Unclassified malware in winlogon.exe and autoclk.exe

Hi. I have two unknown malware detections on two different machines with Comodo Internet Security installed on both. In the first case, while browsing, Comodo popped up with a detection of an unclassified malware in winlogon (in C:/Windows/system32), and after I quarantined it, another file called autoclk.exe (in C:/Windows/) popped up. In this latter case I deleted it. But on another computer with Comodo installed (in another city, no connection between the two machines… or so I think) the warning about winlogon popped up (but not the second one). Is this a bug, or quite the contrary, has Comodo detected something that NOD32, Ad-Aware and Spybot can't? Ah! I have 3.5.57173.439 of Comodo installed, with virus definitions updated.

P.S.: sorry for my English

On that page (virustotal.com) only Comodo detects it (very useful website!!). Well, my computer is on all day; I used the winlogon from another computer to restore the file (the second one, autoclk.exe, is erased >.<, what is the use of this file?). Comodo allowed me to repair winlogon, luckily.

m00nbl00d, thanks for your help, very much appreciated

HijackThis logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:57, on 29/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Archivos de programa\ABIT\ABIT uGuru\GuruClock.exe
C:\Archivos de programa\ABIT\ABIT uGuru\uGuru.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\Archivos de programa\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Karolus\Escritorio\Core Temp.exe
C:\Archivos de programa\Telefonica\KitAIM\AimMon.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe
C:\ARCHIV~1\MICROS~2\rapimgr.exe
C:\Archivos de programa\Telefonica\Kit ADSL USB\dslmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Opera\Opera.exe
C:\Archivos de programa\Java\jre6\launch4j-tmp\JDownloader.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.telefonica.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [StartCCC] “C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” MSRun
O4 - HKLM..\Run: [COMODO Internet Security] “C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKLM..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 4
O4 - HKLM..\Run: [amd_dc_opt] C:\Archivos de programa\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM..\Run: [RivaTunerStartupDaemon] “C:\Archivos de programa\RivaTuner v2.21\RivaTuner.exe” /S
O4 - HKLM..\Run: [GuruClock] C:\Archivos de programa\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM..\Run: [ABIT uGuru] C:\Archivos de programa\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM..\Run: [WinampAgent] “C:\Archivos de programa\Winamp\winampa.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Archivos de programa\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [RemoteControl] “C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [egui] “C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice
O4 - HKLM..\Run: [Ad-Watch] C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Core Temp] “C:\Documents and Settings\Karolus\Escritorio\Core Temp.exe”
O4 - HKCU..\Run: [MsnMsgr] “C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [MSMSGS] “C:\Archivos de programa\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe”
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICIO LOCAL’)
O4 - HKUS\S-1-5-19..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘SERVICIO LOCAL’)
O4 - HKUS\S-1-5-19..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,4,N (User ‘SERVICIO LOCAL’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Servicio de red’)
O4 - HKUS\S-1-5-20..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘Servicio de red’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - HKUS.DEFAULT..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘Default user’)
O4 - Global Startup: Consola KIT ADSL.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra ‘Tools’ menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~2\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Crear un favorito móvil… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229923442343
O17 - HKLM\System\CCS\Services\Tcpip..{AA862C11-2488-4B71-A864-975FDEF78720}: NameServer = 80.58.61.250 80.58.61.254
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe


End of file - 8481 bytes

Now on to Malwarebytes and all that.

Thanks again!!!

Hello, I have the same problem, and after reading I don't understand how to solve it.
Also the thanks from

m00nbl00d, thanks for your help, very much appreciated

I don't understand what he says.

I want to specify some things: the file autoclk.exe is an executable from the WinXP driver for installing the Alice ND220 modem. Now I'll explain my problem.
Yesterday I installed Comodo Internet Security on a WinXP SP2 system. All went right until I installed the drivers of the Alice ND220 modem from its original CD.
It's the first time this file "autoclk.exe" appears; it is flagged by CIS as a Virus/Malware, and it asks me to "Quarantine - Remove - Once - Add to my own files - Add to exclusion". I tried:

  • Remove / Quarantine - and the modem doesn't install.
  • Once / Add to my own files - and CIS continuously asks me what to do with this file.

I put it in Trusted Applications, and in Custom with allow all, but it continuously asks.
When I browse, the system snares, then crashes or blocks, and there is no solution apart from physically resetting the machine with the button.
If I disable the antivirus, firewall and Defense+, the system browses fine and never snares, crashes or blocks.
I'm desperate, this has never happened to me. Please help me.

Hi Ulukai, welcome to the forum.

You could upload the file to VirusTotal to see if others detect it, as it sounds like a false positive:

If it looks to be so please report it in the False Positive section of the forum.

You could try adding it to My Own Safe Files in Defense+ so that it is ignored.

I think it’s a false positive.
There is a malicious file with the same name as 'autoclk.exe'.
So CAV thinks it’s a malicious file… ;D ;D
Report it as a false positive.
Turn off CAV and use other AV until it’s solved.

Creasy.

Should not be necessary for a false positive.

First try making it part of My Own Safe Files when the AV pops up.

Make the autoclk.exe file part of your My Own Safe Files. Go to Defense+ → Common Tasks → My Own Safe Files and see if it is there. When needed, add the autoclk.exe to the list.

