[Resolved] Computer Infected Please Help...


This topic is locked
118 replies to this topic

#91 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 31 October 2009 - 07:52 PM

Hi, open Task Manager (Ctrl + Alt + Del), go to the Processes tab (show processes from all users) and see if ComboFix is still running anything: cfxxx, sed.exe, grep.exe or pev.exe... It could take 20-30 minutes.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#92 Joecastle (Authentic Member, 215 posts)

Posted 31 October 2009 - 07:58 PM

OK, Nothing running in task manager.. Should I run it again and let sit longer?

#93 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 31 October 2009 - 08:29 PM

Hi

Open a command window again:

copy the content of the code box then paste it into the command window

copy "%userprofile%\desktop\ComboFix.exe" "%userprofile%\desktop\runme.com"

you will then have runme.com on your desktop..

click runme.com

allow it to run uninterrupted...give it at least 15 - 20 minutes...post the resulting log



#94 Joecastle (Authentic Member, 215 posts)

Posted 31 October 2009 - 09:14 PM

Same thing... Nothing with Combo....

#95 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 01 November 2009 - 12:31 PM

What exactly happened when you tried to run it?

I suspect the file we copied to replace the hijacked file might be infected as well. We need to have it scanned.

Please do the following:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:


    c:\windows\system32\cngaudit.dll

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Please do the same for the following file:

c:\windows\system32\drivers\atapi.sys



NEXT

Please run this following tool:

Please download Dr.Web CureIt. Save it to your desktop:
  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.



#96 Joecastle (Authentic Member, 215 posts)

Posted 01 November 2009 - 01:39 PM

The first VirScan did not let me copy to clipboard, but it said it found nothing.. Here is the second VirScan

VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 03:23:13 (CST)
Scanner results: Scanners did not find malware!
File Name : atapi.sys
File Size : 19944 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 1f05b78ab91c9075565a9d8a4b880bc4
SHA1 : 218442cd7afecbc8d102c4e31d9ef3528642191b
Online report : http://virscan.org/r...cb40d454dc.html


#97 Joecastle (Authentic Member, 215 posts)

Posted 01 November 2009 - 01:45 PM

I rescanned it again

VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 03:28:47 (CST)
Scanner results: Scanners did not find malware!
File Name : cngaudit.dll
File Size : 11776 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 7f15b4953378c8b5161d65c26d5fed4d
SHA1 : 50b57fedd78bee8a329d03b03f482bcc424a7820
Online report : http://virscan.org/r...82e08c3381.html


#98 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 01 November 2009 - 03:11 PM

Hi,

That's a good sign.

Did the Dr.Web program run?


Please do the following:

run the following from an elevated command prompt then post the atapi.txt log

Go to Start menu.

Type cmd in the Search Menu

Press Ctrl + SHIFT and click on the cmd shortcut on the Start Menu. Ctrl-Shift-Enter is the general keyboard shortcut that triggers elevation to "Run as Administrator".

Press Alt+C from the keyboard or click Continue to confirm the UAC elevation warning prompt and the administrative privileged command prompt will be opened.

Then highlight and copy the contents of the codebox, then right click in the command window and Paste

@echo off
cd \
dir atapi.sys /s>"%userprofile%\desktop\atapi.txt"
start notepad "%userprofile%\desktop\atapi.txt"
exit
cls


NEXT


run the following from an elevated command prompt too

@echo off
dir c:\qoobox\quarantine /s>"%userprofile%\desktop\qoo.txt"
start notepad "%userprofile%\desktop\qoo.txt"
exit
cls

post qoo.txt



#99 Joecastle (Authentic Member, 215 posts)

Posted 01 November 2009 - 05:14 PM

Dr.Web did run and found 3 infections... after the complete run I clicked File then Save Report, and at the moment I clicked on Save Report the computer crashed (BSOD) and rebooted... I will run the 2 codes in cmd now...

#100 Joecastle (Authentic Member, 215 posts)

Posted 01 November 2009 - 05:17 PM

Do you want the atapi.txt as well? Here is qoo.txt

 Volume in drive C has no label.
 Volume Serial Number is 8431-7D92

 Directory of c:\qoobox\quarantine

10/22/2009  07:09 PM    <DIR>          .
10/22/2009  07:09 PM    <DIR>          ..
10/31/2009  11:45 PM             2,907 catchme.log
10/22/2009  07:07 PM    <DIR>          Registry_backups
               1 File(s)          2,907 bytes

 Directory of c:\qoobox\quarantine\Registry_backups

10/22/2009  07:07 PM    <DIR>          .
10/22/2009  07:07 PM    <DIR>          ..
               0 File(s)              0 bytes

     Total Files Listed:
               1 File(s)          2,907 bytes
               5 Dir(s)  70,570,930,176 bytes free



#101 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 01 November 2009 - 06:38 PM

Yes please, please post the atapi.txt. Do you recall the infections found by Dr.Web and the locations?



#102 Joecastle (Authentic Member, 215 posts)

Posted 01 November 2009 - 07:03 PM

I'm sorry, I do not recall.. Do you want me to run it again?

 Volume in drive C has no label.
 Volume Serial Number is 8431-7D92

 Directory of C:\Windows\System32\drivers

04/11/2009  01:32 AM            19,944 atapi.sys
               1 File(s)         19,944 bytes

 Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84

04/11/2009  01:32 AM            19,944 atapi.sys
               1 File(s)         19,944 bytes

 Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699

11/02/2006  04:49 AM            19,048 atapi.sys
               1 File(s)         19,048 bytes

 Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d

01/20/2008  09:23 PM            21,560 atapi.sys
               1 File(s)         21,560 bytes

 Directory of C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c

01/20/2008  09:23 PM            21,560 atapi.sys
               1 File(s)         21,560 bytes

 Directory of C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8

04/11/2009  01:32 AM            19,944 atapi.sys
               1 File(s)         19,944 bytes

     Total Files Listed:
               6 File(s)        122,000 bytes
               0 Dir(s)  70,571,233,280 bytes free
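An added example, not code from the thread: a small Python parser for the dir atapi.sys /s listing that the batch script from post #98 writes to atapi.txt. It reads each file's date and size and reports whether the driver Windows actually loads (System32\drivers\atapi.sys) matches at least one of the backup copies kept in DriverStore or winsxs, which is the comparison that listing is requested for. The sample listing is constructed in the shape of the posted log, with its paths and sizes.

```python
import re

# Constructed sample in the shape of the `dir atapi.sys /s` listing the thread's
# batch script writes to atapi.txt (paths, sizes and dates taken from the posted log).
SAMPLE_DIR_OUTPUT = r"""
 Directory of C:\Windows\System32\drivers

04/11/2009  01:32 AM            19,944 atapi.sys
               1 File(s)         19,944 bytes

 Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84

04/11/2009  01:32 AM            19,944 atapi.sys
               1 File(s)         19,944 bytes

 Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699

11/02/2006  04:49 AM            19,048 atapi.sys
               1 File(s)         19,048 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Matches file rows only: <DIR> rows and the "n File(s)" summary rows have no byte count.
FILE_RE = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+([\d,]+)\s+(\S+)\s*$")

def parse_dir_listing(text):
    """Return {full_path: (timestamp, size_in_bytes)} for every file in a dir /s listing."""
    files, current_dir = {}, None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current_dir:
            date, time, size, name = m.groups()
            files[current_dir + "\\" + name] = (date + " " + time, int(size.replace(",", "")))
    return files

def check_live_driver(files, name="atapi.sys"):
    """Compare the driver Windows actually loads with the backup copies in DriverStore/winsxs."""
    live = {p: v for p, v in files.items() if p.lower().endswith("\\system32\\drivers\\" + name)}
    if not live:
        return "no live driver found"
    live_path, live_val = next(iter(live.items()))
    twins = [p for p, v in files.items() if p != live_path and v == live_val]
    if twins:
        return "consistent: %s matches %d backup copies" % (live_path, len(twins))
    return "suspicious: %s (%s, %d bytes) matches no backup copy" % (live_path, live_val[0], live_val[1])
```

A matching date and size is only a weak indicator; the definitive check is a hash or digital-signature comparison of the live file against the backup copy.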

#103 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 01 November 2009 - 09:02 PM

I just replied to your windows thread...if we are needing to continue here, I would like you to try that Dr.Web scan again so we can see the infection it found...Try it in safe mode...see if there was a previous log saved.



#104 Joecastle (Authentic Member, 215 posts)

Posted 01 November 2009 - 09:10 PM

I will run it now...

#105 Joecastle (Authentic Member, 215 posts)

Posted 02 November 2009 - 06:22 AM

Good Morning Cat..

I am at work.. I let DrWeb run last night and the same thing happened when trying to save the report... (BSOD)... But I managed to write down the infections...

Object - Path - Status - Action

WindowsteyQ.066 - C:\ - Program.Ardamax
A0027943.exe\data220 - DrWeb Quarantine - Program.PrcView.3725
Aoo27942.exe - DrWeb Quarantine - Archive Contains Infected Objects - Moved

Edited by Joecastle, 02 November 2009 - 06:24 AM.
