)

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "F:\Softwares\EmEditor\Torrent\keygen.exe" deleted successfully.
File "F:\Softwares\EmEditor\Torrent\setup.msi" deleted successfully.

Error:  could not open file "F:\Softwares\FLV Downloader\FLVDownloader_Install.exe"
Deletion of file "F:\Softwares\FLV Downloader\FLVDownloader_Install.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  could not open file "F:\Softwares\FLV Downloader\Moyea FLV Downloader1.11.0.9-Setup.exe"
Deletion of file "F:\Softwares\FLV Downloader\Moyea FLV Downloader1.11.0.9-Setup.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  could not open file "F:\Softwares\WeatherStudio\weatherstudio.exe"
Deletion of file "F:\Softwares\WeatherStudio\weatherstudio.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist

File "H:\Applications\Fun\EarthQuake.exe" deleted successfully.
File "H:\Applications\Fun\WINDOWS.EXE" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
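When a removal script is run this way, the useful check is whether every path listed in the script got a logged outcome, and which failures are only "the parent directory does not exist" (harmless, as in the log above) rather than an open or access error. The following parser is an added example and is not part of this thread or of the Avenger tool; it reads a log in the format posted above and cross-checks it against the "Files to delete:" list. Both the sample log and the sample script are constructed to mirror the posted format; the function and variable names are my own.

```python
# Added example: parse an Avenger 2.0 log (format as posted above) and check
# every path in the removal script against the logged outcome. Not part of the
# thread or of Avenger itself; sample log and script below are constructed.
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log in the same layout as the posted one (shortened).
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Script file opened successfully.
Script file read successfully.
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "F:\Softwares\EmEditor\Torrent\keygen.exe" deleted successfully.
Error:  could not open file "F:\Softwares\WeatherStudio\weatherstudio.exe"
Deletion of file "F:\Softwares\WeatherStudio\weatherstudio.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist
File "H:\Applications\Fun\WINDOWS.EXE" deleted successfully.
Completed script processing.
"""

# Constructed removal script: the list Avenger was told to act on.
SAMPLE_SCRIPT = r"""Files to delete:
F:\Softwares\EmEditor\Torrent\keygen.exe
F:\Softwares\WeatherStudio\weatherstudio.exe
H:\Applications\Fun\WINDOWS.EXE
H:\Applications\Fun\EarthQuake.exe
"""

DELETED_RE = re.compile(r'^File "(.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of file "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+) \((\w+)\)$')

Failure = Tuple[str, Optional[str], Optional[str]]  # (path, NTSTATUS code, NTSTATUS name)


def parse_avenger_log(text: str) -> Dict[str, object]:
    """Extract deletion outcomes and scan status from an Avenger log."""
    deleted: List[str] = []
    failed: List[Failure] = []
    rootkit_scan_ran, completed = False, False
    rootkits_found: Optional[bool] = None
    pending: Optional[str] = None  # failed path still waiting for its "Status:" line
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Rootkit scan active.":
            rootkit_scan_ran = True
        elif line == "No rootkits found!":
            rootkits_found = False
        elif line == "Completed script processing.":
            completed = True
        m = DELETED_RE.match(line)
        if m:
            deleted.append(m.group(1))
            continue
        m = FAILED_RE.match(line)
        if m:
            if pending is not None:  # previous failure never got a Status: line
                failed.append((pending, None, None))
            pending = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            failed.append((pending, m.group(1), m.group(2)))
            pending = None
    if pending is not None:
        failed.append((pending, None, None))
    return {"deleted": deleted, "failed": failed, "rootkit_scan_ran": rootkit_scan_ran,
            "rootkits_found": rootkits_found, "completed": completed}


def script_paths(script: str) -> List[str]:
    """Return the paths listed under 'Files to delete:' in an Avenger script."""
    paths: List[str] = []
    in_files = False
    for raw in script.splitlines():
        line = raw.strip()
        if line.lower() == "files to delete:":
            in_files = True
        elif line.endswith(":"):  # some other section header
            in_files = False
        elif line and in_files:
            paths.append(line)
    return paths


def verify_script(script: str, log_text: str) -> Dict[str, str]:
    """Map each scripted path to its logged outcome; Windows paths compare case-insensitively."""
    parsed = parse_avenger_log(log_text)
    deleted = {p.lower() for p in parsed["deleted"]}
    failed = {p.lower(): name for p, _code, name in parsed["failed"]}
    outcome: Dict[str, str] = {}
    for path in script_paths(script):
        key = path.lower()
        if key in deleted:
            outcome[path] = "deleted"
        elif key in failed:
            outcome[path] = "failed: " + (failed[key] or "unknown status")
        else:
            outcome[path] = "no outcome logged"
    return outcome


if __name__ == "__main__":
    for path, result in verify_script(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{result:40} {path}")
```

A path with "no outcome logged" is the case worth chasing: it means the script line was never acted on (typo, wrong drive letter, or the run aborted), whereas STATUS_OBJECT_PATH_NOT_FOUND just records that the folder was already gone.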


----------



## force123

chibicitiberiu said:


> Is that the only folder or there are more? What does it contain?
> I have a quick fix that may work if in that folder are .avi-s.
> It happened to me before, and after some googling I found why: codecs.
> There are some codecs which cause the explorer.exe process to crash.
> If that folder contains .avi-s (even one can cause the problem), it happens when a folder (any) with .avi-s is opened.
> Delete all codecs from your computer. Restart your PC and try again launching that folder.
> Then install just one codec (FFDShow should work just fine, or DivX or Xvid). Install the VLC Media Player, it's one of the best video players and it's free. (just google for the program). Use it to play movies, because it won't need any kind of codec.
> 
> That should fix if it's an .avi problem.



I noticed my media player (classic) closes when I try to open an AVI with it.
I updated it, got the latest K-Lite codec pack, and it fixed the problem. The folder is now working fine.

But I guess all of this was leading me to find this mail worm, which is on that site server, I'm sure.
I've never scanned a site for viruses.
How can I clean that website??


----------



## Punk

force123 said:


> I noticed my media player (classic) closes when I try to open an AVI with it.
> I updated it, got the latest K-Lite codec pack, and it fixed the problem. The folder is now working fine.
> 
> But I guess all of this was leading me to find this mail worm, which is on that site server, I'm sure.
> I've never scanned a site for viruses.
> How can I clean that website??



I would suggest that you delete the files stated in Kaspersky.

Also you might want to try to upload combofix.exe to the website and run it on the server (I don't think you can if you only have FTP access). Make sure you delete it afterwards.


----------



## force123

I have the password to the site cPanel. It is a VPS hosting. I can even reset Apache... on it.
I have never executed any file on a server. I'm trying to find where I should go to execute a file.


----------

