Google redirect/Atapi.sys problem

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Am I infected? What do I do?

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Google redirect/Atapi.sys problem

Options

Marcusartist View Member Profile	Feb 1 2010, 07:49 PM Post #1
New Member Group: Members Posts: 4 Joined: 1-February 10 Member No.: 446,536	Hi all, I hope you can help me with this. I've been plagued by a "google redirect" virus for a few weeks now. I've scanned with malwarebytes, adaware, and many other apps. The only ones that detected anything were gmer and Hitman. Gmer reports that atapi.sys has been suspiciously modified. Hitman reports atapi.sys as a Rootkit. I didn't allow Hitman to make any changes because I'm not confident that I should be attempting to modify a .sys file, and I've read accounts of people really messing up their comps by trying to fix the atapi.sys issue. I've used HT but it doesn't really show anything wrong as far as I can tell. I'm running XP home sp3. Firefox is my browser. I stopped using IE8 because that browser is what I was using when I first noticed the problem; now it's happening with Firefox as well. I realize this is a common problem nowadays-- many people are experiencing this redirect issue. When the problem first showed up a few weeks ago, I went through a few blue screens of death, and also my desktop was changed to a light green background with a black fake warning box in the middle, "you are infected", or whatever... I did a sys restore and that helped for a few days but now the redirect problem is back. I've also noticed that ALL the processes running in my taskmanager are taking up a LOT more memory than usual. I installed Cleanmem and it's keeping that problem in check at least.... This "virus" is not always noticeable. Sometimes I can use google without any problems, other times I'm redirected. Oh, and I do not have my XP cd anymore; I'd have to contact Dell for a new disc. (I have the drivers/utilities disc and the Application disc that's all) So... is there a way I can fix this atapi file, which has apparently been modified? I'm assuming combofix will work, but I will need some assistance using it; I don't want to take any chances. Update: ran a rootrepeal scan and MBR Rootkit detected. Also, something about "bootstrap.exe" and some other interesting stuff; I have a .txt file saved if you want me to post it. Also, under device manager, view hidden files, both SASDIFSV and SASKUTIL are both either not working properly or do not have correct drivers installed; not sure if this is related to the problem or not... Update: ran Win32kDiag and all I get is: WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Finished! Thanks for any help, Mark This post has been edited by Marcusartist: Feb 1 2010, 11:46 PM

Marcusartist View Member Profile	Feb 3 2010, 03:26 PM Post #2
New Member Group: Members Posts: 4 Joined: 1-February 10 Member No.: 446,536	another update: My situation keeps getting worse and worse... I was playing an mmorpg today and didn't even have any browser open, and suddenly a warning box popped up right over my game screen about my PC being infected (I believe the program was called "Protect my PC" or something like that, anyway, it started "scanning" and of course reported all sorts of problems, anyway I ran Hitman and got rid of several baddies, but when I rebooted I was unable to open ANYthing ending in .exe. Somehow my rundll32 was corrupted or something.. so I got online on a friend's comp and dl'd an ap called "exefix" for xp... this worked.. so far. My system keeps getting worse and worse, and I think the main problem is that atapi.sys file...

boopme View Member Profile	Feb 3 2010, 04:53 PM Post #3
To INSANITY and BEYOND !! Group: Moderator Posts: 25,322 Joined: 10-September 04 From: NJ USA Member No.: 2,608	Hello,please run this next. Next run MBAM (MalwareBytes): NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop. Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes. Make sure you are connected to the Internet. Double-click on mbam-setup.exe to install the application. When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked: Update Malwarebytes' Anti-Malware Launch Malwarebytes' Anti-Malware Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install. On the Scanner tab: Make sure the "Perform Quick Scan" option is selected. Then click on the Scan button. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process. Back at the main Scanner screen: Click on the Show Results button to see a list of any malware that was found. Make sure that *everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs* tab in MBAM. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system. Exit MBAM when done. Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!). Go to Start > Run and type: cmd.exe press Ok. At the command prompt type: c:\mbr.exe >>"C:\mbr.log" press Enter. The process is automatic...a black DOS window will open and quickly disappear. This is normal. A log file named mbr.log will be created and saved to the root of the system drive (usually C:\). Copy and paste the results of the mbr.log in your next reply. If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool. -------------------- How do I get help? Who is helping me? Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

Marcusartist View Member Profile	Feb 4 2010, 10:18 PM Post #4
New Member Group: Members Posts: 4 Joined: 1-February 10 Member No.: 446,536	Hi, Boopme. Thank you for taking the time to help me. Here are my MBAM and MBR logs. (FYI, during my first mbam scan the comp shutdown; BS o'Death, but it worked the second time) Malwarebytes' Anti-Malware 1.44 Database version: 3691 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 2/4/2010 8:24:07 PM mbam-log-2010-02-04 (20-23-24).txt Scan type: Quick Scan Objects scanned: 144187 Time elapsed: 20 minute(s), 29 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 8 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> No action taken. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Documents and Settings\HelpAssistant.MARCUSAR-38F8CE.001\Start Menu\Programs\Your PC Protector (Rogue.YourPCProtector) -> No action taken. Files Infected: C:\Documents and Settings\HelpAssistant.MARCUSAR-38F8CE.001\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk (Rogue.YourPCProtector) -> No action taken. Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully copy of MBR has been found in sector 0x06FBC03D malicious code @ sector 0x06FBC040 ! PE file found in sector at 0x06FBC056 ! MBR rootkit infection detected ! Use: "mbr.exe -f" to fix. Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully copy of MBR has been found in sector 0x06FBC03D malicious code @ sector 0x06FBC040 ! PE file found in sector at 0x06FBC056 ! MBR rootkit infection detected ! Use: "mbr.exe -f" to fix. Some more info: Whatever I'm infected with keeps adding more crap to my comp; yesterday I did some scans and found "sdra64.exe".... I got rid of it, but... I'm wondering how I keep getting new malware when I'm not surfing anymore... I keep getting infected with different nasties... whatever I have has opened a door, a very wide door apparently, because Hitman, Mbam, winpatrol, HJT, etc., kept finding new baddies each day...I did the scans and cleaned, rescanned and thought I was ok, then new stuff kept showing up.. I'm wondering if there's ONE bad guy (rootkit?) that keeps me wide open to new infections... Oh, something else I just remembered: I copied "atapi.sys" from my I386 folder to replace the one in sys32 drivers folder; this was a "fix" I had read about. My atapi.sys was "suspiciously modified" as I stated in my initial post, and when I checked the file it was indeed modified on Jan 18 2010 (original was 2004).. not sure if you need any of this info, just wanted to let you know.. And something else: I connect to the internet with a Netgear USB wireless adaptor; the router I have hooked up to my family's computer upstairs... I set up the router for them, but there's no security on it (they're using WindowsME and the CD that came with the router is not compatible with ME, but the router could still (obviously) be hooked up.. this was the advice the guys at Radio Shack (yeah i know...) gave me, so... how can I secure BOTH our computers?? thanks again for your help. This post has been edited by Marcusartist: Feb 4 2010, 11:13 PM

boopme View Member Profile	Feb 6 2010, 04:31 PM Post #5
To INSANITY and BEYOND !! Group: Moderator Posts: 25,322 Joined: 10-September 04 From: NJ USA Member No.: 2,608	Hello as you have both sdra64.exe and atapi mods... These will keep restarting and we'll need an HJT log to remove. I am concerned you have a Virut infection, I figure you ran GMer to get that info so in the next step post it's log instead of Rootrepeal's.. You will need to run HJT/DDS. Please follow this guide. Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log. Let me know if it went OK. Avira Free is compatible with those operating systems. http://www.free-av.de/en/trialpay_download..._antivirus.html -------------------- How do I get help? Who is helping me? Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

Marcusartist View Member Profile	Feb 9 2010, 01:37 PM Post #6
New Member Group: Members Posts: 4 Joined: 1-February 10 Member No.: 446,536	Hi Boopme. I've solved my problems; everything is ok now. Thanks again!

boopme View Member Profile	Feb 9 2010, 03:30 PM Post #7
To INSANITY and BEYOND !! Group: Moderator Posts: 25,322 Joined: 10-September 04 From: NJ USA Member No.: 2,608	Hi, OK thanks for letting us know.. If you are sure it's clear then... Now you should Create a New Restore Point *to prevent possible reinfection* from an old one*. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is: Go to Start* > Programs > Accessories > System Tools and click "System Restore". Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go to Start > Run and type: Cleanmgr Click "Ok". Disk Cleanup will scan your files for several minutes, then open. Click the "More Options" tab, then click the "Clean up" button under System Restore. Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?" Click Yes, then click Ok. Click Yes again when prompted with "Are you sure you want to perform these actions?" Disk Cleanup will remove the files and close automatically. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista. -------------------- How do I get help? Who is helping me? Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

« Next Oldest · Am I infected? What do I do? · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 15th March 2010 - 08:31 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides