A forum for reverse engineering, OS internals and malware analysis 

 #803  by djpnuemo
 Tue Apr 20, 2010 7:38 pm
Reinfected the machine after re-imaging it. This time ocmi.sys was the infected driver. Dr.Web CureIt! endlessly loops when detecting the infection.

Previous test was with pciide.sys.

detects infection
cures infection
detects infection
cures infection
detects infection
cures infection

Infection not removed... *sigh*
Last edited by djpnuemo on Tue Apr 20, 2010 7:46 pm, edited 1 time in total.
 #804  by IndiGenus
 Tue Apr 20, 2010 7:45 pm
djpnuemo wrote:
Reinfected the machine after re-imaging it. This time ocmi.sys was the infected driver. Dr.Web CureIt! endlessly loops when detecting the infection.

detects infection
cures infection
detects infection
cures infection
detects infection
cures infection

Infection not removed... *sigh*
Heee..... no big surprise. This is a tough one to fix without booting out of the live system. You can simply replace it with the recovery console, or one of the PE disks.
 #838  by obse
 Thu Apr 22, 2010 9:54 am
djpnuemo wrote:
Reinfected the machine after re-imaging it. This time ocmi.sys was the infected driver. Dr.Web CureIt! endlessly loops when detecting the infection.
Which OS did you use for tests?
 #848  by obse
 Fri Apr 23, 2010 7:15 am
djpnuemo wrote:
XP SP3
Could you provide the registry entry for ocmi.sys? For example, ImagePath (on the infected or clean system).
Did you execute other cure/detection tools before CureIt!?
I know this bug can be reproduced when you try to cure the system twice in a session (by ignoring the reboot suggestion message). Did you?
 #853  by EP_X0FF
 Fri Apr 23, 2010 2:15 pm
You can reproduce that bug by simply running Dr.Web CureIt! inside a box with fresh TDL3. The infected driver is not meaningful. It gives this error loop with everything TDL3 infects.

Screenshots with up-to-date CureIt! and TDL.

After interrupting this infinite loop of cure/detect, Windows dmio.sys was killed. After reboot we have
00000000 0.00000000 Ah Lou, come on man, we really like this place
TDL3 successfully survives.
 #874  by EzzO
 Sun Apr 25, 2010 6:30 am
Hi guys, can you tell which CureIt! this is? Now in the beta section we have a new CureIt! with self-protection, a new starter and more, which can be downloaded here. Can you try to cure TDL3 with the beta CureIt! and show the results? Thanks :)
 #875  by obse
 Sun Apr 25, 2010 11:15 am
EP_X0FF wrote:
You can reproduce that bug by simply running Dr.Web CureIt! inside a box with fresh TDL3. The infected driver is not meaningful. It gives this error loop with everything TDL3 infects.
Thanks for the info. It sounds strange, but none of my previous tests ever showed such a curing process. I will try to reproduce it.
 #876  by obse
 Sun Apr 25, 2010 11:37 am
djpnuemo wrote:
That machine was re-imaged shortly after the test. I had the exact problem stated in EP_X0FF's post (http://www.kernelmode.info/forum/viewto ... p=853#p853).

If you must have that information, I can reinfect the machine and gather it. It will take me some time, FYI.
It would be very nice if you did.

BTW, can you show the ImagePath value from hklm\system\currentcontrolset\services\ocmi on your clean test system?
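The comparison obse is asking for (ImagePath of a driver service on a clean versus infected system) can be extended to every kernel and file system driver service at once. The PowerShell below is an added example for this thread, not code from the thread, from Dr.Web or from any tool mentioned here. It assumes an elevated PowerShell 4 or later on the machine being checked; the registry key, the Type values 1 and 2, Get-AuthenticodeSignature and Get-FileHash are standard Windows/PowerShell items, while the service names pciide and ocmi mentioned in the thread are used only as illustration in comments.

```powershell
# Added example (not from the thread): enumerate driver services, resolve each ImagePath to a
# file, and report the file's Authenticode status and SHA256 so two systems can be diffed.
# Assumption: run as administrator; PowerShell 4+ (Get-FileHash).

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot

function Resolve-DriverPath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    # Forms seen in ImagePath: \??\C:\..., \SystemRoot\..., system32\drivers\foo.sys, C:\...
    if ($p -match '^\\\?\?\\(.+)$')        { return $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$')   { return (Join-Path $systemRoot $Matches[1]) }
    if ($p -match '^[A-Za-z]:\\')           { return $p }
    return (Join-Path $systemRoot $p)       # relative to %SystemRoot% (e.g. system32\drivers\pciide.sys)
}

function Get-DriverReport {
    Get-ChildItem $servicesKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, Type 2 = file system driver; skip user-mode services
        if ($props.Type -ne 1 -and $props.Type -ne 2) { return }

        $file = Resolve-DriverPath $props.ImagePath
        if (-not $file -or -not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $props.ImagePath
                               File = $file; Status = 'MISSING'; SHA256 = $null; Signer = $null }
            return
        }

        $sig  = Get-AuthenticodeSignature -FilePath $file
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        [pscustomobject]@{
            Service   = $_.PSChildName      # e.g. ocmi, pciide
            ImagePath = $props.ImagePath
            File      = $file
            Status    = $sig.Status         # Valid / NotSigned / HashMismatch / ...
            SHA256    = $hash
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

# Save the full report on each machine, then compare the two CSVs; also list anything
# whose signature does not verify, which a driver with a patched body will not.
$report = Get-DriverReport
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-report-$env:COMPUTERNAME.csv"
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table Service, Status, ImagePath -AutoSize
```

Two caveats for reading the output. First, on older systems many inbox drivers are catalog-signed rather than embedded-signed, so older PowerShell builds report them as NotSigned; the SHA256 column is the dependable comparison there, diffing the CSV from the clean re-imaged machine against the one from the infected machine (the same service name with a different hash or ImagePath is what to look at). Second, as the thread itself shows, a rootkit that is active can answer file reads from the live system with clean data, so a hash taken from the live system can disagree with one taken offline from a PE disk or the recovery console; when they disagree, trust the offline one.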