Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

autorite nt\system

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: autorite nt\system

Unread postby tasha » September 4th, 2010, 7:15 pm

VirusTotal analysis

file: explorer.exe


Antivirus Version Last update Result
AhnLab-V3 2010.09.05.00 2010.09.04 -
AntiVir 8.2.4.50 2010.09.03 -
Antiy-AVL 2.0.3.7 2010.09.03 -
Authentium 5.2.0.5 2010.09.04 W32/Patched.B
Avast 4.8.1351.0 2010.09.04 -
Avast5 5.0.594.0 2010.09.04 Win32:Bamital-X
AVG 9.0.0.851 2010.09.04 -
BitDefender 7.2 2010.09.04 Win32.Loader.O
CAT-QuickHeal 11.00 2010.09.03 -
ClamAV 0.96.2.0-git 2010.09.04 -
Comodo 5970 2010.09.04 -
DrWeb 5.0.2.03300 2010.09.04 Win32.Dat.3
Emsisoft 5.0.0.37 2010.09.04 -
eSafe 7.0.17.0 2010.09.01 -
eTrust-Vet 36.1.7835 2010.09.03 Win32/Patcher.F
F-Prot 4.6.1.107 2010.09.01 W32/Patched.B
F-Secure 9.0.15370.0 2010.09.04 Win32.Loader.O
Fortinet 4.1.143.0 2010.09.04 -
GData 21 2010.09.04 Win32.Loader.O
Ikarus T3.1.1.88.0 2010.09.04 -
Jiangmin 13.0.900 2010.09.04 -
K7AntiVirus 9.63.2442 2010.09.04 Virus
Kaspersky 7.0.0.125 2010.09.04 Trojan.Win32.Patched.jw
McAfee 5.400.0.1158 2010.09.04 W32/Bamital.a
McAfee-GW-Edition 2010.1B 2010.09.04 -
Microsoft 1.6103 2010.09.04 Virus:Win32/Bamital.C
NOD32 5423 2010.09.04 Win32/Bamital.DX
Norman 6.05.11 2010.09.04 W32/Patched.Q
nProtect 2010-09-04.01 2010.09.04 Win32.Loader.O
Panda 10.0.2.7 2010.09.04 W32/Patched.AC
PCTools 7.0.3.5 2010.09.04 Trojan.Bamital
Prevx 3.0 2010.09.05 -
Rising 22.63.05.01 2010.09.04 -
Sophos 4.57.0 2010.09.04 Troj/Patched-O
Sunbelt 6831 2010.09.04 Virus.Win32.Bamital.c (v)
SUPERAntiSpyware 4.40.0.1006 2010.09.04 -
Symantec 20101.1.1.7 2010.09.04 Trojan.Bamital!inf
TheHacker 6.5.2.1.364 2010.09.04 -
TrendMicro 9.120.0.1004 2010.09.04 PE_PATCHED.DEN
TrendMicro-HouseCall 9.120.0.1004 2010.09.04 PE_PATCHED.DEN
VBA32 3.12.14.0 2010.09.03 -
ViRobot 2010.8.31.4017 2010.09.04 Win32.Patched.AF
VirusBuster 12.64.17.1 2010.09.04 -
MD5: 5d35335e7b6de0c2f632cfc2dec7c9e6
SHA1: 4df21d7954279df5a5af9e4aacd642c591aef9b7
SHA256: c3900ffe512e0d4f4a3bc85f053d470e181ce573075eb73634210f6989c643d2
File size: 2120704 bytes
Scan date: 2010-09-04 22:11:23 (UTC)

