User and Admin account big troubles !

It could be anti-rootkit. They are randomly named like this. What do you have installed? AVZ? They will always label themselves, I think. AVZ certainly will. Find the file. If you can find it in Explorer, then it is probably not a rootkit. Look in Properties, Details for a name. However, if you can't find it, and the tools were not running, then it is not good news.
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300) Western Digital: WDC WD6400AAKS-75A7B0 1 x 1Tb (SATA 600) Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Keyboard
    Dell Bluetooth
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
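The "find the file and read its Properties, Details" check from the post above, done from PowerShell instead of Explorer, with the follow-up checks a helper would want (Authenticode signature, which Services entry points at the file, whether it sits in a user-writable folder). This is an added example, not code from the thread or from any tool named in it; it assumes the file path is passed as a parameter, and the default path is a placeholder.

```powershell
# Added example, not from the thread or from any tool named in it: do the
# "find the file and read its Properties > Details" check from PowerShell and
# add what a helper would look at next. Run elevated so every Services key is
# readable. The default path is a placeholder; pass the real one.
param([string]$Path = 'C:\PLACEHOLDER\unknown.sys')

function Get-DriverTriage {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Not visible from the shell either: the same bad sign the post describes
        # for a file Explorer cannot find while no scanner is running.
        return New-Object PSObject -Property @{
            Path = $Path; Exists = $false; Flags = 'not found on disk'
        }
    }

    $file = Get-Item -LiteralPath $Path -Force
    $vi   = $file.VersionInfo                       # what the Details tab shows
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # Any service or kernel driver whose ImagePath references this file name.
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object {
            $ip = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            $ip -and ($ip -like "*$($file.Name)*")
        } |
        ForEach-Object { $_.PSChildName }

    # Real drivers live under System32\drivers. Temp and AppData are where
    # scanners drop a transient driver, and also where malware tends to land.
    $userWritable = $file.FullName -match '\\Users\\|\\AppData\\|\\Temp\\'

    $flags = @()
    if (-not $vi.CompanyName -and -not $vi.FileDescription) { $flags += 'no version info' }
    if ($sig.Status -ne 'Valid')                            { $flags += "signature $($sig.Status)" }
    if ($userWritable)                                      { $flags += 'user-writable path' }
    if (-not $services)                                     { $flags += 'no service entry' }

    New-Object PSObject -Property @{
        Path            = $file.FullName
        Exists          = $true
        SizeBytes       = $file.Length
        Created         = $file.CreationTime     # compare with when the scanner ran
        CompanyName     = $vi.CompanyName
        FileDescription = $vi.FileDescription
        OriginalName    = $vi.OriginalFilename
        SignatureStatus = $sig.Status
        Signer          = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        Services        = ($services -join ', ')
        Flags           = ($flags -join '; ')
    }
}

Get-DriverTriage -Path $Path | Format-List
```

A file with no version info, no valid signature, no Services entry and a Temp path matches the profile of both a scanner's transient driver and a dropped malicious one; the Created timestamp against the time the scanner was run is what separates the two.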
That's what I thought, Rich. I did the BSOD. I remembered all that you had said in the past about not being able to find it in Google. So we called for help.
Hope we have good news.
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS420
    Memory
    6 gig
    Graphics card(s)
    ATI Radeon HD3650 256 MB
    Sound Card
    Intergrated 7.1 Channel Audio
    Monitor(s) Displays
    Dell SP2009W 20 inch Flat Panel w Webcam
    Hard Drives
    640 gb
    Cooling
    Fan
    Mouse
    Dell USB 4 button optical
    Keyboard
    Dell USB
    Other Info
    DSL provided by ATT
From what I see on this computer, after 4 weeks of working on it ... it most likely needs a 'clean' install. It hasn't been kept up to date with critical service packs or the latest (JRE) Java 6U23.
I'm curious what all those \system32\strange name.dat files are.

awtiqfow.sys is not found in a Google search. I have no idea what it is. It could be uploaded to VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 36 AntiVirus Engines! and have it scanned. Save the results of the scan, then copy/paste them back here.
 

My Computer

System One

  • Manufacturer/Model
    Bruce ... somewhere in his 40's
    CPU
    Intel(R) Core(TM)2 Quad CPU
    Motherboard
    INTEL/D975XBX2
    Memory
    4 GB
    Graphics card(s)
    ATI Radeon HD 2600 Pro
    Monitor(s) Displays
    Samsung SyncMaster 914v
    Screen Resolution
    1280 x 1024
    Hard Drives
    2/500GB each ... ST3500630AS ATA Device. One is not connected
    PSU
    Rocketfish 700 W
    Case
    G.Skill Gigabyte Chassis
    Mouse
    Microsoft PS/2 Mouse
    Keyboard
    Standard PS/2 Keyboard
    Internet Speed
    DSL
    Other Info
    ATI HDMI Audio
It could be anti-rootkit. They are randomly named like this. What do you have installed? AVZ? They will always label themselves, I think. AVZ certainly will. Find the file. If you can find it in Explorer, then it is probably not a rootkit. Look in Properties, Details for a name. However, if you can't find it, and the tools were not running, then it is not good news.

Here you are Niemiro : ;)

Anti-rootkit, anti-malware:

Rooter
Combofix
OTL
Gmer
Atool
Rootkit Unhooker
SanityCheck
Cmcark
HideToolz
Kernel Detective
PErvert
 

My Computer

System One

  • Manufacturer/Model
    Amilo Pro v3505
    CPU
    Intel Core 2 T5300 1.73 Ghz
    Memory
    1 Gb
    Graphics card(s)
    Intel Graphics Media Accelerator Driver for Mobile
    Sound Card
    Realteck
I posted yesterday in a rush from my iPhone. C:\Users\FLEURD~1\AppData\Local\Temp\awtiqfow.sys

Does anybody actually trust that!? However, were you running GMER at the time? Then it could make a lot of sense. If you were running GMER, then maybe it is alright.

Rooter
Combofix
OTL
Gmer
Atool
Rootkit Unhooker
SanityCheck
Cmcark
HideToolz
Kernel Detective
PErvert

I hand over to Jacee. I bet she has a fair bit to say. ComboFix for one is not designed to be run outside of the bounds of "under instruction from a helper". They are not tools which are just designed to be thrown around. We now assume that that driver is safe.

We need to know whether you were running GMER.

Thanks!

Richard
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300) Western Digital: WDC WD6400AAKS-75A7B0 1 x 1Tb (SATA 600) Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Keyboard
    Dell Bluetooth
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
Hi Niemiro,

I was running Gmer when I got all my troubles, yes indeed ;)

About Combofix and OTL, I never used these programs alone, by myself; on the contrary, I did for the other programs from my anti-rootkits list.

Look at the location of awtiqfow.sys. It corresponds to the date when I ran Gmer. ;)
 

Attachments

  • awtiqfow.sys.jpg
    awtiqfow.sys.jpg
    86.3 KB · Views: 17

How to know if my old Fleur de Vie admin account was the hidden Admin account? Is there a way to check it? If I remove this account after transferring my personal documents and files to a new admin account named "Old Admin", won't I have trouble re-enabling the hidden Admin account?
 

My Computer

System One

  • Manufacturer/Model
    Amilo Pro v3505
    CPU
    Intel Core 2 T5300 1.73 Ghz
    Memory
    1 Gb
    Graphics card(s)
    Intel Graphics Media Accelerator Driver for Mobile
    Sound Card
    Realteck
Hi Niemiro,

I was running Gmer when I got all my troubles, yes indeed ;)

About Combofix and OTL, I never used these programs alone, by myself; on the contrary, I did for the other programs from my anti-rootkits list.

Look at the location of awtiqfow.sys. It corresponds to the date when I ran Gmer. ;)

Don't worry then. No problems after all!
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300) Western Digital: WDC WD6400AAKS-75A7B0 1 x 1Tb (SATA 600) Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Keyboard
    Dell Bluetooth
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
If it is finally determined that the driver is not malware, you can remove it. If we do not know the name of the software that it is connected to, you can just manually go to the driver location and change the extension to .bup, or it can just be deleted. If deleted, we will not be able to replace it if needed later. If you still get BSODs after that, I will check the BSODs again. The BSOD is a problem in itself, but may also be caused by something that is also the reason for your primary problems.
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS420
    Memory
    6 gig
    Graphics card(s)
    ATI Radeon HD3650 256 MB
    Sound Card
    Intergrated 7.1 Channel Audio
    Monitor(s) Displays
    Dell SP2009W 20 inch Flat Panel w Webcam
    Hard Drives
    640 gb
    Cooling
    Fan
    Mouse
    Dell USB 4 button optical
    Keyboard
    Dell USB
    Other Info
    DSL provided by ATT
How to know if my old Fleur de Vie admin account was the hidden Admin account? Is there a way to check it? If I remove this account after transferring my personal documents and files to a new admin account named "Old Admin", won't I have trouble re-enabling the hidden Admin account?

If it is the hidden Admin account, you will not be able to delete or remove it - merely disable it. Vista will not allow you to delete the built-in hidden Administrator account (or the Guest account for that matter). It's impossible (but don't test it this way in case it isn't, or you will delete that account and you don't want to do that). Also, that account should bypass the UAC prompts if it is the built-in Administrator account, as that account works differently than others and UAC should not interfere with it. I'm not sure of a specific way to tell if it is or isn't the built-in Administrator account except to disable the built-in Administrator account and see if that account becomes disabled. Make sure you have another working Administrator account before you do this so you can enable it again (otherwise, you will be hosed). Here's that procedure: http://www.vistax64.com/tutorials/67567-administrator-account.html. In a way, I hope that wasn't the account, because I've never seen a corrupted built-in Administrator account before and I honestly don't know how to fix that, as we can't create another such account.
 

My Computer

System One

  • Manufacturer/Model
    Dell Inc. MP061 Inspiron E1705
    CPU
    2.00 gigahertz Intel Core 2 Duo 64 kilobyte primary memory
    Motherboard
    Board: Dell Inc. 0YD479 Bus Clock: 166 megahertz
    Memory
    2046 Megabytes Usable Installed Memory
    Graphics card(s)
    ATI Mobility Radeon X1400 (Microsoft Corporation - WDDM) [Di
    Sound Card
    SigmaTel High Definition Audio CODEC
    Monitor(s) Displays
    Generic PnP Monitor (17.2"vis)
    Screen Resolution
    1920 x 1200 pixels
    Hard Drives
    Hitachi HTS541616J9SA00 [Hard drive] (160.04 GB) -- drive 0, s/n SB2411SJGLLRMB, rev SB4OC74P, SMART Status: Healthy
    Case
    Chassis Serial Number: 5YK95C1
    Mouse
    Logitech HID-compliant Cordless Mouse
    Keyboard
    Standard PS/2 Keyboard
    Internet Speed
    1958 Kbps download ; 754.8 Kbps upload
    Other Info
    Optiarc DVD+-RW AD-5540A ATA Device [CD-ROM drive] Dell AIO Printer A940 Conexant HDA D110 MDC V.92 Modem 6TO4 Adapter Broadcom 440x 10/100 Integrated Controller Broadcom 802.11n Network Adapter Microsoft ISATAP Adapter Teredo Tunneling Pseudo-Interface Router Linksys / WRT54G -01
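A way to answer the question above without disabling anything: Windows identifies the built-in Administrator by its SID, which always ends in the relative ID 500 (the Guest account's ends in 501), whatever the account has been renamed to. This is an added example, not from the thread; it assumes Windows PowerShell with WMI access on the local machine.

```powershell
# Added example, not from the thread: tell whether a local account is the
# built-in Administrator without disabling anything. Windows identifies it by
# its SID, which always ends in -500 (Guest ends in -501), whatever name the
# account has been given, so renaming does not hide it.
function Get-LocalAccountRole {
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True' |
        ForEach-Object {
            $rid  = [int](($_.SID -split '-')[-1])
            $role = switch ($rid) {
                500     { 'Built-in Administrator: cannot be deleted, only disabled' }
                501     { 'Built-in Guest: cannot be deleted, only disabled' }
                default { 'Ordinary local account: can be deleted' }
            }
            New-Object PSObject -Property @{
                Name     = $_.Name
                SID      = $_.SID
                Disabled = $_.Disabled
                Role     = $role
            }
        }
}

# True if the named account (e.g. one renamed to 'Fleur de Vie') is the built-in one.
function Test-BuiltInAdministrator {
    param([Parameter(Mandatory = $true)][string]$Name)
    $acct = @(Get-LocalAccountRole | Where-Object { $_.Name -eq $Name })
    if ($acct.Count -eq 0) { throw "No local account named '$Name'" }
    return [bool]($acct[0].SID -like '*-500')
}

Get-LocalAccountRole | Sort-Object SID | Format-Table Name, SID, Disabled, Role -AutoSize
```

The Disabled column also shows whether the built-in account is currently active, which is the state the linked tutorial toggles.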
As shown in the attached picture, when you manage the account you will not be able to delete it.
 

Attachment: Account.JPG

If it is finally determined that the driver is not malware, you can remove it. If we do not know the name of the software that it is connected to, you can just manually go to the driver location and change the extension to .bup, or it can just be deleted. If deleted, we will not be able to replace it if needed later. If you still get BSODs after that, I will check the BSODs again. The BSOD is a problem in itself, but may also be caused by something that is also the reason for your primary problems.

The BSoD is caused by GMER. GMER is anti-rootkit software. I don't want to discuss Rooter, but GMER fights rootkits with its own driver. This driver regularly causes BSoDs on some systems. We have now identified that the driver is not malware.

GMER will not cause a BSoD unless it is run. It is perfectly safe to completely ignore the driver and BSoD.

It won't reappear.

Richard
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300) Western Digital: WDC WD6400AAKS-75A7B0 1 x 1Tb (SATA 600) Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Keyboard
    Dell Bluetooth
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
Excellent, Josh! That's a much easier way to tell - since mine is not activated, I didn't realize the manage other user accounts screen for it would not have the delete option available. Ashanta, that's how you can tell in the easiest way.
 

My Computer

System One

  • Manufacturer/Model
    Dell Inc. MP061 Inspiron E1705
    CPU
    2.00 gigahertz Intel Core 2 Duo 64 kilobyte primary memory
    Motherboard
    Board: Dell Inc. 0YD479 Bus Clock: 166 megahertz
    Memory
    2046 Megabytes Usable Installed Memory
    Graphics card(s)
    ATI Mobility Radeon X1400 (Microsoft Corporation - WDDM) [Di
    Sound Card
    SigmaTel High Definition Audio CODEC
    Monitor(s) Displays
    Generic PnP Monitor (17.2"vis)
    Screen Resolution
    1920 x 1200 pixels
    Hard Drives
    Hitachi HTS541616J9SA00 [Hard drive] (160.04 GB) -- drive 0, s/n SB2411SJGLLRMB, rev SB4OC74P, SMART Status: Healthy
    Case
    Chassis Serial Number: 5YK95C1
    Mouse
    Logitech HID-compliant Cordless Mouse
    Keyboard
    Standard PS/2 Keyboard
    Internet Speed
    1958 Kbps download ; 754.8 Kbps upload
    Other Info
    Optiarc DVD+-RW AD-5540A ATA Device [CD-ROM drive] Dell AIO Printer A940 Conexant HDA D110 MDC V.92 Modem 6TO4 Adapter Broadcom 440x 10/100 Integrated Controller Broadcom 802.11n Network Adapter Microsoft ISATAP Adapter Teredo Tunneling Pseudo-Interface Router Linksys / WRT54G -01
Thanks for the information. In that event the BSOD problem is taken care of anyway.
I'll go back to the BSOD report and look for any other clues relating to the current problem.
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS420
    Memory
    6 gig
    Graphics card(s)
    ATI Radeon HD3650 256 MB
    Sound Card
    Intergrated 7.1 Channel Audio
    Monitor(s) Displays
    Dell SP2009W 20 inch Flat Panel w Webcam
    Hard Drives
    640 gb
    Cooling
    Fan
    Mouse
    Dell USB 4 button optical
    Keyboard
    Dell USB
    Other Info
    DSL provided by ATT
The only other problem is the list of very old drivers. These must be updated. These alone can cause BSODs. Because of the number, many other problems can also arise. Usually I find from one to about a dozen.
Code:
EMS7SK.sys   Wed Feb 15 21:55:09 2006 
smserial.sys Fri Jun 23 06:20:33 2006 
secdrv.SYS   Wed Sep 13 09:18:32 2006 
NETw3v32.sys Mon Sep 25 04:11:18 2006 
yk60x86.sys  Mon Oct 02 03:05:41 2006 
peauth.sys   Mon Oct 23 04:55:32 2006 
ESD7SK.sys   Wed Oct 25 02:36:47 2006 
spldr.sys    Wed Oct 25 18:40:44 2006 
spsys.sys    Wed Oct 25 18:43:28 2006 
halmacpi.dll Thu Nov 02 04:30:18 2006 
intelppm.sys Thu Nov 02 04:30:18 2006 
cdfs.sys     Thu Nov 02 04:30:50 2006 
CLFS.SYS     Thu Nov 02 04:30:52 2006 
Msfs.SYS     Thu Nov 02 04:30:56 2006 
Npfs.SYS     Thu Nov 02 04:30:57 2006 
fltmgr.sys   Thu Nov 02 04:30:58 2006 
mup.sys      Thu Nov 02 04:31:04 2006 
dfsc.sys     Thu Nov 02 04:31:04 2006 
bowser.sys   Thu Nov 02 04:31:11 2006 
rdbss.sys    Thu Nov 02 04:31:24 2006 
mrxsmb10.sys Thu Nov 02 04:31:25 2006 
srv.sys      Thu Nov 02 04:31:55 2006 
luafv.sys    Thu Nov 02 04:33:07 2006 
msisadrv.sys Thu Nov 02 04:35:08 2006 
pci.sys      Thu Nov 02 04:35:13 2006 
mssmbios.sys Thu Nov 02 04:35:13 2006 
pcmcia.sys   Thu Nov 02 04:35:13 2006 
fileinfo.sys Thu Nov 02 04:36:47 2006 
watchdog.sys Thu Nov 02 04:37:44 2006 
Dxapi.sys    Thu Nov 02 04:38:17 2006 
ksecdd.sys   Thu Nov 02 04:43:45 2006 
msrpc.sys    Thu Nov 02 04:50:16 2006 
Beep.SYS     Thu Nov 02 04:51:03 2006 
Null.SYS     Thu Nov 02 04:51:05 2006 
mountmgr.sys Thu Nov 02 04:51:06 2006 
kbdclass.sys Thu Nov 02 04:51:09 2006 
mouclass.sys Thu Nov 02 04:51:09 2006 
i8042prt.sys Thu Nov 02 04:51:12 2006 
swenum.sys   Thu Nov 02 04:51:15 2006 
ks.sys       Thu Nov 02 04:51:18 2006 
CLASSPNP.SYS Thu Nov 02 04:51:34 2006 
crashdmp.sys Thu Nov 02 04:51:36 2006 
disk.sys     Thu Nov 02 04:51:40 2006 
volmgr.sys   Thu Nov 02 04:51:44 2006 
cdrom.sys    Thu Nov 02 04:51:44 2006 
storport.sys Thu Nov 02 04:51:45 2006 
partmgr.sys  Thu Nov 02 04:51:47 2006 
volmgrx.sys  Thu Nov 02 04:51:54 2006 
crcdisk.sys  Thu Nov 02 04:52:27 2006 
msiscsi.sys  Thu Nov 02 04:52:40 2006 
ecache.sys   Thu Nov 02 04:52:42 2006 
vga.sys      Thu Nov 02 04:53:56 2006 
monitor.sys  Thu Nov 02 04:54:05 2006 
WDFLDR.SYS   Thu Nov 02 04:54:05 2006 
VIDEOPRT.SYS Thu Nov 02 04:54:07 2006 
Wdf01000.sys Thu Nov 02 04:54:18 2006 
WMILIB.SYS   Thu Nov 02 04:54:53 2006 
portcls.sys  Thu Nov 02 04:55:02 2006 
umbus.sys    Thu Nov 02 04:55:24 2006 
lltdio.sys   Thu Nov 02 04:56:48 2006 
rspndr.sys   Thu Nov 02 04:56:48 2006 
HTTP.sys     Thu Nov 02 04:57:06 2006 
smb.sys      Thu Nov 02 04:57:10 2006 
ndisuio.sys  Thu Nov 02 04:57:22 2006 
netbios.sys  Thu Nov 02 04:57:26 2006 
fwpkclnt.sys Thu Nov 02 04:57:26 2006 
nsiproxy.sys Thu Nov 02 04:57:30 2006 
ndis.sys     Thu Nov 02 04:57:33 2006 
tdx.sys      Thu Nov 02 04:57:34 2006 
tcpipreg.sys Thu Nov 02 04:57:46 2006 
raspppoe.sys Thu Nov 02 04:58:12 2006 
rasacd.sys   Thu Nov 02 04:58:13 2006 
rasl2tp.sys  Thu Nov 02 04:58:13 2006 
ndiswan.sys  Thu Nov 02 04:58:13 2006 
raspptp.sys  Thu Nov 02 04:58:14 2006 
afd.sys      Thu Nov 02 04:58:41 2006 
TDI.SYS      Thu Nov 02 04:58:46 2006 
modem.sys    Thu Nov 02 04:58:52 2006 
termdd.sys   Thu Nov 02 05:02:00 2006 
rdpencdd.sys Thu Nov 02 05:02:01 2006 
RDPCDD.sys   Thu Nov 02 05:02:01 2006 
rdpdr.sys    Thu Nov 02 05:02:58 2006 
drmk.sys     Thu Nov 02 05:20:49 2006 
BOOTVID.dll  Thu Nov 02 05:39:29 2006 
kdcom.dll    Thu Nov 02 05:42:20 2006 
CI.dll       Thu Nov 02 05:42:45 2006 
PSHED.dll    Thu Nov 02 05:42:51 2006 
RTKVHDA.sys  Wed Nov 08 06:04:28 2006 
ElbyCDFL.sys Thu Dec 14 16:22:33 2006 
HDAudBus.sys Sat Mar 24 14:54:34 2007 
Fs_Rec.SYS   Mon Apr 16 21:26:39 2007 
sdbus.sys    Fri Apr 27 22:15:33 2007 
tunmp.sys    Wed Jun 06 22:56:53 2007 
tunnel.sys   Wed Jun 06 22:57:03 2007 
csc.sys      Mon Jun 18 20:48:27 2007 
dxgkrnl.sys  Mon Jul 02 21:01:10 2007 
pacer.sys    Tue Jul 03 21:27:33 2007 
ndistapi.sys Tue Jul 03 21:28:09 2007 
NDProxy.SYS  Tue Jul 03 21:28:13 2007 
wanarp.sys   Tue Jul 03 21:28:16 2007 
ElbyCDIO.sys Tue Aug 07 15:48:32 2007 
BATTC.SYS    Thu Aug 30 20:57:44 2007 
compbatt.sys Thu Aug 30 20:57:47 2007 
CmBatt.sys   Thu Aug 30 20:57:48 2007 
usbuhci.sys  Thu Aug 30 21:19:58 2007 
usbehci.sys  Thu Aug 30 21:19:59 2007 
USBPORT.SYS  Thu Aug 30 21:20:03 2007 
usbhub.sys   Thu Aug 30 21:20:18 2007 
NETIO.SYS    Thu Sep 27 22:46:49 2007 
tcpip.sys    Thu Sep 27 22:47:19 2007 
ntkrnlmp.exe Tue Oct 09 21:45:28 2007 
PCIIDEX.SYS  Tue Oct 23 22:02:39 2007 
atapi.sys    Tue Oct 23 22:02:39 2007 
ataport.SYS  Tue Oct 23 22:02:40 2007 
intelide.sys Tue Oct 23 22:02:40 2007 
msahci.sys   Tue Oct 23 22:02:41 2007 
mrxsmb20.sys Thu Oct 25 21:40:16 2007 
mrxsmb.sys   Thu Oct 25 21:40:17 2007 
Ntfs.sys     Thu Oct 25 21:40:39 2007 
srvnet.sys   Thu Oct 25 21:40:43 2007 
srv2.sys     Thu Oct 25 21:40:47 2007 
volsnap.sys  Thu Oct 25 22:04:17 2007 
nwifi.sys    Mon Oct 29 21:21:14 2007 
AnyDVD.sys   Fri Nov 30 10:22:57 2007
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS420
    Memory
    6 gig
    Graphics card(s)
    ATI Radeon HD3650 256 MB
    Sound Card
    Intergrated 7.1 Channel Audio
    Monitor(s) Displays
    Dell SP2009W 20 inch Flat Panel w Webcam
    Hard Drives
    640 gb
    Cooling
    Fan
    Mouse
    Dell USB 4 button optical
    Keyboard
    Dell USB
    Other Info
    DSL provided by ATT
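A driver-age list like the one in the post above, built from the live system instead of a crash dump, and split into Microsoft components (updated through Service Packs and Windows Update) and third-party drivers (updated from the vendor). This is an added example, not from the thread; the three-year cutoff is an assumption, and the file timestamp stands in for the link date a dump analysis prints.

```powershell
# Added example, not from the thread: build a driver-age list like the one in
# the post above from the live system instead of a crash dump, and split it
# into Microsoft components (updated by Service Packs / Windows Update) and
# third-party drivers (updated from the vendor). The cutoff is an assumption;
# the file timestamp stands in for the link date a dump analysis prints.
function Get-StaleDriverReport {
    param([datetime]$OlderThan = (Get-Date).AddYears(-3))

    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be \??\C:\...\x.sys, \SystemRoot\system32\..., or bare system32\...
            $p = $_.PathName -replace '^\\\?\?\\', ''
            $p = $p -replace '^\\SystemRoot', $env:SystemRoot
            if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
            if (-not (Test-Path -LiteralPath $p)) { return }

            $file    = Get-Item -LiteralPath $p -Force
            $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
            $signer  = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
            $company = $file.VersionInfo.CompanyName

            # In-box Microsoft drivers are catalog-signed; older PowerShell/Windows
            # report them as NotSigned, so fall back to the version-info company name.
            $vendor = if ($signer -match 'Microsoft' -or $company -match 'Microsoft') { 'Microsoft' }
                      elseif ($sig.Status -eq 'Valid') { 'Third-party (signed)' }
                      else { "Third-party ($($sig.Status))" }

            New-Object PSObject -Property @{
                Service   = $_.Name
                State     = $_.State
                File      = $file.Name
                Timestamp = $file.LastWriteTime
                Vendor    = $vendor
                Company   = $company
                Stale     = ($file.LastWriteTime -lt $OlderThan)
            }
        }
}

$report = Get-StaleDriverReport
$stale  = @($report | Where-Object { $_.Stale })
$stale | Sort-Object Vendor, Timestamp |
    Format-Table Service, File, Timestamp, Vendor, Company -AutoSize
"{0} drivers older than the cutoff: {1} Microsoft, {2} third-party" -f $stale.Count,
    @($stale | Where-Object { $_.Vendor -eq 'Microsoft' }).Count,
    @($stale | Where-Object { $_.Vendor -ne 'Microsoft' }).Count
```

A long Microsoft-only tail with identical dates, as in the list above, points at a missing Service Pack rather than at individual drivers; the third-party rows are the ones that need a vendor download each.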
I have just had an idea! The PATH variable is stored in the HKLM Session Manager. Let us test the HKLM hive. Open Task Manager. File > New Task (Run...) and put in explorer.exe. Repeat for cmd.exe. See if either of them open.

Thanks!


Only cmd.exe works under my user account (with the black screen)!

Thanks a lot Lorien and Shadowjk,

My hidden account is the one which is now 'Fleur de vie' (corresponding to my old 'Secours' account). This remark is for Lorien ;)

What about these folders with a long name concerning afw.cat from my Secours account (= bad account)? Do I need to transfer them or not?
 

Attachment: bad user acount.jpg

If it is finally determined that the driver is not malware, you can remove it. If we do not know the name of the software that it is connected to, you can just manually go to the driver location and change the extension to .bup, or it can just be deleted. If deleted, we will not be able to replace it if needed later. If you still get BSODs after that, I will check the BSODs again. The BSOD is a problem in itself, but may also be caused by something that is also the reason for your primary problems.

The BSoD is caused by GMER. GMER is anti-rootkit software. I don't want to discuss Rooter, but GMER fights rootkits with its own driver. This driver regularly causes BSoDs on some systems. We have now identified that the driver is not malware.

GMER will not cause a BSoD unless it is run. It is perfectly safe to completely ignore the driver and BSoD.

It won't reappear.

Richard

Hi Richard, :D

So, I don't need to remove this file, do I?

About the BSOD, maybe it will disappear once I remove the Secours account, the bad account.
 

My Computer

System One

  • Manufacturer/Model
    Amilo Pro v3505
    CPU
    Intel Core 2 T5300 1.73 Ghz
    Memory
    1 Gb
    Graphics card(s)
    Intel Graphics Media Accelerator Driver for Mobile
    Sound Card
    Realteck
Any change may prevent BSODs. Those drivers still must be updated. Once this problem is solved, we will all be glad to help. There are quite a few, but it's not hard to do.
If you are not going to use that software, you should be OK with the driver. If you do get another BSOD, I will examine the file and if it's the same cause, we can remove the software and driver.
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS420
    Memory
    6 gig
    Graphics card(s)
    ATI Radeon HD3650 256 MB
    Sound Card
    Intergrated 7.1 Channel Audio
    Monitor(s) Displays
    Dell SP2009W 20 inch Flat Panel w Webcam
    Hard Drives
    640 gb
    Cooling
    Fan
    Mouse
    Dell USB 4 button optical
    Keyboard
    Dell USB
    Other Info
    DSL provided by ATT
If it is finally determined that the driver is not malware, you can remove it. If we do not know the name of the software that it is connected to, you can just manually go to the driver location and change the extension to .bup, or it can just be deleted. If deleted, we will not be able to replace it if needed later. If you still get BSODs after that, I will check the BSODs again. The BSOD is a problem in itself, but may also be caused by something that is also the reason for your primary problems.

The BSoD is caused by GMER. GMER is anti-rootkit software. I don't want to discuss Rooter, but GMER fights rootkits with its own driver. This driver regularly causes BSoDs on some systems. We have now identified that the driver is not malware.

GMER will not cause a BSoD unless it is run. It is perfectly safe to completely ignore the driver and BSoD.

It won't reappear.

Richard

Hi Richard, :D

So, I don't need to remove this file, do I?

About the BSOD, maybe it will disappear once I remove the Secours account, the bad account.

I am very surprised that your helper did not remove all of these tools. Usually, at the very least, ComboFix is removed. However, don't go removing it quite yet, as, especially with ComboFix, you MUST wait for Jacee to show you how to remove it, as I think for you we would only delete the .exe, and not any other way, now that so much time has elapsed.
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300) Western Digital: WDC WD6400AAKS-75A7B0 1 x 1Tb (SATA 600) Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Keyboard
    Dell Bluetooth
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
Back
Top