
Pop Up After Fake Anti Virus



Please make sure you can View Hidden Files and Folders first

1. Click Start

2. Open My Computer

3. Select the Tools menu and click Folder Options

4. Select the View Tab

5. Under the Hidden files and folders heading, select Show hidden files and folders

6. Uncheck the Hide protected operating system files (recommended) option

7. Uncheck "Hide extensions for known file types"

8. Click Yes to confirm

9. Click OK

Now, open Windows Explorer and browse to the following location to confirm sigcheck is there:

C:\Windows\System32\sigcheck.exe

Do you see it?

Also, the command to launch from the run line is a single line command, so copy and paste it as such.


Click start -> run

copy/paste the following in the open box and click ok

cmd /k sigcheck %WINDIR%\system32\drivers\atapi.sys

After the command processes, right-click within the cmd window and choose "Select All"

The window will change colors

Right-click again within the cmd window and it will change back to black

This action copies the content to the Windows Clipboard

Open Notepad and paste the results there and into your next reply.

Your results will look something like this:

Sigcheck v1.41

Copyright © 2004-2007 Mark Russinovich

Sysinternals - www.sysinternals.com

c:\windows\system32\drivers\atapi.sys:

Verified: Signed

Signing date: 7:38 AM 4/11/2009

Publisher: Microsoft Corporation

Description: ATAPI IDE Miniport Driver

Product: Microsoft


Sigcheck v1.62 - File version and signature viewer

Copyright © 2004-2009 Mark Russinovich

Sysinternals - www.sysinternals.com

c:\windows\system32\drivers\atapi.sys:

Verified: Signed

Signing date: 9:07 PM 4/13/2008

Publisher: Microsoft Corporation

Description: IDE/ATAPI Port Driver

Product: Microsoft


Upload the following files one at a time to the Virus Total Scanner by browsing to each file's folder location. Virus Total Scanner will employ several scanners to test the file for its threat potential. Please post the URLs to the scan results back here.

File 1:

c:\windows\system32\drivers\atapi.sys

File 2:

c:\windows\servicepackfiles\i386\atapi.sys

If you are alerted with a VirusTotal message that the file has already been scanned, do NOT give me the old file results!! I need a fresh scan report. Thanks.

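As an added example (not code from the thread, from sigcheck or from VirusTotal), here is a small Python script that does offline what the two requests above do by hand: it hashes both atapi.sys copies so they can be compared with the digests VirusTotal lists, and it reads the PE header to see whether either file carries an embedded Authenticode signature. One caveat before reading its output: Windows in-box drivers are normally signed through the system catalogs rather than with a certificate embedded in the file, so a missing embedded signature does not by itself mean the file was tampered with; that is why a tool like sigcheck also consults the catalogs. The build_test_pe helper produces constructed, headers-only test data so the script can be exercised without a real driver; the script name in the usage line is an assumption.

```python
"""Offline checks for two copies of a driver, such as the pair of atapi.sys
files requested above: hash both, report whether they are byte-identical,
and look for an embedded Authenticode signature in the PE header.

Added example, not code from the thread, sigcheck or VirusTotal.
Caveat: Windows in-box drivers are normally catalog-signed, so an empty
security directory alone does not show tampering; a verifier has to consult
the system catalogs (as sigcheck does) rather than only the file bytes.
"""
import hashlib
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot of the certificate table


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the bytes, the three digests VirusTotal lists."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def _unpack(fmt: str, data: bytes, off: int):
    try:
        return struct.unpack_from(fmt, data, off)
    except struct.error as exc:
        raise ValueError("truncated PE header at offset 0x%x" % off) from exc


def embedded_signature(data: bytes):
    """Return (file_offset, size) of the WIN_CERTIFICATE table if the image has
    one, None if the security directory is empty, ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = _unpack("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_hdr = e_lfanew + 4 + 20          # skip "PE\0\0" and the 20-byte IMAGE_FILE_HEADER
    magic = _unpack("<H", data, opt_hdr)[0]
    if magic == 0x10B:                   # PE32: NumberOfRvaAndSizes at +92
        n_dirs_off = opt_hdr + 92
    elif magic == 0x20B:                 # PE32+: at +108 (ImageBase, stack/heap fields are 8 bytes)
        n_dirs_off = opt_hdr + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = _unpack("<I", data, n_dirs_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = _unpack("<II", data, n_dirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    # Unlike the other directories this entry is a raw file offset, not an RVA.
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size


def compare_copies(a: bytes, b: bytes) -> dict:
    """The facts a helper wants before swapping copy b over copy a."""
    ha, hb = file_hashes(a), file_hashes(b)
    return {
        "identical": ha["sha256"] == hb["sha256"],
        "a_hashes": ha,
        "b_hashes": hb,
        "a_embedded_sig": embedded_signature(a) is not None,
        "b_embedded_sig": embedded_signature(b) is not None,
    }


def build_test_pe(sig_offset: int = 0, sig_size: int = 0) -> bytes:
    """Constructed test data: a headers-only PE32 image, not a real driver.
    A non-zero sig_offset/sig_size fills the security directory."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     sig_offset, sig_size)
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
    if sig_size:                                            # pad, then a dummy cert blob
        image = image.ljust(sig_offset, b"\0") + b"\xcc" * sig_size
    return image


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <copy-a> <copy-b>" % sys.argv[0])
    with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
        for key, value in compare_copies(fa.read(), fb.read()).items():
            print(key, value)
```

Run it as `python check_copies.py C:\Windows\system32\drivers\atapi.sys C:\Windows\ServicePackFiles\i386\atapi.sys` and compare the printed SHA-256 values with the ones in the VirusTotal reports; `identical` is True only when both copies are byte-for-byte the same.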

File atapi.sys received on 2009.11.23 23:20:53 (UTC)


Result: 1/41 (2.44%)


Antivirus Version Last Update Result

a-squared 4.5.0.43 2009.11.23 -

AhnLab-V3 5.0.0.2 2009.11.23 -

AntiVir 7.9.1.70 2009.11.23 -

Antiy-AVL 2.0.3.7 2009.11.23 -

Authentium 5.2.0.5 2009.11.23 -

Avast 4.8.1351.0 2009.11.23 -

AVG 8.5.0.425 2009.11.23 -

BitDefender 7.2 2009.11.24 -

CAT-QuickHeal 10.00 2009.11.23 -

ClamAV 0.94.1 2009.11.23 -

Comodo 3013 2009.11.23 -

DrWeb 5.0.0.12182 2009.11.23 -

eSafe 7.0.17.0 2009.11.23 Win32.Rootkit

eTrust-Vet 35.1.7137 2009.11.23 -

F-Prot 4.5.1.85 2009.11.23 -

F-Secure 9.0.15370.0 2009.11.20 -

Fortinet 3.120.0.0 2009.11.23 -

GData 19 2009.11.23 -

Ikarus T3.1.1.74.0 2009.11.23 -

Jiangmin 11.0.800 2009.11.23 -

K7AntiVirus 7.10.903 2009.11.23 -

Kaspersky 7.0.0.125 2009.11.24 -

McAfee 5811 2009.11.23 -

McAfee+Artemis 5811 2009.11.23 -

McAfee-GW-Edition 6.8.5 2009.11.23 -

Microsoft 1.5302 2009.11.23 -

NOD32 4631 2009.11.23 -

Norman 6.03.02 2009.11.23 -

nProtect 2009.1.8.0 2009.11.23 -

Panda 10.0.2.2 2009.11.23 -

PCTools 7.0.3.5 2009.11.23 -

Prevx 3.0 2009.11.24 -

Rising 22.23.00.09 2009.11.23 -

Sophos 4.47.0 2009.11.23 -

Sunbelt 3.2.1858.2 2009.11.23 -

Symantec 1.4.4.12 2009.11.24 -

TheHacker 6.5.0.2.076 2009.11.23 -

TrendMicro 9.0.0.1003 2009.11.23 -

VBA32 3.12.12.0 2009.11.22 -

ViRobot 2009.11.23.2049 2009.11.23 -

VirusBuster 5.0.21.0 2009.11.23 -

Additional information

File size: 96512 bytes

MD5...: 9f3a2f5aa6875c72bf062c712cfa2674

SHA1..: a719156e8ad67456556a02c34e762944234e7a44

SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9

ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x159f7

timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)

machinetype.......: 0x14c (I386)

( 9 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7

NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29

.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708

.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834

PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9

PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863

INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3

.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab

.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )

> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress

> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR

> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft® Windows® Operating System

description..: IDE/ATAPI Port Driver

original name: atapi.sys

internal name: atapi.sys

file version.: 5.1.2600.5512 (xpsp.080413-2108)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

packers (Kaspersky): PE_Patch


File atapi.sys received on 2009.11.23 23:23:11 (UTC)


Result: 1/41 (2.44%)


Antivirus Version Last Update Result

a-squared 4.5.0.43 2009.11.23 -

AhnLab-V3 5.0.0.2 2009.11.23 -

AntiVir 7.9.1.70 2009.11.23 -

Antiy-AVL 2.0.3.7 2009.11.23 -

Authentium 5.2.0.5 2009.11.23 -

Avast 4.8.1351.0 2009.11.23 -

AVG 8.5.0.425 2009.11.23 -

BitDefender 7.2 2009.11.24 -

CAT-QuickHeal 10.00 2009.11.23 -

ClamAV 0.94.1 2009.11.23 -

Comodo 3013 2009.11.23 -

DrWeb 5.0.0.12182 2009.11.23 -

eSafe 7.0.17.0 2009.11.23 Win32.Rootkit

eTrust-Vet 35.1.7137 2009.11.23 -

F-Prot 4.5.1.85 2009.11.23 -

F-Secure 9.0.15370.0 2009.11.20 -

Fortinet 3.120.0.0 2009.11.23 -

GData 19 2009.11.23 -

Ikarus T3.1.1.74.0 2009.11.23 -

Jiangmin 11.0.800 2009.11.23 -

K7AntiVirus 7.10.903 2009.11.23 -

Kaspersky 7.0.0.125 2009.11.24 -

McAfee 5811 2009.11.23 -

McAfee+Artemis 5811 2009.11.23 -

McAfee-GW-Edition 6.8.5 2009.11.23 -

Microsoft 1.5302 2009.11.23 -

NOD32 4631 2009.11.23 -

Norman 6.03.02 2009.11.23 -

nProtect 2009.1.8.0 2009.11.23 -

Panda 10.0.2.2 2009.11.23 -

PCTools 7.0.3.5 2009.11.23 -

Prevx 3.0 2009.11.24 -

Rising 22.23.00.09 2009.11.23 -

Sophos 4.47.0 2009.11.23 -

Sunbelt 3.2.1858.2 2009.11.23 -

Symantec 1.4.4.12 2009.11.24 -

TheHacker 6.5.0.2.076 2009.11.23 -

TrendMicro 9.0.0.1003 2009.11.23 -

VBA32 3.12.12.0 2009.11.22 -

ViRobot 2009.11.23.2049 2009.11.23 -

VirusBuster 5.0.21.0 2009.11.23 -

Additional information

File size: 96512 bytes

MD5...: 9f3a2f5aa6875c72bf062c712cfa2674

SHA1..: a719156e8ad67456556a02c34e762944234e7a44

SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9

ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x159f7

timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)

machinetype.......: 0x14c (I386)

( 9 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7

NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29

.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708

.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834

PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9

PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863

INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3

.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab

.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )

> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress

> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR

> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft® Windows® Operating System

description..: IDE/ATAPI Port Driver

original name: atapi.sys

internal name: atapi.sys

file version.: 5.1.2600.5512 (xpsp.080413-2108)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

packers (Kaspersky): PE_Patch


Let's try this then:

Right-click the following file and select "Copy" from the context menu (this will copy the file to the Windows Clipboard)

C:\WINDOWS\ServicePackFiles\i386\atapi.sys

Double-click "My Computer"

Double-click your OS (C:) drive

In the right pane where the files/folders located in C: are displayed, right-click in the empty space, and select "Paste"

This will copy atapi.sys to C:\

Now, verify that C:\atapi.sys exists and then we'll continue.


Delete your copy of combofix.

Please redownload a current copy of Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice.

Save it to your desktop.

Disable your Antivirus.

Launch the renamed combofix by double-clicking it and when it prompts you to install recovery console, please do that!!

If you launch Combofix from the run line with the /killall switch, I don't think it will prompt you to install recovery console, but I'm not sure about that. You'll have to try it ONLY if you cannot run Combofix the normal way (by double-clicking the EXE file on your desktop).

Let me know how far you get.


Download The Avenger by Swandog46:

http://swandog46.geekstogo.com/avenger2/download.php

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to "Automatically disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Files to move:
C:\atapi.sys | c:\windows\system32\drivers\atapi.sys

Files to delete:
c:\windows\system32\AOLDial.dll

  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If the log does not automatically open, it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)

Please post the Avenger log


Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.

Error: could not open file "c:\windows\system32\AOLDial.dll"

Deletion of file "c:\windows\system32\AOLDial.dll" failed!

Status: 0xc000009c

Completed script processing.

*******************

Finished! Terminate.

AND I got a Windows "No Disk" message that popped up: "Exception Processing Message c0000013 Parameters 75b6b7c 4 75b6b7c 75b6b7c"

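Added example, not Avenger's code and not from the thread: a Python script that parses an Avenger script together with the log Avenger writes after the reboot, reports which scripted moves and deletions the log confirms and which are still pending, and decodes the NTSTATUS printed on a failure. The embedded sample script and log are constructed to match the ones posted above, only the two script sections and the log message shapes seen in this thread are handled, and the NTSTATUS table covers just a few well-known codes.

```python
"""Reconcile an Avenger script with the log Avenger writes after the reboot:
which "Files to move" / "Files to delete" entries the log confirms, which are
still pending, and what the NTSTATUS on a failure means. Added example; not
Avenger's code and not from the thread. Only the two script sections and the
log message shapes seen in this thread are handled; the sample script and
log below are constructed to match the ones posted."""
import re

OP_LINE = re.compile(r'^(?P<op>File move operation|Deletion of file) '
                     r'"(?P<target>[^"]+)" (?P<result>completed successfully\.|failed!)$')
ERROR_LINE = re.compile(r'^Error: (?P<msg>.+)$')
STATUS_LINE = re.compile(r'^Status: 0x(?P<code>[0-9A-Fa-f]{8})$')
NTSTATUS_NAMES = {0xC0000022: "STATUS_ACCESS_DENIED",          # a few well-known codes;
                  0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # anything else is
                  0xC000009C: "STATUS_DEVICE_DATA_ERROR"}      # reported as unknown

SAMPLE_SCRIPT = r"""
Files to move:
C:\atapi.sys | c:\windows\system32\drivers\atapi.sys

Files to delete:
c:\windows\system32\AOLDial.dll
"""

SAMPLE_LOG = r"""
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "C:\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.
Error: could not open file "c:\windows\system32\AOLDial.dll"
Deletion of file "c:\windows\system32\AOLDial.dll" failed!
Status: 0xc000009c
Completed script processing.
"""


def parse_avenger_script(text):
    """(source, destination) pairs under 'Files to move:', paths under 'Files to delete:'."""
    script, section = {"move": [], "delete": []}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.lower() in ("files to move:", "files to delete:"):
            section = line.split()[2].rstrip(":").lower()   # "move" or "delete"
        elif section == "move" and "|" in line:
            src, dst = (p.strip() for p in line.split("|", 1))
            script["move"].append((src, dst))
        elif section == "delete":
            script["delete"].append(line)
    return script


def parse_avenger_log(text):
    """One dict per scripted operation; a failed one also carries the preceding
    'Error:' line and the following 'Status:' code."""
    report, pending_error = {"rootkit_scan": False, "rootkits_found": None, "ops": []}, None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Rootkit scan active.":
            report["rootkit_scan"] = True
        elif line == "No rootkits found!":
            report["rootkits_found"] = False
        elif ERROR_LINE.match(line):
            pending_error = ERROR_LINE.match(line)["msg"]
        elif OP_LINE.match(line):
            m = OP_LINE.match(line)
            ok = m["result"].startswith("completed")
            entry = {"op": m["op"], "ok": ok, "status": None, "status_name": None,
                     "error": None if ok else pending_error}
            if m["op"] == "File move operation":
                entry["source"], entry["destination"] = m["target"].split("|", 1)
            else:
                entry["path"] = m["target"]
            report["ops"].append(entry)
            pending_error = None
        elif STATUS_LINE.match(line) and report["ops"]:
            code = int(STATUS_LINE.match(line)["code"], 16)
            report["ops"][-1].update(status=code,
                                     status_name=NTSTATUS_NAMES.get(code, "unknown NTSTATUS"))
    return report


def reconcile(script, report):
    """Script entries the log does not confirm as done (paths compared case-insensitively)."""
    done = {(o["op"], (o.get("path") or o["source"] + "|" + o["destination"]).lower())
            for o in report["ops"] if o["ok"]}
    return {
        "moves_pending": [m for m in script["move"]
                          if ("File move operation", (m[0] + "|" + m[1]).lower()) not in done],
        "deletes_pending": [d for d in script["delete"]
                            if ("Deletion of file", d.lower()) not in done],
    }


if __name__ == "__main__":
    log = parse_avenger_log(SAMPLE_LOG)
    for entry in log["ops"]:
        print("OK  " if entry["ok"] else "FAIL", entry)
    print(reconcile(parse_avenger_script(SAMPLE_SCRIPT), log))
```

On the sample data the move is confirmed and the AOLDial.dll deletion is left pending with STATUS_DEVICE_DATA_ERROR attached, so the same script entry can be carried into the next run instead of being assumed done. To use it on a real run, read C:\avenger.txt and the script you pasted into Avenger and pass their contents in place of the two samples.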