File: winlogon.exe

Antivirus Version Last update Result
AhnLab-V3 2010.09.05.00 2010.09.04 -
AntiVir 8.2.4.50 2010.09.03 TR/Patched.KL
Antiy-AVL 2.0.3.7 2010.09.03 -
Authentium 5.2.0.5 2010.09.04 W32/Patched.B
Avast 4.8.1351.0 2010.09.04 -
Avast5 5.0.594.0 2010.09.04 Win32:Bamital-X
AVG 9.0.0.851 2010.09.04 -
BitDefender 7.2 2010.09.04 Win32.Loader.O
CAT-QuickHeal 11.00 2010.09.03 -
ClamAV 0.96.2.0-git 2010.09.04 -
Comodo 5970 2010.09.04 -
DrWeb 5.0.2.03300 2010.09.04 Win32.Dat.3
Emsisoft 5.0.0.37 2010.09.04 -
eTrust-Vet 36.1.7835 2010.09.03 Win32/Patcher.F
F-Prot 4.6.1.107 2010.09.01 W32/Patched.B
F-Secure 9.0.15370.0 2010.09.04 Win32.Loader.O
Fortinet 4.1.143.0 2010.09.04 -
GData 21 2010.09.05 Win32.Loader.O
Ikarus T3.1.1.88.0 2010.09.04 -
Jiangmin 13.0.900 2010.09.04 -
K7AntiVirus 9.63.2442 2010.09.04 Virus
Kaspersky 7.0.0.125 2010.09.04 Trojan.Win32.Patched.jw
McAfee 5.400.0.1158 2010.09.04 W32/Bamital.a
McAfee-GW-Edition 2010.1B 2010.09.04 -
Microsoft 1.6103 2010.09.04 Virus:Win32/Bamital.C
NOD32 5423 2010.09.04 Win32/Bamital.DX
Norman 6.05.11 2010.09.04 W32/Patched.Q
nProtect 2010-09-04.01 2010.09.04 Win32.Loader.O
Panda 10.0.2.7 2010.09.04 W32/Patched.AC
PCTools 7.0.3.5 2010.09.04 Trojan.Bamital
Prevx 3.0 2010.09.05 -
Rising 22.63.05.01 2010.09.04 -
Sophos 4.57.0 2010.09.04 Troj/Patched-O
Sunbelt 6831 2010.09.04 Virus.Win32.Bamital.c (v)
SUPERAntiSpyware 4.40.0.1006 2010.09.04 -
Symantec 20101.1.1.7 2010.09.04 Trojan.Bamital!inf
TheHacker 6.5.2.1.364 2010.09.04 -
TrendMicro 9.120.0.1004 2010.09.04 PE_PATCHED.DEN
TrendMicro-HouseCall 9.120.0.1004 2010.09.04 PE_PATCHED.DEN
VBA32 3.12.14.0 2010.09.03 -
ViRobot 2010.8.31.4017 2010.09.04 Win32.Patched.AF
VirusBuster 12.64.17.1 2010.09.04 -
MD5: 9ad94f96bbbe3f2f85ade0a7950fbd67
SHA1: 2cc557a9785478443b77965fbf248841c1fa2d43
SHA256: 691060d5117a828b584017d34cfbb353cc54552730b4eae4236457850db56c07
File size: 506368 bytes
Scan date: 2010-09-04 22:16:12 (UTC)

SystemLook log file:

SystemLook 04.09.10 by jpshortstuff
Log created at 00:22 on 05/09/2010 by Administrateur
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 506368 bytes [04:55 04/08/2004] [04:55 04/08/2004] 9AD94F96BBBE3F2F85ADE0A7950FBD67

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 2120704 bytes [13:37 17/09/2005] [13:37 17/09/2005] 5D35335E7B6DE0C2F632CFC2DEC7C9E6

-= EOF =-


CombpFix log file

ComboFix 10-09-04.01 - Administrateur 05/09/2010 0:32.2.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.32.1036.18.2047.1500 [GMT 2:00]
Lancé depuis: c:\documents and settings\Administrateur\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\Administrateur\Bureau\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\explorer.exe
file zipped: c:\windows\system32\winlogon.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . est infecté!!

c:\windows\explorer.exe . . . est infecté!!

.
((((((((((((((((((((((((((((( Fichiers créés du 2010-08-04 au 2010-09-04 ))))))))))))))))))))))))))))))))))))
.