Then go to Computer Security Policy and look up autoclk.exe in the list → select it → Edit → make it a Trusted application. Remember to Apply and Ok when leaving all the screens.

Does this help?

Thanks to all, very kind.

I'll try every tip and will tell you what happens.

Thanks again, see you soon

Hello I’m back with bad news:

I tried:

Make the autoclk.exe file part of your My Own Safe Files. Go to Defense+ → Common Tasks → My Own Safe Files and see if it is there. When needed, add the autoclk.exe to the list.

Then go to Computer Security Policy and look up autoclk.exe in the list → select it → Edit → make it a Trusted application. Remember to Apply and Ok when leaving all the screens.

and there is no way: on every restart CIS asks me what to do with this file at the first network connection.
Sometimes it lets me surf for a while, other times it snares & blocks.
Other big problems that I noticed are:
- some applications tell me that I'm not connected to the internet (but I can surf) (like the Messenger Live installer)
- with two users switching without disconnecting, it tells me that I'm already connected but I can't surf

I tried:

You could upload the file to VirusTotal to see if others detect it, as it sounds like a false positive: http://www.virustotal.com/

and here is the response:
http://www.virustotal.com/it/analisis/d4519f5de5a95783b98c75b1cd409778
It says that CIS considers it Unclassified Malware. I think it's a false positive, but why does Comodo think differently?

I was very frustrated about this, and tried to uninstall Comodo, and found another problem: from Control Panel Add/Remove Programs, clicking the uninstall button opens the install window instead of the uninstall, with a window opening & closing very fast (like a virus) without my permission. In the end I was able to uninstall.

I have made an image of this computer with CIS installed (latest version, of course) and without the ND220 driver, restored it several times and did tests:
- install the driver of the ND220 USB modem and the problems start.
- uninstall CIS from Control Panel (works correctly), install the ND220 USB modem driver and re-install CIS, and the problems start.
- uninstall CIS from Control Panel (works correctly), install the ND220 USB modem driver and there are no problems (apart from unsafe browsing).

I think there is no way to use the ND220 and CIS together; either use a LAN router/modem or uninstall CIS, am I right?

If I post this file in the false positive section, do you think something will change in the next release?

If you follow the instructions here:
https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/how_to_report_false_positivessuspicious_files_how_to_submit_them-t36051.0.html

It should be fixed, you could add the virustotal report to a post in that section.

The people handling false positives are usually very prompt and will let you know when an FP is fixed in an upcoming database.

As to the problems with your modem. Do you see any problems in the D+ logs regarding files that are part of the modem software? Can you try making all .exe and .bat files in the folder(s) of your modem software part of My Own Safe Files (D+ → Common Tasks)?

Can you show us the logs of the firewall as well?

It should be fixed, you could add the virustotal report to a post in that section.

I did a post on false positive section.

As to the problems with your modem. Do you see any problems in the D+ logs regarding files that are part of the modem software? Can you try making all .exe and .bat files in the folder(s) of your modem software part of My Own Safe Files (D+ --> Common Tasks)?

Sorry, I don't see any logs; I restored the backup and uninstalled CIS for now. I was very frustrated and am not very able with computers, especially when they don't do what I say.

Before I did it, I did the "My Own Safe Files" operations with the files; that modem file was in %systemroot%. I give you the link to the site, you can try to install and verify by yourself (it's better to make an image before you do it). When you open the link to the remote connection it calls autoclk.exe and the system becomes unstable; try also to uninstall CIS, you will be surprised.

http://aiuto.alice.it/download/driver/modem_adsl.html,cnt=782&rel=0.html

I installed the drivers here on Win7 beta. All seems to work fine. But I don’t have your modem connected of course. I did get the pop ups of the AV and I made it part of the My Own safe Files and put it to the Exclusions as well.

I reread your posts and I think you did not put the autoclk.exe in the Exclusions of the AV. If it is not in Exclusions yet, you can put it there. Does that make a difference?

You make me doubt with this phrase:

I reread your posts and I think you did not put the autoclk.exe in the Exclusions of the AV. If it is not in Exclusions yet, you can put it there. Does that make a difference?

I did Defense+ → Add to My Own Safe Files and Trusted Application; is there another way to add an Exclusion to the AV?

If I'm right about the Exclusion procedure, I see a way out after reading this post:

https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/comodo_internet_security_fp-t38285.0.html

I looked at your signature and see that you are using the fixed version that meidan user is talking about, so I think you can't reproduce the errors; sorry, I read their answer after my post there.

I'm using CIS version 3.5.57173.439; at the bottom of the same post, I read another response.
If I understand well, there was also a false positive there, and they have fixed it in the newer database release, but I can't use it because with my CIS version the DB number is 994, is that right?

Ulukai,

How did you get a VirusTotal report for the new AV signatures if you are using 3.5?

Edit: The false positive has now been fixed:
https://forums.comodo.com/empty-t38285.0.html;new;topicseen#new

You need to update to 3.8. With version 3.8 the database format of the AV changed. As a consequence you cannot get any AV updates for the 3.5 version. The current AV database is 1133.

You need to do a clean install of 3.8. It is better not to import the 3.5 configuration in 3.8.