MalwareRemoval.com

autorite nt\system

Re: autorite nt\system

Post by deltalima » September 2nd, 2010, 8:43 am

OK, run SuperAntiSpyware again and see if it detects those same items again or if it did remove them. Would it be possible to connect the PC to the router via a network cable while we test something?
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: autorite nt\system

Post by tasha » September 2nd, 2010, 4:00 pm

I ran SuperAntiSpyware again and it didn't find any infected files, so I suppose the cleaning was successful the first time.

Now, concerning the issue of the network cable ... I hate to admit my ignorance (not to mention displaying it on a public forum) but I'm not completely sure what you want me to do. I did find a cable that could do the job, apparently called a UTP cable, and plugged it in. Are there any settings I have to change now?
tasha
Regular Member
Posts: 19
Joined: August 27th, 2010, 4:13 pm

Re: autorite nt\system

Post by deltalima » September 2nd, 2010, 4:54 pm

Hi tasha,

I ran SuperAntiSpyware again and it didn't find any infected files


That's good.

I did find a cable that could do the job, apparently called a UTP cable, and plugged it in. Are there any settings I have to change now?


Nothing should need changing; I just wanted to check whether a cabled connection is an option in case we need it later. For now, unplug the cable.

Next try to boot to normal mode and let me know if you are successful.

Also please let me know if you have a writable CD drive and software that will allow you to create a bootable CD from an ISO file using your other computer.
deltalima
Admin/Teacher

Re: autorite nt\system

Post by tasha » September 2nd, 2010, 6:54 pm

I tried to boot in normal mode and got a blue screen saying more or less this (translated from French): A problem was detected and Windows was stopped in order to prevent any damage to your computer. If you see this message for the first time, restart your computer. If this message appears again, follow these steps:
Make sure you have enough disk space. If a driver is identified in the shutdown message, disable the driver or contact the manufacturer in order to get updates. Try replacing the graphics card.
Consult your computer retailer to get all the BIOS updates. Disable BIOS memory options like caching or shadowing. If you have to use Safe Mode to remove or disable some components, restart your computer, press F8 to access the advanced boot options and choose Safe Mode.
Technical information:
***STOP: 0x0000008E (0xc0000005, 0x80544422, 0x8055020c, 0x00000000)

As software for CD burning I have Nero 7 Premium with an option of "Image writing on disc" (I apologize if my expressions are a bit bizarre sometimes, but all the programs I have are in French and sometimes I just translate literally).
tasha
Regular Member

Re: autorite nt\system

Post by deltalima » September 3rd, 2010, 3:07 am

Hi tasha,

For the next scan you will need to connect the computer to the router using the network cable.

Bootable Kaspersky CD

  1. Download the Kaspersky Rescue Disk ISO file
  2. Burn the Kaspersky Rescue Disk ISO image to a CD
  3. Insert the bootable Kaspersky Rescue Disk CD into the CD drive and boot the computer
  4. The screen should look like this - press Enter

    Image
  5. Then this screen will appear

    Image
  6. Check the hard drives that you want to scan (C:) and click Start Scan
  7. When the scan has finished choose to delete any infections found and make a note of how many items
  8. Remove the CD, reboot into Windows and post the results in your next reply
deltalima
Admin/Teacher

Re: autorite nt\system

Post by tasha » September 3rd, 2010, 7:28 am

Hi Deltalima,

I downloaded the Kaspersky ISO file and made the Kaspersky Rescue CD. But even when I start the computer with the CD in the drive nothing changes, no Kaspersky window or dialog box, just blue threatening screens, a black frozen screen and eventually Windows in Safe Mode. Should I run the CD manually?
tasha
Regular Member

Re: autorite nt\system

Post by deltalima » September 3rd, 2010, 7:35 am

Hi tasha,

When the computer boots you need to tell it to boot from the CD. Keep an eye on the screen for options; depending on the model it may be F12, if not Esc, F2 or Del to get into the BIOS and select the boot order.

Give it a try and if not, let me know the model of your computer and I will find out more details of how to boot from CD.
deltalima
Admin/Teacher

Re: autorite nt\system

Post by tasha » September 3rd, 2010, 5:46 pm

Hi Deltalima,

As you probably figured, I don't know much about the mysterious depths of computer science and days like this don't help.

Usually when I started the computer and pressed F8 a window appeared asking me what device I want to use (HD1, HD2, CD drive ...) to boot. When I inserted the CD I never saw that screen again!

Anyway, when I restarted the computer 15 minutes ago I wanted to check the little instructions in the beginning (like you suggested) but they disappeared too fast and, to my horror, the computer booted in normal mode. And succeeded. Though I swear I didn't manage to run the CD before I left in the afternoon. At that time it still refused to run in normal mode. Now it's running normally, I even managed to uninstall Office, no screen threatening to shut down in 60s appeared, everything reacts in real time ...

So, in the light of this new unexpected event I wanted to ask you if there is something you would want to do in normal mode, taking advantage of its moment of good will (or a sick joke), because I'm afraid if I restart it again we'll be back into old habits.
tasha
Regular Member

Re: autorite nt\system

Post by deltalima » September 3rd, 2010, 5:56 pm

Hi tasha,

So, in the light of this new unexpected event I wanted to ask you if there is something you would want to do in normal mode


Let's take the opportunity to run -

Malwarebytes Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
deltalima
Admin/Teacher

Re: autorite nt\system

Post by tasha » September 3rd, 2010, 6:30 pm

Hi Deltalima,

Here is the log file

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4539

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/09/2010 0:20:25
mbam-log-2010-09-04 (00-20-25).txt

Scan type: Quick scan
Objects scanned: 126956
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapidrv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrateur\Application Data\ohydy.exe (Worm.Palevo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

BTW, I'm using the sick computer to post this reply. Now I have to reboot ... :pale:
tasha
Regular Member
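The MBAM log above records the same driver three times: once as a service (Services\atapidrv) and twice under SafeBoot\Minimal and SafeBoot\Network, which is the rootkit registering itself to be loaded in Safe Mode and Safe Mode with Networking as well. That detail explains why a Safe Mode cleanup alone can fail, and it is the sort of thing worth pulling out of a log automatically. The following Python script is an added example, not code from this thread or from Malwarebytes: it parses the MBAM 1.x log format (inferred from the log posted above), checks the header counts against the items actually listed, groups detections by threat name, flags SafeBoot persistence entries and lists anything whose action is not a clean quarantine-and-delete. The sample log embedded in the script is the detection part of the log posted in this thread.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and flag Safe Mode persistence.

Added example, not code from the thread or from Malwarebytes. The line formats
are inferred from the log posted in the thread. The SafeBoot check relies on the
role of HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal and \\Network:
whatever is listed there is loaded in Safe Mode (with Networking).
"""
import re
from collections import defaultdict

# Sample input: the detection part of the MBAM log posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4539
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapidrv (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Administrateur\Application Data\ohydy.exe (Worm.Palevo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 3" is a summary count; "Registry Keys Infected:" a section header.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<path> (<threat>) -> <action>". The threat name must start with a letter so the
# "(1)" / "(0)" inside a "Bad: (1) Good: (0)" action is not mistaken for it.
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[A-Za-z][\w.\-]*)\) -> (?P<action>.+)$")
SAFEBOOT_RE = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
REMOVED = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return (summary counts by section, listed items by section)."""
    summary, items, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]  # drop the trailing colon
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            items[section].append(m.groupdict())
    return summary, dict(items)


def summary_mismatches(summary, items):
    """Sections whose header count differs from the number of listed items (a truncated paste, say)."""
    return {sec: (n, len(items.get(sec, []))) for sec, n in summary.items()
            if n != len(items.get(sec, []))}


def safeboot_persistence(items):
    """Registry keys that make a driver or service load in Safe Mode as well."""
    return [it["path"] for it in items.get("Registry Keys Infected", [])
            if SAFEBOOT_RE.search(it["path"])]


def by_family(items):
    """Group every detection path by its threat name."""
    fam = defaultdict(list)
    for lst in items.values():
        for it in lst:
            fam[it["threat"]].append(it["path"])
    return dict(fam)


def not_removed(items):
    """Items whose action is anything other than a clean quarantine-and-delete."""
    return [it for lst in items.values() for it in lst if not it["action"].endswith(REMOVED)]


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", summary_mismatches(summary, items))
    for key in safeboot_persistence(items):
        print("Safe Mode persistence:", key)
    for threat, paths in by_family(items).items():
        print(f"{threat}: {len(paths)} item(s)")
    print("needs follow-up:", not_removed(items))
```

Run as-is it reports no count mismatches, the two SafeBoot keys, four Rootkit.Agent items (three registry keys plus the driver file) and an empty follow-up list; anything in that last list is an item to re-check after the reboot the thread asks for.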

Re: autorite nt\system

Post by deltalima » September 4th, 2010, 9:26 am

Hi tasha,

Please let me know if the computer still boots into normal mode OK.

If it does then

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply and also let me know how your computer is running now.
deltalima
Admin/Teacher

Re: autorite nt\system

Post by tasha » September 4th, 2010, 1:23 pm

Hi Deltalima,

It took a while but at last the Kaspersky Online Scan is finished. Here is the report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, September 4, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, September 04, 2010 08:31:53
Records in database: 4190727
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 133831
Threats found: 4
Infected objects found: 6
Suspicious objects found: 1
Scan duration: 02:23:40


File name / Threat / Threats count
C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.jw 1
C:\WINDOWS\Explorer.EXE/C:\WINDOWS\Explorer.EXE Infected: Trojan.Win32.Patched.jw 1
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Identities\{0A6C0841-6A6C-4D88-B79D-11B51A3BA937}\Microsoft\Outlook Express\Éléments supprimés.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\WINDOWS\explorer.exe Infected: Trojan.Win32.Patched.jw 1
C:\WINDOWS\system32\spool\prtprocs\w32x86\GRO1.tmp Infected: Trojan.Win32.TDSS.bkbu 1
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.jw 1
C:\WPI\Tools\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1

Selected area has been scanned.

At the risk of sounding too optimistic, I must say that the computer is doing much better. (Though only yesterday I was preparing to unplug the respirator.) It boots and runs normally, I can connect to the internet, all the programs that I tested launched without a problem ... Pure joy and happiness. Can I dare to think that the critical phase is over?
tasha
Regular Member

Re: autorite nt\system

Post by deltalima » September 4th, 2010, 1:32 pm

Hi tasha,

Can I dare to think that the critical phase is over?


Not quite yet, but we are getting there now.


Run Combofix

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures; if not, then follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and, when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
deltalima
Admin/Teacher

Re: autorite nt\system

Post by tasha » September 4th, 2010, 4:01 pm

Hi deltalima,

Here is the ComboFix log file:

ComboFix 10-09-03.02 - Administrateur 04/09/2010 21:36:49.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.32.1036.18.2047.1568 [GMT 2:00]
Lancé depuis: c:\documents and settings\Administrateur\Bureau\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrateur\Local Settings\Application Data\Windows Server
c:\documents and settings\Administrateur\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Administrateur\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Administrateur\Local Settings\Application Data\Windows Server\uses32.dat
c:\windows\system32\adgxpfi.dll
c:\windows\system32\drivers\mbwoxlmf.sys
c:\windows\system32\drivers\yfnalnya.sys
c:\windows\system32\explorer.exe
c:\windows\system32\kmjffbl.dll
c:\windows\system32\msconfig.exe
c:\windows\system32\scrrnfr.dll
c:\windows\system32\spool\prtprocs\w32x86\GRO1.tmp
c:\windows\system32\Thumbs.db

c:\windows\system32\winlogon.exe . . . est infecté!!

c:\windows\explorer.exe . . . est infecté!!

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATAPIDRV
-------\Legacy_TUYVHACD
-------\Legacy_YFNALNYA
-------\Service_tuyvhacd
-------\Service_yfnalnya


((((((((((((((((((((((((((((( Fichiers créés du 2010-08-04 au 2010-09-04 ))))))))))))))))))))))))))))))))))))
.

2010-09-04 19:42 . 2010-09-04 19:42 -------- d-sh--w- c:\windows\system32\dllcache
2010-09-04 19:42 . 2010-09-04 19:42 -------- d-----w- c:\windows\system32\xircom
2010-09-04 19:42 . 2010-09-04 19:42 -------- d-----w- c:\windows\system32\wbem\snmp
2010-09-04 19:42 . 2010-09-04 19:42 -------- d-----w- c:\windows\srchasst
2010-09-03 22:08 . 2010-09-03 22:08 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes
2010-09-03 22:07 . 2010-09-03 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 22:07 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-03 22:07 . 2010-09-03 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-03 22:07 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-02 11:08 . 2010-09-02 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-02 11:08 . 2010-09-02 11:08 -------- d-----w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com
2010-09-01 20:47 . 2010-09-01 20:47 -------- d-----w- C:\_OTL
2010-08-30 22:24 . 2010-08-30 22:24 -------- d-----w- c:\documents and settings\Administrateur\Application Data\InstallShield
2010-08-26 20:24 . 2010-08-26 20:24 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-08-26 19:27 . 2010-08-26 19:27 131 ----a-w- c:\windows\system32\file.bat
2010-08-26 19:27 . 2010-08-26 19:27 -------- d-----w- c:\documents and settings\Administrateur\Application Data\878E3BB16E0E9CA70630B7733CB1EE6D

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-04 19:45 . 2009-02-18 17:42 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Skype
2010-09-04 19:42 . 2010-09-04 19:42 -------- d-----w- c:\program files\microsoft frontpage
2010-09-04 14:02 . 2009-02-18 17:44 -------- d-----w- c:\documents and settings\Administrateur\Application Data\skypePM
2010-09-03 22:10 . 2010-04-29 10:25 0 ----a-w- c:\documents and settings\Administrateur\Local Settings\Application Data\prvlcl.dat
2010-09-01 20:44 . 2009-02-18 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-09-01 13:29 . 2001-09-28 17:00 76606 ----a-w- c:\windows\system32\perfc00C.dat
2010-09-01 13:29 . 2001-09-28 17:00 469824 ----a-w- c:\windows\system32\perfh00C.dat
2010-08-26 20:41 . 2009-02-23 14:32 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Azureus
2010-08-26 19:27 . 2010-08-26 19:27 720896 ----a-w- c:\documents and settings\Administrateur\Application Data\878E3BB16E0E9CA70630B7733CB1EE6D\newsecureapp70700.exe
2010-08-09 12:34 . 2010-08-26 20:15 14336 ----a-w- c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\iop5lzfh.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
2010-07-17 11:08 . 2010-07-17 11:08 -------- d-----w- c:\documents and settings\Administrateur\Application Data\iWin
2010-07-17 09:22 . 2010-07-17 09:22 -------- d-----w- c:\program files\Fichiers communs\Skype
2010-07-16 22:13 . 2009-09-10 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-15 16:45 . 2009-02-05 21:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-15 16:45 . 2010-07-15 16:45 -------- d-----w- c:\program files\SmartSound Software
2010-07-15 16:45 . 2010-07-15 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2010-07-15 16:44 . 2010-07-15 16:44 1100 ----a-w- c:\program files\uninstal.log
2010-07-15 13:17 . 2009-02-05 21:54 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:17 . 2010-07-15 13:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-09 14:20 . 2010-06-09 14:20 15781 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2009-02-05 21:06 . 2009-02-05 21:06 56 --sh--r- c:\windows\system32\E7F5CFDA1E.sys
2009-02-05 21:06 . 2009-02-05 21:06 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------


[-] 2005-09-18 . DBC20C4332FE84B826530C49AE09721E . 359936 . . [5.1.2600.2685] . . c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-04 . 9AD94F96BBBE3F2F85ADE0A7950FBD67 . 506368 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2005-09-17 . 5D35335E7B6DE0C2F632CFC2DEC7C9E6 . 2120704 . . [6.00.2900.2649] . . c:\windows\explorer.exe

[-] 2005-09-18 . BF786B9F0DB745C5E8DFEDF1F9A4DBDC . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll


c:\windows\System32\drivers\beep.sys ... manque !!
c:\windows\System32\regsvc.dll ... manque !!
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-19 68856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-03 16116224]
"SkyTel"="SkyTel.EXE" [2006-05-20 2879488]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2004-11-04 1569280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):6c,6f,67,6f,6e,75,69,32,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 13:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Fichiers communs\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/02/2009 23:54 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 15:17 308136]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [15/07/2010 15:16 921952]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/01/2010 12:52 135664]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [15/01/2008 12:39 97792]

--- Autres Services/Pilotes en mémoire ---

*NewlyCreated* - HELPSVC
*NewlyCreated* - YFNALNYA
*Deregistered* - yfnalnya
.
Contenu du dossier 'Tâches planifiées'

2010-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 10:51]

2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 10:51]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://start.gametop.com/?utm_source=Cr ... dium=start
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Ajouter au fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir en Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir en un fichier PDF existant - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir la cible du lien en Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir la cible du lien en un fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir la sélection en Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir la sélection en un fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir les liens sélectionnés en fichier Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convertir les liens sélectionnés en un fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\iop5lzfh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/
FF - component: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\iop5lzfh.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
.
- - - - ORPHELINS SUPPRIMES - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-HijackThis - c:\program files\hijackthis\HijackThis.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Administrateur\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-04 21:42
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:56,04,fd,68,f3,9d,cc,f3,a2,ab,0d,b3,c3,c8,30,57,02,8b,8e,32,4c,
3b,d8,cc,c6,39,d0,9f,c5,1b,b4,95,8c,3e,6b,37,a5,25,a5,3f,9e,a8,a7,8b,66,ae,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:56,04,fd,68,f3,9d,cc,f3,a2,ab,0d,b3,c3,c8,30,57,02,8b,8e,32,4c,
3b,d8,cc,c6,39,d0,9f,c5,1b,b4,95,8c,3e,6b,37,a5,25,a5,3f,9e,a8,a7,8b,66,ae,\
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'explorer.exe'(2108)
c:\windows\system32\msi.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\Skype\Phone\Skype.exe
c:\program files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Heure de fin: 2010-09-04 21:50:19 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-09-04 19:50

Avant-CF: 54.826.774.528 octets libres
Après-CF: 54.887.804.928 octets libres

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - B881B62EC96405EF97565F45CB53F0F5
tasha
Regular Member

Re: autorite nt\system

Post by deltalima » September 4th, 2010, 4:57 pm

Hi tasha,

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
c:\windows\explorer.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Please repeat this process with the file
c:\windows\system32\winlogon.exe


Download SystemLook and save it to your Desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    winlogon.exe
    explorer.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

ComboFix - CFScript
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!


You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Please open Notepad and copy/paste all the text below... into the window:
    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=53216&p=543784#p543784
    Suspect::
    c:\windows\explorer.exe
    c:\windows\system32\winlogon.exe

  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

    Image

    This will cause ComboFix to run again.
    Do not use your keyboard or click the mouse anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!

    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  5. Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **
deltalima
Admin/Teacher
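The ComboFix log above and the Kaspersky report before it point at the same two files from different directions: ComboFix's Sigcheck section lists winlogon.exe and explorer.exe (with tcpip.sys and sfcfiles.dll) as system files it does not recognise, and Kaspersky calls the first two Trojan.Win32.Patched. Joining the two reports is the step a helper does by hand before asking for a VirusTotal check. The Python script below is an added example, not code from this thread, ComboFix or Kaspersky: it parses the Sigcheck lines and the "manque !!" (missing) lines as they appear in the log above, parses the Kaspersky result lines, and joins them by path so that entries with an AV verdict are separated from those that only failed the integrity check, whose MD5s can then be looked up by hash (for instance through VirusTotal's search) rather than by uploading the file. The meaning given to the [-] marker (failed ComboFix's file check) is my reading of the log, and the English "... is missing !!" form is assumed; the French form comes from the log as posted.

```python
"""Cross-reference ComboFix's Sigcheck section with a Kaspersky Online Scanner report.

Added example, not code from the thread, ComboFix or Kaspersky; the line formats are
inferred from the two reports posted in this thread. The [-] marker is read as
"failed ComboFix's file check" (my reading). The French "manque !!" line is taken
from the log above; the English "is missing !!" form is an assumption.
"""
import re

# Sample input: the Sigcheck block and the two "manque !!" lines from the ComboFix log above.
SIGCHECK = r"""
[-] 2005-09-18 . DBC20C4332FE84B826530C49AE09721E . 359936 . . [5.1.2600.2685] . . c:\windows\system32\drivers\tcpip.sys
[-] 2004-08-04 . 9AD94F96BBBE3F2F85ADE0A7950FBD67 . 506368 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2005-09-17 . 5D35335E7B6DE0C2F632CFC2DEC7C9E6 . 2120704 . . [6.00.2900.2649] . . c:\windows\explorer.exe
[-] 2005-09-18 . BF786B9F0DB745C5E8DFEDF1F9A4DBDC . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
c:\windows\System32\drivers\beep.sys ... manque !!
c:\windows\System32\regsvc.dll ... manque !!
"""

# Sample input: result lines from the Kaspersky Online Scanner report above.
KASPERSKY = r"""
C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.jw 1
C:\WINDOWS\Explorer.EXE/C:\WINDOWS\Explorer.EXE Infected: Trojan.Win32.Patched.jw 1
C:\WINDOWS\explorer.exe Infected: Trojan.Win32.Patched.jw 1
C:\WINDOWS\system32\spool\prtprocs\w32x86\GRO1.tmp Infected: Trojan.Win32.TDSS.bkbu 1
C:\WPI\Tools\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
"""

# "[flag] date . MD5 . size . . [version] . . path"
SIG_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$")
MISSING_RE = re.compile(r"^(?P<path>.+?) \.\.\. (?:manque|is missing) !!$")
# "object Infected: threat count" or "object Suspicious: threat count";
# a scanned-inside object is written "outer/inner".
AV_RE = re.compile(r"^(?P<obj>.+) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")


def norm(path):
    """Windows paths are case-insensitive; compare them in lower case."""
    return path.strip().lower()


def parse_sigcheck(text):
    """Return (entries that failed ComboFix's file check, paths reported missing)."""
    flagged, missing = [], []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["path"], rec["size"] = norm(rec["path"]), int(rec["size"])
            flagged.append(rec)
            continue
        m = MISSING_RE.match(line.strip())
        if m:
            missing.append(norm(m["path"]))
    return flagged, missing


def parse_av_report(text):
    """Map normalised path -> (verdict, threat); for "outer/inner" keep the inner object."""
    verdicts = {}
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m:
            verdicts[norm(m["obj"].split("/")[-1])] = (m["verdict"], m["threat"])
    return verdicts


def triage(sigcheck_text, av_text):
    """Join the reports: each Sigcheck entry with the AV verdict for the same path,
    or None where only the integrity check fired and a hash lookup is the next step."""
    flagged, _ = parse_sigcheck(sigcheck_text)
    verdicts = parse_av_report(av_text)
    rows = []
    for rec in flagged:
        verdict, threat = verdicts.get(rec["path"], (None, None))
        rows.append({"path": rec["path"], "md5": rec["md5"].upper(),
                     "version": rec["version"], "verdict": verdict, "threat": threat})
    return rows


def hash_lookup_queue(rows):
    """MD5s to look up by hash instead of uploading the file."""
    return [r["md5"] for r in rows if r["verdict"] is None]


if __name__ == "__main__":
    rows = triage(SIGCHECK, KASPERSKY)
    for r in rows:
        print(f'{r["path"]}  {r["version"]}  {r["threat"] or "no AV verdict"}')
    print("look up by hash:", hash_lookup_queue(rows))
    print("missing system files:", parse_sigcheck(SIGCHECK)[1])
```

On the two reports as posted, winlogon.exe and explorer.exe come out with the Trojan.Win32.Patched.jw verdict, tcpip.sys and sfcfiles.dll go into the hash-lookup queue, and beep.sys (the file MBAM had removed as Fake.Beep.sys) and regsvc.dll are listed as missing, which is the list of system files that will need restoring once the machine is clean.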