2010-09-04 19:42 . 2010-09-04 22:07 -------- d-sh--w- c:\windows\system32\dllcache
2010-09-04 19:42 . 2010-09-04 19:42 -------- d-----w- c:\windows\system32\xircom
2010-09-04 19:42 . 2010-09-04 19:42 -------- d-----w- c:\windows\system32\wbem\snmp
2010-09-04 19:42 . 2010-09-04 19:42 -------- d-----w- c:\windows\srchasst
2010-09-04 19:42 . 2010-09-04 19:42 -------- d-----w- c:\program files\microsoft frontpage
2010-09-03 22:08 . 2010-09-03 22:08 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes
2010-09-03 22:07 . 2010-09-03 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 22:07 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-03 22:07 . 2010-09-03 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-03 22:07 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-02 11:08 . 2010-09-02 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-02 11:08 . 2010-09-02 11:08 -------- d-----w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com
2010-09-01 20:47 . 2010-09-01 20:47 -------- d-----w- C:\_OTL
2010-08-30 22:24 . 2010-08-30 22:24 -------- d-----w- c:\documents and settings\Administrateur\Application Data\InstallShield
2010-08-26 20:24 . 2010-08-26 20:24 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-08-26 20:15 . 2010-08-09 12:34 14336 ----a-w- c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\iop5lzfh.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
2010-08-26 19:27 . 2010-08-26 19:27 131 ----a-w- c:\windows\system32\file.bat
2010-08-26 19:27 . 2010-08-26 19:27 720896 ----a-w- c:\documents and settings\Administrateur\Application Data\878E3BB16E0E9CA70630B7733CB1EE6D\newsecureapp70700.exe
2010-08-26 19:27 . 2010-08-26 19:27 -------- d-----w- c:\documents and settings\Administrateur\Application Data\878E3BB16E0E9CA70630B7733CB1EE6D

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-04 22:28 . 2009-02-18 17:42 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Skype
2010-09-04 22:05 . 2009-02-18 17:44 -------- d-----w- c:\documents and settings\Administrateur\Application Data\skypePM
2010-09-03 22:10 . 2010-04-29 10:25 0 ----a-w- c:\documents and settings\Administrateur\Local Settings\Application Data\prvlcl.dat
2010-09-01 20:44 . 2009-02-18 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-09-01 13:29 . 2001-09-28 17:00 76606 ----a-w- c:\windows\system32\perfc00C.dat
2010-09-01 13:29 . 2001-09-28 17:00 469824 ----a-w- c:\windows\system32\perfh00C.dat
2010-08-26 20:41 . 2009-02-23 14:32 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Azureus
2010-07-17 11:08 . 2010-07-17 11:08 -------- d-----w- c:\documents and settings\Administrateur\Application Data\iWin
2010-07-17 09:22 . 2010-07-17 09:22 -------- d-----w- c:\program files\Fichiers communs\Skype
2010-07-16 22:13 . 2009-09-10 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-15 16:45 . 2009-02-05 21:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-15 16:45 . 2010-07-15 16:45 -------- d-----w- c:\program files\SmartSound Software
2010-07-15 16:45 . 2010-07-15 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2010-07-15 16:44 . 2010-07-15 16:44 1100 ----a-w- c:\program files\uninstal.log
2010-07-15 13:17 . 2009-02-05 21:54 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:17 . 2010-07-15 13:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-09 14:20 . 2010-06-09 14:20 15781 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2009-02-05 21:06 . 2009-02-05 21:06 56 --sh--r- c:\windows\system32\E7F5CFDA1E.sys
2009-02-05 21:06 . 2009-02-05 21:06 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------


[-] 2005-09-18 . DBC20C4332FE84B826530C49AE09721E . 359936 . . [5.1.2600.2685] . . c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-04 . 9AD94F96BBBE3F2F85ADE0A7950FBD67 . 506368 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2005-09-17 . 5D35335E7B6DE0C2F632CFC2DEC7C9E6 . 2120704 . . [6.00.2900.2649] . . c:\windows\explorer.exe

