Hello there,
I have a problem and would like to ask for help to solve it. As usual, I infected my computer somehow. Well, you know, it happens. This time, it really freaked me out, because I used a “program” many times and it caused me trouble (or I suppose it did) now, after a few years of using Avast. Actually, before I started using that kind of software, I also got a virus or something from a friend’s flash drive.
So, the c2e.exe appeared in the prefetch folder of Windows and as far as I know, I can delete it from there with no harm. But I don’t know if it does or does not refer to an actual virus. My last reinstall (format of HDD) was two months ago and I’d really like to avoid it, or take it as a last resort. I actually think the reinstall can improve the whole system performance, but it also takes some time to install drivers and needed software.
Also, I have to say, to avoid problems with my virus/malware/whatever, I switched Avast off, so it doesn’t bother me with popups, doesn’t want me to restart the system or check the system at start-up, so it appears that it’s no big deal. The main problem is that I use the computer for school purposes, and I am afraid of transferring a virus through a flash drive I own, which unfortunately also contains that particular program and thus may be infected.
Finally, the last thing I have on my mind is that last time I’d been forced to reinstall was after deleting (or putting an infected file into quarantine). So I definitely don’t want to experience it again.
Thanks in advance, Dartvader.
Please upload the file to VirusTotal for analysis. Post the results here.
Hi DartVader
This is info on mentioned malware: http://www.prevx.com/filenames/1403440537600651757-X1/C2E.EXE.html
Files Created
%Temp%\herss.exe
%Temp%\cvasds0.dll (0-9)
X:\c2e.exe
X:\autorun.inf
%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp
X:\ = C:\ to Z:\
Registry Modifications
Keys added
HKLM\SOFTWARE\Classes\CLSID\MADOWN
Values added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo: “dsdxsxd.g”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
cdoosoft = %Temp%\herss.exe
Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Advanced\Hidden = 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Advanced\ShowSuperHidden = 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = 0x00000091
Remote Host
202.111.175.157 port 80
Data identified/URLs to be download
hXtp://www.baidu2y4.com/1mg/am.rar
hXtp://www.baidu2y4.com/1mg/am1.rar
polonus
polonus: Hi, thanks for the answer. However, I am not a PC guru, so I am not sure what to do with this stuff. Anyway, thank you for your effort.
More information on c2e.exe :
http://www.prevx.com/filenames/1403440537600651757-X1/C2E.EXE.html
http://www.threatexpert.com/report.aspx?md5=ba3436dfc09ef446c92271cd2b9027f3
I will give you some tips on how to remove it manually:
Try to create a batch file:
@echo off
rem Force-terminate the three processes named in the c2e.exe reports
taskkill /f /im c2e.exe
taskkill /f /im 1hqup.exe
taskkill /f /im herss.exe
exit
Those commands will terminate their processes.
Try to paste that code into Notepad and save the file as “terminate.bat”.
Then navigate to your registry; to open the registry just go to START > RUN and type regedit.
Then try to find these and delete them in your registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdoosoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
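The two posts above list the indicators (files, registry values, processes) and the manual removal steps for c2e.exe. The script below is an added example, not something posted in this thread: it audits a Windows machine for exactly those indicators in read-only mode and, only when run with -Remediate, performs the removal steps from the last post and restores the Explorer values the report says the worm modifies. It assumes the process, file and registry names are as quoted in the thread, that it is run from an elevated PowerShell prompt, and that a legitimate autorun.inf (a CD, a vendor tool) should not be deleted unless it references c2e.exe. Setting NoDriveTypeAutoRun to 0xFF is my hardening choice, not a step from the thread.

```powershell
<#
  Added example (not from the thread): audit for the c2e.exe indicators listed
  in the posts above; -Remediate removes them, -WhatIf previews every change.
  Names below are taken verbatim from the thread's indicator list.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch nothing is changed, only reported
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Processes the removal post terminates with taskkill /f /im
foreach ($name in 'c2e', '1hqup', 'herss') {
    foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $findings.Add("running process: $($p.ProcessName) PID $($p.Id)")
        if ($Remediate -and $PSCmdlet.ShouldProcess("PID $($p.Id) ($name)", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }
}

# 2. Dropped files: %Temp%\herss.exe, %Temp%\cvasds0-9.dll, and c2e.exe plus
#    autorun.inf in the root of every drive letter (the X:\ entries in the report,
#    which is how the worm spreads from a flash drive)
$paths = @("$env:TEMP\herss.exe")
$paths += (0..9 | ForEach-Object { "$env:TEMP\cvasds$_.dll" })
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $paths += "$($drive.Root)c2e.exe"
    $inf = "$($drive.Root)autorun.inf"
    # Only count autorun.inf as an indicator when it launches c2e.exe
    if ((Test-Path -LiteralPath $inf) -and
        (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue | Select-String -SimpleMatch 'c2e.exe')) {
        $paths += $inf
    }
}
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("file present: $f")
        if ($Remediate -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
            Remove-Item -LiteralPath $f -Force   # -Force also removes hidden/system files
        }
    }
}

# 3. Persistence: the Run value and the dropped CLSID key from the report
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name cdoosoft -ErrorAction SilentlyContinue
if ($run) {
    $findings.Add("Run value: $runKey\cdoosoft = $($run.cdoosoft)")
    if ($Remediate -and $PSCmdlet.ShouldProcess("$runKey\cdoosoft", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name cdoosoft
    }
}
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\MADOWN'
if (Test-Path -Path $clsid) {
    $findings.Add("registry key: $clsid")
    if ($Remediate -and $PSCmdlet.ShouldProcess($clsid, 'Remove-Item')) {
        Remove-Item -Path $clsid -Recurse
    }
}

# 4. Explorer values the report lists as modified. These are restored, not deleted.
#    CheckedValue = 0 is the telling one (it breaks the "Show hidden files" option);
#    Hidden = 2, ShowSuperHidden = 0 and NoDriveTypeAutoRun = 0x91 are also the
#    Windows XP defaults, so alone they are weak evidence. 0xFF for NoDriveTypeAutoRun
#    (AutoRun disabled for all drive types) is a hardening choice of this example.
$explorer = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue'; Bad = 0; Good = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden'; Bad = 2; Good = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'ShowSuperHidden'; Bad = 0; Good = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Bad = 0x91; Good = 0xFF }
)
foreach ($e in $explorer) {
    $cur = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -ne $cur -and $cur -eq $e.Bad) {
        $findings.Add("$($e.Path)\$($e.Name) = $cur (value listed in the report)")
        if ($Remediate -and $PSCmdlet.ShouldProcess("$($e.Path)\$($e.Name)", "Set to $($e.Good)")) {
            Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Good -Type DWord
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No c2e.exe indicators from the thread were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    if (-not $Remediate) { Write-Output 'Re-run with -Remediate (add -WhatIf to preview) to clean up.' }
}
```

Save it as, say, Check-C2E.ps1 and run it once without switches to see what is present, then with -Remediate -WhatIf to preview, and finally with -Remediate. Plug the flash drive in first so its drive letter is covered by the drive loop. The indicator list comes from a single report, so after cleanup still upload the sample to VirusTotal as suggested earlier in the thread and run a full scan with Avast switched back on.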