'lo everyone, was wondering if I could get some advice on this file that I’ve taken notice of lately. Called ati2evxx.exe, it is supposed to be an ATI component.
-This file is located under C:\Windows.
-18kb in size.
-1500-2000 attempts daily to access 69.42.218.29 on various ports.
-Is a “hidden” file.
-I am unable to delete or move it, as I receive the "You do not have permission…etc." message, although I am the administrator.
-Is clean in both Jotti and Virustotal scans
What do the file properties say about it, being an ATI component any digital signing, etc.
Have you got an ATI graphics card/chip ?
There are lots of hits for the file, some relating to malware but most relating to ATI. Given that you scanned the file at VT with 41 scanners and it came up clean, I would suspect it is ATI, but why it is connecting is another story.
If you have an ATI card then check the settings and see if there is some sort of update checking, etc.
You could also block outbound connections for this file.
The file is not digitally signed and has no company name, and it has created an auto-start entry named "Plug and Play", again with no company name. I do have an ATI card, and there are no options for updates. I have blocked the file and tried to quarantine it, but it keeps cloning.
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.
[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Check the box that says 64 bit
[*]Under Additional Scans check the following:
[*]Reg - Shell Spawning
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Under custom scans copy and paste the following
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%*. /mp /s
c:$recycle.bin*.* /s
CREATERESTOREPOINT
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
To attach a file, do the following:
[*]Click Add Reply
[*]Under the reply panel is the Attachments Panel
[*]Browse for the attachment file you want to upload, then click the green Upload button
[*]Once it has uploaded, click the Manage Current Attachments drop down box
[*]Click on the attach icon (http://www.geekstogo.com/forum/style_images/11168623649/folder_attach_images/attach_add.png) to insert the attachment into your post
Hopefully, essexboy can get to the bottom of it as it is strange that it creates a startup entry for plug and pray.
You could also try sending it to this more detailed on-line analysis, Anubis: Analyzing Unknown Binaries, which is another useful scanning tool.
Ah, a 64-bit system; that is why the log was large. The legitimate file is present in the syswow folder.
Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> ⪘̹灂ഭ ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
[Files/Folders - Created Within 30 Days]
NY -> ~1 -> C:\ProgramData\~1
NY -> ~0 -> C:\ProgramData\~0
NY -> runouce.exe -> C:\Windows\SysWow64\runouce.exe
[Files/Folders - Modified Within 30 Days]
NY -> ati2evxx.exe -> C:\Windows\ati2evxx.exe
NY -> cfplogvw.INI -> C:\Windows\cfplogvw.INI
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.
I will review the information when it comes back in.
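The earlier replies asked about the file's properties (digital signature, company name, the unnamed "Plug and Play" auto-start entry) and the later OTS fix shows the legitimate copy living in the SysWow64 folder alongside an odd AppInit_DLLs value. The following PowerShell script is an added example of how to gather those same facts in one pass; it is not from the thread or from OTS. It assumes an elevated PowerShell 4 or later prompt (Get-FileHash), uses only built-in cmdlets, and takes the file name from the thread as its default parameter. The outbound-block step at the end is left commented out and needs the NetSecurity module (Windows 8 / Server 2012 or later).

```powershell
# Added triage script (not from the thread): lists every copy of a named
# file under the Windows directory with the properties discussed above,
# then checks Run keys, services and AppInit_DLLs for references to it.
param(
    [string]$FileName = 'ati2evxx.exe'   # file name from the thread
)

$windir = $env:SystemRoot

# Every copy of the file under C:\Windows, hidden ones included (-Force).
# On a 64-bit system a real vendor copy usually sits in SysWow64 or System32,
# so a second, unsigned copy directly in C:\Windows is what stands out.
$copies = Get-ChildItem -Path $windir -Filter $FileName -Recurse -Force -File -ErrorAction SilentlyContinue

foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SizeKB    = [math]::Round($f.Length / 1KB, 1)
        Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        SigStatus = $sig.Status            # 'Valid' for a properly signed vendor file, 'NotSigned' otherwise
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Company   = $f.VersionInfo.CompanyName
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

# Run keys for the machine (64-bit and 32-bit views) and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match [regex]::Escape($FileName)) {
            Write-Output "Run entry: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# Services whose image path references the file (an entry named like a
# Windows component, e.g. "Plug and Play", with no company name is suspect).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match [regex]::Escape($FileName) } |
    ForEach-Object { Write-Output "Service: '$($_.DisplayName)' ($($_.Name)) -> $($_.PathName)" }

# AppInit_DLLs: anything listed here is loaded into every process that links
# user32.dll, so a non-empty or unreadable value deserves a close look.
foreach ($k in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')) {
    $v = (Get-ItemProperty -Path $k -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($v) { Write-Output "AppInit_DLLs at ${k}: '$v'" }
}

# Optional: block outbound traffic for each copy found, as suggested earlier
# in the thread. Uncomment to apply (requires the NetSecurity module).
# foreach ($f in $copies) {
#     New-NetFirewallRule -DisplayName "Block outbound $($f.Name)" -Direction Outbound `
#         -Program $f.FullName -Action Block | Out-Null
# }
```

Run it as `.\Triage-File.ps1` (or `.\Triage-File.ps1 -FileName other.exe` for a different file). The point of listing every copy side by side is the one essexboy's fix relies on: the signed copy in the vendor location and the unsigned, hidden copy in C:\Windows share a name but nothing else, and the hash and signer columns make that visible without a second tool.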
Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
Thank you essexboy. I went along with all the steps you said, no problems at all, MBam found no infections. And the strange file was removed and has not “cloned” again so far.
I'll keep updating about what happens in the next day or so. Thank you very much for your help and professionalism!
I just closed this case with ATI, they were very rude about it. They sent me to one of those “What is this process?” type places and gave me that ^^^ IP information and left me on my own. But anywho thanks again to everyone.
The whole time this happened was when I had Panda Cloud, this should be an example of how effective a whole security suite like AIS is versus a simple AV like Panda Cloud.