[-] 2005-09-18 . BF786B9F0DB745C5E8DFEDF1F9A4DBDC . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll


c:\windows\System32\drivers\beep.sys ... manque !!
c:\windows\System32\regsvc.dll ... manque !!
.
((((((((((((((((((((((((((((( SnapShot@2010-09-04_19.42.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 04:52 . 2004-08-04 04:52 16896 c:\windows\system32\dllcache\cfgmgr32.dll
+ 2004-08-04 04:54 . 2004-08-04 04:54 30208 c:\windows\system32\dllcache\atmlib.dll
+ 2004-08-04 04:54 . 2004-08-04 04:54 65024 c:\windows\system32\dllcache\asycfilt.dll
+ 2004-08-04 04:54 . 2004-08-04 04:54 98304 c:\windows\system32\dllcache\ahui.exe
+ 2004-08-04 04:54 . 2004-08-04 04:54 126976 c:\windows\system32\dllcache\apphelp.dll
+ 2004-08-04 04:54 . 2004-08-04 04:54 116224 c:\windows\system32\dllcache\acxtrnal.dll
+ 2005-09-18 09:39 . 2005-09-18 09:39 244736 c:\windows\system32\dllcache\acspecfc.dll
+ 2004-08-04 04:54 . 2004-08-04 04:54 450048 c:\windows\system32\dllcache\aclayers.dll
+ 2005-09-18 09:39 . 2005-09-18 09:39 1852928 c:\windows\system32\dllcache\acgenral.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-19 68856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-03 16116224]
"SkyTel"="SkyTel.EXE" [2006-05-20 2879488]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2004-11-04 1569280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):6c,6f,67,6f,6e,75,69,32,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 13:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Fichiers communs\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/02/2009 23:54 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 15:17 308136]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [15/07/2010 15:16 921952]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/01/2010 12:52 135664]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [15/01/2008 12:39 97792]

--- Autres Services/Pilotes en mémoire ---

*NewlyCreated* - HELPSVC
*NewlyCreated* - YFNALNYA
*Deregistered* - yfnalnya
.
Contenu du dossier 'Tâches planifiées'

2010-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 10:51]

2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 10:51]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://start.gametop.com/?utm_source=Cr ... dium=start
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Ajouter au fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir en Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir en un fichier PDF existant - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir la cible du lien en Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir la cible du lien en un fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir la sélection en Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir la sélection en un fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir les liens sélectionnés en fichier Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convertir les liens sélectionnés en un fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\iop5lzfh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/
FF - component: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\iop5lzfh.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 00:34
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:56,04,fd,68,f3,9d,cc,f3,a2,ab,0d,b3,c3,c8,30,57,02,8b,8e,32,4c,
3b,d8,cc,c6,39,d0,9f,c5,1b,b4,95,8c,3e,6b,37,a5,25,a5,3f,9e,a8,a7,8b,66,ae,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:56,04,fd,68,f3,9d,cc,f3,a2,ab,0d,b3,c3,c8,30,57,02,8b,8e,32,4c,
3b,d8,cc,c6,39,d0,9f,c5,1b,b4,95,8c,3e,6b,37,a5,25,a5,3f,9e,a8,a7,8b,66,ae,\
.
Heure de fin: 2010-09-05 00:36:04
ComboFix-quarantined-files.txt 2010-09-04 22:35
ComboFix2.txt 2010-09-04 19:50

Avant-CF: 54.883.278.848 octets libres
Après-CF: 54.867.718.144 octets libres

- - End Of File - - 2DF8C11BC6B118D5136B1D367AAC3E61
L'envoi a r‚ussi


I noticed that some comments in log files are in french. Is that a problem for you, do you want me to translate them?

PS: I think there might be a problem with my antivirus program, AVG 9.0 Free edition: There is a yellow warning sign over its icone and when I open it there is a sign in big red characters: "You are not protected! Some components report an error!"
Indeed, the Anti-Virus and Anti-Spyware components are out of date and E-mail Scanner and Resident Shield are not active. I checked for solutions on this page: http://free.avg.com/ww-en/kb.num-2429#tba5 and did everything is says, but nothing changes. Can you help me out? :help: Could that be the source of all my trouble?
tasha
Regular Member
 
Posts: 19
Joined: August 27th, 2010, 4:13 pm
Advertisement
Register to Remove

Re: autorite nt\system

Unread postby deltalima » September 5th, 2010, 7:29 am

Hi tasha,

Those scans confirm the infection and that we need to replace the two files

c:\windows\system32\winlogon.exe
c:\windows\explorer.exe


The safest way would be to reinstall the Windows operating system, however if you wish to attempt to repair we can continue provided that you understand that this can be a hazardous operation.

