ComboFix & Kingston Blackbox Datatravler


8 replies to this topic

#1 dcostain

dcostain

  • Members
  • 6 posts
  • OFFLINE

Posted 23 November 2010 - 02:18 PM

This is my first post. I have been working in medium-duty IT for about 5 years, and have had my share of run-of-the-mill virus removals.

I have been using ComboFix as a last resort for several weeks now, and have found only one issue.

Our company uses the Kingston Blackbox Datatraveler encrypted flash drives for data transportation. Here is the issue we have had after running ComboFix. Let me know if anyone else has had this.

On machines that we have run the ComboFix software on, upon completion of the ComboFix scan, the software on the Kingston BlackBox Datatravelers STOPS working. Upon inserting the USB device, the Blackbox software should open and then prompt for a password automatically; it will not. Even if you open My Computer and manually open the DTBB application on the virtual CD drive the USB stick creates, it will error out saying "DT Black Box cannot be started". I have tried this on several machines that have been freshly installed with XP to test, and it does not allow the Blackbox authentication software to run, breaking it every time. I am investigating the ComboFix log files to locate what's happening. It seems to be a permission issue on some Temp-type folder that Blackbox temporarily dumps to in the startup process. The DataTravelers will continue to work in other machines, just not the one ComboFix has been run on.


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 24 November 2010 - 11:36 PM

ComboFix disables autorun when you run it as a security measure.

You can follow the steps in this article to enable it again:

http://support.microsoft.com/kb/330135

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,726 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 25 November 2010 - 08:12 AM

FYI: Why is this a security concern?

Keeping Autorun enabled on USB and other removable drives has become a significant security risk, as they are one of the most common infection vectors for malware, which can transfer the infection to your computer. Many security experts recommend you disable Autorun as a method of prevention. Microsoft recommends doing the same. To learn more about this risk, please read:
  • Microsoft Security Advisory (967940): Update for Windows Autorun

    ...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...Microsoft has revised this advisory to notify users of an update to Autorun that restricts AutoPlay functionality to CD-ROM and DVD-ROM media. This update is intended to stop AutoPlay functionality from working on USB drives, external hard drives, or network shares...

  • Microsoft Article ID: 971029: Update to the AutoPlay functionality in Windows

    ...This update disables AutoRun entries in AutoPlay, and displays only entries that are populated from CD and DVD drives. Effectively, this prevents AutoPlay from working with USB media...


Edited by quietman7, 25 November 2010 - 08:22 AM.
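Since both replies above turn on the state of the Autorun policy (ComboFix switches it off; the Microsoft updates restrict it to CD/DVD), here is an added, read-only PowerShell check that is not from this thread, from ComboFix or from Microsoft: it reads the NoDriveTypeAutoRun value under the Explorer policy key, decodes its per-drive-type bits, and reports which drive types may still autorun. The key path, value names and bit meanings are Microsoft's documented ones; the HonorAutorunSetting flag is the one KB967715 describes as indicating the Autorun fix is active.

```powershell
# Added example: audit the Autorun policy that ComboFix and the Microsoft
# updates above change. Read-only; run from an elevated PowerShell prompt.

# Bit values of NoDriveTypeAutoRun. A SET bit DISABLES autorun for that
# drive type. 0xFF disables autorun everywhere; 0x91 is the old XP default.
$driveBits = [ordered]@{
    0x01 = 'Unknown (no drive type)'
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed (hard disks)'
    0x10 = 'Network shares'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Unknown (no root directory)'
}

function Get-AutorunPolicy {
    param([string]$Hive)   # 'HKLM' (machine-wide, wins when set) or 'HKCU'
    $key = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive                = $Hive
        NoDriveTypeAutoRun  = $props.NoDriveTypeAutoRun    # $null if not set
        HonorAutorunSetting = $props.HonorAutorunSetting   # 1 = KB967715 fix active
    }
}

foreach ($hive in 'HKLM', 'HKCU') {
    $p = Get-AutorunPolicy -Hive $hive
    if ($null -eq $p.NoDriveTypeAutoRun) {
        "$hive : NoDriveTypeAutoRun not set (Windows default applies)"
        continue
    }
    $mask = [int]$p.NoDriveTypeAutoRun
    "{0} : NoDriveTypeAutoRun = 0x{1:X2}, HonorAutorunSetting = {2}" -f `
        $hive, $mask, $p.HonorAutorunSetting
    foreach ($bit in $driveBits.Keys) {
        # Without HonorAutorunSetting = 1, older XP builds could ignore the mask
        # because of the cached MountPoints2 entries KB967715 addresses.
        $state = if ($mask -band $bit) { 'autorun DISABLED' } else { 'autorun allowed' }
        "    {0,-34} {1}" -f $driveBits[$bit], $state
    }
}
```

On a machine ComboFix has cleaned you would expect the removable-drive bit (0x04) to be set; if it is clear and the Blackbox software still fails, the cause lies elsewhere than Autorun, as the topic starter found.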


#4 dcostain

dcostain
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE

Posted 30 November 2010 - 08:43 AM

Auto Run is turned on. I should have stated that I did try this already. Even if I manually double-click the application icon to start it, it opens the software to try and load, then the application itself gives me the error that it cannot start. The error is not coming from Windows; it's coming from the software itself. Thank you for your help trying. Here is a copy of the ComboFix log. This machine is a fresh image to test on. The Datatraveler Blackbox software worked before running; now it does not.

Edited by dcostain, 30 November 2010 - 08:51 AM.


#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 30 November 2010 - 08:55 AM

I am not familiar with the BisonC27.dll file. Is that file removed on the other machines as well?

#6 dcostain

dcostain
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE

Posted 30 November 2010 - 09:08 AM

That DLL is associated with the brand of built-in webcam that comes with the other model of machine we use. It is identical to the one I am testing on; it just has a webcam, so we use the same image for both.

#7 dcostain

dcostain
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE

Posted 30 November 2010 - 03:24 PM

d

Edited by dcostain, 30 November 2010 - 03:42 PM.


#8 dcostain

dcostain
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE

Posted 06 December 2010 - 09:29 AM

Bump

#9 dcostain

dcostain
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE

Posted 30 December 2010 - 10:01 AM

Anyone yet run into this?



