[Resolved] Computer Infected Please Help...
#91
Posted 31 October 2009 - 07:52 PM
Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
#92
Posted 31 October 2009 - 07:58 PM
#93
Posted 31 October 2009 - 08:29 PM
Open a command window again:
copy the content of the code box then paste it into the command window
copy "%userprofile%\desktop\ComboFix.exe" "%userprofile%\desktop\runme.com"
You will then have runme.com on your desktop.
click runme.com
allow it to run uninterrupted...give it at least 15 - 20 minutes...post the resulting log
#94
Posted 31 October 2009 - 09:14 PM
#95
Posted 01 November 2009 - 12:31 PM
I suspect the file we copied to replace the hijacked file might be infected as well. We need to have it scanned.
Please do the following:
- Make sure to use Internet Explorer for this
- Please go to VirSCAN.org FREE on-line scan service
- Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
c:\windows\system32\cngaudit.dll
- Click on the Upload button
- If a pop-up appears saying the file has been scanned already, please select the ReScan button.
- Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
- Paste the contents of the Clipboard in your next reply.
Please do the same for the following file:
c:\windows\system32\drivers\atapi.sys
NEXT
Please run this following tool:
Please download Dr.Web CureIt. Save it to your desktop:
- Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in the pop-up window to allow the scan.
- This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, select Complete scan.
- Click the green arrow at the right, and the scan will start.
- Click Yes to all if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
- Please post the Dr.Web.txt report in your next reply
- Close Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
#96
Posted 01 November 2009 - 01:39 PM
VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 03:23:13 (CST)
Scanner results: Scanners did not find malware!
File Name : atapi.sys
File Size : 19944 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 1f05b78ab91c9075565a9d8a4b880bc4
SHA1 : 218442cd7afecbc8d102c4e31d9ef3528642191b
Online report : http://virscan.org/r...cb40d454dc.html
Scanner | Engine Ver | Sig Ver | Sig Date | Time (s) | Scan result (- = nothing found)
a-squared | 4.5.0.8 | 20091101023128 | 2009-11-01 | 4.06 | -
AhnLab V3 | 2009.10.31.00 | 2009.10.31 | 2009-10-31 | 0.93 | -
AntiVir | 8.2.1.53 | 7.1.6.173 | 2009-10-30 | 0.26 | -
Antiy | 2.0.18 | 20091029.3153836 | 2009-10-29 | 0.12 | -
Arcavir | 2009 | 200911010804 | 2009-11-01 | 0.03 | -
Authentium | 5.1.1 | 200911011547 | 2009-11-01 | 1.20 | -
AVAST! | 4.7.4 | 091101-0 | 2009-11-01 | 0.01 | -
AVG | 8.5.288 | 270.14.43/2474 | 2009-11-01 | 0.31 | -
BitDefender | 7.81008.4480671 | 7.28696 | 2009-11-02 | 3.89 | -
CA (VET) | 35.1.0 | 7094 | 2009-10-30 | 8.15 | -
ClamAV | 0.95.2 | 9970 | 2009-10-31 | 0.01 | -
Comodo | 3.12 | 2806 | 2009-11-01 | 0.88 | -
CP Secure | 1.3.0.5 | 2009.10.30 | 2009-10-30 | 0.00 | -
Dr.Web | 4.44.0.9170 | 2009.11.01 | 2009-11-01 | 6.15 | -
F-Prot | 4.4.4.56 | 20091101 | 2009-11-01 | 1.20 | -
F-Secure | 7.02.73807 | 2009.11.01.03 | 2009-11-01 | 8.80 | -
Fortinet | 2.81-3.120 | 11.10 | 2009-11-01 | 0.19 | -
GData | 19.8684/19.530 | 20091101 | 2009-11-01 | 5.39 | -
ViRobot | 20091031 | 2009.10.31 | 2009-10-31 | 0.41 | -
Ikarus | T3.1.01.72 | 2009.11.01.74384 | 2009-11-01 | 4.22 | -
JiangMin | 11.0.800 | 2009.10.30 | 2009-10-30 | 4.05 | -
Kaspersky | 5.5.10 | 2009.11.01 | 2009-11-01 | 0.06 | -
KingSoft | 2009.2.5.15 | 2009.11.1.12 | 2009-11-01 | 0.50 | -
McAfee | 5.3.00 | 5789 | 2009-11-01 | 3.42 | -
Microsoft | 1.5202 | 2009.11.01 | 2009-11-01 | 6.50 | -
Norman | 6.01.09 | 6.01.00 | 2009-11-01 | 4.01 | -
Panda | 9.05.01 | 2009.10.31 | 2009-10-31 | 1.75 | -
Trend Micro | 8.700-1004 | 6.594.07 | 2009-11-01 | 0.03 | -
Quick Heal | 10.00 | 2009.10.31 | 2009-10-31 | 1.20 | -
Rising | 20.0 | 21.53.62.00 | 2009-11-01 | 0.60 | -
Sophos | 3.00.1 | 4.46 | 2009-11-02 | 2.83 | -
Sunbelt | 5482 | 5482 | 2009-11-01 | 1.62 | -
Symantec | 1.3.0.24 | 20091031.035 | 2009-10-31 | 0.35 | -
nProtect | 20091030.01 | 6063347 | 2009-10-30 | 7.59 | -
The Hacker | 6.5.0.2 | v00058 | 2009-10-31 | 0.73 | -
VBA32 | 3.12.10.11 | 20091031.2219 | 2009-10-31 | 1.94 | -
VirusBuster | 4.5.11.10 | 10.113.3/1996431 | 2009-11-01 | 2.40 | -
#97
Posted 01 November 2009 - 01:45 PM
VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 03:28:47 (CST)
Scanner results: Scanners did not find malware!
File Name : cngaudit.dll
File Size : 11776 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 7f15b4953378c8b5161d65c26d5fed4d
SHA1 : 50b57fedd78bee8a329d03b03f482bcc424a7820
Online report : http://virscan.org/r...82e08c3381.html
Scanner | Engine Ver | Sig Ver | Sig Date | Time (s) | Scan result (- = nothing found)
a-squared | 4.5.0.8 | 20091101023128 | 2009-11-01 | 4.07 | -
AhnLab V3 | 2009.10.31.00 | 2009.10.31 | 2009-10-31 | 0.88 | -
AntiVir | 8.2.1.53 | 7.1.6.173 | 2009-10-30 | 0.21 | -
Antiy | 2.0.18 | 20091029.3153836 | 2009-10-29 | 0.12 | -
Arcavir | 2009 | 200911010804 | 2009-11-01 | 0.03 | -
Authentium | 5.1.1 | 200911011547 | 2009-11-01 | 1.19 | -
AVAST! | 4.7.4 | 091101-0 | 2009-11-01 | 0.00 | -
AVG | 8.5.288 | 270.14.43/2474 | 2009-11-01 | 0.32 | -
BitDefender | 7.81008.4480676 | 7.28697 | 2009-11-02 | 3.87 | -
CA (VET) | 35.1.0 | 7094 | 2009-10-30 | 7.93 | -
ClamAV | 0.95.2 | 9970 | 2009-10-31 | 0.01 | -
Comodo | 3.12 | 2806 | 2009-11-01 | 0.71 | -
CP Secure | 1.3.0.5 | 2009.10.30 | 2009-10-30 | 0.00 | -
Dr.Web | 4.44.0.9170 | 2009.11.01 | 2009-11-01 | 6.23 | -
F-Prot | 4.4.4.56 | 20091101 | 2009-11-01 | 1.21 | -
F-Secure | 7.02.73807 | 2009.11.01.03 | 2009-11-01 | 0.10 | -
Fortinet | 2.81-3.120 | 11.10 | 2009-11-01 | 0.18 | -
GData | 19.8684/19.530 | 20091101 | 2009-11-01 | 5.39 | -
ViRobot | 20091031 | 2009.10.31 | 2009-10-31 | 0.41 | -
Ikarus | T3.1.01.72 | 2009.11.01.74384 | 2009-11-01 | 4.25 | -
JiangMin | 11.0.800 | 2009.10.30 | 2009-10-30 | 3.97 | -
Kaspersky | 5.5.10 | 2009.11.01 | 2009-11-01 | 0.06 | -
KingSoft | 2009.2.5.15 | 2009.11.1.12 | 2009-11-01 | 0.50 | -
McAfee | 5.3.00 | 5789 | 2009-11-01 | 3.38 | -
Microsoft | 1.5202 | 2009.11.01 | 2009-11-01 | 6.46 | -
Norman | 6.01.09 | 6.01.00 | 2009-11-01 | 4.01 | -
Panda | 9.05.01 | 2009.10.31 | 2009-10-31 | 1.91 | -
Trend Micro | 8.700-1004 | 6.594.07 | 2009-11-01 | 0.03 | -
Quick Heal | 10.00 | 2009.10.31 | 2009-10-31 | 1.21 | -
Rising | 20.0 | 21.53.62.00 | 2009-11-01 | 0.80 | -
Sophos | 3.00.1 | 4.46 | 2009-11-02 | 2.81 | -
Sunbelt | 5482 | 5482 | 2009-11-01 | 1.57 | -
Symantec | 1.3.0.24 | 20091031.035 | 2009-10-31 | 0.00 | -
nProtect | 20091030.01 | 6063347 | 2009-10-30 | 7.28 | -
The Hacker | 6.5.0.2 | v00058 | 2009-10-31 | 0.73 | -
VBA32 | 3.12.10.11 | 20091031.2219 | 2009-10-31 | 1.94 | -
VirusBuster | 4.5.11.10 | 10.113.3/1996431 | 2009-11-01 | 2.38 | -
#98
Posted 01 November 2009 - 03:11 PM
That's a good sign.
Did the Dr.Web program run?
Please do the following:
run the following from an elevated command prompt then post the atapi.txt log
Go to Start menu.
Type cmd in the Search Menu
Press Ctrl + SHIFT and Click on the cmd shortcut on the Start Menu. Ctrl-Shift-Enter is the general keyboard shortcut that triggers elevation to “Run as Administrator”.
Press Alt+C from the keyboard or click Continue to confirm the UAC elevation warning prompt and the administrative privileged command prompt will be opened.
Then highlight and copy the contents of the codebox then right click in the command window and Paste
@echo off
cd \
dir atapi.sys /s>"%userprofile%\desktop\atapi.txt"
start notepad "%userprofile%\desktop\atapi.txt"
exit
cls
NEXT
run the following from an elevated command prompt too
@echo off
dir c:\qoobox\quarantine /s>"%userprofile%\desktop\qoo.txt"
start notepad "%userprofile%\desktop\qoo.txt"
exit
cls
post qoo.txt
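An added cross-check of the atapi.sys listing step above (example code, not from the thread or its helper): it enumerates every copy of the driver under a root the way `dir atapi.sys /s` does, but hashes each copy so that one patched in place shows up even when its size and name match, and flags whichever copy disagrees with the others; on the real machine those hashes would be compared against the MD5 VirSCAN reported for the uploaded system32\drivers copy. The tree it scans is constructed in a temp folder with placeholder bytes, not real driver files.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

def md5_of(path):
    """Streamed MD5 of a file; comparable with the MD5 line in a VirSCAN report."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_copies(root, name="atapi.sys"):
    """Same walk as `dir atapi.sys /s`, returning (path, size, md5) per copy."""
    hits = [(p, p.stat().st_size, md5_of(p))
            for p in Path(root).rglob("*")
            if p.is_file() and p.name.lower() == name.lower()]
    return sorted(hits, key=lambda c: str(c[0]))

def odd_ones_out(copies):
    """Copies whose hash is not the one most copies share; empty when all agree."""
    if not copies:
        return []
    common = Counter(h for _p, _s, h in copies).most_common(1)[0][0]
    return [c for c in copies if c[2] != common]

def build_sample_tree():
    """Constructed stand-in for a Windows volume; the bytes are not real drivers."""
    root = Path(tempfile.mkdtemp())
    clean = b"MZ" + b"\x00" * 100 + b"clean   driver body"
    patched = b"MZ" + b"\x00" * 100 + b"PATCHED driver body"  # same length as clean
    for rel, data in [
        ("Windows/system32/drivers/atapi.sys", patched),     # live copy, modified in place
        ("Windows/system32/dllcache/atapi.sys", clean),      # file-protection cache copy
        ("Windows/ServicePackFiles/i386/atapi.sys", clean),  # service pack original
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root

if __name__ == "__main__":
    copies = find_copies(build_sample_tree())
    suspects = odd_ones_out(copies)
    for p, size, h in copies:
        tag = "DIFFERS" if (p, size, h) in suspects else "ok"
        print(f"{size:>6} {h} {tag:7} {p}")
```

The sample deliberately gives all three copies the same size, which is all the `dir` listing shows; only the hash column separates the modified live copy from the two cache copies.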
#99
Posted 01 November 2009 - 05:14 PM
#100
Posted 01 November 2009 - 05:17 PM
#101
Posted 01 November 2009 - 06:38 PM
#102
Posted 01 November 2009 - 07:03 PM
#103
Posted 01 November 2009 - 09:02 PM
#104
Posted 01 November 2009 - 09:10 PM
#105
Posted 02 November 2009 - 06:22 AM
I am at work.. I let DrWeb run last night and same thing when trying to save report... (BSOD)... But, I managed to write down the infections...
Object - Path - Status - Action
WindowsteyQ.066 - C:\ - Program.Ardamax
A0027943.exe\data220 - DrWeb Quarantine - Program.PrcView.3725
Aoo27942.exe - DrWeb Quarantine - Archive Contains Infected Objects - Moved
Edited by Joecastle, 02 November 2009 - 06:24 AM.