Software doesn't work after deletion of virus

Bonjour, good morning,

I use an automatic translator, and machine translations are sometimes “funny”. So I also supply the same text in French.

My computer is a HP m8180.fr, the operating system is Windows Vista.

Two weeks ago, Avast found two viruses on my computer: Win32:Malware-gen and Win32:Webhancer[PUP].

The problem seems resolved: Avast Internet Security (engine and virus definitions up to date) finds no more threats, in spite of a meticulous scan.

But since then, I have a program that does not want to start any more. I uninstalled it to reinstall it cleanly: it does not want to reinstall any more.

It is not a copy nor a pirated version. In fact, the software is loaded in the list of processes, but no window appears on the screen or in the taskbar, and so I have no possible action on it; I thus cannot click “install”.

The infected, quarantined files have no relationship with it, and are not system files…

Thus I suppose that there is another problem in my computer. How may I detect and eliminate it?

(French version, translated:
Two weeks ago, Avast found two viruses on my computer: (Win32:Malware-gen and Win32:Webhancer[PUP])

The problem seems resolved: Avast Internet Security (engine and virus definitions up to date) no longer finds any threat despite a thorough scan.

But since then, I have a program that will no longer start. I uninstalled it to reinstall it cleanly: it will no longer reinstall.

It is neither a copy nor a pirated version. In fact, the program does load into the process list, but no window appears on the screen or in the taskbar, so no action on it is possible, and one therefore cannot click “install”.

The infected files, placed in quarantine, are unrelated to it and are not system files.

So I suppose there is still a problem in my computer. How can I detect and eliminate it?)

Win32:Webhancer[PUP].
PUP = not a virus / Possible Unwanted Program
Thus I suppose that there is another problem in my computer. How may I detect and eliminate it?
Follow this guide and attach the requested logs: http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, a malware removal expert will be notified and will check the logs for any infections.

Thank you for your attention.

Here are the first two stages. I am waiting for your signal to launch the third stage, OTL.

Hi!

Was it necessary to run all four tests before continuing? I believed for a moment that it was necessary to run one test, post the result, and wait for comments before moving on to the next test. I then reread your answer, and here are the four requested reports (five: OTL = OTL + Extras).

And the last: aswMBR

When you try to start a programme, what error do you get?

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents in your next reply.

When you try to start a programme, what error do you get?
No message appeared at launch: the mouse pointer took the usual shape it has while a program is loading, then returned to the arrow two seconds later; nothing appeared on the screen.

By pressing Ctrl-Alt-Del, I find the process in the list of processes; it (pr1.exe, prhyper.exe, or autorun.exe) typically occupies 25 % of the processor's resources.

Here is the Kaspersky report

It does look clean, let's check Windows out

Download Windows Repair (all in one) from this site

Install the programme then run

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

Windows Repair worked for 25 minutes and generated the attached log.

Windows Repair, in step 3, said that SFC did not find any problem and asked me to restart the computer -> restarted the computer.

Windows Repair offered me a restore point; I accepted.

I configured the list of repairs as asked, I stopped the network and the antivirus, and I launched the repair.

At the end of the repair, after the restart of the computer, I tested my contrary software (should I have waited for your opinion first?): this time, Windows reacts and says that the program stopped working.

What programme is it that will not run?

The French dictionary “Le Petit Robert”, readable from the CD or installable on hard disk. There are 3 programs on the CD: autorun, pr1, PRHYPER. Only these three programs do not work; the other programs on my computer work. The CD is an original, and I have been using the installed version without trouble for several years.

We find these programs in the Extras log generated by OTL:
(Note that the first of April in our country is often the occasion for hoaxes, but I guarantee here that my case is not a gag :wink: The problem already dates back more than two weeks. I just have the impression that I am not alone on my computer, and that somebody played a joke on me.)

Error - 01/04/2013 15:13:52 | Computer Name = Primevere | Source = Application Error | ID = 1000
Description = Application défaillante AUTORUN.EXE_unknown, version 0.0.0.0, horodatage
0x61152b4b, module défaillant unknown, version 0.0.0.0, horodatage 0x00000000,
code d’exception 0xc0000005, décalage d’erreur 0x018e4558, ID du processus 0x538,
heure de début de l’application 0x01ce2f0d08a017af.

Error - 01/04/2013 15:14:18 | Computer Name = Primevere | Source = Application Error | ID = 1000
Description = Application défaillante prhyper.exe, version 0.0.0.0, horodatage 0x61682b4b,
module défaillant unknown, version 0.0.0.0, horodatage 0x00000000, code d’exception
0xc0000005, décalage d’erreur 0x01593fb4, ID du processus 0x690, heure de début
de l’application 0x01ce2f0d1b06e08a.

Error - 01/04/2013 15:14:18 | Computer Name = Primevere | Source = Application Error | ID = 1000
Description = Application défaillante pr1.exe, version 2.1.1.0, horodatage 0x5dd72b77,
module défaillant unknown, version 0.0.0.0, horodatage 0x00000000, code d’exception
0xc0000005, décalage d’erreur 0x01eca1d4, ID du processus 0x67c, heure de début
de l’application 0x01ce2f0d17074f9c.

Attached is the screenshot of the error message generated this afternoon after running Windows Repair, when I tried to launch the dictionary and the programs on the CD.

The error code generated is an access violation one. The programme is trying to access a forbidden area of the system memory or an area that is already in use.

Do you have the latest version of this programme?
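The three Application Error (ID 1000) entries quoted above can be decoded mechanically. This is an added example, not part of the original thread: it parses the French-locale descriptions, names the exception code, and converts the process start time from a Windows FILETIME to UTC. The `NTSTATUS` table is a hand-picked subset and the function names are chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Descriptions copied from the OTL Extras excerpt in this thread (line wraps joined).
EVENTS = [
    "Application défaillante AUTORUN.EXE_unknown, version 0.0.0.0, horodatage 0x61152b4b, "
    "module défaillant unknown, version 0.0.0.0, horodatage 0x00000000, code d’exception 0xc0000005, "
    "décalage d’erreur 0x018e4558, ID du processus 0x538, heure de début de l’application 0x01ce2f0d08a017af.",
    "Application défaillante prhyper.exe, version 0.0.0.0, horodatage 0x61682b4b, "
    "module défaillant unknown, version 0.0.0.0, horodatage 0x00000000, code d’exception 0xc0000005, "
    "décalage d’erreur 0x01593fb4, ID du processus 0x690, heure de début de l’application 0x01ce2f0d1b06e08a.",
    "Application défaillante pr1.exe, version 2.1.1.0, horodatage 0x5dd72b77, "
    "module défaillant unknown, version 0.0.0.0, horodatage 0x00000000, code d’exception 0xc0000005, "
    "décalage d’erreur 0x01eca1d4, ID du processus 0x67c, heure de début de l’application 0x01ce2f0d17074f9c.",
]

# Small subset of NTSTATUS values often seen in crash events (not exhaustive).
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
            0xC00000FD: "STATUS_STACK_OVERFLOW", 0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}

# "." stands in for the apostrophe so both ' and ’ are accepted.
FIELDS = re.compile(
    r"Application défaillante (?P<app>[^,]+), version [\d.]+, horodatage 0x[0-9a-f]+, "
    r"module défaillant (?P<module>[^,]+), version [\d.]+, horodatage 0x[0-9a-f]+, "
    r"code d.exception (?P<code>0x[0-9a-f]+), décalage d.erreur (?P<offset>0x[0-9a-f]+), "
    r"ID du processus (?P<pid>0x[0-9a-f]+), heure de début de l.application (?P<start>0x[0-9a-f]+)",
    re.IGNORECASE)

def filetime_to_utc(filetime):
    """FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def parse_event(text):
    """Return the decoded fields of one event description, or None if it does not match."""
    m = FIELDS.search(" ".join(text.split()))  # collapse wrapped lines first
    if m is None:
        return None
    code = int(m["code"], 16)
    return {"app": m["app"], "status": NTSTATUS.get(code, hex(code)),
            "fault_offset": int(m["offset"], 16), "pid": int(m["pid"], 16),
            "started_utc": filetime_to_utc(int(m["start"], 16)),
            # "unknown" means the faulting address is not inside any loaded module image
            "outside_loaded_module": m["module"].lower() == "unknown"}

if __name__ == "__main__":
    for event in EVENTS:
        print(parse_event(event))
```

All three crashes decode to the same status with the faulting module reported as unknown, which is the pattern the reply above reads as an access violation.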

No, I only have the version on the CD, and I cannot find an update on the publisher's site or the distributor's site (vivendi-universal and lerobert.com).

On another computer, it installs and runs correctly, even from a disk image (no CD/DVD drive).

The OTL “Extra” file is older than the repair by Windows Repair; do you want me to rerun OTL (or another tool) and post the report?

When you try to re-install the programme, have all the previous files/folders been deleted? i.e. is it a totally clean install?

I suppose that the uninstallation is OK; there was no strange event during the procedure.

I found nothing in C:\Program Files, C:\ProgramData, C:\Users\Christophe\AppData\Roaming. When it is installed, its path is “ProgramFiles/Le Robert/Le Petit Robert”.

I find a few occurrences in the registry (using regedit+F3).

StartPrograms: cc-cleaner and spybot found “Le Petit Robert Hyperappel”, on drive E: (there is no CD in the drive), and msconfig found nothing.

Have you updated any drivers recently?

No, just software update by Avast Software Updater…

OK, I will need to check that programme out … Apart from that, any other problems?

Do you have this patch for the programme? http://softwaretopic.informer.com/petit-robert-2010-patch/

There is a forum here with some references to errors
http://www.generation-nt.com/reponses/petit-robert-2001-entraide-3666721.html

No, no, I have no patch.

The links that you quoted shed an interesting new light for me. I need some time to investigate these links.

I do not have the 2010 version of Petit Robert, but a previous version, 2.2, copyright Robert / SEJER 2004. The most recent files on the CD date from 2002. This version does not need a password to work.

However, if it were about an expired license or about password-protected access, it would have been mentioned in the read-me, and after the failure of the installation there would have been informative messages explaining why I cannot reinstall the software? At least, I hope :wink:

Apart from that, any other problems?
This? In the aswMBR log, there is always a yellow line:
01:56:04.501 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32

and two red lines:
01:56:13.447 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x861921e8]<<
01:56:13.478 \Driver\atapi[0x853f2f38] → IRP_MJ_CREATE → 0x861921e8

Are they annoying?