c2e.exe

[DartVader]

Hello there,
I have a problem and would like to ask for help to solve it. As usual, I infected my computer somehow. Well, you know, it happens. This time, it really freaked me out, because I used a "program" many times and it caused me troubles (or I suppose it did) now, after few years when I am using Avast.  Actually, before I started that kind of software, I also got a virus or something from friend's flash drive.
So, the c2e.exe appeared in prefetch folder of windows and aas far as I know, I can delete it from there with no harm. But, I don't know if it does or does not refer to a actual virus. My last reinstall (format of hdd) was two months ago and I'd really like to avoid it, or take it as a last resort. I actually think the reinstall can improve the whole system performance, but it also take some time to install drivers and needed software.
Also, I have to say, to avoid problems with my virus/malware/whatever, I switched Avast off, so it doesn't bother me with popups, doesn't want me to restart system or check the system at the start, so it appers that it's no big deal. The main problem is, that I use the computer for a school purposes, and I am afraid of transfering a virus through a flash drive I own, which unfortunately also contain that particular program and thus may be infected.
Finally, the last thing I have on my mind is, that last time I'd been forced to reinstall was after deleting (or putting a infected file into quarantine). So I would definitelly don't want to experience it again.
Thanks in advance, Dartvader.

[FreewheelinFrank]

Please upload the file to VirusTotal for analysis. Post the results here.

[polonus]

Hi DartVader

This is info on mentioned malware: http://www.prevx.com/filenames/1403440537600651757-X1/C2E.EXE.html

Files Created
%Temp%\herss.exe
%Temp%\cvasds0.dll (0-9)
X:\c2e.exe
X:\autorun.inf

%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp\
X:\ = C:\- Z:\

Registry Modifications
Keys added
HKLM\SOFTWARE\Classes\CLSID\MADOWN

Values added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo: "dsdxsxd.g"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = %Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

Remote Host
202.111.175.157 port 80

Data identified/URLs to be download
hXtp://www.baidu2y4.com/1mg/am.rar
hXtp://www.baidu2y4.com/1mg/am1.rar

polonus

[DartVader]

polonus: hi, thanks for an answer. however, I am not a pc guru, so I am not sure what to do with this stuff. anyway thank you for your effort.

[CharleyO]

***

More information on c2e.exe :

http://www.prevx.com/filenames/1403440537600651757-X1/C2E.EXE.html

http://www.threatexpert.com/report.aspx?md5=ba3436dfc09ef446c92271cd2b9027f3


***

[emantoyaks]

I will give you a tips on how to remove manually:

try to create a batch file:

@echo off

taskkill /f /im c2e.exe
taskkill /f /im 1hqup.exe
taskkill /f /im herss.exe
exit

that codes will terminate there process.
try to phaste that codes in notepad and save the file like this "terminate.bat"

then after all navigate to your registry, to go in registry just goto START } RUN } and type regedit

then try to find this and delete in your registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cdoosoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL