118 replies to this topic

[CatByte]

Hi, open task manager (ctrl + Alt + Del) in the processes tab (all users) and see if combofix is still running anything cfxxx, sed.exe, grep.exe or pev.exe...It could take 20-30 minutes

[Joecastle]

OK, Nothing running in task manager.. Should I run it again and let sit longer?

[CatByte]

Hi

Open a command window again:

copy the content of the code box then paste it into the command window

copy "%userprofile%\desktop\ComboFix.exe" "%userprofile%\desktop\runme.com"

you will then have runme.com on your desk top..

click runme.com

allow it to run uninterrupted...give it at least 15 - 20 minutes...post the resulting log

[Joecastle]

Same thing... Nothing with Combo....

[CatByte]

What exactly happened when you tried to run it?

I suspect the file we copied to replace the hijacked file might be infected as well. We need to have it scanned.

Please do the following:

• Make sure to use Internet Explorer for this
• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
  

  
  c:\windows\system32\cngaudit.dll
  

• Click on the Upload button
• If a pop-up appears saying the file has been scanned already, please select the ReScan button.
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Please do the same for the following file:

c:\windows\system32\drivers\atapi.sys


NEXT

Please run this following tool:

Please download Dr.Web CureIt .    Save it to your desktop:

• Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in the  pop-up window to allow the scan.
• This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, select Complete scan.
• Click the green arrow at the right, and the scan will start.
• Click Yes to all if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click File and choose Save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Note:this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
• Please post the Dr.Web.txt report in your next reply
• Close Dr.Web Cureit.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.

[Joecastle]

The first VirScan did not let copy to clip board but, it said it found nothing.. Here is the second VirScan

VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 03:23:13 (CST)
Scanner results: Scanners did not find malware!
File Name : atapi.sys
File Size : 19944 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 1f05b78ab91c9075565a9d8a4b880bc4
SHA1 : 218442cd7afecbc8d102c4e31d9ef3528642191b
Online report : http://virscan.org/r...cb40d454dc.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091101023128 2009-11-01 4.06 -
AhnLab V3 2009.10.31.00 2009.10.31 2009-10-31 0.93 -
AntiVir 8.2.1.53 7.1.6.173 2009-10-30 0.26 -
Antiy 2.0.18 20091029.3153836 2009-10-29 0.12 -
Arcavir 2009 200911010804 2009-11-01 0.03 -
Authentium 5.1.1 200911011547 2009-11-01 1.20 -
AVAST! 4.7.4 091101-0 2009-11-01 0.01 -
AVG 8.5.288 270.14.43/2474 2009-11-01 0.31 -
BitDefender 7.81008.4480671 7.28696 2009-11-02 3.89 -
CA (VET) 35.1.0 7094 2009-10-30 8.15 -
ClamAV 0.95.2 9970 2009-10-31 0.01 -
Comodo 3.12 2806 2009-11-01 0.88 -
CP Secure 1.3.0.5 2009.10.30 2009-10-30 0.00 -
Dr.Web 4.44.0.9170 2009.11.01 2009-11-01 6.15 -
F-Prot 4.4.4.56 20091101 2009-11-01 1.20 -
F-Secure 7.02.73807 2009.11.01.03 2009-11-01 8.80 -
Fortinet 2.81-3.120 11.10 2009-11-01 0.19 -
GData 19.8684/19.530 20091101 2009-11-01 5.39 -
ViRobot 20091031 2009.10.31 2009-10-31 0.41 -
Ikarus T3.1.01.72 2009.11.01.74384 2009-11-01 4.22 -
JiangMin 11.0.800 2009.10.30 2009-10-30 4.05 -
Kaspersky 5.5.10 2009.11.01 2009-11-01 0.06 -
KingSoft 2009.2.5.15 2009.11.1.12 2009-11-01 0.50 -
McAfee 5.3.00 5789 2009-11-01 3.42 -
Microsoft 1.5202 2009.11.01 2009-11-01 6.50 -
Norman 6.01.09 6.01.00 2009-11-01 4.01 -
Panda 9.05.01 2009.10.31 2009-10-31 1.75 -
Trend Micro 8.700-1004 6.594.07 2009-11-01 0.03 -
Quick Heal 10.00 2009.10.31 2009-10-31 1.20 -
Rising 20.0 21.53.62.00 2009-11-01 0.60 -
Sophos 3.00.1 4.46 2009-11-02 2.83 -
Sunbelt 5482 5482 2009-11-01 1.62 -
Symantec 1.3.0.24 20091031.035 2009-10-31 0.35 -
nProtect 20091030.01 6063347 2009-10-30 7.59 -
The Hacker 6.5.0.2 v00058 2009-10-31 0.73 -
VBA32 3.12.10.11 20091031.2219 2009-10-31 1.94 -
VirusBuster 4.5.11.10 10.113.3/1996431 2009-11-01 2.40 -

[Joecastle]

I rescanned it again

VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 03:28:47 (CST)
Scanner results: Scanners did not find malware!
File Name : cngaudit.dll
File Size : 11776 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 7f15b4953378c8b5161d65c26d5fed4d
SHA1 : 50b57fedd78bee8a329d03b03f482bcc424a7820
Online report : http://virscan.org/r...82e08c3381.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091101023128 2009-11-01 4.07 -
AhnLab V3 2009.10.31.00 2009.10.31 2009-10-31 0.88 -
AntiVir 8.2.1.53 7.1.6.173 2009-10-30 0.21 -
Antiy 2.0.18 20091029.3153836 2009-10-29 0.12 -
Arcavir 2009 200911010804 2009-11-01 0.03 -
Authentium 5.1.1 200911011547 2009-11-01 1.19 -
AVAST! 4.7.4 091101-0 2009-11-01 0.00 -
AVG 8.5.288 270.14.43/2474 2009-11-01 0.32 -
BitDefender 7.81008.4480676 7.28697 2009-11-02 3.87 -
CA (VET) 35.1.0 7094 2009-10-30 7.93 -
ClamAV 0.95.2 9970 2009-10-31 0.01 -
Comodo 3.12 2806 2009-11-01 0.71 -
CP Secure 1.3.0.5 2009.10.30 2009-10-30 0.00 -
Dr.Web 4.44.0.9170 2009.11.01 2009-11-01 6.23 -
F-Prot 4.4.4.56 20091101 2009-11-01 1.21 -
F-Secure 7.02.73807 2009.11.01.03 2009-11-01 0.10 -
Fortinet 2.81-3.120 11.10 2009-11-01 0.18 -
GData 19.8684/19.530 20091101 2009-11-01 5.39 -
ViRobot 20091031 2009.10.31 2009-10-31 0.41 -
Ikarus T3.1.01.72 2009.11.01.74384 2009-11-01 4.25 -
JiangMin 11.0.800 2009.10.30 2009-10-30 3.97 -
Kaspersky 5.5.10 2009.11.01 2009-11-01 0.06 -
KingSoft 2009.2.5.15 2009.11.1.12 2009-11-01 0.50 -
McAfee 5.3.00 5789 2009-11-01 3.38 -
Microsoft 1.5202 2009.11.01 2009-11-01 6.46 -
Norman 6.01.09 6.01.00 2009-11-01 4.01 -
Panda 9.05.01 2009.10.31 2009-10-31 1.91 -
Trend Micro 8.700-1004 6.594.07 2009-11-01 0.03 -
Quick Heal 10.00 2009.10.31 2009-10-31 1.21 -
Rising 20.0 21.53.62.00 2009-11-01 0.80 -
Sophos 3.00.1 4.46 2009-11-02 2.81 -
Sunbelt 5482 5482 2009-11-01 1.57 -
Symantec 1.3.0.24 20091031.035 2009-10-31 0.00 -
nProtect 20091030.01 6063347 2009-10-30 7.28 -
The Hacker 6.5.0.2 v00058 2009-10-31 0.73 -
VBA32 3.12.10.11 20091031.2219 2009-10-31 1.94 -
VirusBuster 4.5.11.10 10.113.3/1996431 2009-11-01 2.38 -

[CatByte]

Hi,

That's a good sign.

Did the Dr.Web program run?


Please do the following:

run the following from an elevated command prompt then post the atapi.txt log

Go to Start menu.

Type cmd in the Search Menu

Press Ctrl + SHIFT and Click on the cmd shortcut on the Start Menu. Ctrl-Shift-Enter is the general keyboard shortcut that triggers elevation to “Run as Administrator”.

Press Alt+C from the keyboard or click Continue to confirm the UAC elevation warning prompt and the administrative privileged command prompt will be opened.

Then highlight and copy the contents of the codebox then right click in the command window and Paste

@echo off
cd \
dir atapi.sys /s>"%userprofile%\desktop\atapi.txt"
start notepad "%userprofile%\desktop\atapi.txt"
exit
cls

NEXT

run the following from an elevated command prompt too

@echo off
dir c:\qoobox\quarantine /s>"%userprofile%\desktop\qoo.txt"
start notepad "%userprofile%\desktop\qoo.txt"
exit
cls

post qoo.txt

[Joecastle]

Dr. Web did run and found 3 infections... after the complete run I clicked File then Save Report, and, at the moment I clicked on save report computer crashed (BSOD) and computer rebooted... I will run the 2 codes in cmd now...

[Joecastle]

DO you want the atapi.txt as well? Here is qoo.txt Volume in drive C has no label. Volume Serial Number is 8431-7D92 Directory of c:\qoobox\quarantine 10/22/2009 07:09 PM <DIR> . 10/22/2009 07:09 PM <DIR> .. 10/31/2009 11:45 PM 2,907 catchme.log 10/22/2009 07:07 PM <DIR> Registry_backups 1 File(s) 2,907 bytes Directory of c:\qoobox\quarantine\Registry_backups 10/22/2009 07:07 PM <DIR> . 10/22/2009 07:07 PM <DIR> .. 0 File(s) 0 bytes Total Files Listed: 1 File(s) 2,907 bytes 5 Dir(s) 70,570,930,176 bytes free

[CatByte]

Yes please, please post the atapi.txt Do you recall the infections found by Dr.Web and the locations?

[Joecastle]

I'm sorry, I do not recall.. Do you want me to run it again? Volume in drive C has no label. Volume Serial Number is 8431-7D92 Directory of C:\Windows\System32\drivers 04/11/2009 01:32 AM 19,944 atapi.sys 1 File(s) 19,944 bytes Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84 04/11/2009 01:32 AM 19,944 atapi.sys 1 File(s) 19,944 bytes Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699 11/02/2006 04:49 AM 19,048 atapi.sys 1 File(s) 19,048 bytes Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d 01/20/2008 09:23 PM 21,560 atapi.sys 1 File(s) 21,560 bytes Directory of C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c 01/20/2008 09:23 PM 21,560 atapi.sys 1 File(s) 21,560 bytes Directory of C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8 04/11/2009 01:32 AM 19,944 atapi.sys 1 File(s) 19,944 bytes Total Files Listed: 6 File(s) 122,000 bytes 0 Dir(s) 70,571,233,280 bytes free

[CatByte]

I just replied to your windows thread...if we are needing to continue here, I would like you to try that Dr.Web scan again so we can see the infection it found...Try it in safe mode...see if there was a previous log saved.

[Joecastle]

I will run it now...

[Joecastle]

Good Morning Cat..

I am at work.. I let DrWeb run last night and same thing when trying to save report... (BSOD)... But, I managed to write down the infections...

Object - Path - Status - Action

WindowsteyQ.066 - C:\ - Program.Ardamax
A0027943.exe\data220 - DrWeb Quarantine - Program.PrcView.3725
Aoo27942.exe - DrWeb Quarantine - Archive Contains Infected Objects - Moved

Edited by Joecastle, 02 November 2009 - 06:24 AM.