Unfortunately there are no clean copies of these files on your computer and we would need to copy them off another.

Do you have access to another computer with the same version of the Windows XP (Service Pack 2)? If so please let me know how you would like to proceed.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: autorite nt\system

Unread postby tasha » September 6th, 2010, 5:11 pm

Hello Deltalima,

when I already thought that things were getting better you tell me I have to reinstall the system!
Well, I guess I'll just have to do what has to be done ...
One question: If I find the missing files (I'll try to contact the guy who worked on this computer last time it crushed) what are the odds? You were talkng about a hazardous operation ...
Anyway, it could take me some time to get the information I need but if I don't get it in a couple of days I'll proceed with the plan B (send everything to hell) and reinstall the bloody system.
tasha
Regular Member
 
Posts: 19
Joined: August 27th, 2010, 4:13 pm

Re: autorite nt\system

Unread postby deltalima » September 6th, 2010, 5:24 pm

Hi tasha,

if I don't get it in a couple of days I'll proceed with the plan B


Please hold on for a while if you can, I am now working on the same infection on another computer (with only 1 infected file to replace) and am making good progress. We do not have a working fix yet but things are looking promising. I plan to sort the other computer first and then use the same method on yours if that is OK.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: autorite nt\system

Unread postby deltalima » September 7th, 2010, 2:47 pm

Hi tasha,

Now have a fix for your issue.

If you wish to proceed

Please go here and click download to download the Windows XP Service Pack 2 Network Installation Package and save the file.

Then go here and click download to download the Update for Windows XP (KB884883) and save the file.

Please let me know when complete and I will give further instructions do not install.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: autorite nt\system

Unread postby tasha » September 10th, 2010, 5:52 am

Hi Deltalima

sorry for the delay but I had some problems with internet connection lately.

I received your message and downloaded the network installation packaga but I couldn't download the update for windows xp. (didn't find the DOWNLOAD button!!)

Could be because of my currently very instable internet connection and plenty of errors on the pages ... ?
tasha
Regular Member
 
Posts: 19
Joined: August 27th, 2010, 4:13 pm

Re: autorite nt\system

Unread postby deltalima » September 10th, 2010, 6:05 am

I couldn't download the update for windows xp. (didn't find the DOWNLOAD button!!)


You will need to click the Continue button and validate Windows before you can download, This is easier to do using Internet Explorer instead of Firefox.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: autorite nt\system

Unread postby tasha » September 12th, 2010, 5:35 am

Hi Deltalima,

I did like you told me, followed the instructions ... (I use firefox - now my desktop went on holidays and I miss all the icons. I can enter the task manager - ctrl+alt+del - and run programs from there. I ran firefox this way, internet connection was already established, and didn't have enough corage to go find explorer, that I never use utherwise) ... when I arrived to the point where I saw a button "continue" and text "click continue to complete validation". I clicked continue and got a page that was telling me that the requested page doesn't exist anymore. I repeated the whole procedure another two times just to be sure, with the same resoults.

...

Wouldn't I be better off reinstalling the damn thing?
tasha
Regular Member
 
Posts: 19
Joined: August 27th, 2010, 4:13 pm

Re: autorite nt\system

Unread postby deltalima » September 12th, 2010, 7:08 am

Hi tasha,

I use firefox


Please try the same process using Internet Explorer, it is more straightforward to run the validation.

Wouldn't I be better off reinstalling


It would ensure that the computer is clean, the choice is yours. Please let me know how you would like to proceed.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: autorite nt\system

Unread postby NonSuch » September 15th, 2010, 5:55 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 31 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware